[other/tag] Formal Objection on Privacy Principles (Technical Report)

From
   https://lists.w3.org/Archives/Team/w3t/2023Dec/0017.html

[[
[Member] Formally Object to the decision by the World Wide Web 
Consortium (“W3C”) and the TAG to publish the Privacy 
Principles <https://www.w3.org/TR/privacy-principles/> (“the Principles”).

The purpose of this email is to register a Formal Objection, pursuant to 
clause 5.5 of the W3C Process Document. (1)

We object to the adoption of the Principles by a technical 
standards-making body. Fundamentally, the Principles are not about 
making technical standards, rather they concern the conduct of separate 
and competing businesses that should be competing independently.

We see the need to promote privacy protection for end users when 
different businesses operate over the web. The opportunity for the open 
web to operate as a dynamic process of different businesses vying with 
each other to offer higher levels of privacy protection is a laudable 
policy goal. However, the Principles are likely to restrict and distort 
the levels of privacy protection different businesses offer to end 
users. It is also intended to affect how each of them protects personal 
data and the safeguarding of private information, even though a precise 
definition of privacy is lacking.

Online businesses are not dissimilar to brick-and-mortar businesses, 
driven to attract customers through the prices that they offer and the 
quality of their products. Both prices and non-price factors are 
important to customers’ decisions. Ad-funded online businesses need to 
show a good return on investment for advertisers and their advertising 
must be seen by end users before it can contribute to sales generation, 
preferably by generating clicks and conversions. Targeting advertising 
to meet end user interests depends on what users are interested in. Data 
is obtained for that purpose about user interests, and their interests 
are then matched with suppliers of advertisers and products. Advertising 
and marketing underpin the market economy and perform a valuable 
function in revealing users’ interests and enabling customers to 
understand the different products on offer and to make informed choices 
between them.

A significant proportion of world trade is now conducted online and 
hence affected by the conduct of members of the W3C.

Examples of privacy policies affecting trade are many and varied. For 
instance, commitments to privacy affect whether users sign up to use a 
product and a platform. Facebook initially offered users a comparatively 
high level of privacy protection (over 10 years ago) when seeking to 
encourage users to sign up to its social media services. By initially 
offering greater levels of protection than other social media 
businesses, Facebook attracted users keen to switch to a platform that 
provided higher levels of protection. (2)

Competing on privacy has been used by WhatsApp as an effective mechanism 
to attract end users, as well as Signal, which offers even greater 
levels of protection, attracting users to its offering because of its 
guarantees of privacy.

Like anything that affects competition between online businesses, 
privacy policies should be set by each business individually.

Indeed, the EU’s data protection law imposes on each business an 
obligation to make its own assessments and tailor its compliance system 
accordingly. The European Commission has also recognised this in the 
Facebook/WhatsApp merger, where it indicated that in markets for 
consumer communications services, data privacy and data security 
constitute key parameters of non-price competition. (3)

The Principles are a W3C TAG Draft Note pursuant to 6.4.2 of the W3C 
Process Document. Much is uncontroversial, where, for example, it 
provides a description of issues arising from dark patterns which 
mislead users. However, the Principles then seek to present browsers as 
User Agents and guardians of users’ data.

Currently it is open to ISPs to offer bill payers (often parents) 
privacy settings to protect their children. By proposing functionality 
which enables privacy settings to be incorporated into the browser, the 
draft statement suggests a shift of functionality and responsibility 
from parent to browser owner. We see this as an attempt to increase the 
power of the browser and an intrusion into people’s personal decisions 
that is entirely outside the scope of the W3C.

The Principles then refer to “collective governance” and identify that 
certain implementations of supposedly privacy protecting policies in 
fact undermine end user controls and lead to reidentification, which may 
damage both individuals and groups. We see the issue as one that needs 
to be policed by the relevant authorities and welcome increased 
enforcement to address these issues. “One size fits all” or unfair 
terms are illegal under a variety of consumer protection and competition 
laws worldwide. Both Google and Meta’s privacy policy terms have been 
found to be illegal recently. (4)

However, and counterintuitively, the Principles suggest increasing 
browser control under the expression:

“In general, collective issues in data require collective solutions. Web 
standards help with data governance by defining structural controls in 
user agents, ensuring that researchers and regulators can discover 
group-level abuse, and establishing or delegating to institutions that 
can handle issues of privacy. Governance will often struggle to achieve 
its goals if it works primarily by increasing individual control instead 
of by collective action.”

