How two almost rights can become awfully wrong.

Posted originally on the Drum

Privacy issues online are a daily occurrence; so much so that I get the feeling that many out there feel personal privacy is the Titanic in our connected world and that they might as well abandon it in favour of the Iceberg that is big data and go with the flow! That’s certainly inherent in the naming of Facebook’s new app as ‘Home’, an indicator of just how much access we have already given away.

Last week, however, it was our online history or ‘‘right to be forgotten’’ that came in to sharp focus. All those ill-conceived comments, and inebriated pictures that you shared so innocently in the past that followed you around ever since; as Kent’s new youth police commissioner found out last week. Those unavoidable rocks of your digital life, you run into while ego surfing (and job hunting).

Currently there is a fight going on between the UK and EU as to how best legislate ones ‘right to be forgotten’. Whilst occasionally ‘good’ does come from the EU, like having to opt-in to email, much of the industry is still feeling the sting of the Cookie bill, which became a non-issue for consumers, and could have been dealt with without draconian (and unenforceable and expensive) legislation.

In the ‘Right’ corner the EU believes that everyone should have the right to remove their debris. It will be the service providers responsibility to not only promptly comply but also contact any other third party with whom the content has been shared (!), and for non-compliance a fine of up to 2% of gross turnover will be applied (!!). This is another potentially unenforceable and extremely expensive regulation, especially for online services who aren’t faced with these issues on a regular basis.

In the other ‘Right’ corner is the UK. The government claims that this is too much of a burden on business and that we in the UK and (other individual countries) should have the right to make their own laws to deal with it; and that the individual should be made personally responsible for contacting each service. This means that businesses may have to deal with at least 27 local variations of the above – which is also problematic.

I find myself somewhat torn on the issue – I firmly believe in privacy rights and the ‘right to be forgotten’, however I also appreciate the complexity, and to an extent futility, of blanket policies when it comes to the internet. They invariably lead to unpleasant unforeseen consequences, and I’m just going to skim the surface on some of the commercial ones.

How bad could it be?

  • A consumer posted up a picture for a competition that they want removed on a dodgy flash microsite you made a few years back – you’ve already changed agencies (hopefully dumped flash) and don’t have access to it anymore – what do you do? Take it all down?
  • Worse when the real trolls get a hold of you with legislation to sue you and start marketing their cleansing services on a no-win no-fee basis.  They love going after middle-tier businesses that are happy to settle out of court.
  • The big guys (Facebook, Google etc.) have already been pulled up on this still haven’t entirely resolved the issue of taking down embarrassing pictures if you didn’t put them up there yourself – the copyright is actually owned by someone else, so it becomes a whole world of hurt.
  • What fun we’ll have dealing with fake takedown notices as is rife with the DMCA in the US. Split up with your boyfriend? Get him removed from the web!
  • It will be abused as an easy way to censor the Internet. What if somebody quoted you in a damning article? Retweeted a mistake, like Reading East MP Rob Wilson? Redaction-tastic! They say they want to protect freedom of expression but actually the best way to do that is to allow people to express themselves freely, not make ‘an exemption’, which is one of the key criticisms of the bill.

So can we affect the outcome of this battle? Probably not, and in many ways it doesn’t really matter. Consumers demand and deserve the right, so whether it’s poorly legislated or self-regulated, anybody who provides any kind of online service will be affected.

So how can you prepare?

