- From: Philippe Le Hégaret <plh@w3.org>
- Date: Fri, 19 Jan 2024 13:50:00 -0500
- To: public-review-comments@w3.org
(the Formal Objection was originally received on December 7, 2023) On 1/19/2024 1:41 PM, Philippe Le Hégaret wrote: > From > https://lists.w3.org/Archives/Team/w3t/2023Dec/0017.html > > [[ > [Member] Formally Object to the decision by the World Wide Web > Consortium's (“W3C”) and the TAG to publish the Privacy > Principles<https://www.w3.org/TR/privacy-principles/> (“the Principles”). > > The purpose of this email is to register a Formal Objection, pursuant to > clause 5.5 of the W3C Process Document. (1) > > We object to the adoption of the Principles by a technical > standards-making body. Fundamentally, the Principles are not about > making technical standards, rather they concern the conduct of separate > and competing businesses that should be competing independently. > > We see the need to promote privacy protection for end users when > different businesses operate over the web. The opportunity for the open > web to operate as a dynamic process of different businesses vying with > each other to offer higher levels of privacy protection is a laudable > policy goal. However, the Principles are likely to restrict and distort > the levels of privacy protection different businesses offer to end > users. It is also intended to affect how each of them protects personal > data and the safeguarding of private information, even though a precise > definition of privacy is lacking. > > Online businesses are not dissimilar to brick-and-mortar businesses, > driven to attract customers through the prices that they offer and the > quality of their products. Both prices and non-price factors are > important to customers’ decisions. Ad-funded online businesses need to > show a good return on investment for advertisers and their advertising > must be seen by end users before it can contribute to sales generation, > preferably by generating clicks and conversions. Targeting advertising > to meet end user interests depends on what users are interested in. Data > is obtained for that purpose about user interests, and their interests > are then matched with suppliers of advertisers and products. Advertising > and marketing underpin the market economy and perform a valuable > function in revealing users interests and enabling customers to > understand the different products on offer and to make informed choices > between them. > > A significant proportion of world trade is now conducted online and > hence affected by the conduct of members of the W3C. > > Examples of privacy policies affecting trade are many and varied. For > instance, commitments to privacy affect whether users sign up to use a > product and a platform. Facebook initially offered users a comparatively > high level of privacy protection (over 10 years ago) when seeking to > encourage users to sign up to its social media services. By initially > offering greater levels of protection than other social media > businesses, Facebook attracted users keen to switch to a platform that > provided higher levels of protection. (2) > > Competing on privacy has been used by WhatsApp as an effective mechanism > to attract end users, as well as Signal, which offers even greater > levels of protection, attracting users to its offering because of its > guarantees of privacy. > > Like anything that affects competition between online businesses, > privacy policies should be set by each business individually. > > Indeed, the EU ‘s data protection law imposes on each business an > obligation to make its own assessments and tailor its compliance system > accordingly. The European Commission has also recognised this in the > Facebook/Whatsapp merger, where it indicated that in markets for > consumer communications services, data privacy and data security > constitute key parameters of non-price competition. (3) > > The Principles are a W3C TAG Draft Note pursuant to 6.4.2 of the W3C > Process Document. Much is uncontroversial, where, for example it > provides a description of issues arising from dark patterns which > mislead users. However, the Principles then seek to present browsers as > User Agents and guardians of users’ data. > > Currently it is open to ISPs to offer bill payers (often parents) > privacy setting to protect their children. By proposing functionality > which enables privacy settings to be incorporated into the browser, the > draft statement suggests a shift of functionality and responsibility > from parent to browser owner. We see this as an attempt to increase the > power of the browser and an intrusion into people’s personal decisions > that is entirely outside the scope of the W3C. > > The Principles then refer to “collective governance” and identify that > certain implementations of supposedly privacy protecting policies in > fact undermine end user controls and lead to reidentification, which may > damage both individuals and groups. We see the issue as one that needs > to be policed by the relevant authorities and welcome increased > enforcement to addresses these issues. “One size fits all” or unfair > terms are illegal under a variety of consumer protection and competition > laws