I’ve enjoyed an occasional luxury of following some rather interesting and lively discussions about intermediary liability for web based IPR-content. The issue is without a doubt more than current in the world of digital networks and internet economy.
To me it – and I assume to majority of others – it seems that setting limits of liability to those creating possibilities for us to connect with each other is crucially important. IPR holders surely have an interest for widening that liability beyond traditional common sense. This goes without saying especially when there’s money on table. But there is really no considerable option for an internet service provider today to be in control of all and every piece of information running through their pipes.
But how would one go about personal data protection from the perspective of an ISP? The liability issue certainly hasn’t been raised up on a large volume and scale… not so far at least. And european regulation is lagging behind by far. We certainly do possess somewhat adequate rules for the IPR trouble – although applying of it seems to be troublesome – that were enacted at times when cases of real world were already up front… we all knew well enough to draft proper regulation. For European data protection fact of the matter is essentially different. The fundamental law (Data Protection Directive) was drafted at a time before the first commercial web browser, and certainly ages before web 2.0 and the world of internet it created. No one simply did not have a clue of what was to be created in the future. And so most of the directive seems to have been prepared with linear social relationships in mind – a data controller collecting information from data subject.
Rule of the thumb for personal data collection requires that all personal data be collected for specific reason, and for that specific reason only. Reasoning should to be clear and consistent enough so that anyone can reach full and clear awareness of existence of his or her personal information being collected.
Idea behind this logic works well with strictly linear relationship, from A to B. But what happens in a connected world where someone offers people a platform and tools to play around with? But you and your peers create the content all by theirselves? Who’s in control of data on the platform?
Data Protection Directive claims that personal data regulation applies even for strictly automated processing of personal data, even if it would de facto be considered completely passive computing in reality (though I may be willing to disagree…). And all computers certainly process a whole lot of data without any of us really being aware of it.
Social media and probably the whole of Web 2.0 has its fundamental foundation on the rule of sharing information. Without this movement we would certainly fall short of so many things. But… personal data regulation seems to offer no clear protection for those who are kind enough to offer you free tools and platform – or even clever enough to hit the market with a solid income strategy. European Data Protection Directive makes an assumption that all legally acceptable personal data processing (exceptions aside) are based either on an actual informed consent of a private person, or at least on a contractual and linear relationships.
This very idea and structure of legal thinking puts a substantial burden on web technology and innovation on new models of web services. It does not easily support the business for coming up with new ideas to meet people for their needs, wishes and desires (and I’m not saying it always should).
Needs of business surely can’t justify deregulation or liberation of it. But we do need to keep in mind that most of internet was created – and it still is based on – something else than business market. Free and effective ways to improve information access and networking is a perfectly valid reason for private people to appreciate internet, regardless of economic interests. It is certainly not evil to create business on the basis of satisfying people’s social needs. The road builder shouldn’t generally be held liable for a man driving over another. Surely quality requirements are at place, but assumption of liability should rather be on those who have their hands on the wheel.
This very to topic seems to be showing up from time to time in forms of privacy violation related cases. Google execs are currently facing criminal charges in Italy for privacy violations on YouTube (and I can’t, for the life of myself, really figure out any possible grounds for legal basis… but the case is standing for now). In the end it all falls down to two questions about legality of processing personal data: Do we need consent? And who’s in respons for acquiring that consent?
Much like in copyright liability, we are at the point where we simply must find a clear and understandable way to define intermediary liability on privacy protection.
Oh and by the way…. If anyone has any legal facts to offer about the Google/YouTube case in Italy, please, let me know…
