Tuesday 20 September 2011

The perils of devising privacy principles


Ouch. I write from experience here. I write from the perspective of someone who has tried hard, several times, to create guides or codes of practice which help others understand what sorts of data protection rules they should actually be following.

In a previous life, while working for the Association of British Insurers, I helped prepare material that explained data protection obligations to insurance companies. Then, I helped prepare material for members of the financial services industry more generally. And, in recent months, I've been putting my mind to the sorts of messages that could be usefully sent to web application developers, and particularly the developers of applications that will sit on mobile devices. These are messages that could be sent by the GSM Association. This bunch represents the interests of mobile phone operators worldwide. Spanning 219 countries, it works with nearly 800 of the world’s mobile operators, as well as more than 200 companies in the broader mobile ecosystem, including handset makers, software companies, equipment providers, internet companies, and media and entertainment groups.

This is the first time that I’ve tried to help out with privacy stuff on a global scale. I haven’t helped out a lot. Just a bit. But let’s be honest, developing British standards can be tough enough. And developing European standards is much, much tougher. So who has the energy and commitment to up the ante even higher and commit themselves full time to developing global standards?

Why do I bother? Even doing the little I do? In moments of despair, I ask myself that question. And the reason is always the same. Mainly, because I care. I want to help people understand the issues they need to consider when they develop fun stuff for other people. But is it actually possible to achieve this when people’s cultural expectations differ so greatly around the globe?

Data protection is never going to be the sort of subject that will be in the forefront of the developer’s mind. "Worthy but dull" is perhaps the best way they will think of it. Data protection is worthy, but it need not be dull. It's increasingly important, and application developers who don't get it are likely to have their internet applications increasingly criticised by regulators. Whether this leads to fewer people wanting those applications is another issue, and I don't propose to comment on that issue in this blog posting.

The real peril comes when a decision has to be made by those who are developing the standards about what standards should be proposed to meet the obligations that have been identified. Should the authors always insist on the highest standard, or could a lesser approach work better? Where should the bar should be placed?

The difficulty of making such decisions is magnified when it is a representative trade association that is creating the guidance. There is always a tension between creating guidance which suits the immediate needs of the businesses for which the guidance is designed, and the longer term needs of the customers of the businesses for which the guidance is designed.

So, with that in mind, it is going to be really interesting (to me, at least) to see where the GSMA will set the bar as it polishes its draft Mobile Privacy Design Guidelines.

For those who don’t already know, the GSMA has had a brilliant idea and it has published, and for several months has been inviting comments on, a discussion document outlining a set of Privacy Design Guidelines for Mobile Application Development (and an annex of illustrative examples). As the GSMA explains: these guidelines seek to articulate the Mobile Privacy Principles in more functional terms and are intended to help drive a more consistent approach to user privacy across mobile platforms, applications and devices. The GSMA welcomes comments from all parties on the guidelines and encourages stakeholders from the broader Information and Communications Technology industry to join in conversation and partnership on this work.

Right. As the discussion document was circulated for comment in April 2011, the consultation period must surely be coming to an end soon. Consequently, it won't be long before some key decisions are made. What sort of decisions need to be made? Well, if I were to get my crystal ball out, I would expect the GSMA to consider, in the light of the responses to its consultation exercise:

• Whether the rules should be designed to point an application developer in the general direction of what they need to do to comply with most of the relevant privacy rules, or whether the rules should offer comprehensive guidance about that to do in every conceivable situation in every relevant country;
• Whether the rules should be designed to meet the needs of consumers in specific parts of the world (eg just Europe and the USA), or whether they should meet everyone’s needs, wherever they are on the planet; and – most importantly -
• Whether the rules should be offered to its members as an example of good practice, or whether absolute adherence to every rule should be a strict condition of GSMA membership, with members failing to comply being thrown out of the Association.


I don’t know the answers to these questions, nor do I know how the GSMA will decide the answers. But, when they do become publicly known, I expect that I’ll be blogging about them.

Sources:
http://www.gsm.org/documents/privacy_design_guidelines.pdf
http://www.gsm.org/documents/use_case_annex_privacy.pdf

.