
Collection of information about the users of our services

Question

You are an up-and-coming associate at a prestigious law firm. Your hypo_clients bring to you the problem found at http://cyber.law.harvard.edu/globaleconomy/hypo.pdf. The senior partners have divided your class of associates into small teams to parse the many Internet-related legal and business issues presented by this problem. Please draft a short memo to the hypo_clients that highlights a single issue within your assigned topic area. Your memo should also provide initial advice as to how the hypo_clients should address this issue, whether through legal, business-modeling, technical, or other means. You should not seek to address all the possible issues lurking in your topic area. Team members should each write their own memo to the hypo_clients. Please be prepared to summarize your findings and to defend your advice in a meeting of the legal team working on this issue on December 3, 2003. (The assignment is also described at http://cyber.law.harvard.edu/globaleconomy/admin.html).

The main legal issue with respect to our gathering of information about our users is the users’ privacy and our handling of their information. What we want to do is to collect as much information as is possible, in order to create a personal profile about each user. By doing this we will be able to provide the users with a service that is personalized and hence useful to them, e.g. by giving them the kind of news they are looking for, or by tracking a certain part of the stock market for them. Furthermore, it could be of interest to us to sell the profiles we have built up to other companies.

By gathering and using information about our users, we will inevitably subject ourselves to legal regimes that have been implemented for the protection of personal data. Even though such regimes differ from one jurisdiction to another, they normally apply where the gathered information somehow (directly or indirectly) can be connected to a specific natural person (cf. Art. 2 of Directive 95/46/EC, which applies to the processing of personal data within the European Union).

There are several risks associated with the gathering of this sort of information, both legal and non-legal. The legal risks we face are mostly associated with the possibilities for regulatory agencies to interfere with our business (e.g. by disallowing the continued use of the information we have gathered or by imposing fines, etc.). However, we also run the risk of incurring both civil liability (mainly in the U.S.), and even criminal liability (in some of the countries in eastern Europe). Non-legal risks include the risk of adverse publicity and security breaches (e.g. theft of information by a competitor).

Since we intend to attract users all over the world, it is likely that we will subject ourselves to these risks in many different jurisdictions. Even though it is likely that many of the jurisdictions have regimes that are similar in many aspects, there are great differences between, e.g., the rather far-reaching regulations of the European Union and the comparatively relaxed industry self-regulation in the U.S.

There are two main ways of meeting the challenge of complying with several different bodies of rules. We can either try to comply with the rules as they are set out in each area of operations, thus complying with different standards in different jurisdictions, or we can try to comply with the most strict regime and hope that the less strict regimes will then be automatically complied with. Even though there are some advantages and some disadvantages with both solutions, our goal should be to comply with the strictest regime.

First of all it would be incredibly burdensome, from an administrative point of view, to handle a system where we behave differently in different jurisdictions; we would have to handle many different privacy policies, and it would not necessarily, due to legal restrictions, be possible to transfer information from one part of the organization to another.

Furthermore, by complying with only one regime we can better assure business continuity, since we do not have to change our privacy policy each time one jurisdiction changes its rules, and since we can use the same policy in the whole organization.

Another reason for adhering to the strictest legal regime is that it would otherwise be all but impossible to determine which rules apply to which gathering of data. We have to assume that our users are mobile, and it is, for instance, extremely difficult to determine with certainty which rules apply for an American in Ghana who’s accessing the Internet through a French Internet provider, especially if the user originally signed up for our services in Russia.

On the other hand, adhering to the strictest regime automatically means that we restrict our gathering of information in all the jurisdictions which are not the most restrictive, and thus that we place ourselves at a disadvantage as compared to any competitors which only comply with the less restrictive rules. This should not be a problem, however, since even the European Union, which currently has the strictest regime, allows us enough leeway to provide our services in the way we intend to.

What then do we have to do to comply with the requirements of the European Union? Well, most important is to get all users to consent to our processing of their personal data. The consent can and should be given during and as a precondition of the users’ signing up for our service. The users’ explicit consent allows us to get past the fundamental hurdle of obtaining the right to process the information in the first place. It is important, however, both from a legal and from a goodwill point of view, that we are very explicit as to what we intend to do with the information we gather, and as to what rights our users have with respect to our processing of their data. Our privacy policy must thus not only comply with all legal requirements, but should also be very explicit, and it should be clearly displayed to all users. We should also reserve the right to amend the policy if it should become necessary.

We will furthermore have to set up our organization so that we can handle the legal requirements we have to meet. We must, for instance, be able to provide the users with information on what data we have on them, and we must be able to correct any information that might be incorrect. This should be handled by a centralized department, which can specialize in the legal and practical aspects of the gathering of personal data.

Finally, it is of vital importance that we adhere to the policy that we have implemented. Not only would it be a breach of the applicable legal rules not to, but it would also be detrimental to our business if our users felt that they weren’t treated properly; few things travel as quickly over the Internet as discontent.

Complying with the strictest regime might be the easiest short-term solution, but, given the current flux in privacy legal regimes, it might not be the best long-term move. Even if compliance with the strictest privacy regimes assures compliance with lesser regimes now, that might not be the case in the future, and it might be unwise to develop a product based on that assumption. While designing a modular system that is capable of easily adapting to various privacy regimes is undoubtedly a greater investment, the investment now could save many dollars in the event of changes in privacy regulations. This modular approach would also allow much greater flexibility on the users' side. This product is marketed to power-internet users looking for a customized experience, many of whom will be very sensitive about disclosing certain information even if it is not covered under privacy laws, and it may be very important to provide them with flexibility in what they disclose and how it is used.

This company is looking to roll out their product quickly, and maybe complying only with the strictest regime is the best short-term solution, but the design must be able to accommodate differing regimes and user preferences down the road. I think you're right on that discontent travels fast, but I think companies often have trouble predicting what their customers will find objectionable (or how third parties will exploit certain features) and a modular system allows the fastest response to user complaints about their privacy.