In the week that Elizabeth Denham was announced as the next UK Information Commissioner, the outgoing Commissioner made several controversial statements about fair processing notices, which are to change dramatically in length with the advent of the General Data Protection Regulation (GDPR).
The Commissioner noted that when Articles 14 and 14A of the GDPR come into force, he expects privacy policies of more than 5,000 words to become the norm. To avoid this prospect, the Commissioner intimated that the next version of the “Privacy Notices Code of Practice” (which covers the GDPR) could be entitled “The Anti-Privacy Notices Code of Practice”.
His comments were made at an impromptu press conference at the bar of the Banana Beach Club in Grand Baie following a demanding day at the Annual Data Protection Commissioners’ Conference held in Mauritius; the Article 29 Working Party (WP29) had just devoted the day to debating the differences between “unambiguous consent” and “explicit consent”.
The Commissioner quoted research (see references) showing that the median length of a privacy policy from the top 75 USA websites is 2,514 words. As the standard reading rate in the academic literature is about 250 words a minute, each and every privacy policy takes 10 minutes to read. For a firm with 2,000 staff, this means it would take just under a fortnight of continuous staff reading time to get through it.
The time calculation is different for the 3,882 words of Google’s Privacy Policy (2016 version), as experiments show that it takes the average Sun reader over an hour to read. Personally, I found the added time quite surprising because Google insists, wherever possible, on using words of less than one syllable to communicate the privacy impact on data subjects.
Introducing the “anti-privacy” idea, the Commissioner (with a slight dig at the “Northern Powerhouse” policy) stated that “breathing the clean air as an honorary Northerner for the last seven years, mainly because most of the heavy engineering works, salt mines, mills and pits have all been closed, I am now used to calling a spade a shovel”. He then said that this meant the data protection community needed to be honest with the terms it uses.
For instance, if Privacy Policies were called “Anti-Privacy Policies”, the Commissioner added, “they would become shorter”; this was because the public would see that the larger the word-count, the more likely the policy would be invasive of privacy. Privacy policies would still not be read by anybody, but the word-count would be a simple and essential guide to how invasive a data controller would be.
The Commissioner added that, if privacy policies were called “anti-privacy policies”, Google would not support a text of 4,000 words length; instead most data controllers would boast about “how tiny it is”.
Warming to his honesty theme, he said that a “Privacy Notice” is really the opposite. For instance, if there is no privacy notice on a website form, then the data subject knows that the processing of his personal data is only for obvious purposes. A privacy notice is only needed to alert the data subject to non-obvious processing purposes; for instance, data sharing for credit scoring purposes.
The term “privacy notice” is therefore an example of the use of language that describes the opposite. For example, a Money-Laundering Officer at a bank does not offer a service to launder a suitcase of rolled-up €500 notes (found under the bed after your granny’s death); his job is to prevent money laundering.
“It’s the same with Privacy Notices; a Privacy Notice is present to describe non-obvious invasions of privacy not the protection of privacy”. That is why the Code of Practice is going to change its name.
Indeed, the Commissioner wondered aloud whether the same idea should apply when considering the term “Chief Privacy Officer”; perhaps they should be called “Chief Anti-Privacy Officers”.
The Commissioner then added “they don’t protect data subjects from privacy invasions, their job is to protect data controllers from data subjects”.
Publicity
We also run the BCS DP Practitioner Qualification (starting in London on April 12 and in Edinburgh on April 25) and the BCS FOI Practitioner Certificate (starting in London on April 19).
We hold GDPR Regulation Workshops in London (May 23), Edinburgh (May 20) and Douglas (IoM; May 5); details of all our DP/FOI/CISMP courses in Leeds, London and Edinburgh are accessible by clicking the relevant buttons on the Amberhawk home page: www.amberhawk.com
References
Mauritius press release: http://www.govmu.org/English/News/Pages/Mauritius-Hosts-36th-International-Conference-of-Data-Protection-and-Privacy-Commissioners.aspx
Length of privacy notices: http://www.out-law.com/page-9490
Reading the privacy policies you encounter in a year would take 76 work days: http://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/
Data Protection Commissioners’ Conference, Mauritius: http://www.privacyconference2014.org/