02.04.2013

Too much information? Not when it comes to privacy.

Portrait von Niko Härting
Niko Härting

Too much, too long, too complicated: These are the main complaints when privacy policies are discussed. And yes, in many cases, they are too complicated. But if most of us will agree that transparency is a major tool to preserve privacy, can there really be too much information?

Transparency Missed?

As far as the lack of simplicity and readability is concerned, Google's Peter Fleischer recently made an observation that is just to the point:

"Why can't Johnny read a privacy policy?  It's because privacy policies aren't being written for Johnny to read.  They're being written for regulators and lawyers to read."

("Why Johnny can't read ... a privacy policy", Peter Fleischer: Privacy ...?, blog post of 27 March 2013)

True: When the Data Protection Authority (DPA) is likely to be happy with the wording of a privacy policy, the client is happy. And in order to make DPAs happy, you have to follow the rules (e.g. the law). As privacy policies are, no doubt, legal documents, the standard language is legalese. And legalese is a language that average users are unlikely to understand.

Lack of User-Friendly Standards

It would foster transparency if standards were established for user-friendly explanations. So far, no such standards exist. The development of user-friendly information and standards is, however, a task upon which lawyers should not even sit in the back seat.

User-friendly language or legalese? I do not think that there is an either/or. Many online services are trying to do both at the same time. When you scroll through the pages of Google ("Google Policies & Principles", Overview), LinkedIn ("LinkedIn Privacy Policy" highlights and in full) and others, you will find attempts at doing both: legalese to meet the legal requirements and shorter expalantions in (more or less) plain and user-friendly language.

How much information?

When there is a lot of information on privacy, you often hear the comment that there is "too much information". A comment that seems odd when you esteem privacy:

  • Rough and in great detail: Medical information, information on the hotel you want to spend your next holiday at, information on the play that you are going to see next week: We are used to finding an enormous amount of information on items that we are interested in. And taking privacy and the need for transparency seriously, why should there be a need for scarcity? Users who just want some rough information should be able to find it. And for users (or lawyers) who want to know everything in great detail, there should not be any limit to the information a data processing company may provide. In the digital age, scarcity of information can never be a virtue.
  • Concept of  "informed" consent: "Too much information" can be a serious problem when the legal requirement for data processing is explicit, previous and "informed" consent. How much information can a user swallow without being overfed? And how much information is necessary in order to regard the consumer as "informed". Tough questions to answer. But maybe the first question should be whether "informed" consent as such is perhaps an over-rated concept. The "one-size-fits-all" legality principle makes data processing illegal. "Informed" consent is then the golden bridge out of illegality. Consent as an instrument of preserving privacy and control is overrated ("Letting Down Our Guard With Web Privacy", The New York Times of 31 March 2013) and fetishized. The belief that consent equals control is far greater than the sobering reality of a "carte blanche consent by checkbox and mouse click" deserves. The "one-size-fits-all"  legality principle is the problem rather than "too much information".

A Simple Request:

We need standards for user-friendly privacy information. But we do not need to cut down on information when it comes to privacy.

 

Zurück