Joris van Hoboken

Should a merger review between online advertising companies be open to address privacy issues? The two sides disagree. Some months ago Michael Zimmer and me posted some questions about the privacy issues related to Google’s acquisition of Doubleclick on Google public policy blog. Michael Zimmer observed that the statement of Google on the acquisition did not contain ANY reference to possible privacy issues. Peter Fleischer writes about the privacy issue on his blog. He states that privacy is irrelevant in this context and should be dealt with in other fora. Although I respect his position, it has its flaws.

First of all to the public it would not matter much that European competition law does not allow discussions about possible threats to privacy of a merger between two of the heaviest profilers on the Web. Those are technical points that are better made in discussions with the relevant authorities.

Secondly, it is to me not at all clear why these issues are not relevant to the acquisition. To me it seems that the present ability of these companies to track and profile web users in a combined form has very anti-competitive effects. There would be just no other online service provider with these essential assets for serving advertisers, comparable to Google plus Doubleclick. Since these combined data collections and abilities to collect data on web use have competitive relevance, they are surely relevant in the review.

Thirdly, if this merger review does not allow for such issues to be addressed, the framework should probably be changed. In media mergers pluralism is taken into account. In a merger between online service providers that track people’s online behavior, privacy should be taken into account.

How far should search companies go in indexing the world around us? Privacy protection sets some limitations to the possible ‘reach’ of search engines. These limitations vary across the globe. I just saw a nice post by Peter Fleisscher. He is talking about the right privacy policies for Google Street View, i.e. whether they should move into Europe and Canada with an opt out regime. Yesterday night I was re-reading a great article by Froomkin, ‘The death of privacy’, that explaines among many other things how First Amendment doctrine in the U.S. sets some clear boundaries on how ‘publicly’ available information can be regulated in the United States.

In Europe this is very different. Information about people can be regulated. Yesterday I wrote about the rules of the Data Protection Authority on the publication of personal data online. What I did not speak about, but what is (for legal doctrine) important in respect of balancing data protection with freedom of expression, is the exception that is made in Dutch data protection law for journalists, artists and writers. They do not have to comply with some of the data protection. They do not have to inform people about the processing of their data, they can publish sensitive data, they do not have to respect the rights to make requests of data subjects…

Here the same problem arises as with the responsibility of intermediaries I talked about yesterday. The law uses fairly traditional institutions, such as the publisher or the journalist, to make the basic distinctions. These legal distinctions thereby become as problematic as these institutions themselves. With this I do not want to say that I do not like professional journalism. (I actually am very much in favor of it and would push it even to increase its professional standards.) I just want to say that it makes data protection law very difficult to apply if all the basic distinctions that are being made are highly contested by the practices of society.

EFF is investigating blocking and shaping of Internet traffic by Comcast. They have already found some evidence about which they have made this report. This type of interference is starting to be fashionable. Blocking p2p is exactly the type of private censorship that will probably do fairly well in the political arena. A Belgian judge even ordered the ISP to start filtering such traffic. I think it will be big enough a hedge for lifting the concerns over net neutrality. Although it could be that some companies are found to be so deep into our Internet traffic that it gets sticky. we’ll see…

The Dutch Data Protection Authority (DPA) has published rules (in Dutch only) for the publication of personal data on the Internet. The rules are directed at the actors responsible for publication of information on the Web. They translate the data protection obligations under the European privacy directive (plus implementation into Dutch Law) to the Web specific context. The DPA summarizes the rules with the header: “Privacy regulation applies also for the Internet”.

The rules give a detailed account of the applicable rules for the lawful publication of personal data online. On its newly launched website mijnprivacy.nl (myprivacy.nl) there are simple explanations and documents for the public. The strategy of the DPA seems to be exactly to empower the public with the tools to control the publication of their data on the Web. The rules are still under consultation. The final and official version will probably be published in a few months.

One of the most striking issues in this context is the gap between what is considered lawful under Dutch law by the DPA and the current state of personal data on the Web. If one analyzes the rules, it follows that in many cases one needs permission to lawfully publish personal data. According to the DPA, in many cases one should use logins for sites on which personal data are being published, use the robots.txt to make sure search engines do not make these data searchable.

