Control and consent should be watchwords for everyone, not just Google
Tuesday’s letter to Google CEO Larry Page, personally signed by 29 European data protection authorities, ordered the corporation (inter alia) to give users greater control over their personal information. The notions of trust and control are emphasised throughout the letter, and Google is urged to "…develop new tools to give users more control over their personal data" and "collect explicit consent for the combination of data for certain purposes". It is good news that the regulators have investigated and exposed the reality behind Google’s claims about the high levels ‘user control’ of personal information processing on its platforms and applications.
But let us not forget that this disingenuity is not limited to Google, but currently permeates the industry as a whole, including most other internet ‘biggies’. Last year, Ireland’s data protection regulator investigated Facebook and recommended it implement a series of necessary changes, including "a mechanism for users to make informed choices about how their information is used and shared on the site" and "transparency and control for users….". Meanwhile, Microsoft has sneaked in under the radar with new privacy terms and conditions that may allow Google-esque data sharing across its services. The reality is that the potential returns for companies indulging in this kind of large scale data mining and correlation are very substantial, and the fact that most consumers and citizens aren't aware of what’s going on makes it easy to remove any meaningful form of control without anyone kicking up a fuss. Increasingly sophisticated technologies will also allow more and more mining, yet there seems to be no counter-balancing development of easy-to-use privacy-enhancing technologies.
So it is all very well to urge the big boys to conform to existing data protection regulations (which they rarely do) and to lead the way to good practice by example - but it is not enough. There are hundreds of companies out there indulging in the same practices, and it’s impossible to assess and police them all. As well as more effective 'self-defence' technologies, we need better prevention policies. Therefore the EU's ongoing revision of the data protection laws - currently being considered by the EU Parliament and Council - is to be welcomed, and particularly the proposed general data protection Regulation, which signals a shift towards more consumer and citizen control over personal data. The proposed definition of consent clarifies that it should be strong through being ‘explicit’ and evidenced by a statement or clear affirmative action. Given the shenanigans unveiled by the Google investigation, we feel that it should be strengthened even further, and be also ‘provable’ and based on meaningful information rather than legalistic or over-simplistic privacy notices. This would go a long way towards engendering more user trust and more control in the future, as well as better compliance with the law on the part of the companies, providing the available sanctions for infringement are commensurate with their wealth and power.
To the alarmists and hundreds of lobbyists in Brussels threatening that stronger data protection laws will destroy the digital economy, lay waste to economic recovery and stifle innovation, we say: look at the behavioural research evidence. The more people feel in control and 'in the know', the more they are willing to share. Effective data protection is, in fact, good for everyone.