- From: Philippe Le Hégaret <plh@w3.org>
- Date: Fri, 19 Jan 2024 13:41:23 -0500
- To: public-review-comments@w3.org
From https://lists.w3.org/Archives/Team/w3t/2023Dec/0017.html [[

[Member] Formally Object to the decision by the World Wide Web Consortium's (“W3C”) and the TAG to publish the Privacy Principles<https://www.w3.org/TR/privacy-principles/> (“the Principles”).

The purpose of this email is to register a Formal Objection, pursuant to clause 5.5 of the W3C Process Document. (1)

We object to the adoption of the Principles by a technical standards-making body. Fundamentally, the Principles are not about making technical standards, rather they concern the conduct of separate and competing businesses that should be competing independently. We see the need to promote privacy protection for end users when different businesses operate over the web. The opportunity for the open web to operate as a dynamic process of different businesses vying with each other to offer higher levels of privacy protection is a laudable policy goal. However, the Principles are likely to restrict and distort the levels of privacy protection different businesses offer to end users. It is also intended to affect how each of them protects personal data and the safeguarding of private information, even though a precise definition of privacy is lacking.

Online businesses are not dissimilar to brick-and-mortar businesses, driven to attract customers through the prices that they offer and the quality of their products. Both prices and non-price factors are important to customers’ decisions. Ad-funded online businesses need to show a good return on investment for advertisers and their advertising must be seen by end users before it can contribute to sales generation, preferably by generating clicks and conversions. Targeting advertising to meet end user interests depends on what users are interested in. Data is obtained for that purpose about user interests, and their interests are then matched with suppliers of advertisers and products.
Advertising and marketing underpin the market economy and perform a valuable function in revealing users’ interests and enabling customers to understand the different products on offer and to make informed choices between them. A significant proportion of world trade is now conducted online and hence affected by the conduct of members of the W3C.

Examples of privacy policies affecting trade are many and varied. For instance, commitments to privacy affect whether users sign up to use a product and a platform. Facebook initially offered users a comparatively high level of privacy protection (over 10 years ago) when seeking to encourage users to sign up to its social media services. By initially offering greater levels of protection than other social media businesses, Facebook attracted users keen to switch to a platform that provided higher levels of protection. (2)

Competing on privacy has been used by WhatsApp as an effective mechanism to attract end users, as well as Signal, which offers even greater levels of protection, attracting users to its offering because of its guarantees of privacy. Like anything that affects competition between online businesses, privacy policies should be set by each business individually. Indeed, the EU’s data protection law imposes on each business an obligation to make its own assessments and tailor its compliance system accordingly. The European Commission has also recognised this in the Facebook/WhatsApp merger, where it indicated that in markets for consumer communications services, data privacy and data security constitute key parameters of non-price competition. (3)

The Principles are a W3C TAG Draft Note pursuant to 6.4.2 of the W3C Process Document. Much is uncontroversial, where, for example, it provides a description of issues arising from dark patterns which mislead users. However, the Principles then seek to present browsers as User Agents and guardians of users’ data.
Currently it is open to ISPs to offer bill payers (often parents) privacy settings to protect their children. By proposing functionality which enables privacy settings to be incorporated into the browser, the draft statement suggests a shift of functionality and responsibility from parent to browser owner. We see this as an attempt to increase the power of the browser and an intrusion into people’s personal decisions that is entirely outside the scope of the W3C.

The Principles then refer to “collective governance” and identify that certain implementations of supposedly privacy protecting policies in fact undermine end user controls and lead to reidentification, which may damage both individuals and groups. We see the issue as one that needs to be policed by the relevant authorities and welcome increased enforcement to address these issues. “One size fits all” or unfair terms are illegal under a variety of consumer protection and competition laws worldwide. Both Google and Meta’s privacy policy terms have been found to be illegal recently. (4)

However, and counterintuitively, the Principles suggest increasing browser control under the expression:

“In general, collective issues in data require collective solutions. Web standards help with data governance by defining structural controls in user agents, ensuring that researchers and regulators can discover group-level abuse, and establishing or delegating to institutions that can handle issues of privacy. Governance will often struggle to achieve its goals if it works primarily by increasing individual control instead of by collective action.”

