The publication today of the ICO’s privacy notices code of practice coincided with a furore this week over the announcement of the launch of the UK’s first directory of mobile telephone numbers. Although the press coverage about Connectivity’s service leaves unsaid important points about the business of providing directory services (which Datonomy will be airing over the coming week), it underlines an important point about the business of consent and privacy policies. The same point is made (in slightly different ways) by both the survey accompanying the ICO’s consultation on the code (reproduced here, with permission of the ICO) and the recent RAND report, and the point is one that the intended readers of such policies have long known: almost nobody reads ’em.
Privacy policies now seem to be read mainly by the professionally interested, and there appears to be a steady drift away from these policies being about privacy and towards them being about compliance. Examples of enterprises which are differentiating themselves from their competitors by reference to their privacy practices are hard to find. In a competitive market economy this is curious. It is not the pesky law which is forcing us to write surprisingly similar privacy policies.
But does any of this matter? RAND thinks it does. Its findings highlight that one of the main weaknesses of Directive 95/46 is the absence of a clear link between the concept of personal data and real data protection risks. This missing link is in danger of undermining the effectiveness of European data protection.
Yet the RAND report does not quite seem to draw out some of the conclusions that flow from this finding. In a modern, networked environment, as enterprises move into the computing cloud and begin to adopt more measurable means of marketing to their consumers, and consumers share more of their lives online on social networks, some categories of personal data have become so ubiquitous that the case for affording them a lower standard of protection now seems compelling. And conversely, “anonymised” data, which currently escapes regulation (although the act of anonymising personal data does not), is increasingly much more intrusive of privacy than many species of personal data. Put another way, knowing what I like generally reveals a lot more about me than who I am. Assuming this is correct, there is now a case for the law to adapt to reflect this.
That would be some time away. For today, the Privacy Notices Code of Practice is a call to action to write better privacy policies.