worldwide. Both Google and Meta’s privacy policy terms have been > found to be illegal recently. (4) > > However, and counterintuitively, the Principles suggest increasing > browser control under the expression: > > “In general, collective issues in data require collective solutions. Web > standards help with data governance by defining structural controls in > user agents, ensuring that researchers and regulators can discover > group-level abuse, and establishing or delegating to institutions that > can handle issues of privacy. Governance will often struggle to achieve > its goals if it works primarily by increasing individual control instead > of by collective action.” > > We disagree that increasing the amount of data held by browser owners, > subjecting them to researcher and regulatory scrutiny, is a meaningful > solution. We see increase in browser control to be more likely to be a > source of further abuse by browser owners. More fundamentally, we see it > as a further example of expansion of the role of the browser at the > expense of the end user, which is beyond the role of the W3C. > > We agree that the issues identified in the section concerning group > privacy are real; but should be addressed by privacy regulators, rather > than the W3C. Similarly, many of the obligations that are outlined as > applicable to user agents are either covering ground already occupied by > many laws worldwide, or suggesting extensions of obligations and duties > that may be worthy but are for elected lawmakers and those in policy > positions in different governments worldwide. While we have sympathy > with the sentiments, they are not matters for W3C members to properly be > defining when making technical standards. > > Moreover, by setting out principles that would be adopted by the two > dominant browser owners, the unfortunate consequence could very well be > that the Principles eliminate differences between their privacy > offerings altogether. In the circumstances, eliminating what little > competition exists between browsers would reinforce both businesses’ > dominant market positions. > > As noted above, many data protection laws require privacy policies to be > set by individual businesses as part of their competitive offerings. > Where the proposals seek to minimise the data that is held by > businesses, they may be laudable, but again risk undermining the > business freedom of each firm through which online competition operates. > We assume that data minimisation is proposing a reduced level of data > being transferred than is currently permitted by the law, which would > also risk reinforcing already dominant platforms to the detriment of > others. For a collective body of private businesses such as W3C, to > propose such an approach, if endorsed by the dominant browser owners, > could significantly affect online markets. > > It would be irresponsible to ignore the fact that the worlds’ > governments and regulators are increasingly seeking to police the > operations of browser owners (such as through the designation of browser > as core platform services under the EU Digital Markest Act). We should > help the authorities to that end and explain to them the concerns raised > in the Principles with a request that they are addressed in the > appropriate forum. > > We are also mindful that the issue of “privacy washing” or dressing up > illegal behaviour in privacy clothes through coordination among a number > of companies has been raised in a complaint by the Texas Attorney > General and other states in litigation against Google. (5) > > In the circumstances the Principles must be removed from public access > until these matters are addressed. > > ___________ > Footnotes: > > > 1. W3C Process Document. – We do not accept that this version of the > Process is the operative Process as the Bylaws were not followed. See > our letter to W3C of 22 August 2023. > 2. The Antitrust Case against Facebook: A Monopolist’s Journey > Towards Pervasive Surveillance in Spite of Consumers Preference for > Privacy, Dina Srinivasan, Berkeley Business Law Journal, 39 at 41. > 3. See Case M 7217 Facebook/WhatsApp [2014], para 87, See also > Microsoft/LinkedIn where the EC further affirmed this stance in its > decision, claiming that data privacy is ‘a significant factor of > quality’ in the market for Professional Social Networks (PSNs).3 > European Commission, 'Commission approves acquisition of LinkedIn by > Microsoft, subject to conditions' (6 Dec 2016). > 4. See the Bundeskartellamt decision in > B7-70/21<https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Entscheidungen/Missbrauchsaufsicht/2023/B7-70-21.html> issued 5 October 2023, see also Case C‑252/21, where the European Court of Justice confirms the Bundekartellamt decision that Meta’s terms for the use of Facebook infringed the German prohibition on the abuse of a dominant market position. > 5. Re: Google Digital Advertising Antitrust Litigation, third > amended complaint: TAC - Redacted Version (public).pdf > (texasattorneygeneral.gov).<https://www.texasattorneygeneral.gov/sites/default/files/global/images/TAC%20-%20Redacted%20Version%20(public).pdf> > ]]
Received on Friday, 19 January 2024 18:50:02 UTC