Bits of privacy

Some days ago I read that the publisher of a gay magazine from New Jersey (XY) filed a bankruptcy and their creditors aimed to take the database containing information about their subscribers. The publisher also maintained a website, and had more than a million custumers which had given personal information, including (obviously) their sexual preferences. Well, it's sure that the only thing that could be valuable in that business was that database, like in most cases.  The controversy reached the FTC, which sent to the publisher's business partners a letter telling them that any sell, transfer or disclosure of the information could be illegal and against the privacy policy promised by XY, where it stated that 'the information would not be given or sold to anybody'. They could violate the FTC Act and commit unfair or deceptive trade practices.

Finally the parties reached this agreement: the publisher must destroy all the information, and retain only some personal information to give some back issues to customers that asked for. The EFF describes the real problem:

…the Bankruptcy Code itself doesn't handle this scenario very well. Companies that possess customers' personal information are likely — through their own privacy policies — to give themselves permission to sell that information if they go out of business or have a change in ownership. And in the rare case where a company promises its customers that their personal information will never be disclosed to anyone, a bankruptcy court can still allow the data to be leased or sold if that transfer wouldn't otherwise violate the law.

In such cases, Spanish legislation is permissive, as stated in Royal Decree implementing our Data Protection Law. Companies don't have to foresee this event:

Should the data controller change as a result of an operation of merger, demerger, global assignment of assets and liabilities, contribution or transfer of business or branch of business activity, or any corporate restructuring operation of a similar nature contemplated by company law, a disclosure of data shall not be deemed to have occurred, without prejudice to compliance by the data controller of the provisions of Article 5 of Organic Law 15/1999, of 13 December.

So easy. That's not considerated a disclosure, because creditors in XY Magazine case which would be given the database by a court, would be the legitimate 'data controllers'. They will only have to inform the customers about the new situation, and respect the initial conditions given to them by the initial company. But USA companies are obligated by their own privacy policies, written when they don't  think absolutely being in bankruptcy…

It’s been a surprise. Apple’s new iphone launch hided a treacherous manoeuvre: to collect the location data of its users. We were used to Google tricks, but here we have a novelty. Again an example of unique privacy policy, and multiple and international users… with their different legislations.

I’m sure that the invasion of ‘location services’ made the company consider that it has a lot of tracking possibilities and wants to monetize them. Just think a moment about the number of iphones sold through the world. And here we have the first step: give prompt notice to your users about your future activities.

What’s up then? The new privacy policy, in ‘Collection and use of non-personal information’, states the following:

We also collect non-personal information ? data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

- We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

Here we have Apple’s definition of ‘non-personal information’: data in a form that does not permit direct association with any specific individual… really? I underlined ‘unique device identifier’ and ‘location’. Device identifiers and location are very easy to associate with a determined person, I think. It’s your phone, connected once a day with your computer… having iTunes or another Apple application installed. Imagine yourself buying a song at iTunes store; just one time, Apple receives your ‘unique device identifier’ and your ‘location’. You’re going to be tracked, and your information will be shared with undetermined companies.

But, guys, did you take European definition of ‘personal data’? Your services are too for europeans… you can review the definition here, where you’ll discover that if you have any information, and you can identify a subject indirectly… you have a ‘personal data’, and then data protection legislation is applicable. It also doesn’t offer complete information about the purposes of the collection, and doesn’t give any information about the cathegories of data recipients. You didn’t give too much information, but information to final user is the key. Not only in Europe, but also everywhere if you want to do ‘fair business’.

German Justice Minister, Sabine Leutheusser-Schnarrenberger, asked Apple to implement the transparency often promised by Steve Jobs. In a statement, Apple said that iphone 4 users will be given the opportunity to ‘opt-out’; they will be able to deny the transfer of any personal information to third parties. Ok, Apple, but, what about the rest of us? Do we have to be german to be offered this possibility?