Re: [other/tag] Formal Objection on Privacy Principles (Technical Report)

(the Formal Objection was originally received on December 7, 2023)

On 1/19/2024 1:41 PM, Philippe Le Hégaret wrote:
> From
>    https://lists.w3.org/Archives/Team/w3t/2023Dec/0017.html
> 
> [[
> [Member] Formally Object to the decision by the World Wide Web 
> Consortium's (“W3C”) and the TAG to publish the Privacy 
> Principles<https://www.w3.org/TR/privacy-principles/> (“the Principles”).
> 
> The purpose of this email is to register a Formal Objection, pursuant to 
> clause 5.5 of the W3C Process Document. (1)
> 
> We object to the adoption of the Principles by a technical 
> standards-making body. Fundamentally, the Principles are not about 
> making technical standards, rather they concern the conduct of separate 
> and competing businesses that should be competing independently.
> 
> We see the need to promote privacy protection for end users when 
> different businesses operate over the web. The opportunity for the open 
> web to operate as a dynamic process of different businesses vying with 
> each other to offer higher levels of privacy protection is a laudable 
> policy goal. However, the Principles are likely to restrict and distort 
> the levels of privacy protection different businesses offer to end 
> users. It is also intended to affect how each of them protects personal 
> data and the safeguarding of private information, even though a precise 
> definition of privacy is lacking.
> 
> Online businesses are not dissimilar to brick-and-mortar businesses, 
> driven to attract customers through the prices that they offer and the 
> quality of their products. Both prices and non-price factors are 
> important to customers’ decisions. Ad-funded online businesses need to 
> show a good return on investment for advertisers and their advertising 
> must be seen by end users before it can contribute to sales generation, 
> preferably by generating clicks and conversions. Targeting advertising 
> to meet end user interests depends on what users are interested in. Data 
> is obtained for that purpose about user interests, and their interests 
> are then matched with suppliers of advertisers and products. Advertising 
> and marketing underpin the market economy and perform a valuable 
> function in revealing users interests and enabling customers to 
> understand the different products on offer and to make informed choices 
> between them.
> 
> A significant proportion of world trade is now conducted online and 
> hence affected by the conduct of members of the W3C.
> 
> Examples of privacy policies affecting trade are many and varied. For 
> instance, commitments to privacy affect whether users sign up to use a 
> product and a platform. Facebook initially offered users a comparatively 
> high level of privacy protection (over 10 years ago) when seeking to 
> encourage users to sign up to its social media services. By initially 
> offering greater levels of protection than other social media 
> businesses, Facebook attracted users keen to switch to a platform that 
> provided higher levels of protection. (2)
> 
> Competing on privacy has been used by WhatsApp as an effective mechanism 
> to attract end users, as well as Signal, which offers even greater 
> levels of protection, attracting users to its offering because of its 
> guarantees of privacy.
> 
> Like anything that affects competition between online businesses, 
> privacy policies should be set by each business individually.
> 
> Indeed, the EU ‘s data protection law imposes on each business an 
> obligation to make its own assessments and tailor its compliance system 
> accordingly. The European Commission has also recognised this in the 
> Facebook/Whatsapp merger, where it indicated that in markets for 
> consumer communications services, data privacy and data security 
> constitute key parameters of non-price competition. (3)
> 
> The Principles are a W3C TAG Draft Note pursuant to 6.4.2 of the W3C 
> Process Document. Much is uncontroversial, where, for example it 
> provides a description of issues arising from dark patterns which 
> mislead users. However, the Principles then seek to present browsers as 
> User Agents and guardians of users’ data.
> 
> Currently it is open to ISPs to offer bill payers (often parents) 
> privacy setting to protect their children. By proposing functionality 
> which enables privacy settings to be incorporated into the browser, the 
> draft statement suggests a shift of functionality and responsibility 
> from parent to browser owner. We see this as an attempt to increase the 
> power of the browser and an intrusion into people’s personal decisions 
> that is entirely outside the scope of the W3C.
> 
> The Principles then refer to “collective governance” and identify that 
> certain implementations of supposedly privacy protecting policies in 
> fact undermine end user controls and lead to reidentification, which may 
> damage both individuals and groups. We see the issue as one that needs 
> to be policed by the relevant authorities and welcome increased 
> enforcement to addresses these issues. “One size fits all” or unfair 
> terms are illegal under a variety of consumer protection and competition 
