Over the past three years, Intel’s “Rethink Privacy” has called for a reinterpretation of the Fair Information Practice Principles that guide the responsible collection, use and protection of personal data. While the principles remain relevant, we believe that industry, technologists and advocates need to think creatively about how organizations can be applied in a flexible way that fosters innovation and effectively protects individuals.
Openness states that “There should be no personal data record-keeping system whose very existence is secret and there shall be a policy of openness about an organization’s personal data record keeping policies, practices, and systems.” From the beginning, effective implementation of the principle of Openness has proven elusive. Notices have been the preferred mechanism, but have often proven unwieldy, and in perhaps because they are asked to perform so many roles – basis for consumer choice, regulatory tool, and public education platform among them – they are often of limited utility to consumers. While regulators have called for notices that are concise and comprehensive, consumer and privacy advocates note that attempts to create those have rarely been met with success, leaving individuals unequipped to make decisions and ill-informed about technology, devices and data use.
In the Rethink document, Intel proposes that to effect openness, companies should take a two-pronged approach, posting a comprehensive notice for use by regulators, advocates and experts, and a concise notice that supports consumers’ decision making about data collection, processing and sharing. Building on that approach, last week I was fortunate to join my colleague, Mary Culnan, Professor Emeritus at Bentley University, in publishing a paper titled, “Through a Glass Darkly: From Privacy Notices to Effective Transparency” in the University of North Carolina Journal of Law and Technology. In it we examine the roles notices traditionally have been expected to play, the ways they have succeeded and failed at doing so, and lessons to be taken from those experiences. We argue that the openness principle would be better served by efforts to create an environment of transparency, which we define as a condition of disclosure and openness jointly created by companies and policymakers through the use of a variety of approaches, including notice.
We agree with Intel’s proposal of a two-pronged approach to notice – based on our review of the history of notice, we believe that organizations should continue to provide comprehensive, technical notices to facilitate the roles of regulators in enforcing privacy laws, and companies’ commitments to best practices and their promises to consumers. We also support organizations’ development of alternative forms of disclosure that serve the needs of individuals, providing them with relevant information in clear, understandable language that is delivered at the appropriate time.
Professor Culnan and I suggest that creating transparency will require more. We recommend that notices be developed as part of “privacy-by-design” – that they should not be drafted and posted as the last step before a product or service goes to market, but rather be considered and built in across the arc of the development process. We highlight the importance of consumer expectations in identifying what information should be included in a notice. We look to technology to make notices more useful, and to role of public education in promoting transparency.
As the volume of data we collect increases, and as collection becomes more pervasive, openness is more important than ever. The Rethink calls on our imagination and our ability to innovate to make the data eco-system more transparent and the notices that promote transparency work better.