Data Protection and Privacy: Hitting a Real World Wall

March 10, 2011

You may have missed the story about the Danish data protection regulator and the application from a local education authority to use cloud computing for certain purposes. Summarising wildly, Datatilsynet told Odense Municipality that it could not use Google Apps online office suite with calendar and document processing features because Google Ireland was not to be trusted. Among other objections, the Datatilsynet view was that the local authority had done insufficient risk assessment. There is a short account {here:} and the full rejection is {here:}.

The reaction has included the suggestion that Denmark is not part of the real world. (I can’t say for sure as I have never been, and though Wikipedia says it is a Scandinavian country in Northern Europe that is a notoriously unreliable source.) Clearly the suggestion that the intricacies of data protection should get in the way of a sensible initiative from a local authority (a rare enough phenomenon) has brought a few people to the very edge of apoplexy – and only one step away from reading the Daily Mail. Getting in the way of the cloud is seen as standing in the way of progress and practically Luddite.

The reported reaction of some members of the IT community to the Information Commissioner’s {gentle reminder:} about the need for consent to cookies has been over the top too in some cases. Rory Cellan-Jones in his {BBC blog:} reported a reaction that suggested it was ‘cookie madness’ and would lead to European-based web sites trading at a disadvantage. TechCrunch had the sober headline {‘Stupid EU Cookie Law Will Hand the Advantage to the US and Kill Our Start-ups Stone Dead’:}

I am tending to side with the Luddites on all of this, although not the nasty destructive and violent behaviour with which they are associated (or is that Leeds Utd?).

While the Denmark episode has the whiff of a jobsworth approach, my eye was caught by this passage from the Datatilsynet opinion:
{i}If the general requirements cited by Odense Municipality are to solely comprise the processor agreement, this requirement would be described as follows: “Customer … instructs Google to provide the Services and process End User personal data in accordance with the Google Privacy Policies and Google agrees to do the same.” (cf. section 1.4 of “Google Apps General Terms”).
In the view of the Danish Data Protection Agency, this solely obliges Google Ireland Limited to process the personal data in accordance with Google Inc.’s own Privacy Policy. Thus, Odense Municipality solely instructs Google Ireland Limited to process data in accordance with the Google Inc. group’s own guidelines. The Danish Data Protection Agency finds that such instructions must be deemed devoid of content, in purely material terms.
In addition, it does not appear to be out of question that Google Ireland Limited can unilaterally change the agreement terms in the company’s general terms and conditions, nor is there anything in the processor agreement that prevents Google Inc. from unilaterally changing the company’s Privacy Policy. On this basis, the Danish Data Protection Agency’s view is that Odense Municipality, in reality, has no control of how the data will be processed. The agency therefore assumes that Google Ireland Limited – and Google Inc. – decide how the data will be processed.{/i}
That is hardly consistent with a data processor acting on a controller’s instructions. Agreements such as the Google Apps one that say ’we can do what the heck we like’ are, of course, not to be taken seriously. But they are not uncommon – look at {the recent piece in the magazine from Simon Bradshaw, Christopher Millard and Ian Walden:}. Cloud advocates who complain about data protection getting in the way of commerce should admit that, in instances like this, the cloud industry is largely the author of its own misfortune.
I feel pretty much the same about cookies, but a lot more worried (Denmark is a long way away – 25 May isn’t). It is worth remembering that the effect of the amendments to the Privacy and Electronic Communications Directive is to require web sites to have the user’s consent before using that user’s computer for the storage and retrieval of information. Put like that, it does not seem unreasonable – the word ‘cookies’ does not appear anywhere. In the real world, you cannot stick a name badge on me without my say-so and you certainly cannot give me a tracking device without consent (or deceit). Why does some minor commercial inconvenience override this on the Internet? And if the inconvenience is not ‘minor’ then, after a three-year lead-in, it darn well should be – as I have suggested {here before:}, the need is for a more sophisticated range of cookies not just for the ‘basic oatmeal’ and ‘track every move’ flavours.

Increased choices and openness will lead most people to give consent freely – just as most lie wildly when claiming to have read and agreed to the terms of conditions of practically everything. But it will give those who want to make careful choices the opportunity to do so – those choices are currently available {i}in the real world{/i} only to the technologically sophisticated.

What worries me most is that a combination of the powerful advertising and Internet lobbies and government and EU fears about trading disadvantage will lead first to large-scale dragging of feet in implementation (widely forecast already) and then to an acceptance that so-called web browser consent is enough. The EU Commissioner and the government will be able to bask in the added privacy protection that they have given to Internet users, and everyone in the game will know that, especially as mobile Internet use via smartphones etc increases, the goal has been left wide open.

I think that it is the Internet advertisers and many web site operators that are failing to live in the real world – and government bodies, EU and national, need to drag them into it. Wake up and smell the privacy.