Review: Internet Privacy Rights: Rights to Protect Autonomy

Book Review

Paul Bernal, Internet Privacy Rights: Rights to Protect Autonomy

Published March 2014, Hardback, Cambridge University Press, Isbn: 9781107042735

Philip Leith [1]

Cite as Leith, P., Review of Bernal, P., Internet Privacy Rights: Rights to Protect Autonomy, (2015) 21(2) EJoCLI.

Since its publication Bernal's text has received a relatively positive response and indeed his general position has been confirmed by the Court of Justice of the European Union in the Google v Spain judgment [2] as well as in the thrust of bringing privacy into Data Protection law via the proposed Regulation. It looks to become a core text in the privacy debate - for example, I have recently examined a Brazilian PhD thesis which takes Bernal's text as a starting point. It is useful, perhaps, to put forward something of a critique (positive, of course) from someone who is not so taken by Bernal's argument and who finds it mirrors the confusion which is so current in the privacy debate.

I lie in the grouping which Bernal describes as 'communitarian' opponents of privacy: that is, those who would argue that concentration upon privacy underplays the importance of the social element of communication (his only other noted group of critics are those taking a feminist approach). This would certainly be my view: if you demand a right which takes into the private sphere something which I might believe belongs in the public sphere, then you reduce both my right to know and also the general and perhaps useful knowledge base of the community. The debate then becomes about how to balance Art. 8 rights against Art. 10 rights and this is the central issue in my - the communitarian - view of how we approach the need for privacy and the need for social knowledge. [3] Unfortunately, as the CJEU similarly ignored in their Google judgment, Bernal does not pay much attention to this need to balance competing rights, merely noting it in passing (p52). He can do so because the privacy argument is not really (contrary to the title of the text) what his text is about. These privacy rights are much more contentious than the ones which Bernal is interested in - so contentious in fact that Lord Kilmuir in the 1960s was asserting that he did not think that judges should be involved in the matters of what should be private and what was in the public interest, since it essentially made the judiciary censors. [4] How times change: we now have European judges more than happy to plunge into privacy cases with gay abandon.

It is this lack of attention to Art. 10 which alerts one to the real focus of Bernal's interest: the commercial concerns who provide services (particularly free ones) and who monetize through selling advertising on your screen. This is not a text about privacy per se, rather about what information commercial internet concerns may be allowed to collect upon their users and their customers. It could almost be a text on an element of ecommerce or consumer law.

As with many of the texts by privacy advocates, there is a lack of actual evidence of 'a problem'. There are certainly a number of scenarios developed, but the evidence is sparse. The Germans provide Bernal with two examples: 30,000 citizens signed up to legal action against the Data Retention Directive (p229) and 250,000 citizens who had asked for their houses to be blocked from Google Streetview (p285). Germany has a population of some 82 million. Those involved in legal action amounted to 0.037% of the population and those blocked from Streetview amounted to 0.3%. The costs of processing the offer to opt out of Streeview led to Google deciding not to continue with the service in Germany, a service which is clearly popular with users in other countries. The evidence which Bernal provides in his text does not seem to be particularly strong to prove that there a groundswell for privacy rights on the internet. Indeed, one can counter this with the fact that there appear to be some 25,332,440 Facebook users in Germany (30.1% of the population) using a social networking system which is not exactly renowned as a privacy locus. [5]

Although there are clearly many problems with the original Data Protection Directive, it was created in an environment where there was plenty of evidence of harm. Credit could be impossible for some to get because of incorrect data held; companies refused to change data; and a general attitude that low standards in data handling were fine all led to a need to provide a basic level of access and rectification. These, we might say, were two primary goals of that original legislation and whatever the critics of that regime may say, the Directive imposed positive change upon data handlers and led to rights which affected many. Clearly, data security (a third target) has been more problematic in the digital environment when we moved away from large magnetic tapes and heavy disk platters, but that is hardly the fault of the Directive given that it made this a requirement. The Directive was never a privacy law.

In contrast to these real problems Bernal gives us a number of scenarios which he hopes will make us aware of the dangers of a lack of privacy, and it is here that we see where his interest lies. It is the collection of data through service providers: ISPs, free services, search engines as well as those who we do business with. In the terminology of today, he is interested in Consumer to Business data collection rather than what we might properly call 'privacy'. Indeed, the term 'data protection' might provide a better title for this text than privacy. His interest therefore does not impinge too much upon my Art. 10 rights, which perhaps explains why there is such a dearth of discussion on these in the text. However, that makes his mention of communitarian and feminist critiques seem out of place: why would either grouping care about denying the rights of commercial concerns to collect data unless they thought commercial freedom of speech to be vital? Both groups might well agree with him that such collection is potentially problematic. But both groups might want clearer evidence before they commit.

Bernal uses the concept of a 'symbiotic web' which I read to mean simply the goal of the Information Society project of the EU [6] where a European population take up the information products which were becoming available. Given a radical move proposed for the Information Society towards an economy which was to be based upon information rather more than on shipbuilding and suchlike, and that this was to be left in the hands of private enterprise, where we are today is perhaps not much different from what one might have predicted. We might have been surprised by the centralisation of services around so few players (Facebook in a short period of three or four years effectively destroyed the opposition). On the other hand, perhaps Marx could have predicted that a new technology not based upon physical and capital demands of setting up manufacturing facilities would simply speed up the process of accumulation of commercial power.

