I’ve recently given two presentations about the internet and privacy, the first a fortnight ago in UCD at the Student Legal Convention, and the second last week in WIT. My theme, both times, was the decline of privacy online, and what we can do about it, not only from regulation by Data Protection Commissioners to individual court cases, but also from protecting our own privacy to respecting the privacy of others. In the latter context, I called for a Creative Commons for Privacy and I suggested that it might be called Privacy Paradigm (but if you have a better idea, please let me know). In this post, I want to tease out what a Privacy Paradigm, a Creative Commons for Privacy, might look like and what it could do.
If the analogy is to Creative Commons, the first question must be: what does Creative Commons do? Have a look at the column on the right, and scroll down a bit to the box headed “Licence”. You’ll see a badge with three icons and some short-hand; and you’ll see accompanying text which explains that this blog is “licensed under a Creative Commons … License”. By these means, I signal not only that you may re-use my content, but also the conditions under which you may do so. However, to do this, I didn’t have to design the badge, write a convoluted piece of legal code, or a complex piece of computer code, or even a plain-English description of either of these pieces of code. Creative Commons have already done all of this for me. I went to their site, selected the standard-form licence that best suited my needs, took the badge and link which they supplied, and placed it on my blog in the “Licence” box in the right column. The icons and short-hand on the badge signal the chosen licence (that is to say, the conditions under which you may re-use my content), and the accompanying link goes back to the text of the standard-form licence on the Creative Commons website. Creative Commons maintain their licences in three parallel forms: standard-form human-readable language, technical legal code, and powerful machine-readable code. Their elegant approach promotes a full understanding of, and encourages a culture of respect for, the nature and limits of copyright law.
Where Creative Commons provide standard-form copyright licences, Privacy Paradigm would provide standard-form privacy policies. And where the Creative Commons licences reflect general principles of copyright law, the Privacy Paradigm privacy policies would reflect general principles of privacy law.
Hence, Privacy Paradigm, as a Creative Commons for Privacy would provide a means by which I could signal not only that I respect your privacy when you use my website but also how (if at all) my site processes personal data. I would need a badge with icons and short-hand, and accompanying text which explains that this blog operates under a standard-form privacy policy. Reflecting its debt to Creative Commons, the Privacy Paradigm badge and icons could be based on the image at the top left of this post (an image plainly influenced by Creative Commons livery, which I have adapted pursuant to their licence; but, again, if you have a better idea, please let me know). And it would write the necessary convoluted legal code, complex computer code, and plain-English descriptions of these pieces of code, for its standard-form privacy policies. I would then be able to go to their site, select the standard-form privacy policy that best suits my needs, take the badge and link supplied, and place them on my blog in an appropriate place. The icons and short-hand on the badge would signal the chosen privacy policy (that is to say, how (if at all) my site processes personal data), and the accompanying link would go back to the text of the standard-form privacy policy on the Privacy Paradigm website. By analogy with Creative Commons licences, Privacy Paradigm would maintain their privacy policies in three parallel forms: standard-form human-readable language, technical legal code, and powerful machine-readable code. This approach would help to promote a full understanding of, and to encourage a culture of respect for, the nature and limits of privacy online.
The simplest Creative Commons license – CC0 – waives all copyrights. By analogy, the simplest Privacy Paradigm policy – with stunning unoriginality, let’s call it PP0 – would amount to an undertaking that the site does not process any personal data all, and thus entirely respects the privacy of all visitors to, and users of, the site. There would be a PP0 icon on the site, which would link to the standard-form human-readable policy on the Privacy Paradigm website, which in turn would link to the technical legal code on the Privacy Paradigm website.
Beyond CC0, Creative Commons offers suite of copyright licences, and powerful computer code under the hood helps users to choose the most appropriate licence for them. Similarly, beyond PP0, Privacy Paradigm would offer a suite of privacy policies, with powerful computer code under the hood to help users to choose the most appropriate policy for them. One of these policies could reflect best privacy practice; another could reflect the minimum standards laid down by appropriate regulations or regulators (such as the long delayed EU Data Protection Regulation). One significant lesson which can be drawn from the success of Creative Commons is that their suite of licences is small but well-chosen. If there are too many options, the process can get confusing for the user; but if there is a small set of options, users can more easily understand them and make the most informed and appropriate choices. So, Privacy Paradigm would need to have a similarly small but well-chosen set of options. And, of course, they would need to have icons on the Privacy Paradigm badges just as memorable and accessible as the icons on the Creative Commons badges.
Privacy Paradigm would need to go further in at least one important respect. It would need to provide a suite of privacy-compliant plug-ins for popular platforms such as WordPress and Drupal. In particular, where a site requires personal data, Privacy Paradigm would code a privacy-compliant workflow and provide it in an appropriate plug-in, PP badge, and linked standard-form privacy policy. For example, there are issues around cookie compliance, do not track policies, and so on, which Privacy Paradigm privacy policies and badges would probably need to include, and this may require plug-ins to implement the user’s choices in this regard.
More than that, off the top of my head, by looking at what this site does, and from my own experience online, I can see at least five ways in which sites on popular platforms such as WordPress and Drupal can process personal data. The first is in the comments section; the second is in the contact form; and the third is where a site requires registration for access. All of these can require names, email addresses, and other personal data. Privacy Paradigm could write plug-ins that respect the privacy of those filling in personal data on such forms, and provide the appropriate badges so that users filling in their personal data would know just what what use the site will make of it. Moreover, the contact form would need to make it easy to make privacy requests (such as rectification or erasure of personal data (pdf), or delinking pursuant to the right to be forgotten).