The rules follow the same omnibus regulatory approach as one finds in the EU privacy directive. The fact that information that is being handled or published online consists of or contains personal data triggers the data protection regulation. The responsible party for publication needs to have a legitimation, such as permission, a contract, a legal obligation or a provable necessity to publish the personal data. It needs to inform the people involved how and why these personal data are being used (How do you inform people that a photograph or video of them has been tagged with their name?) . Publication of sensitive data such as data on political preferences, race and health, without the explicit consent of the person involved is forbidden altogether. The DPA considers a publication that someone has broken its foot as medical, hence sensitive data, and photographs and videos as well, since they reveal someone’s race. The responsible actor needs to make sure that the quality of the data is guaranteed. Everyone has the right to ask for specific information about the handling of data about him, and the right to ask for correction and removal of the data involved.

The rules are pre-2.0. The rules do not clarify the responsibilities of search engines with regard to the handling of personal data. Neither do the rules discuss the proper responsibility of even newer types of intermediaries. Since there is no exemption of liability for search engines and many other intermediaries in the Netherlands it is unclear what this is supposed to mean for these business models. In comments in an article from the NRC about the CBP rules I stressed that privacy is not the only value involved. In my opinion, search engines should in general not be blamed for the unlawful publications of third parties.

Michael Wesch, creator of the most succesful YouTube video on web 2.0 posted a new one, this time focusing in on categorizing and search. Again it is wonderful and insightful.

Currently, I am writing an article about liability of search providers for unlawful material (no safe harbour in The Netherlands for them yet…), reading an article by Frank Pasquale, that discusses the legal space our new categorizers will need to make our information ecology florish, “Copyright in an Era of Information Overload: Toward the Priviliging of Categorizers“. Some weeks ago I ran into Information policy for the library of Babel, by James Grimmelmann and based on the great Jorge Luis Borges.

I planned not to write about it, but these questions from ALDE changed my mind. These questions make a lot of sense, but i have the idea Frattini is on a different thought level. If you want to see some of that, visit his website. It’s not only his weird pronunciation of the words ‘world’ and ’security’. His idiom and ideas are beyond.

Some short excerpts from his thoughts of the week, published in his capacity as European Commissioner:

10 September 2007, 9/11:

“We must also ensure that our counter-terrorism work is underpinned by the best technology we can have. This is vital for us and difficult too because we have to strike the right balance between the right to security and the other fundamental rights of individuals, including privacy and procedural rights. [...] EU citizens deserve our commitment to avoid their daily underground, train, or bus journey becoming a death space.” (Maybe I have to stand on my head to understand his ideas about constitutional rights. I thought their primary purpose is to protect us from over intrusive governments…)

17 September 2007, ‘European Mobility’ (his new word for Immigration):

“…You know well that we Europeans get old and we don’t have children. How many people do we then need? Some speak about 20 million; I don’t know if they calculated this figure or say it simply to scare our fellow citizens who have their doubts. But this is a number that, to be precise, needs to take into consideration at least: 1. The period we are talking about, 2. A fixed age for retirement [...] 3. Births [...].”

24 September 2007, from ‘Civil servant’:

“In general, the role and the image of a civil servant should be marked with prestige when viewed from the outside and internal pride from those who belong to an institution that is “great” because of its service to the citizen. Over time, these two dimensions have been lost. A democratic society needs to know how to increase equality without losing sight of talent and the important assignments we give ourselves.”

I think the video material is very suitable for a compilation If I have time I will try to make one and add it to this post.

EDRI just issued a statement on a new Council of Europe Recommendation. The adopted recommendation seems more an outline how to suppress freedom of expression and information than to promote and protect it. Here is the statement (for more info go to EDRI’s page on the call for action):

European Digital Rights Statement and Call for Action - 10 October 2007

European Digital Rights (EDRI) wishes to express its serious concerns over the adoption on 26 September 2007 by the Council of Europe (CoE) Committee of Ministers of a new Recommendation on ‘promoting freedom of expression and information in the new information and communications environment’ (Rec(2007)11).