Bernal is correct that data collection is happening in this information society at a growing rate. Tesco's Clubcard was the first which demonstrated the power of customer data, and others have followed. Advertising revenue has effectively left the newsprint industry and gone online - because it can be seen to be more effective when you target advertising at someone who may be responsive rather than using a scatter gun approach and hoping that sufficient readers will be interested in your product. The online approach allows 'tailoring' which is something which Bernal views as pernicious: "If a business can learn enough about a customer to know how much they might be willing to pay for something … they can set prices individually for that customer …" (p68) Yes, they certainly can as can the business in the street - antique dealers who rarely put visible prices on items come to mind. At least with the online world you don't have to tramp around shops to compare prices, you can simply use an online comparison site or two or three. He also notes that, "… search results, too, are chosen taking into account what the search engine knows about the user … " (p69). Some consumers might think that that is a positive aspect of the online world rather than a negative - why would one want to receive adverts for products in which one has no interest?

There certainly are some business practices in the online world which are not exactly impeccable and some which touch the limits of legality (he notes the Phorm system), but in business there are always those who test the limits. Why would this be any more different in the online world? Particularly when the rewards for success can be so substantial.

Bernal proposes three rights for his 'internet privacy' thesis. First, that there be a right to roam with privacy. In effect that search engines and ISPs should not be allowed to (without consent) to collect data on the perambulations of users around the internet. This seems a relatively easy task to accomplish: service providers could offer two services - a free one where the consumer enters the contract to allow information to be collected, and a paid-for service where that data is not. A prediction would be that the user would use the first - they may complain a bit about loss of privacy, but the evidence is (despite Bernal's assertions) that between privacy and not paying, they much prefer the latter. Where there is unauthorized access to a computer system (to leave flash cookies etc.) perhaps we already have criminal sanctions available, even though these are not enforced. It may be time to do so if there is sufficient evidence of harm.

His second right is that of a right to monitor the monitors. This appears sensible and I for example - as a privacy sceptic - have been arguing this for some years. The registration process undertaken by the Information Commissioner, could collect and publish much more information on what the data controllers are actually doing with the collected data. At present there isn't even information on how many records are being kept by registered data controllers on the Register. [7] The system was simply used to generate revenue for the ICO rather than be a real indication of what data controllers are doing. There is no legal constraint upon the European national information offices to change this system and if they wished they could do so lawfully.

His third right is a 'right to delete' - not the much more controversial right which the CJEU has just introduced to be forgotten but one where data held by a commercial concern would be removed from their database. Once again, this may not be such a problem - Facebook users, are for example, able to delete their own files. [8] It may be a problem when users demand that information collected by other users is also removed (akin, perhaps, of the pre-digital days of going into an ex-friend's house and demanding all letters are returned) but Bernal does not discuss this option. Neither does he discuss the question of ownership of information: he presumes that this 'belongs' to the person about whom it concerns. It is not clear that this is necessarily correct: if information is collected by someone then surely they have a measure of ownership over that data?

How are these rights to be enforced? It is not clear from Bernal's argument how they might be. Is it in the court system? Some extra-national system following the ICANN domain name resolution service? What happens when the commercial concern is in the US and the user in Lithuania? Or the service is in the Philippines? What are the costs? It is always easy in the online world to suggest regulation is required, but the problem is really how to regulate in a world which is diverse, commercially driven, and where users don't want to pay for services and seem happy to accept the consequences of that particular Consumer to Business relationship. Certainly, the strongest evidence to date is certainly that obtaining free access to services is much more important than protecting privacy. Bernal and the Article 29 Working Party may not like this, but it is what has made the US information industry such a success in comparison to those in Europe who have been curtailed and will be even more curtailed by these developments in EU law. This does not sound the ideal way to move towards the successful economy built upon information which the EU has claimed it wishes to build.

[1] Queen's University of Belfast.

[2] Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD)

[3] Leith, P., 2006, "The socio-legal context of privacy", International Journal of Law in Context, 2, pp 105-136.

[4] "It would, no doubt, be possible for Parliament to leave it to the courts to decide in what circumstances a newspaper could successfully raise a defence of "public interest". Matters of public interest might be defined as "matters on which a reasonable man would consider himself entitled as a member of the public to be informed". The application of this definition would mean conferring on the courts a discretionary power so wide that it must, in effect, constitute them, in this field, virtual censors of the Press. My own view is that such a course is neither acceptable nor desirable." Right Of Privacy Bill [H.L.] Hansard Debate 15 June 1961 Vol 232 cc289-99


[6] Epitomized by the Bangemann Report of 1996 (Europe and the global information society Recommendations to the European Council). This, perhaps, is one of the most important EU documents in terms of understanding where we are now.


[8] "If you don't think you'll use Facebook again, you can request to have your account permanently deleted. Please keep in mind that you won't be able to reactivate your account or retrieve anything you've added. Before you do this, you may want to download a copy of your info from Facebook. Then, if you'd like your account permanently deleted with no option for recovery, log into your account and let us know." Facebook "How do I permanently delete my account?" Accessed September 2015.