Jan Möller, Independent Centre for Privacy Protection Schleswig-Holstein
The P3P specification has a double nature. On the one hand, it standardizes technical issues to facilitate the exchange of privacy meta information. On the other hand, it requires the website to provide certain information necessary to enable users to practice do-it-yourself privacy protection (e.g. the entity processing the data, types of collected data, purpose of collection and the type of processing). By requiring this information, P3P sets a (minimum) privacy standard.
By offering a P3P policy, websites give a binding promise to their users that they will follow the P3P standard as a whole. Part of the promise is to provide the information required by the P3P specification truthfully and comprehensively. It also includes a careful interpretation, according to the P3P specification, of what personally identifiable data actually is. All things considered, using P3P means agreeing on a legally binding (minimum) privacy standard between the parties.
Some countries have their own data protection laws requiring, for example, special user information or allowing data use for special purposes only. These legal privacy standards are, especially within European Union member states, higher than the P3P specification's requirements (e.g. which information has to be provided in the P3P policy).
The relations between the P3P privacy standard, other legal privacy standards and the parties involved are illustrated in the following chart.
Websites operating from one of those countries are bound to their national legal privacy standard (which incorporates the EU Directive on Data Protection's minimum standard). P3P policies of such websites have to reflect these additional requirements; they have to be legally localized.
If websites do not incorporate all binding legal privacy standards into their P3P policy, they reveal a breach of law or agreement (depending on where the legal privacy standard derives from) on their website. This could draw the attention of supervising authorities or competitors and their lawyers. Maybe even worse, sub-standard P3P policies might warn the users of a violation of their privacy rights by the website and deter them from using it.
In contrast to the P3P specification's minimum privacy standard, which is included in every technically valid P3P policy, the national legal privacy standard has to be taken into account while building the statements of a P3P policy.
For a privacy enhancing effect, legal localization has to take place on both sides: in the website's P3P policy and in the user's P3P agent. P3P agents can inform the user of the violation of legal privacy standards by a website. To provide this warning, the P3P agents need default preferences reflecting the national legal privacy standard.
Without such default preferences, the majority of users will not be warned that their legal privacy rights are violated, and therefore they cannot control and enforce their rights. Legal localization of P3P agents is an added value for the user, as he is not only informed about what is happening with his personally identifiable information but also gets a legal reference as to whether this kind of data use is acceptable.
Data protection laws for the internet have existed in Germany since 1997. Nevertheless, a recent survey for Germany showed that 74% of 139 company websites had deficits in following data protection laws concerning cookies. 68% were major violations. 70% of the websites did not inform their users concerning data collection as required by law. 60% were major law breaches. That means there is a major discrepancy between the German legal privacy standard concerning websites and the de facto privacy standard. This is somewhat surprising, as there are effective remedies against privacy violations available (e.g. petition to supervising authorities, penal measures and competition or contractual law claims). Can P3P help close the gap? How can P3P enhance internet privacy?
In countries with a higher legal privacy standard than P3P's privacy demands, websites have to adapt their data processing practices and their P3P policy to the national legal privacy standard. For websites run from such countries, the offer of P3P does not result in new legal obligations. Accordingly, P3P has no enhancing effect on the legal privacy standard.
This is different in countries whose legal privacy standard is lower than the demands of the P3P specification. Websites from these countries gain new legal obligations by offering P3P to their users, as the offer includes the promise to comply with the P3P specification's privacy standard. The legal situation of users of these websites improves, as the self-commitment of websites to the P3P privacy standard results in new enforceable rights.
A reason for the gap between the legal and de facto privacy standards seems to be that the violation of privacy on the internet often goes unnoticed by users. Another reason might be the lack of information on what rights and remedies exist for personal privacy protection.
Widespread P3P usage will give the internet user more insight into what actually happens with his data on a website. Privacy in general will be more permanently in users' focus. Comprehensive knowledge about data collection by websites, as delivered by P3P, enables the user to make better use of the existing legal framework to enforce privacy rights. Control and enforcement of privacy rights by the user would minimize the gap between legal privacy standards and the de facto privacy standard on the internet.
Using P3P to empower the user to practice do-it-yourself privacy protection, by making available information on rights and on the reality of data processing on websites, requires a legal localization of P3P. Legal localization is especially necessary if the legal privacy standards of the country are higher than the P3P privacy standard.
Legal localization of the P3P agents means preferences reflecting national (regional - EU Directive) legal privacy standards. Preferences set to a lower standard do not inform the user sufficiently, and as a result he cannot enforce his privacy rights. In this case P3P has no privacy enhancing effect, as the user cannot work towards bringing the legal and the de facto privacy standard closer together. Currently the user can legally localize some P3P agents by uploading preference files reflecting his national legal privacy standard, but not all P3P agents offer an uploading function and not all P3P agents use standardized APPEL. Moreover, a collection of APPEL preference files reflecting different legal privacy standards should be available for download on a website. P3P agents should link to this website. Even more important than enabling the user to legally localize his P3P agent would be offering a P3P agent with default preferences reflecting national or at least regional (EU Directive) legal standards.
Legal localization of P3P policies means incorporating national (regional - EU Directive) legal privacy standards in the statements of P3P policies. In doing that, websites will have to raise their de facto privacy standard to the national legal standard or at least to the P3P specification's requirements; otherwise a breach of law or agreement will be visible to all website users. As adapting a P3P policy to legal privacy standards is not easy, policy generators should assist in this task. There should be optional legal localization files for policy generators which influence the policy generating process, so that options of P3P that are illegal according to the legal privacy standard cannot be chosen, or so that necessary information becomes a required field for finishing the policy generating process.
Finally, websites offering a P3P policy compliant with national legal privacy standards could receive a privacy seal. In this way the website could prove its reliability and trustworthiness by taking its customers' privacy seriously.