Data Protection and Privacy
Data Protection and Privacy
Data protection and privacy (as far as its overlapping facet is concerned) are concrete fundamental rights, whose enjoyment depends on the active provision of all the necessary conditions by data controllers and processors. The duty to inform data subjects about how their data are used, processed, and stored, is certainly included. After all, rights are worth very little if their bearers are not aware of them, or how to enforce them.
In this light, the recent outrage concerning Google Street View’s surreptitious collection of personal data such as email addresses, passwords, IP addresses etc., is easily explained. The related report published at the end of April demonstrates that the collection of such data by Google’s vehicles mapping different cities’ streets was not due to the decision of a single employee acting in his own capacity. Rather, it was a well-orchestrated programme, which many people inside the company were aware of. Consequently, EU prosecutors are planning to resume actions against the company.
This comes one month after the Commission stretched its muscles over Google’s privacy policy change, whereby all accounts held by one user are going to be conflated in one single access point to its services, in an effort to step up identity management, i.e. identification of customers, to better extract revenues from users. The problem here is a ‘take-it-or-leave-it’ approach, whereby customers are left with no choice but accepting the changes or quitting, provided they have read and understood the new policy at all. Google is hardly the only company faced with criticism over this issue; Facebook, for instance, is also criticized for its constantly changing, ‘take-it-or-leave-it’ approach. These policies seem to be a tick-box exercise: they comply with legal requirements without providing users with meaningful instruments to protect their privacy.
In contrast, in the online world privacy/data protection policies are an important, and sometimes only, means toward this end (if succinct, complete, and written in layman’s language). Appeals to foster clear information started some years ago, and have been recently restated in programmatic speeches on data protection legislation reforms, such as Vivianne Reading’s.
Unfortunately, this is often forgotten. Either privacy policies are used as a tick-box exercise, or they are inexistent, even with those who preach the importance of enhancing human rights. Indeed, we reviewed 20 related projects under the SEC and SSH call. Of the 18 fully operational project websites, only a few have a legal notice, and an overwhelming majority does not provide a data protection policy, even among those whose research focus is privacy.
Click on the link below to read the SURVEILLE FP7 project’s data protection policy. Comments and suggestions are most welcome.
https://surveille.eui.eui.eu/index.php/about-surveille/privacy-notice/