Transparency is increasingly understood as a core component of addressing the challenges of the modern information economy. But what exactly transparency means and how to accomplish it will continue to be one of the crucial debates for some time to come.
How much do most of us really understand about what is happening to our own personal information? What exactly is being collected? Who is using it and for what purposes? We generally don’t know. And that can create a lack of trust in society towards the organizations that collect and use our personal information, potentially causing overreactions to otherwise perfectly legitimate and beneficial uses of personal data.
Earlier this week, I participated in a conference organized by the Data Transparency Lab (DTL) at the Massachusetts Institute of Technology (MIT). Teams of computer scientists, technologists and researchers discussed their efforts to create tools that help us understand what happens to our personal information online and and, by extension, enable more effective user control and choice in that environment.
What exactly transparency means and how to accomplish it will continue to be one of the crucial debates for some time to come.
Indeed, even the experts acknowledge that the complexity of the information economy can be difficult to understand. They all agreed better transparency is the remedy that deserves significant intellectual capital and effort.
Participating on behalf of the Centre for Information Policy Leadership (CIPL) at the DTL Conference provided me the opportunity to share some of my thoughts on transparency. Creating transparency must begin with what specific goals we want to achieve, as they will inform the specific tools and mechanisms, as well as the style of communication, by which we will achieve these goals.
I can see at least three goals of transparency:
- providing the appropriate amount of information to enable informed user engagement, choice or consent;
- creating general awareness of information practices in a way that creates consumer trust and “buy-in” to the value propositions of the information exchange, even in the absence of choice and consent; and
- educating policy makers, legislators and privacy enforcement authorities about the benefits associated with information uses as well as the associated risks to enable informed and effective policies, laws and enforcement.
Each of these goals requires different approaches and methodologies for conveying relevant information. While this sounds straight forward, the larger questions are actually not settled. Many people consider number one above as the principal goal, seeing transparency as a new and improved way to devise actionable privacy notices. However, I consider numbers two and three as increasingly more important.
The lack of agreement on this issue was brought home during one of the breakout sessions at the 37th International Privacy Conference, specifically with regard to the Privacy Bridges Report.
During our breakout session we were asked to discuss the transparency bridge. One of the key disagreements in the room dealt with the purpose of transparency. The transparency bridge seemed to assume that transparency’s primary goal is to enable “user control”, or choice and consent. Most commenters in the room questioned this, though they acknowledged that enabling user control is one role of transparency.
They pointed out that in an increasing number of contexts where choice and consent are no longer possible or practicable, consumers may not be the primary audience for detailed transparency. Instead, policy makers, legislators and regulators should be the primary audience because they are the ones that need to understand the business practices around personal data in order to devise appropriate legal and regulatory frameworks. Consumers often just need to be given enough information to have trust and confidence in the organizations that use their personal information.
Indeed, the role of transparency to create general awareness and trust in society in the absence of choice and consent is going to have to become the dominant function of transparency.
Just like with cars, most consumers don’t want to look under the hood, according to one of the commenters. They just want to know their car can take them from point A to point B safely. Equally, individuals just want to use online products and services of their choice, knowing that their information is processed appropriately, for good purposes, and not to their detriment. In light of the complexities involved, that is all one can ask for in an increasing number of circumstances.
This is an important point in the transparency debate: How is it that we celebrate driverless cars, but fail to recognize the need for driverless privacy (from the consumers’ perspective) for some of the same reasons? Of course, there will need to be drivers, but the primary drivers should be trustworthy organizations and competent, informed authorities, with the possibility of consumer engagement where it still makes sense.
So, what is transparency’s role in contexts where consumers cannot or do not want to look under the hood?
First, transparency can create trust by explaining the value propositions of the information exchanges they engage; educate about an organization’s information-management and use practices and the benefits that will result from them; explain how information might be used in the future to create as of yet unknown benefits, and how it goes about protecting individuals from harm when such benefits are pursued; tell the story of the organization’s data-use goals and practices in an understandable, compelling and truthful manner to reassure the public that personal information will be handled in compliance with applicable laws and with the individuals’ best interest in mind; create a sense that individuals have a stake in, and are contributing to, positive information-use outcomes for themselves and society, and finally, serve as one of the foundations for official policies that allow accountable organizations to leverage verifiable digital responsibility towards greater flexibility and latitude in putting personal data to legitimate and beneficial uses, even in the absence of specific consent.
Second, transparency can ensure that lawmakers, regulators and enforcement authorities understand the businesses they are regulating to prevent unnecessary or ill-advised privacy laws and regulations or enforcement actions. They need to understand the value-propositions of modern information uses to know what is at stake when imposing restrictions. And they need to understand an organization’s efforts to be a responsible steward of personal information. In a nutshell, a key function of transparency is to demonstrate responsible and beneficial information uses in a way that enables sensible privacy laws, regulations and enforcement.
Indeed, the role of transparency to create general awareness and trust in society in the absence of choice and consent is going to have to become the dominant function of transparency.
To better protect and safeguard the consumer in the new digital economy, we will have to get used to the idea of driverless privacy. There will be an increasing number of contexts where individual engagement, choice or consent are no longer practicable, possible, or even wanted by individuals. Organizations will have to employ alternative mechanisms to protect individuals in this environment, and individuals have to trust these mechanisms.
All effective privacy protection flows from transparency, making transparency the catalyst for a productive and innovative information economy.
CIPL has spent a lot of time thinking about what these alternative mechanisms are generally, and what they might look like specifically. And, indeed, these alternative mechanisms no longer have to be invented; they exist, for example, through frameworks of organizational accountability, but must be further refined and more broadly implemented.
In our recent whitepaper, we discuss how the core elements of organizational accountability, including risk assessment, increasingly concepts of fair and ethical processing and, yes, transparency, can provide the necessary information management and use framework to enable both privacy protections and modern data uses.
The importance of the ongoing debate about transparency through initiatives such as the DTL and follow-up work on the Privacy Bridges Project by CIPL and others cannot be overstated. Transparency, in fact, is the core enabler of such alternative ways of protecting the individual in that it enables both individuals and regulators to see, trust and verify where necessary what is being done to protect privacy while pursuing legitimate information uses. So, in a sense, all effective privacy protection flows from transparency, making transparency the catalyst for a productive and innovative information economy.