> laws worldwide. Both Google and Meta’s privacy policy terms have been 
> found to be illegal recently. (4)
> 
> However, and counterintuitively, the Principles suggest increasing 
> browser control under the expression:
> 
> “In general, collective issues in data require collective solutions. Web 
> standards help with data governance by defining structural controls in 
> user agents, ensuring that researchers and regulators can discover 
> group-level abuse, and establishing or delegating to institutions that 
> can handle issues of privacy. Governance will often struggle to achieve 
> its goals if it works primarily by increasing individual control instead 
> of by collective action.”
> 
> We disagree that increasing the amount of data held by browser owners, 
> subjecting them to researcher and regulatory scrutiny, is a meaningful 
> solution. We see increase in browser control to be more likely to be a 
> source of further abuse by browser owners. More fundamentally, we see it 
> as a further example of expansion of the role of the browser at the 
> expense of the end user, which is beyond the role of the W3C.
> 
> We agree that the issues identified in the section concerning group 
> privacy are real; but should be addressed by privacy regulators, rather 
> than the W3C. Similarly, many of the obligations that are outlined as 
> applicable to user agents are either covering ground already occupied by 
> many laws worldwide, or suggesting extensions of obligations and duties 
> that may be worthy but are for elected lawmakers and those in policy 
> positions in different governments worldwide. While we have sympathy 
> with the sentiments, they are not matters for W3C members to properly be 
> defining when making technical standards.
> 
> Moreover, by setting out principles that would be adopted by the two 
> dominant browser owners, the unfortunate consequence could very well be 
> that the Principles eliminate differences between their privacy 
> offerings altogether. In the circumstances, eliminating what little 
> competition exists between browsers would reinforce both businesses’ 
> dominant market positions.
> 
> As noted above, many data protection laws require privacy policies to be 
> set by individual businesses as part of their competitive offerings. 
> Where the proposals seek to minimise the data that is held by 
> businesses, they may be laudable, but again risk undermining the 
> business freedom of each firm through which online competition operates. 
> We assume that data minimisation is proposing a reduced level of data 
> being transferred than is currently permitted by the law, which would 
> also risk reinforcing already dominant platforms to the detriment of 
> others. For a collective body of private businesses such as W3C, to 
> propose such an approach, if endorsed by the dominant browser owners, 
> could significantly affect online markets.
> 
> It would be irresponsible to ignore the fact that the worlds’ 
> governments and regulators are increasingly seeking to police the 
> operations of browser owners (such as through the designation of browser 
> as core platform services under the EU Digital Markest Act). We should 
> help the authorities to that end and explain to them the concerns raised 
> in the Principles with a request that they are addressed in the 
> appropriate forum.
> 
> We are also mindful that the issue of “privacy washing” or dressing up 
> illegal behaviour in privacy clothes through coordination among a number 
> of companies has been raised in a complaint by the Texas Attorney 
> General and other states in litigation against Google. (5)
> 
> In the circumstances the Principles must be removed from public access 
> until these matters are addressed.
> 
> ___________
> Footnotes:
> 
> 
>    1.  W3C Process Document. – We do not accept that this version of the 
> Process is the operative Process as the Bylaws were not followed. See 
> our letter to W3C of 22 August 2023.
>    2.  The Antitrust Case against Facebook: A Monopolist’s Journey 
> Towards Pervasive Surveillance in Spite of Consumers Preference for 
> Privacy, Dina Srinivasan, Berkeley Business Law Journal, 39 at 41.
>    3.  See Case M 7217 Facebook/WhatsApp [2014], para 87, See also 
> Microsoft/LinkedIn where the EC further affirmed this stance in its 
> decision, claiming that data privacy is ‘a significant factor of 
> quality’ in the market for Professional Social Networks (PSNs).3 
> European Commission, 'Commission approves acquisition of LinkedIn by 
> Microsoft, subject to conditions' (6 Dec 2016).
>    4.  See the Bundeskartellamt decision in 
> B7-70/21<https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Entscheidungen/Missbrauchsaufsicht/2023/B7-70-21.html> issued 5 October 2023, see also Case C‑252/21, where the European Court of Justice confirms the Bundekartellamt decision that Meta’s terms for the use of Facebook infringed the German prohibition on the abuse of a dominant market position.
>    5.  Re: Google Digital Advertising Antitrust Litigation, third 
> amended complaint: TAC - Redacted Version (public).pdf 
> (texasattorneygeneral.gov).<https://www.texasattorneygeneral.gov/sites/default/files/global/images/TAC%20-%20Redacted%20Version%20(public).pdf>
> ]]

Received on Friday, 19 January 2024 18:50:02 UTC