CBI forum on e-privacy and the digital economy

This speech was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government

Today more than 40 million of us in the UK regularly use the internet, with 13 million of us able to get online anywhere, anytime through our…

Today more than 40 million of us in the UK regularly use the internet, with 13 million of us able to get online anywhere, anytime through our smartphones. Thirty million of us are on Facebook alone. Internet dating sites are now part of the basket of consumer goods used to calculate the rate of inflation. 

The result is an internet that now holds at least 5 billion gigabytes of data.  That’s more than 100 times the size of every bit of text ever written, in every language, since the beginning of recorded history. 

Last year, more than 13 million hours of video were uploaded on to YouTube alone. That’s about 150,000 full-length films every week. Or 35 hours of video uploaded every minute.

These are tremendous, awe-inspiring figures.
So it’s no wonder that many people have already suggested that that the internet has changed the way we think. 

Certainly it is changing our social norms - as the rise of internet dating illustrates.

And it is also changing our purchasing habits.  According to a report from the Boston Consulting Group, we are now the world leaders in e-commerce with an internet economy worth £100 billion a year.  That means more and more of us purchasing goods online, and more and more people uploading their credit card details to make purchases.

In the age of Web 3.0, the lines between our real live selves and our online selves are becoming blurred, as geo-location applications and “always on” networks mean that we are engaged by the internet wherever we are, and the internet always knows where we are.

We also live in the world of the cloud, of increased virtualisation, shared sites and shared tenancy. Or put simply of more software and less kit. This in itself asks new and challenging questions of consumers, business and legislators, as well as offering unparalleled opportunities for the transfer and storage of massive quantities of data; data that can be used to improve the world in which we live and the services we use.

In a world like this, it is absolutely natural that people are concerned about privacy, but still want to benefit from the services that could effectively compromise it. 

This inherent conflict between individual privacy and the latest online applications is something that we see played out in the media virtually every week.

Thing about the wall-to-wall coverage of Facebook’s plans to make the phone numbers and addresses of its users available to advertisers. 

Or last year when - quite rightly - there was uproar when it was discovered that Google Streetview cars had downloaded people’s passwords and other data. Indeed the French regulator fined Google only last week as a result.

Or back in 2009, there was concern when it was discovered a company was working with BT to track behaviour on the internet in order to target advertising more effectively. 

In an interconnected world people still value their privacy. Our research shows that three-quarters of people worry about internet security. What is perhaps more surprising is how few of us know how to make ourselves more secure online.

Fewer than a third of people have ever changed the security setting of their browser. More than a third did not know how many, if any, cookies they had accepted on to their machine and if so what those cookies do.  Only about one in 10 people actually know what a cookie - in the context of the internet - is. 

It seems to me that consumers have two key concerns around privacy. The first is about what happens to the data that we upload: the bank details we submit when we buy our groceries online; the family video on myspace; the photo on Facebook. The second concern is more complicated and relates to what others know about us and where we have been, to the fear of the online big-brother; a debate which in the US has come to be known as “do not track”.

Let’s be clear about where we are today. Many people voluntarily give up their privacy when they go online.  But they still want a number of rules to apply. 

They want the sites they use to be secure; they want to be sure that their data is kept securely; and they want internet companies to be transparent in how their data is used in terms of tracking their activity on the web. 

There are many benefits to internet sites knowing who you are, or indeed where you are, in terms of providing tailored information.  People just want to have the option to say ‘yes’ or ‘no’ before allowing it to happen.

back to top


The Internet and regulation

**Now let me be clear. When it comes to addressing these concerns, I am not a big fan of regulation. 

When Government steps into the fast moving world of technology we risk creating more problems than we can solve.   If industry can bring in its own measures to reassure customers - such as clear guidelines in plain English and greater transparency - not only will they win customers, they will avoid regulation.

Even so, this is not a completely self-regulated world.  There are already two major pieces of legislation that cover privacy on the internet. 

The first is the Data Protection Act which covers how all companies, whether internet based or not, use data.  The Information Commissioner, who enforces the Act, has developed a code of practice specifically to help business to handle personal data online.  That covers everything from the collection of people’s details through application forms to the use of cookies or IP addresses to target content; from using personal data to market goods to the issues around personal data and cloud computing.

The second is the e-Privacy Directive. And with a revised version set to come into force in two months’ time, there are three key changes to be aware of:

First, personal data breaches, such as your bank losing your banking details or making them available to someone else, will now have to be notified to the Information Commissioner;

Second, there will be criminal as well as civil penalties for breaches of the directive; and

Third, consumers will now have to give their consent for the import of cookies on to their machines.

Of these, it is the cookies provision that is the biggest change, and therefore of most concern to business.  It’s a good example of a well-meaning regulation that will be very difficult to make work in practice.  If we get the implementation wrong, it will seriously hamper the smooth running of the internet, and so it’s therefore a provision that should concern the consumer as well. 

That’s why our approach to this very challenging provision is a sensible and pragmatic one.  We have made it clear, for example, that the consent of the user is not needed where a cookie is essential for a service that has been requested by the user. The use of cookies for shopping baskets on websites, for example. 

We are also supporting cross-industry work on the use of third party cookies in behavioural advertising.