We disagree that increasing the amount of data held by browser owners, 
subjecting them to researcher and regulatory scrutiny, is a meaningful 
solution. We see an increase in browser control to be more likely to be a 
source of further abuse by browser owners. More fundamentally, we see it 
as a further example of expansion of the role of the browser at the 
expense of the end user, which is beyond the role of the W3C.

We agree that the issues identified in the section concerning group 
privacy are real; but should be addressed by privacy regulators, rather 
than the W3C. Similarly, many of the obligations that are outlined as 
applicable to user agents are either covering ground already occupied by 
many laws worldwide, or suggesting extensions of obligations and duties 
that may be worthy but are for elected lawmakers and those in policy 
positions in different governments worldwide. While we have sympathy 
with the sentiments, they are not matters for W3C members to properly be 
defining when making technical standards.

Moreover, by setting out principles that would be adopted by the two 
dominant browser owners, the unfortunate consequence could very well be 
that the Principles eliminate differences between their privacy 
offerings altogether. In the circumstances, eliminating what little 
competition exists between browsers would reinforce both businesses’ 
dominant market positions.

As noted above, many data protection laws require privacy policies to be 
set by individual businesses as part of their competitive offerings. 
Where the proposals seek to minimise the data that is held by 
businesses, they may be laudable, but again risk undermining the 
business freedom of each firm through which online competition operates. 
We assume that data minimisation is proposing a reduced level of data 
being transferred than is currently permitted by the law, which would 
also risk reinforcing already dominant platforms to the detriment of 
others. For a collective body of private businesses such as W3C, to 
propose such an approach, if endorsed by the dominant browser owners, 
could significantly affect online markets.

It would be irresponsible to ignore the fact that the world’s 
governments and regulators are increasingly seeking to police the 
operations of browser owners (such as through the designation of browsers 
as core platform services under the EU Digital Markets Act). We should 
help the authorities to that end and explain to them the concerns raised 
in the Principles with a request that they are addressed in the 
appropriate forum.

We are also mindful that the issue of “privacy washing” or dressing up 
illegal behaviour in privacy clothes through coordination among a number 
of companies has been raised in a complaint by the Texas Attorney 
General and other states in litigation against Google. (5)

In the circumstances the Principles must be removed from public access 
until these matters are addressed.

___________
Footnotes:


   1.  W3C Process Document. – We do not accept that this version of the 
Process is the operative Process as the Bylaws were not followed. See 
our letter to W3C of 22 August 2023.
   2.  The Antitrust Case against Facebook: A Monopolist’s Journey 
Towards Pervasive Surveillance in Spite of Consumers’ Preference for 
Privacy, Dina Srinivasan, Berkeley Business Law Journal, 39 at 41.
   3.  See Case M 7217 Facebook/WhatsApp [2014], para 87. See also 
Microsoft/LinkedIn where the EC further affirmed this stance in its 
decision, claiming that data privacy is ‘a significant factor of 
quality’ in the market for Professional Social Networks (PSNs). 
European Commission, 'Commission approves acquisition of LinkedIn by 
Microsoft, subject to conditions' (6 Dec 2016).
   4.  See the Bundeskartellamt decision in 
B7-70/21 <https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Entscheidungen/Missbrauchsaufsicht/2023/B7-70-21.html> 
issued 5 October 2023, see also Case C‑252/21, where the European Court 
of Justice confirms the Bundeskartellamt decision that Meta’s terms for 
the use of Facebook infringed the German prohibition on the abuse of a 
dominant market position.
   5.  Re: Google Digital Advertising Antitrust Litigation, third 
amended complaint: TAC - Redacted Version (public).pdf 
(texasattorneygeneral.gov).<https://www.texasattorneygeneral.gov/sites/default/files/global/images/TAC%20-%20Redacted%20Version%20(public).pdf>
]]

Received on Friday, 19 January 2024 18:41:27 UTC