MACHINE READABLE PRIVACY POLICY
Version: 0.1
Author: Emir Uzeirbegovic (emir@usgroupltd.uk)
Date: 15/05/18

1 OVERVIEW

1.1 Introduction

It has long been the case that commercial websites feature a privacy notice or policy which outlines how the company in question may use a user's data. The recent advent of the GDPR strengthens this requirement, and forces privacy policies to be clearer and the uses of data to be more strictly aligned to the company's lawful basis for processing it.

1.2 Central Issue

A central issue remains unaddressed, namely that over the course of time we may visit dozens of sites and use many different services, all of which may have ever-changing privacy policies, and it is extremely impractical for users to actually read through privacy policies prior to using a service. It is thus difficult for users to be, or to stay, meaningfully informed, because the time spent on reviewing policies does not scale practically with the number of services, nor with the rate at which privacy policies may change. This leaves the user in the default position of being uninformed and manipulable.

1.3 Solution

The aim, then, is to solve this problem by introducing a mechanism which allows the user to remain informed and stay in control of their privacy regardless of how many online services they use or how often those services change their privacy policy. This could be done very effectively through the introduction of a "machine readable" policy standard which would make it easy for computers to "understand" policies. It would thus allow for browser extensions which enable the user to configure their web browser according to their privacy tolerances, so that the web browser could automatically compare the user's privacy settings with the website's machine readable privacy policy.
If the website's practices are not within the user's tolerance, the web browser can notify the user prior to loading the site, thus keeping the user informed and allowing them to consciously decide what to do, and so to be in control of their privacy in a scalable way.

1.4 Transformational Benefits

There are other transformational benefits to the widespread adoption of machine readable policies, namely the mass collection of codified privacy policy information, which when turned into useful aggregate statistics would convey the ability to:

a. track and validate the effectiveness and adoption of government-level data protection policies and initiatives.
b. benchmark compliance, rank sites and set new measurable standards.
c. identify systemic risks to privacy (e.g. partners that everyone shares data with).

1.5 In All

By allowing users to automate how they handle privacy, and requiring websites to be transparent about their privacy policies in a machine readable way, the initiative returns control of privacy to the user and introduces extremely powerful and scalable new tools for the enforcement of law and the protection of users' rights.

2 PROPOSAL

2.1 New Standard

I propose that we should specify a standard for machine readable privacy policies which captures all of the information required by the GDPR and more, in a form that a computer can easily process and act on. This should include the standardised expression of things like:

a. The categorical purposes data is used for (e.g. marketing, recommendations, re-sale, etc.), and the lawful basis for each purpose.
b. Which personal information is used for each categorical purpose.
c. The business names of others that the data is shared with, and their categorical purpose.
d. Sources of additional data about the user not produced by the user, and which information is contained therein.
e. Retention periods for collected data.
f. A list of URLs on the site for actioning individual rights.
It should also include the standardisation of unique identifiers for data processors and controllers (e.g. companies), and the creation of standard taxonomies for the classification of personal information and data processing purposes (amongst other things), so that the data collected may be comparable.

2.2 Initial Objectives

The following are the initial objectives that the standard should meet if it is to be successful.

2.2.1 Clear Legal Basis

The GDPR, currently being implemented in the EU, provides perhaps the most empowering general data protection framework available to date. It is proposed that the GDPR is used as the initial legal basis and that this project be in support of the GDPR, with a view to co-evolving with it and perhaps eventually becoming part of it.

2.2.2 Alignment to Core Use Cases

I have suggested a set of core use cases in section 2.3 of this document. I think that a successful specification of this standard must result in the satisfaction of the core use cases, i.e. the implementation of the standard must directly imply the enablement of the core use cases.

2.2.3 Ease of Implementation

The machine readable privacy policy should be easy for websites to implement. At the same time, the way websites implement this standard should make it easy for web browser extension builders, crawlers and application developers at large to make use of the exposed data in order to deliver on the core use cases. An example of a standard that I believe achieves both at the same time is robots.txt (available here: http://www.robotstxt.org/orig.html). A similar approach ought to be considered for this specification.

2.2.4 Multi-lateral Governance

The initial efforts should establish a working group responsible for the steering and governance of the standard, such that it is representative of the influences required to make the standard a success. This may include big business, government, privacy advocacy, customer choice, academic and ethical entities, amongst others.
2.3 Core Use Cases

I believe that the following are the most important general use cases that the development of this standard should aim to facilitate.

2.3.1 Deep Transparency and Standardised Reporting

This standard should require websites to expose their purposes, partners and the types of data they collect at a high level, using standardised taxonomies and unique identifiers (e.g. for identifying the partners data is shared with). This helps ensure that the data exposed therein is fit for purpose, and thus allows privacy policies to be compared to each other, benchmarked and contrasted with standards. This level of information may in turn be used to:

a. track and validate the effectiveness and adoption of government-level policies and initiatives.
b. benchmark compliance and set new measurable standards.
c. identify systemic risks to privacy (e.g. partners that everyone shares data with).

2.3.2 Inversion of Control

It is a core aim of the project to make it possible for extensions in a user's browser to apply a user's "acceptability policy" to any given website's privacy policy, and to intervene if the website uses data in a way that the user does not approve of, by informing the user, automatically taking pre-approved action, or prompting the user for action. Thus the data which is made machine readable by a website's implementation of the standard must be sufficient for this purpose.

2.3.3 Discoverable and Public

The implementation of this standard by websites should make it easy for privacy policies to be discovered and read for any given website, such that a systematic crawl of all privacy policies on the public internet could be carried out. The facilitation of this kind of mass data collection allows for all sorts of informative and enforcement-related use cases that can be used to effect policy on a mass scale.
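As an added illustration of sections 2.1 and 2.3.2 (not part of this proposal, which defines no schema), the following shows the shape such a policy document might take and the comparison a browser extension would run against a user's acceptability policy. Every field name, identifier and URL is an assumption; the retention, partner and rights fields map to items a., c., e. and f. of section 2.1.

```javascript
// Constructed sample of a site's machine-readable policy. In a real deployment
// the extension would fetch this from a well-known location on the site
// (the robots.txt-style discovery the proposal suggests); the location,
// field names and identifiers here are assumed, not defined by the proposal.
const sitePolicy = {
  controller: "controller-id-0001", // assumed standardised controller identifier
  purposes: [
    { purpose: "service-delivery", lawfulBasis: "contract",
      data: ["email", "name"], sharedWith: [], retentionDays: 365 },
    { purpose: "marketing", lawfulBasis: "consent",
      data: ["email", "browsing-history"], sharedWith: ["adnet-id-1"], retentionDays: 730 },
    { purpose: "resale", lawfulBasis: "legitimate-interest",
      data: ["browsing-history"], sharedWith: ["broker-id-9"], retentionDays: 1825 },
  ],
  // URLs for actioning individual rights (item f. of section 2.1); placeholders.
  rights: { access: "https://example.invalid/rights/access",
            erasure: "https://example.invalid/rights/erasure" },
};

// Constructed user acceptability policy, as configured in the extension.
const userTolerance = {
  forbiddenPurposes: ["resale"],
  forbiddenData: ["browsing-history"],
  forbiddenPartners: ["broker-id-9"],
  maxRetentionDays: 1000,
  requiredRights: ["access", "erasure"],
};

// Compare the site policy against the tolerance and return every mismatch,
// so the extension can inform the user, act, or prompt (section 2.3.2).
function checkPolicy(policy, tol) {
  const findings = [];
  for (const p of policy.purposes || []) {
    if (tol.forbiddenPurposes.includes(p.purpose)) findings.push(`purpose not accepted: ${p.purpose}`);
    for (const d of p.data || []) if (tol.forbiddenData.includes(d)) findings.push(`${p.purpose}: uses ${d}`);
    for (const s of p.sharedWith || []) if (tol.forbiddenPartners.includes(s)) findings.push(`${p.purpose}: shared with ${s}`);
    if (p.retentionDays > tol.maxRetentionDays) findings.push(`${p.purpose}: retention ${p.retentionDays}d exceeds ${tol.maxRetentionDays}d`);
  }
  for (const r of tol.requiredRights) if (!(policy.rights || {})[r]) findings.push(`missing rights URL: ${r}`);
  return findings;
}

// Decision the extension would take before the page loads: allow only when nothing mismatches.
function decide(policy, tol) {
  const findings = checkPolicy(policy, tol);
  return { allow: findings.length === 0, findings };
}
```

For the constructed site above, `decide(sitePolicy, userTolerance)` returns five findings (one for the marketing purpose's use of browsing history and four for the resale purpose) and `allow: false`.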
3 NEXT STEPS

3.1 Establish Interest, Support and Route to Implementation

I think that an initial step has to include clear and open interest, established through the socialisation of the core idea and benefits of machine readable privacy policies with the would-be stakeholder group, as the standard does not have a chance if such interest cannot be established. This step should include evolving this document, especially the objectives and core use case sections, to suit the interested parties.

3.2 Create a First Draft

Once there is interest and it is known who will be initially involved, an agile sub-group can be set up to establish a first draft of the standard, which may then be used as a reference document for the discussion of concrete initiatives reliant on the implementation of the standard, i.e. the first draft helps establish a programme of action.

3.3 Establish a Steering Group

Finally, a steering committee with clear objectives and KPIs can be set up, the goal of which is to:

a. define a programme of action which is in the spirit of the standard but which may impart specific benefits to subsets of stakeholders in the steering group.
b. co-evolve the first draft of the standard with the programme, such that a first version of the standard is immediately supported by the programme of action.