We disagree that increasing the amount of data held by browser owners, subjecting them to researcher and regulatory scrutiny, is a meaningful solution. We see an increase in browser control to be more likely to be a source of further abuse by browser owners.
More fundamentally, we see it as a further example of expansion of the role of the browser at the expense of the end user, which is beyond the role of the W3C. We agree that the issues identified in the section concerning group privacy are real; but should be addressed by privacy regulators, rather than the W3C.

Similarly, many of the obligations that are outlined as applicable to user agents are either covering ground already occupied by many laws worldwide, or suggesting extensions of obligations and duties that may be worthy but are for elected lawmakers and those in policy positions in different governments worldwide. While we have sympathy with the sentiments, they are not matters for W3C members to properly be defining when making technical standards.

Moreover, by setting out principles that would be adopted by the two dominant browser owners, the unfortunate consequence could very well be that the Principles eliminate differences between their privacy offerings altogether. In the circumstances, eliminating what little competition exists between browsers would reinforce both businesses’ dominant market positions.

As noted above, many data protection laws require privacy policies to be set by individual businesses as part of their competitive offerings. Where the proposals seek to minimise the data that is held by businesses, they may be laudable, but again risk undermining the business freedom of each firm through which online competition operates. We assume that data minimisation is proposing a reduced level of data being transferred than is currently permitted by the law, which would also risk reinforcing already dominant platforms to the detriment of others. For a collective body of private businesses such as W3C, to propose such an approach, if endorsed by the dominant browser owners, could significantly affect online markets.
It would be irresponsible to ignore the fact that the world’s governments and regulators are increasingly seeking to police the operations of browser owners (such as through the designation of browsers as core platform services under the EU Digital Markets Act). We should help the authorities to that end and explain to them the concerns raised in the Principles with a request that they are addressed in the appropriate forum.

We are also mindful that the issue of “privacy washing” or dressing up illegal behaviour in privacy clothes through coordination among a number of companies has been raised in a complaint by the Texas Attorney General and other states in litigation against Google. (5)

In the circumstances the Principles must be removed from public access until these matters are addressed.

___________

Footnotes:

1. W3C Process Document. – We do not accept that this version of the Process is the operative Process as the Bylaws were not followed. See our letter to W3C of 22 August 2023.

2. The Antitrust Case against Facebook: A Monopolist’s Journey Towards Pervasive Surveillance in Spite of Consumers’ Preference for Privacy, Dina Srinivasan, Berkeley Business Law Journal, 39 at 41.

3. See Case M 7217 Facebook/WhatsApp [2014], para 87. See also Microsoft/LinkedIn where the EC further affirmed this stance in its decision, claiming that data privacy is ‘a significant factor of quality’ in the market for Professional Social Networks (PSNs). European Commission, 'Commission approves acquisition of LinkedIn by Microsoft, subject to conditions' (6 Dec 2016).

4. See the Bundeskartellamt decision in B7-70/21<https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Entscheidungen/Missbrauchsaufsicht/2023/B7-70-21.html> issued 5 October 2023, see also Case C‑252/21, where the European Court of Justice confirms the Bundeskartellamt decision that Meta’s terms for the use of Facebook infringed the German prohibition on the abuse of a dominant market position.

5. Re: Google Digital Advertising Antitrust Litigation, third amended complaint: TAC - Redacted Version (public).pdf (texasattorneygeneral.gov).<https://www.texasattorneygeneral.gov/sites/default/files/global/images/TAC%20-%20Redacted%20Version%20(public).pdf>

]]
Received on Friday, 19 January 2024 18:41:27 UTC