Warning: liveblog, my impressions, not direct quotes, long post. Also using simultaneous translation for some speakers. This post may contain data protection law. You have been warned.
The third session of Day One addressed the question of data protection and social networking, and brought together an interesting range of speakers, who had all encountered the law and policy of data protection in different ways.
The provocative introduction is given by Monica Vilasau of UOC, highlighting various examples of non-compliance by social networking sites, but also alluding to Grimmelmann’s point of the morning about the threats to data protection rights by fellow users alongside familiar threats associated with public authorities and private enterprises. She also drew our attention to the high levels of SNS use in Spain, and how the existing privacy controls are often ignored by users (i.e. defaults followed).
Esther Mitjans of the Catalan Data Protection Agency reviewed her experiences dealing with new web services and was quite frank about the limitations of existing legislation but also the persistent need for scrutiny of private enterprises involved in the processing of data. She acknowledged the pressure for clear rules to become established (in whatever fashion is appropriate) but that this should not ignore the abiding importance of parental control and scrutiny, where there is a significant degree of responsibility that cannot be replaced by a data protection agency. She also posed some thoughtful questions about the possible ‘new vulnerabilities’ associated with social networking, the meaning of ‘informed consent’ in the current era, and suggested that although there may be lacunae in the law, it does contribute to user ‘confidence’ despite this. Mitjans also discussed the Article 29 Working Party report on online social networking in some detail, explaining its principles clearly and cogently. On a number of occasions, she did argue that it was necessary to prosecute those who act illegally (whether they are involved in managing sites or gathering data published on them) as part of a broader philosophy of risk management.
Pablo Perez of the INTECO observatory reported on his research into social networking sites published as a recent report, including some in-depth work with under-14 users who are (as you may expect) frequent and fluent users of such websites. He identifies three points at which crucial decisions are made and potential risks are present: the creation of the profile, the use of the service, and the deletion of an account. His range of recommendations included some suggestions towards age identification/verification, which of course has been the subject of discussion in the US for some time now. He also considered the need for better coordinated or harmonised international law on these topics.
A philosophical perspective was provided by Franck Dumortier, who focused on the ‘de-contextualization’ of identity and information through the use and reuse of such in different contexts. He traced the roots of privacy, including possible tensions between the right to be left alone and the right to contextual integrity. Illustrating a key point with a wry discussion of how information on one’s sexual life is most appropriate in certain contexts and wholly inappropriate in others, Dumortier took a sceptical approach to some of the claims of social networking sites, arguing that identity itself was being challenged by the way in which information is stored and shared. He also made a useful argument regarding the distinctions between ‘privacy’ and ‘data protection’, with some criticisms being expressed of the language and framing of the latter (the data subject etc).
Barbara Navarro, of various hats but particularly the person responsible for institutional relations in Google’s outpost in Spain and Portugal, had the difficult task of following the earlier papers with a defence of Google’s activities and practices. And defend it she did, setting out to demolish myths and misunderstandings of Google’s behaviour. She noted that Google is seen by many as a ‘symbol’ of the Internet, and therefore is frequently in the public eye, but suggested that the perception among some of the amount of information held and used by Google is inaccurate. She relied upon the pronouncements by certain EU authorities that IP addresses are not personal data and explained how Google’s activities in the area of data retention have particular technical and quality control purposes, but also discussed the role of contextual advertising and its importance to the Internet industries (and, crossing both points, set out to reassure Gmail users that Google neither has the time nor the will to ‘read your email’!). On these points, as indeed with other points, Navarro was an advocate for both self-regulation and for protection of privacy based on education and the ability of users to choose.
This was, as you can see, a wide-ranging discussion, drawing upon reports from the research coalface, a defence of the role of public authorities as guarantors of the public interest, the view from a large commercial player, and a long-term view looking at the implications of data exchange for concepts of privacy. There was some discussion of broader ‘safety’ issues, which will be discussed in a further panel on day 2. Another report is provided by Ismael.