"This is a significant step in creating a common, worldwide platform for privacy notices," said Martin Abrams, executive director for the Center for Information Policy Leadership at global law firm Hunton & Williams, which facilitated a Berlin workshop that led to the consideration of the plan by the Article 29 Working Party. European consumer advocates and data protection commissioners also participated in the Berlin workshop.
The Article 29 Working Party adopted the joint report (or "common position") on privacy notices at its November 25-26 meetings. It is now published on the EU Data Protection website. The multi-layered approach may facilitate the use by companies of a common notice throughout Europe, using "very short," "condensed" and "complete" notice options. The Article 29 Working Party's action does not result in any reduction in the information given to consumers in privacy notices, rather it will increase transparency by allowing notices to be given in a more easily understandable format.
Business leaders hailed the news. "This regulatory guidance enables us to create user-friendly notices," said Peter Fleischer, Microsoft's European public policy leader. He noted that Microsoft conducted focus group research in Germany and Hong Kong that was cited in the common position. "Consumers want privacy notices that are short and easy to read. The collaboration between the regulators and industry will allow us to give consumers what they want," said Fleischer.
Lucy Hodgson of Procter & Gamble believes these notices will help her company become even more consumer-driven. "The short notice allows us to tell consumers about our data collection while maintaining the integrity of our consumer communication." Procter & Gamble already has a condensed privacy notice on its website.
Malcolm Crompton, former Australian Data Protection Commissioner, suggested businesses should not underestimate the significance of this action. "Multi-layered notices are on the work-plans of both the OECD and APEC, and the US financial services regulators are conducting research on privacy notices," he said. "This concept has real momentum." Mr. Crompton organized the 25th International Data Protection Conference mentioned in the common position.
"There is still a great deal of work to be done," Abrams concluded. "Business needs to embrace this standard and work with the Data Protection Commissioners to develop best practice examples. Consumer advocates need to be involved in this process as well."
"Consumer and privacy advocates must be part of the process to assure consumer interests are respected," agreed Paula Bruening of the Center for Democracy and Technology. CDT has led an ongoing dialogue between consumers, business and government on effective privacy notices.
