I’ve recently given two presentations about the internet and privacy, the first a fortnight ago in UCD at the Student Legal Convention, and the second last week in WIT. My theme, both times, was the decline of privacy online, and what we can do about it, not only from regulation by Data Protection Commissioners to individual court cases, but also from protecting our own privacy to respecting the privacy of others. In the latter context, I called for a Creative Commons for Privacy and I suggested that it might be called Privacy Paradigm (but if you have a better idea, please let me know). In this post, I want to tease out what a Privacy Paradigm, a Creative Commons for Privacy, might look like and what it could do.
If the analogy is to Creative Commons, the first question must be: what does Creative Commons do? Have a look at the column on the right, and scroll down a bit to the box headed “Licence”. You’ll see a badge with three icons and some short-hand; and you’ll see accompanying text which explains that this blog is “licensed under a Creative Commons … License”. By these means, I signal not only that you may re-use my content, but also the conditions under which you may do so. However, to do this, I didn’t have to design the badge, write a convoluted piece of legal code, or a complex piece of computer code, or even a plain-English description of either of these pieces of code. Creative Commons have already done all of this for me. I went to their site, selected the standard-form licence that best suited my needs, took the badge and link which they supplied, and placed it on my blog in the “Licence” box in the right column. The icons and short-hand on the badge signal the chosen licence (that is to say, the conditions under which you may re-use my content), and the accompanying link goes back to the text of the standard-form licence on the Creative Commons website. Creative Commons maintain their licences in three parallel forms: standard-form human-readable language, technical legal code, and powerful machine-readable code. Their elegant approach promotes a full understanding of, and encourages a culture of respect for, the nature and limits of copyright law.
Where Creative Commons provide standard-form copyright licences, Privacy Paradigm would provide standard-form privacy policies. And where the Creative Commons licences reflect general principles of copyright law, the Privacy Paradigm privacy policies would reflect general principles of privacy law.
The simplest Creative Commons license – CC0 – waives all copyrights. By analogy, the simplest Privacy Paradigm policy – with stunning unoriginality, let’s call it PP0 – would amount to an undertaking that the site does not process any personal data at all, and thus entirely respects the privacy of all visitors to, and users of, the site. There would be a PP0 icon on the site, which would link to the standard-form human-readable policy on the Privacy Paradigm website, which in turn would link to the technical legal code on the Privacy Paradigm website.
Beyond CC0, Creative Commons offers a suite of copyright licences, and powerful computer code under the hood helps users to choose the most appropriate licence for them. Similarly, beyond PP0, Privacy Paradigm would offer a suite of privacy policies, with powerful computer code under the hood to help users to choose the most appropriate policy for them. One of these policies could reflect best privacy practice; another could reflect the minimum standards laid down by appropriate regulations or regulators (such as the long delayed EU Data Protection Regulation). One significant lesson which can be drawn from the success of Creative Commons is that their suite of licences is small but well-chosen. If there are too many options, the process can get confusing for the user; but if there is a small set of options, users can more easily understand them and make the most informed and appropriate choices. So, Privacy Paradigm would need to have a similarly small but well-chosen set of options. And, of course, they would need to have icons on the Privacy Paradigm badges just as memorable and accessible as the icons on the Creative Commons badges.
More than that, off the top of my head, by looking at what this site does, and from my own experience online, I can see at least five ways in which sites on popular platforms such as WordPress and Drupal can process personal data. The first is in the comments section; the second is in the contact form; and the third is where a site requires registration for access. All of these can require names, email addresses, and other personal data. Privacy Paradigm could write plug-ins that respect the privacy of those filling in personal data on such forms, and provide the appropriate badges so that users filling in their personal data would know just what use the site will make of it. Moreover, the contact form would need to make it easy to make privacy requests (such as rectification or erasure of personal data, or delinking pursuant to the right to be forgotten).
The fourth relates to the analysis of user traffic provided by various analytics packages. Here, Privacy Paradigm could write plug-ins that respect the privacy of site users, and provide the appropriate badges so that users would know just what analytics are being undertaken with the site’s traffic data, and where – if anywhere – these analytics are being shared. The fifth relates to simple online shopping, where a user purchases a good or service on a small-business site, and where the site therefore inevitably processes personal data. Again, Privacy Paradigm could write plug-ins that respect the privacy of site users, and provide the appropriate badges so that users would know just what use is made of their personal data, and where – if anywhere – it is being shared. Finally, here, I hope that those more knowledgeable about website data processing than I am will be able to tell me about other data processing undertaken by and for popular platforms, so that appropriate Privacy Paradigm plug-ins could be provided.
There are always questions of enforcement of the terms of Creative Commons licences, and there will be similar questions of enforcement of Privacy Paradigm privacy policies. Compliance with Creative Commons licences is largely a matter of trust, but breach of such licences can have legal consequences. Similarly, respect for Privacy Paradigm privacy policies would likewise largely be a matter of trust, but breach of such policies would also have legal consequences. Those consequences would depend upon the terms of the relevant policies and also upon the applicable legal regulations. It would therefore be necessary to co-ordinate the work of Privacy Paradigm with appropriate regulators, so that, in particular, (by analogy with CC4 licences) Privacy Paradigm privacy policies could both reflect international standards and refer to the relevant local regulator. Of course, this will require careful drafting of Privacy Paradigm’s privacy policies and accompanying computer code. But this challenge should be more than surmountable.
There are limits to the utility of the Privacy Paradigm solution, of course, just as there are limits to the utility of the Creative Commons solution. They do not displace bespoke privacy policies or copyright licences, especially in the case of bigger businesses, where professional advice is necessary. Beyond this, however, the success of Creative Commons demonstrates that there is a need for a simple set of copyright licences, available to all. Similarly, Privacy Paradigm would demonstrate whether there is a need for a simple set of privacy policies, available to all – and I believe that there is.
There is a final set of questions: what else does Creative Commons do from which Privacy Paradigm might learn? And, from the perspective of protecting and respecting privacy, what more could Privacy Paradigm do in its own terms? If you have any suggestions, please let me know! In essence, if Creative Commons can be summed up in the three-word slogan “some rights reserved”, then Privacy Paradigm can equally be summed up in the three-word slogan “respecting privacy online”.
In conclusion, credit where credit is due: the phrase “Creative Commons for Privacy” was suggested during a recent meeting of the Ethics and Privacy working group of the ADAPT centre in Trinity College Dublin. Present were Owen Conlan, Bert Gordijn, Linda Hogan, Dave Lewis, Declan O’Sullivan, Mary Sharp, and yours truly. In answer to a question from Dave, I was talking about coding work flows which would build privacy by design into the centre’s digital content innovations. I commented that this would be a complicated marriage of complex computer code to convoluted legal code. And I pointed to Creative Commons as an example of where this kind of marriage has been conspicuously successful. I was musing on whether their (legal code/human readable/machine readable) licence workflow could be adapted to the privacy context, on whether “Creative Commons and Privacy” might go together in some way, and Owen replied with a comment which contained the phrase “Creative Commons for Privacy”. The rest, I hope, will be history. Indeed, if any benefactor out there wants to support this endeavour, please let me know. Roll up; roll up!