How the use of design principles may aid compliance with data protection rules
One of key principles of the General Data Protection Regulation is that personal data are processed lawfully, fairly and transparently. This is further evidenced by Articles 13 and 14, of which culminate in the ‘right to know’. This means that data subjects must be provided with certain information at the point that there data are first collected and processed. Such information must convey the ‘who, what, where, how and why’ of the processing operations.
The idea behind such an obligation is simple; the processing of one’s data would not be fair or transparent if people were not properly informed about the circumstances surrounding such processing. Thus, privacy notices are a way to achieve the fairness and transparency that the data subjects are entitled to have. In particular, such notices can help people avoid having to passively accept long documents of legalese without fully understanding how their data are processed and who it might be shared with.
This is especially important where consumers are providing their personal data in return for free digital services. Jamie Susskind, the author of Future Politics: Living Together in a World Transformed by Tech, calls this particular transaction “the Data Deal”, which involves companies taking personal data and producing valuable goods and services for consumers from which companies can profit from.
A privacy notice can be of aid where it is able to decipher for consumers the contents of this transaction. The consequence of this is two-fold. Firstly, it encourages companies to make more lucrative offers to consumers in exchange for their data. Secondly, it can help consumers realise the true value of their data and therefore be more diligent about who they provide it to.
However, such a clean transaction is only possible if data subjects can actually comprehend the privacy notices provided to them. This is one of the drawbacks that Susskind notes with the Data Deal; it presumes that consumers understand, at least to a significant extent, the implications of providing their data to companies.
Some would argue that such a presumption ignores reality. Last month, the UK Parliament produced a report criticising the current state of privacy in the digital realm. It stated that individuals are “high unlikely to read or fully understand complex and lengthy terms and conditions and privacy notices” of which are presented in a “take-it-or-leave-it manner”. Shoshana Zuboff, the author of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, echoes this point by arguing that traditional privacy notices have allowed those processing personal data to conduct their operations with little accountability and transparency.
Yet, a promising solution has slowly emerged in the midst of this injustice. Legal design, which used to be a niche and perhaps overlooked practice, may soon be recognised as the standard method for delivering privacy notices to better accomplish the mandates of data protection law.
Margaret Hagan, the Director of the Legal Design Lab and a lecturer at Stanford Institute of Design, defines legal design as “the application of human-centred design to the world of law to make legal systems and services more human-centred, usable and satisfactory”. Ultimately, it is about delivering legal services and content in way that is useful and engaging to a wider range of people. This is achieved by incorporating certain design principles in order to communicate legal concepts in a more accessible manner.
According to Hagan, part of executing effective legal design is focusing on the needs of the target audience and using that insight to shape the delivery of legal information that meets their demands. The application of such an approach to privacy notices may therefore be a particularly valuable way of achieving the fairness and transparency required under the GDPR by helping data subjects discern what is happening with their personal data.
A good example of this is the privacy notice of Juro, a contract collaboration and management platform. The notice was designed with the help of Stefanie Passera, a specialist in contract and legal design based in Finland. Three basic aims can be deduced from her work with Juro. The first was to identify the key points that users wanted to know about the data processing, so that such information could be prominently displayed. The second was to avoid using “a wall of text” to convey information so as to encourage users to actually read the material presented to them. The third was the use of a layered notice, whereby the most important information is presented initially with the option for users to view the full notice. Such a practice has been recommended by regulators, including the Information Commissioner’s Office.
In addition to this, Passera also used other innovative methods to deliver Juro’s privacy notice, in particular the use of a timeline to indicate when data from users was being processed whilst navigating the company’s website or using its services. Passera points out that “users understand information better when they can contextualise it within their experience”.
Presenting privacy notices in this novel way does not just comply with the law though. It can also serve as a way to build trust with consumers and turn privacy compliance into a competitive advantage as opposed to a mere box-ticking exercise. The Law Boutique, a legal consultancy helping in-house lawyers in fast-growth organisations, makes use of images and simple sentences for its short-form privacy notice on its website. Electra Japonas, its founder, recently declared that its notice was its second most visited page.
Thus, the increased use of legal design for privacy notices may help reverse the current imbalances of the digital age. It may also provide a glimpse of kind of work that lawyers will become more frequently involved with in the future, as the profession becomes more user-friendly and streamlined. Consequently, collaborating with designers, marketers and technologists may become more imperative as legal experts seek ways to provide a more fruitful service. A new future awaits.
Jamie Susskind, Future Politics: Living Together in a World Transformed by Tech (OUP 2018).
Shoshana Zuboff, Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (Profile Books 2019).
Projects from Dot (a legal design consultancy)
Legal design for in house: the GDPR challenge no one is talking about (YouTube)