And this is an example of where industry-led solutions can provide an answer.  Yahoo, for instance, recently launched its “ad choices” icon in the UK, after launching it last year in the US. This approach gives the consumer more information on the use of cookies, as well as introducing a self-regulatory compliance and enforcement mechanism. Through clicking on the icon the consumer will be informed about: each specific internet advert; who the advertiser is; the server; who the advert was customised by; and an option to refuse those and other cookies. The icon is exactly the sort of industry developed solution that we see as critical to the UK’s ability to meet the requirements of the Directive.

We are also working with the browser manufacturers to see if browsers can be enhanced to provide relevant information about cookies, as well as easy to use settings. Because we want users to be able to make informed decisions about what they do or don’t allow on to their machines.
However, a one size fits all solution will not cover everything. There will, inevitably, be legitimate uses of cookies that fall through the cracks.

That’s why it is so important for us to adopt a flexible approach - so that new business models and innovations that no one has yet thought of are not held back. 

We don’t want to be prescriptive. We want business, regulators and consumers to continue to work together to provide solutions as problems arise.  And we want to see sensible solutions that balance privacy and innovation.

At the same time, where there are instances of clear breaches of privacy, it is vital that the Information Commissioner’s Office has the right tools to do its job properly.

That’s why new powers will allow the ICO to fine companies for privacy breaches for the first time; to conduct e-privacy audits where appropriate; and to identify operators who withhold their number or hide their email ID in order to make cold calls and send spam e-mails.

back to top


Working with Europe and the US

**So this is the current landscape in the UK.

But as well as offering an overview - and underlining the Government’s keeness to pursue self-regulation wherever possible - I also wanted to stress the importance of working both with our European partners, and with the US administration, where online privacy is also a key concern.

With TV, radio and publishing, Governments can to an extent set their own rules. These are mediums that respect national boundaries. The internet does not. When we place information on the Internet, we are sharing it with the world.  The rules governing on-line privacy need to reflect that.  For the sake of web users and businesses we need a unified and consistent approach to on-line privacy that crosses borders.

In the US the Department of Commerce has just finished consulting for a Green Paper on online privacy, and the Obama Administration has now set out its support for the key principles that will underpin a forthcoming Bill. 

This would bring forward a legally enforceable “consumer privacy bill of rights” - broad and flexible enough to allow consumer privacy protection and business practices to adapt to new technologies and services as they emerge. 

Crucially, the US is keen to promote consistency on privacy rules. This would cut the multiple compliance burdens that companies face and provide consumers with more consistent cross-border data protections.

This “consumer bill of rights” is, it seems to me, not that different from the rights conferred on consumers by Europe’s current data protection and e-Privacy directives. 

But, after more than a decade, the European Commission is now quite rightly looking at revisions to the Data Protection Directive. I believe that it is therefore vital that the Commission works closely with the US Administration, so that we can move towards a unified approach that will benefit consumers and businesses alike on both sides of the Atlantic. 

Commissioner Reding has already set out the four principles of her approach. 

They include, in her words, “the right to be forgotten”; the need for transparency; default privacy settings; and protection from EU data protection rules regardless of whether or not your data is actually processed in the EU.

Obviously we will have to look at these proposals in detail.

In principle, we support the idea that consumers should have the right to withdraw their consent for data processing. And of course we support greater transparency. 

But we also need to be clear about the practicalities of any regulation. For example, how do we enforce the ‘right to be forgotten’ when data can be copied and transferred across the globe in an instant? How do we force a website hosted in Calcutta to take down an image uploaded in Croydon?   We should not give people false expectations.  No Government can guarantee that photos shared with the world will be deleted by everyone when someone decides it’s time to forget.

We agree data should be processed in accordance with expectations of privacy in Europe. But we need to be aware that questions of liability could jeopardise the ability of European firms to use the Cloud for data processing and storage. We should question the logic of trying to make firms outside of the EU subject to EU law.

When it comes to putting these revisions into practice, we need to think carefully about how to ensure that they do not stifle innovation. We need to ensure that the international transfer of data, so critical to economic growth, can continue. And we need to ensure that changes are both practical and proportionate.

This approach informs our efforts at the Organization for Economic Cooperation and Development (OECD), where we want to broker an international agreement on the principles of Internet policy-making.

Creating an international standard for on-line privacy will ensure businesses compete on a level playing field while web users enjoy the same protections wherever a website is based.  This may seem like a lofty ambition. But I think that looking at trends in the US and intentions in Europe, it is clear that the two are not poles apart.  Indeed, both the Commission and the American Administration recognise that this is a problem that needs to be addressed.

We all want to have better control of our data. We all want to see business thrive and innovate. The trick is ensuring that we strike the right balance.



**So while I am determined that we should preserve the internet as a lightly regulated engine of growth, it is pretty clear that a set of privacy standards is emerging - both from existing regulation and from forthcoming legislation from Europe and the US.

And it is clear that these are based on a number of principles: transparency; the right to opt in or out of having your data tracked or passed to third parties; proper rules surrounding the storing and transfer of data; the right to have your data removed from specific websites; and an appropriate system of sanction when rules are clearly breached.

I look forward to working with the Commission, with other Member States and with the US to see whether a common set of principles can emerge which will support both the interests of consumers and the businesses on which our economy relies.