Today we kick off the 4th Interdisciplinary Summer School on Privacy (Nijmegen) w marvelous participants & @FusterGloria @marioseventysix @narseo @mdieter @NoraADraper @graydesign @amislove @jusTechne @moniekbuijzen & co. @MLeiser as instructors #ISP2019 isp.cs.ru.nl
Second day continues with a lecture by Gloria González Fuster presenting “Dark Transparency Patterns”
“I will talk about law, and not ethics, law, but specifically European Union law; and about data protection law and not privacy.”
Specifically, will talk about transparency and data protection.
The three actors of the fundamental right to data protection are data subjects, controllers and supervisory authorities. I will focus on the relationship between data subjects and controllers.
Transparency can be many things, philosophical things or things important for democracy. In data protection, controllers have to process data in a transparent way. Also, the communication between the two needs to be transparent. Transparency of processing and communication.
There are the classical rights of the data subject, access, objection etc. There are other rights that you “have”, that go beyond these. Like to launch a complaint with a DPA, or mandate an NGO to represent you.
You have a general right to access information actively, demand information about what is going on and access to data. This week we focus on the situations in which data subject’s data is flowing to the data controller.
The data controllers are obliged to give information, including information about data subject rights to the data subject. If you go to a privacy policy, data protection notice, there should be a part called “your rights”. At least there should be.
They are obliged to do this, because we assume that data subjects do not always know that they have these rights. It is not really working, but that is the idea and it is the first step of the transparency.
They give you information about these powers, like the right to access, rectify, object and give you more information about access to the data. The data subjects have the right to get something back.
A lot of the studies so far focus on the flows from data subject to the controller but not the other way around, where #darkpatterns also appear.
Transparency is never just to disclose information, it is a translation. The way in which data controllers communicate mirrors inter alia a certain idea of the data subject.
To get data in that sense is not sufficient, it may not be meaningful to the subject, or may or may not help to better understand themselves, but to provide some info about the processing. (I may have butchered this, but putting here because it opens a bunch of questions)
There is a discussion also about whether privacy policies are the right way to fulfill the transparency obligations.
What data controllers communicate about the data subject is interesting, because in general terms, we have no idea of who is the data subject.
We have some idea of the legislator's idea of the data subject. The legislator, for example, imagines that the data subject has no clue, hence the rights need to be communicated. But at the same time, they assume this data subject can give informed consent.
I have been told that I am obliged to provide this information to you at #ISP2019: Information must be provided to data subject regardless of the legal ground for processing and not only in order to obtain ‘informed consent’.
In Article 6 of the GDPR there are 6 grounds, consent is one of them. But, when one of the other conditions is fulfilled, the data controller does not need consent.
Q: what if you have multiple grounds?
A: good question, ideally should be one and people should stick to it...
There are situations where data subjects will revoke consent, and the data controller will come up with another ground to continue processing. That shouldn’t be a way out of the revocation.
There is also legitimate interest. Some people argue it is better than informed consent because it requires the balancing of fundamental rights. From a legal perspective, this can be seen as a more serious assessment for processing than the easy to obtain consent.
In any case, the user has to be informed about the legitimate interest and the data controller needs to make transparent the balancing that they made.
Which information exactly must data controllers provide to data subjects? Article 13 specifies “information to provide when collecting data from the data subject”.
It also says that you need to provide information about the existence of various data subjects rights, like access, rectification, erasure. But just letting data subjects know that rights exist is unlikely to be sufficient, if it’s not clear, if & when these rights apply to them.
All this information must be provided in a concise and clear way. The law text includes all the following words: concise, transparency, intelligible, easily accessible...
Article 12 further states that the controller shall facilitate the exercise of data subject access rights.
Facilitate: dictionary says, it should make easy, easier, possible, smooth, clear the way for, lubricate, expedite.
Has this happened to you with data subject access rights?
There is a tendency for some of the companies to encourage you to download some of your data: is this sufficient to exercise your rights? You usually download some partial view, and this is often not facilitating your real rights, although it pretends to do so.
The right to unsubscribe is one of the most popular implementations of the right to object to processing for marketing. The signals are used to optimize marketing.
A year after GDPR, ‘active’ data subject rights have generated quite some interest, especially among ‘experts’. However, privacy policies are still unpopular. There is relatively limited interest in compliance with information obligations.
Many people don’t read them, experts don’t trust them. Even if I try to convince you that they are really important.
Much of the activism is on using the active rights, and not using the privacy policies/data protection notices. The exception is the crawling and automated checking of privacy policies using “AI”.
I am worried about such crawlers/automated checkers. Privacy policies are not about complying with a check list but giving subjects information about things they can do, facilitating their rights.
If data controllers do not comply with their information obligations, then data subjects cannot find out how they can exercise their data subject rights. We need to look to see if these rights are being communicated well.
Most data controllers are not good with fulfilling their information obligations. This becomes evident in the many dark transparency patterns.
Gloria expands #darkpatterns with #darktransparencypatterns: information that negatively impacts data subjects’ understanding of what is going on with their data and rights
Some interesting insights can be found in recent cases on Twitter, Google and Facebook in France (please ask @FusterGloria for references)
She refers to cases by the Tribunal de Grande Instance de Paris.
Legislators do think about information provision, but in many ways, they don’t think about interactions and the use of #darkpatterns to make certain interactions difficult and how these may come to affect the facilitation of data subject rights. (Gonna check if I got this right!)
One of the great things regarding #darkpatterns is knowledge coming from consumer law. But this is not always good, for example, when they center the data subject as a consumer who transacts with their data, which is not how GDPR conceives the data subject.
How can a data protection notice actually facilitate the exercise of data subject rights?
Here are some 5 simple rules, cause I am hopeful we can do this:
1. Inform data subjects about the rights they actually have. Don’t refer to their mere existence.
2. Provide details as to which data these rights apply to!
Do not just provide hints about where this information might be found.
Typical example is the right to withdraw consent, to that which you provided consent. But, what did the data subject consent to? That information is never provided.
3. Give precise information about the consequences of exercising such rights.
Do not mention vague potential catastrophic consequences.
Threatening language, if you don’t provide us with your information, we may not be able to provide you with health assistance!?!?!
Gloria shows another example, where a privacy policy says, “if you withdraw consent, we will use other legal grounds.”
4. Give clear instructions on how to exercise your data subject rights
Avoid overcomplicated information.
5. Refrain from adding unnecessary, not applicable, or ambiguous information about exceptional, improbable or purely hypothetical scenarios, for instance if related to other jurisdictions or situations which seem to have no connection with the case at stake.
That’s the end of my presentation, and I hope it was optimistic!