Is There A Global Basis For Privacy? Free-Expression? Censorship?

The European climate for online privacy is coming into conflict with US norms, as realized by Facebook, at least. The most recent flare-up is an investigation by Swiss and German commisioners regarding the way that these services allow users to upload pictures and email addresses of other people:

Frank Jordans, European privacy battle looms for Facebook, Google

Swiss and German data protection commissioners are demanding that Facebook explain its practice of allowing users to upload e-mail addresses, photographs and other personal details about people who haven’t signed up to the site.

“The way it’s organized at the moment, they simply allow anyone who wants to use this service to say they have the consent of their friends or acquaintances,” Swiss commissioner Hanspeter Thuer told The Associated Press.

To conform with Switzerland’s strict privacy law, Facebook could be required to contact people whose information has been posted online and ask them whether they agree to its being stored there, he said.

Thilo Weichert, data protection commissioner in the northern German state of Schleswig Holstein, said in a telephone interview that Facebook’s assertion that it gets necessary consent for the posting of personal information is “total nonsense.”

“We’ve written to Facebook and told them they’re not abiding by the law in Europe,” he said.

The probes by the German and Swiss privacy watchdogs are still preliminary and would not have immediate consequences elsewhere. However, Weichert said the issue is being discussed with other data protection officials in the 27-nation European Union, which in 2000 declared privacy a fundamental right that companies and governments must respect.

The European stance differs strongly from the self-regulatory, free market approach favored in the United States, where Web companies have flourished by offering users free services if they provide personal information to help advertising target them better, according to Columbia University law professor Eben Moglen.

“If the European regulators get serious, it will create a significant conflict,” said Moglen, who has been examining online privacy issues since the early days of the Web.

Richard Allan, director of policy for Facebook Europe, said some of the functions being scrutinized — such as those allowing users to upload their friends’ e-mail addresses to find them online — were common across the industry. The company has recently added a tool for nonusers to have their data removed, he said.

“As a global company what we’re trying to do is to make sure that our systems meet the requirements of all the jurisdictions in which we operate,” Allan said.

This seems like an area of great conflict between the rights of free expression and the rights of privacy.

The European Convention on Human Rights asserts freedom of expression:

Article 10 – Freedom of expression

1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.

2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.

In principle, this suggests that taking photos of other people and publishing them cannot be abridged by governments. However, there is a lot of wiggle room in the second clause.

This comes into conflict with Article 8, privacy:

Article 8 – Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Article 8 seems mostly oriented toward prohibiting governments from snooping into private life, not prohibiting people from publishing information about people that they might want to keep private, like who they are drinking with in a bar, or the color of their front door — both of which are plainly evident to anyone who happens to be present.

In the EU’s Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data), the framers of the document are attempting to direct how personal data can be managed and used. It is incredibly restrictive, and if a person’s face in a photo taken in a public setting should be considered personal data, it could in principle be illegal to upload it to a public website without their permission:

Transparency

The data subject has the right to be informed when his personal data are being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11)

Data may be processed only under the following circumstances (art. 7):

• when the data subject has given his consent
• when the processing is necessary for the performance of or the entering into a contract
• when processing is necessary for compliance with a legal obligation
• when processing is necessary in order to protect the vital interests of the data subject
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn’t being processed in compliance with the data protection rules. (art. 12)

I guess it gets murky when the photo is analyzed by a facial recognition system or user-generated tags are read and used to establish identities. That starts to feel like data processing, although it is a big stretch from medical or financial records. Especially when a human being can perform the same task simply by looking at the photo.

So this raises some basic questions of global norms of privacy, especially the core question of whether such norms exist or might be legislated into existence.

The US has canted pretty far into publicy territory — where the default expectation is that I can upload pictures from my party or a walk down the street — and the subjects in the photos don’t have any say about it. The EU has veered pretty far into a protection of privacy stance that is strongly at variance with what services like Facebook are doing. Maybe Facebook will have to follow Google, and simply stop supporting European use, until the EU changes its views, just as Google turned off China to thwart censorship.

(via Matthew Ingram, GigaOM, Facebook Feeling More Privacy Pain in Europe)