  1. Allowing consumers to easily delete their own data is simply best practice. Most modern platforms have the functionality built in, but if it was built bespoke, it may require more development.
  2. You may want to look at your Data, Terms Of Service and Privacy Policies now, as opposed to later. Blanket legislation will overrule your own – and that it’s a positive action to give your consumers more control over their data – updating them shouldn’t be a challenge (although enabling it might be).
  3. If you are socially driven startup – be it reviews, comment or community – this could potentially be disastrous, add ‘data deletion’ into your ‘Minimum Viable Product’.
  4. If you are the local arm of a global business, but the development resides outside Europe, you may want to add the functionality in to your roadmap or production process now, rather than scrabble around next year trying to grab resources.
  5. Do some spring-cleaning. The Internet it still littered with ancient microsites from the dark ages – do us all a favour and just bin them!
  6. Double check that when you say you are deleting something it’s actually gone. This is often much harder than you think, especially with search engine caches, the Internet Archive and the recently launched UK libraries archive all trying to preserve the data, not destroy it!
  7. Be wary about who you may be sharing or syndicating your data to. This is especially relevant to the publishing industry; editions that carry international comments may find themselves in a whole world of pain. Better to sort it now.
  8. For those whose business model is not completely reliant on advertising – whilst not a solution, but a possible deterrent – you may want to consider not indexing some parts of your site to head a few folk off at the pass.
  9. It should go without saying, but it’s worth factoring this in when planning out sites, apps and user-generated campaigns. Think of it as a data tax, the more you collect the more you are likely to pay in terms of increased time dealing with requests from consumers. I’m sure after a while you’ll be able to actually calculate your exposure up front, but at the moment it’s up in the air.
  10. In the UK and Europe, this will finally put an end to the question ‘Who owns the data?’ and the answer is rightly – The Consumer. If your business model is entirely reliant on the goodwill of your customers, you better make sure you don’t overly exploit them, as I suspect personal takedowns may become the protest mechanism of the future.

Don’t assume this won’t affect you. This isn’t like the nobody-really-cares Cookie Monstrosity, there is nothing worse than a disgruntled consumer with the law and the trolls on their side!

Overly pessimistic or just the tip of the iceberg? Have you had to deal with this yourself yet? Would self-regulation be a better route forward?

Jon Bains is a partner at Business futures practice http://www.weareatmosphere.com

Advertisements
  1. Jon,

    I belong to the camp of legislate it now, and worry about the enforcement controls later. At least this will get the app developers start thinking about baking controls for the data owners in the apps they are working on. I also think the requirement for a service provider to contact any third party that they may have shared the content with, makes lot of sense. If you are sharing my content with someone else for profit then you should have a terms of use with that third party.

    Right to be forgotten is more than just the ability to erase your personal embarrassing past on the internet. As commissioner Vivian Reding pointed out that one of the key provisions of the right to be forgotten is that “If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.”

    This is important to me.

    Last month I wanted to close “delete” my evernote account because of the security breach at evernote. But it turns out evernote does not let you delete your account. You can disable the account, but not delete. That means that evernote will store my account info for ever, and possibly the deleted notes in some archived manner.

    Another example is Netflix. Even if you delete your account, it retains all your profile, preferences, payment details and any other associated information with your account forever. There is no way to get that deleted.

    The “right to be forgotten” will help me in getting this situation remedied by forcing the service provider to delete my information once there is no longer a legitimate reason to keep it.

    Saqib

    • Totally agree about services being required to properly delete user accounts. I just have concerns about the language of whatever legislation is passed.

      The third party liability is very tricky to get right, just as a thought exercise here’s a couple of scenarios

      I post something on my wall on Facebook, that get tweeted and goes viral, is Facebook then responsible to clean the web?

      I post post on my wall and iftt.com (with my authorization) republishes to twitter and it goes viral… Is iftt.com responsible now? or Buffer etc?

      Expanding on one of the examples, if I quote a bit of your comment in another article which then ends up on the huffington post or something is WordPress responsible?

      Seems a bit nuts but with the wrong legal language things can go very bad very quickly.

      I think it’s extremely important for us to maintain pressure on online services to adopt deletion as a norm, absolutely, however it’s the potential impact on freedom of speech which makes me nervous. Lawmakers just aren’t very good at making laws for the Internet 😉

      • Jon,

        I think your concerns are valid. However, this reminds of CA SB1386 (information protection bill), where every one was concerned about how the “reasonable measures” to protect the information will be evaluated in the case of a breach. What’s reasonable and what’s not? But overtime this became a non-issue. The court, lawyers, data owners, data custodians, system owners and all other parties understood what “reasonable measure” means.

        I am just saying let’s not over think this 🙂

        Saqib

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: