Out-Law News 3 min. read
08 Jul 2015, 5:54 pm
The telecommunications regulator asked WIK-Consult to review existing research into the "effectiveness of different approaches to informing consumers about proposed uses of their data, and securing their engagement and consent".
WIK-Consult found that there is already a disconnect between the need, in many occasions, to obtain consumers' informed consent to the processing of personal data and the fact that, in practice, many consumers do not read privacy policies online.
In its report on personal data and privacy (199-page / 1.26MB PDF), WIK-Consult said there is "no single solution" to address that "dissonance", and said the problem could get worse as more devices are connected with one another and data flows more freely in the so-called 'internet of things' (IoT).
"Although data flows in the IoT do not differ fundamentally from the data flows observed in any connected environment, the sheer increase in the number of connected devices multiplies the data that becomes accessible and analysable," WIK-Consult said. "If expectations about the take-up of such connected devices are correct, online tracking of personal data is likely to become seamless across all areas of people’s lives."
"Besides the increase in the amount of data, one may also expect that data gathering, aggregation and analysis will become even more subtle as machines talk to machines without (almost) any human intervention. Thus, consumers have even less opportunity to learn about data-gathering practices. In some cases, they may not even be aware that the device they are currently using is actually connected to the internet," it said. "Consequently, it is likely that the evolution towards the IoT will aggravate the issues outlined … for the status quo of connectivity."
WIK-Consult said that an increasing number of, and more complex, "contractual relationships" are likely to emerge as the IoT develops, which will reflect the increasing connectivity of devices and data flows. This is likely to mean that privacy policies will "become even longer and more difficult to understand", it said.
"For a privacy policy to be transparent, the privacy policy needs to point out exactly who interacts with the data, when, how and to what end," WIK-Consult said. "This objective conflicts with the objective to write easy-to-understand policies, especially in an IoT context with largely increased combination options for the many more data flows becoming available. Pointing out all possible interactions appears challenging at best and detrimental to consumers’ understanding at worst. It will most certainly not lead to a policy that consumers have a good chance of understanding."
In addition, companies might need to rethink how they explain the way personal data could be used to consumers in the IoT because "it is likely that many connected devices will feature only very small screens or even no screens at all", it said.
The WIK-Consult review said that there are some measures that can help raise consumers' awareness of data privacy issues, including 'nudging' which is where consumers are prompted to consider the benefits as well as implications of enabling the processing of their personal data. Nudging, however, "is unlikely to work with many connected devices", WIK-Consult said.
The IoT is also like to increase uncertainty about what the consequences of consumers' actions will be, WIK-Consult said. This is because "as the complexity of interactions multiplies, so do potentially adverse effects of willingly or unwillingly disclosing personal data", it said.
Ofcom said it would use the findings of the review to inform its thinking on data privacy in the IoT environment. It said in January that it would "work with relevant organisations … to identify and explore solutions to data privacy issues in the IoT, in which Ofcom will play a facilitating role". Amongst the work it could get involved in is the development of a "set of principles for the sharing of data within the IoT".
Separately, European Data Protection Supervisor Giovanni Buttarelli has said there is a need for a "real debate on security and privacy". He said that intrusions into privacy for security purposes must be justified by "necessity", according to an article he wrote for the Mark News website.
"There is little evidence that mass surveillance prevents terrorist attacks and that giving up privacy results in greater security," Buttarelli said. "Indeed, greater security does not require the loss of privacy. It is time that nations move beyond the false fad of discussing security vs. privacy and focus on implementing laws that take into account privacy rights as well as the indisputable need to fight terrorism."
"Governments need to justify why any massive, non-targeted, and indiscriminate collection of individuals’ data is really needed. In order to protect our fundamental rights in a world of big data, we need to defend our data protection principles," he said.