The right to privacy is recognised internationally as a human right, and is also closely linked to the fulfilment of the right to freedom of expression. The Internet has had a dramatic impact on our understandings of the very concept of privacy, providing unprecedented levels of freedom and anonymity while simultaneously subjecting users to intense levels of tracking and surveillance.
The collection and sale of personal information are major economic forces underlying the spread of Internet services. This has both positive and negative aspects, and States have a responsibility to protect consumers in these relationships. It is arguable that the intrusiveness of State regulation over companies in this area should depend, at least in part, on the extent to which industry acts to offer effective protections of its own.
Recommendations for Private Sector Online Intermediaries:
Communicating With Users
- Intermediaries should publish clear and transparent information about their policies and practices regarding the collection, processing and sharing of user information and the level of privacy protection they afford their users. This should include a list of the specific types of third parties who may be given access and information about how the information may be used by these third parties. Where policies need to be complex due to the fact that they form the basis of a legal contract with users, they should be accompanied by clear, concise and easy to understand summaries or explanatory guides.
- Intermediaries should make sure that any representations they make to users regarding privacy or anonymity are clear and reasonable, and they should then respect those commitments.
- Intermediaries should allow their users to view personal information they have gathered or shared which relates to them.
- Intermediaries should take reasonable steps to educate their users about security online and should consider introducing incentives to encourage users to adopt good security practices.
- Where a security breach occurs, intermediaries should inform their users promptly and fully, particularly anyone whose information has or may have been compromised.
- Intermediaries should limit the amount of personal user data they collect and store to what is reasonably necessary for operational or commercial reasons.
- Intermediaries should make reasonable efforts to limit the ways in which they process personal user data to what is reasonably required to sustain their business models, including by limiting personal data processing to fully automated systems whenever possible.
- Intermediaries who rely on a business model whereby users trade their personal information for services should consider offering customers the possibility of opting out of the model in exchange for paying for the service.
- Intermediaries should allow users to request that their accounts be permanently deleted, including all information that the intermediary has gathered about them (except where this information has been aggregated or processed with other information and extraction is not practical or it is needed for ongoing operational purposes).
- User information should, whenever this is legally, operationally and technically possible, be encrypted and anonymised during storage.
- Intermediaries should, whenever possible, support end-to-end encryption.
- When releasing data for research purposes, which is a recognised public interest action, intermediaries should make sure that adequate measures have been taken to protect private content in the data, for example through proper anonymisation of the data or by requiring researchers to limit further dissemination of the data.
- Intermediaries should take into account the human rights impact of real-name registration policies and should work to mitigate any negative impacts, including by allowing use of pseudonyms or by allowing parts of the service to be used anonymously. Intermediaries should not require real-name registration where this would significantly harm the rights of their users.
The Right to Be Forgotten
- Search engines which are subject to the right to be forgotten should publish detailed information about their policies, standards and decision-making processes in assessing removal requests, as well as aggregated information about the number of requests received and how they were processed.
- Search engines should develop robust and detailed policies and standards regarding how they apply the right to be forgotten which ensure a proper balancing between freedom of expression and the right to information, on the one hand, and privacy, on the other. They should carry out robust consultations with key stakeholders, including civil society actors, when developing these policies and standards.
- Search engines should respect due process when applying the right to be forgotten, including by informing those whose content is subject to a removal request, as far as this is legally permitted, and by giving them an opportunity to argue that the material should not be blocked, including because the public interest lies in continuing to display the content. Consideration should be given to putting in place some sort of appeals or reconsideration mechanism for more difficult or cutting edge cases.