The Recommendation has been prepared by the Council of Europe Group of Specialists on Human Rights in the Information Society (MC-S-IS). It has been proposed and discussed by members of this group since December 2005. It was originally intended to be an instrument to ‘further elaborate principles and guidelines to ensure respect for human rights and the rule of law in the information society’. The text eventually turned into a set of ‘guidelines on the ethical roles and responsibilities for key state and non-state actors’, to be promoted through this Recommendation by the Council of Europe. Its final draft has further been amended by the Steering Committee on the Media and New Communication Services (CDMC), under which authority the MC-S-IS operates, and then submitted to the Committee of Ministers.

EDRI participated in the debate in its capacity of independent non-governmental observer to the MC-S-I-S group, without the right to vote. However, few EDRI’s contributions, either during meetings or through written comments and proposed amendments, were taken into account in the final document.

We consider the result to be promoting opaque “self-regulation” and other soft law instruments driven by private interests and implemented through technical mechanisms. As a result, we have great concern that the Recommendation will fail to uphold respect for freedom of expression and information in the online world.

The Recommendation also raises specific concerns, most notably over its part II (’Common standards and strategies for reliable information, flexible content creation and transparency in the processing of information’).

It refers to ‘reliable information’ or content and this is little different from the “official information” of the bad old days. It is hardly compatible with the promotion of freedom of expression and information, which is the purpose of this document.

Moreover, this section calls for balancing freedom of expression and communication with the rights of others to have their ‘values and sensibilities’ respected. As “values and sensibilities” vary not only from time to time and from place to place, but also among different sections of the population, this is certainly against the general CoE background, and in any case goes far beyond the restrictions identified in Article 10 paragraph 2 of the European Convention on Human Rights, as stressed by the jurisprudence of the European Court of Human Rights numerous times.

Furthermore, and in order to strike such a balance, section II of the Recommendation calls for the development by the private sector and member States of tools and standards for the rating and labelling of content and services.
EDRI regrets that the CoE encourages such trend over transparent and accountable public policies as well as binding legislation respectful of fundamental rights, democracy and the rule of law.

EDRI considers this Recommendation to be damaging and a retrograde step for freedom of expression and freedom of the press. EDRI is deeply concerned that such instruments will be used to legitimize subtle means of censorship, through privatised censorship and measures to protect against so-called harmful content.

EDRI will continue to participate to the MC-S-I-S group as an active independent observer, and will continue to raise awareness of the public on issues related to the group mandate. With other instruments being prepared by the same MC-S-I-S group, there is a risk that the trend shown in this Recommendation be confirmed. To better avoid such a risk, EDRI needs your support.

Last weekend (29-30 Sep 2007) I participated in a discussion on search engines on the Jan van Eyck Akademie in Maastricht, the Forum on Quaero. I participated to the discussions and joined Erik Borr’s presentation on Open Search, a Dutch project aiming to develop a privacy friendly, open source, censor proof, p2p search engine. There were no members of the Quaero project present. They had actually contacted the organizers to ask for the removal of Quaero from the title. I especially liked the presentations by Michael Zimmer, Jodi Dean, Richard Rogers and Florian Kramer. Netzmedium has a nice post on the forum. Next month (10 October 2007) there is a conference on European search engine projects, in Geneva, with industry and policy makers present.

The Economist weekly magazine is currently doing a series of editorials called “Civil liberties under threat”. The first two are The real price of freedom and Learning to live with Big Brother. Both are definitely worth reading.

The real price of freedom makes an argument I have not seen in a mainstream news outlet (but maybe I didn’t pay enough attention):

“Locking up suspected terrorists [...] before they commit crimes would probably make society safer. Dozens of plots may have been foiled and thousands of lives saved as a result of some of the unsavoury practices now being employed in the name of fighting terrorism. Dropping such practices in order to preserve freedom may cost many lives. So be it.”

A radical counterargument against a misleading paradigm about the state of our society.