Are Privacy Shield/Kitemarks the solution for transparent Terms & Conditions?

ICO-urges-firms-to-get-privacy-sealsAt the heart of current online consumer protection is the concept of informed consent where by the prospective consumer makes a conscious decision to sign up to a service with full knowledge and consent to the consequences of doing so. Even in the newly signed EU General Data Protection Regulation, which will go into effect in 2018, this will not fundamentally change. For anyone who has ever used a commercial internet service however, and this included policy makers, it is glaringly obvious that there is a fundamental flaw in this approach, namely the assumption that the consumer has a good understanding of the contract that is being entered into.

The means by which consumers are meant to gain the required knowledge is by way of Terms & Conditions and Privacy Policy documents. According to evidence that was submitted by Citizens Advice to the House of Lords inquiry on Online Platforms and the Digital Single Market “approximately only a third of consumers’ report that they read terms and conditions”, but that according to the evidence of “actual time spent reading terms and conditions … the figure appears closer to 1%”, a finding that was confirmed in evidence given by The German Monopolies Commission to the same committee. The reason for this consumer behaviour is of course obvious since these texts (T&C or Privacy Policy) have a tendency to be as long as Shakespeare plays and written to be understood and used in a US court rather than by ordinary consumers [see also previous work on this from Horizon DER]. Somewhat unsurprisingly, a Eurobarometer survey found that, of those who did not fully read privacy statements, 67% found them too long, while 38% found them unclear or difficult to understand.

In order to remedy this situation the Lords’ inquiry in Online Platforms makes a firm recommendation “that privacy notices should be supported by kite-marks, to identify online platforms meeting EU standards on the handling and processing of personal data. Kite-marks would provide a visual symbol for consumers to quickly understand the implication of any agreement they may make regarding data protection when engaging with an online platform.” Furthermore, “[w]e [the Lords’ committee] support provisions within the General Data Protection Regulation to allow organisations to use privacy seals, or kite-marks, to give consumers confidence that they comply with data protection rules.” This is concluded with the recommendation that, “[i]n order to encourage competition on privacy standards, not just compliance with the law, we recommend that the Government and the Information Commissioner’s Office [ICO] work with the European Commission to develop a kite-mark or privacy seal that incorporates a graded scale or traffic light system, similar to that used in food labelingTrafficLightStyle_label, which can be used on all websites and applications that collect and process the personal data of EU citizens.” In giving these recommendations, the Lords’ committee reiterated the recommendation that was previously made in the conclusions of the Commons Science and Technology Select committee inquiry on Responsible Data Use in November 2014.

Based on the 2014 recommendation the ICO started work on developing a certification scheme of Privacy shields/kite-marks in 2015 which is scheduled to start operating later this year. Under the ICO’s scheme, “A privacy seal is a ‘stamp of approval’ which demonstrates good privacy practice and high data protection compliance standards. It will work much like the British Standard Institute’s Kitemark symbol, which is displayed on numerous products and services within the UK to demonstrate quality and high standards.”secure-digital-transactions Once the scheme is up and running, organisations that are able to demonstrate that they meet the highest data protection standards will be awarded an ICO privacy seal, which they can use to show that they are adopting best practice when it comes to looking after people’s information. They will be able to continue using the ICO privacy seal as long as the organisation is maintaining these high standards, which will be periodically reassessed. (Further information about the development of the ICO privacy seal can be found in the ICO’s blog post ‘What you need to know about ICO Privacy Seals’.)

While the work of the ICO is a great step in the right direction, and will undoubtedly be useful, the reality of the internet is that online services are dominated by US companies that look at business on a global scale of hundreds of millions of customers. From that perspective, a UK level Kitemark initiative, affecting less than 60 million citizen, rapidly looses its significance unless it is picked up and implemented at an international level, or at the minimum at the EU level where it will affect 500million citizens. This is at the heart of the concept of a Digital Single Market and why it is important that the House of Lords Committee on European Union, which held the Online Platforms inquiry, included the recommendation that the Government and the Information Commissioner’s Office [ICO] work with the European Commission in developing the kite-mark/privacy seal scheme.

Go on, leave us a reply!