The fourth relates to the analysis of user traffic provided by various analytics packages. Here, Privacy Paradigm could write plug-ins that respect the privacy of site users, and provide the appropriate badges so that users would know just what analytics are being undertaken with the site’s traffic data, and where – if anywhere – these analytics are being shared. The fifth relates to simple online shopping, where a user purchases a good or service on a small-business site, and where the site therefore inevitably processes personal data. Again, Privacy Paradigm could write plug-ins that respect the privacy of site users, and provide the appropriate badges so that users would know just what use is made of their personal data, and where – if anywhere – it is being shared. Finally, here, I hope that those more knowledgeable about website data processing that I am will be able to tell me about other data processing undertaken by and for popular platforms, so that appropriate Privacy Paradigm plug-ins could be provided.
There are always questions of enforcement of the terms of Creative Commons licences, and there will be similar questions of enforcement of Privacy Paradigm privacy policies. Compliance with Creative Commons licences is largely a matter of trust, but breach of such licences can have legal consequences. Similarly, respect for Privacy Paradigm privacy policies would likewise largely be a matter of trust, but breach of such policies would also have legal consequences. Those consequences would depend upon the terms of the relevant policies and also upon the applicable legal regulations. It would therefore be necessary to co-ordinate the work of Privacy Paradigm with appropriate regulators, so that, in particular, (by analogy with CC4 licences) Privacy Paradigm privacy policies could both reflect international standards and refer to the relevant local regulator. Of course, this will require careful drafting of Privacy Paradigm’s privacy policies and accompanying computer code. But this challenge should be more than surmountable.
In the same way that Creative Commons, as one element of the copyright ecosystem, takes its place alongside other open or public licences, so Privacy Paradigm, as one element of the privacy ecosystem, would similarly take its place alongside existing privacy seals and website icons. A privacy seal is awarded, by a regulator or private operator, to organisations that demonstrate that they meet or exceed high standards of privacy protection. When they work, they’re appropriate for bigger businesses. Icons can provide a visual representation of a privacy policy, and can be bolted onto an existing privacy policy. A more sophisticated commercial solution is provided by Disconnect, which provides a means of automatically generating a set of icons to explain the privacy policies of websites and the privacy implications of search results. The target adopters of these seals and icons are sites where differentiation based on privacy matters to their users. Moreover, there are commercial sites that generate privacy policies, often in a small number of clicks.
Seals and icons are a signal of privacy compliance, but such schemes are individuated (often commercial, paid-for) solutions, whose credibility turns on trusted third parties to validate them in some way, and will ultimately only be as good as their underlying standards and ability to monitor compliance. Similarly, commercial privacy policy generators are also individual, paid for, solutions; and they tend not to provide not to provide additional badges to signal the applicable privacy policy. None of these provides a complete suite of solutions; and there is little or nothing in them for the ordinary website user or webmaster who cannot afford, or doesn’t need, a made-to-order solution. That is where Privacy Paradigm comes in, and where the explicit analogy with Creative Commons matters. The standard-form privacy policy on the Privacy Paradigm website, linked from the Privacy Paradigm badge on the website of the ordinary website user or webmaster, would fill all of the gaps in the other solutions.
There are limits to the utility of the Privacy Paradigm solution, of course, just as there are limits to the utility of the Creative Commons solution. They do not displace bespoke privacy policies or copyright licences, especially in the case of bigger businesses, where professional advice is necessary. Beyond this, however, the success of Creative Commons demonstrates that there is a need for a simple set of copyright licences, available to all. Similarly, Privacy Paradigm would demonstrate whether there is a need for a simple set of privacy policies, available to all – and I believe that there is.
There is a final set of questions: what else does Creative Commons do from which Privacy Paradigm might learn? And, from the perspective of protecting and respecting privacy, what more could Privacy Paradigm do in its own terms? If you have any suggestions, please let me know! In essence, if Creative Commons can be summed up in the three word slogan “some rights reserved“, then Privacy Paradigm can equally be summed up in the three word slogan “respecting privacy online”.
In conclusion, credit where credit is due: the phrase “Creative Commons for Privacy” was suggested during a recent meeting of the Ethics and Privacy working group of the ADAPT centre in Trinity College Dublin. Present were Owen Conlan, Bert Gordijn, Linda Hogan, Dave Lewis, Declan O’Sullivan, Mary Sharp, and yours truly. In answer to a question from Dave, I was talking about coding work flows which would build privacy by design into the centre’s digital content innovations. I commented that this would be a complicated marriage of complex computer code to convoluted legal code. And I pointed to Creative Commons as an example of where this kind of marriage has been conspicuously successful. I was musing on whether their (legal code/human readable/machine readable) licence workflow could be adapted to the privacy context, on whether “Creative Commons and Privacy” might go together in some way, and Owen replied with a comment which contained the phrase “Creative Commons for Privacy”. The rest, I hope, will be history. Indeed, any benefactor out there wants to support this endeavour, please let me know. Roll up; roll up!
2 Reply to “Privacy Paradigm – Towards a Creative Commons for Privacy”