The platform compliance pitfall
Roads don’t have to accept responsibility for who drives on them. There are some standards for being safe, though. Imagine how much all construction would be slowed down if it got bogged down in administrative work looking in detail at who goes over the road.
Even if, like me, you don’t want the world overflowing with cars, hopefully you agree that the best way to do that isn’t to excessively increase the costs of roads.
The point
In my work, we maintain various learning platforms. This is what one of their privacy notices could look like:
Privacy notice for student data
Data contains: whatever you upload
Data source: you, when you upload
Data usage: as you choose to analyze it
Data removal: when you delete it
To update or correct data: correct it yourself
Or this, for the assignments submitted via the platform:
Privacy notice for student data
Data contains: whatever your teacher requests you submit (in accordance with privacy notice for teaching)
Data source: you (in accordance with privacy notice for teaching)
Data usage: as decided by your teacher (in accordance with privacy notice for teaching)
Data removal: when your teacher deletes it or requests we remove their course page (in accordance with privacy notice for teaching)
To update or correct data: contact your teacher (in accordance with privacy notice for teaching)
As you can see from this, we and the platform itself aren’t deciding how the data is used. Students can use it for their own work, in which case students decide themselves. For the submitted assignments, teachers decide how data is used (hopefully in compliance with the privacy notice for studies!).
The problem comes when we are required (by others in the university compliance teams) to make a privacy notice just for this platform covering everything that happens on it. In legal terms, we are forced to act like the controller of the data on the platform. For the data submitted as assignments, this is somewhat reasonable, since there is only one legal entity involved. For students, it makes no sense since legally, the closest model is that we are a data processor for the data they control themselves.
Note: I expect someone to say “no, what you describe isn’t what is actually required.” Well, then please help us to avoid spending so much time in meetings related to the above. The purpose of this post is to help us realize when this is happening and change our mindset, not to complain or claim I know the best.
Note that the metadata of the platform, such as the login details, would be covered under its own privacy notice.
The effect
What happens? We spend huge amounts of time trying to align things that don’t make sense together. You know how people say EU over-regulation reduces innovation? I think this is an example of it. All the goals are good: transparency of how data is processed and stored. But when you are pushing the limits of normality (“innovating”), the real world doesn’t line up with the expectation, and when you are in a risk-averse society (because of huge penalties for doing things wrong), lawyers will slow down everything that isn’t normal-looking.
Instead of spending time doing productive work (our final goal or understanding the complexities of the situation), we spend time fighting ourselves.
What to do
Disclaimer: I’m not a lawyer but have been involved in these things for a while. I know the problem exists, but you need someone else to tell you if the below is possible and how to do it. Or hire someone who will make it possible.
Part of this is baked into the system and there is not much to do.
But our organizations need to spend more time trying to interpret things usefully, not make our documents look as normal and boring as possible. This actually takes skill, which I would think would be more interesting than debating documents the way it is done now.
We should accept that some things are platforms and the privacy notices can be delegated to another part of our organizations. We should also better acknowledge that sometimes we are a data processor but not controller (and the controller may be a private individual or a different part of the organization).
This will both be more transparent for our users (which is the actual intention after all), easier for us to document (long term, once we understand how to do it), and more interesting for our legal services who are supervising things. I’m not saying it will be easy, or even possible, but it will be useful.
While I haven’t been that involved in these “platform compliance problems”, I’ve seen this and think we should give more thought to the platform effects in the future.