Safety & Privacy in a Digital Europe

On May 15, 2012 the Family Online Safety Institute (FOSI) hosted a forum within the European Parliament in Brussels, designed to bring together the European Commission, Parliament, key industry players and civil society for informal discussions. Against the backdrop of an activist European Union, the panels covered key topics in Internet safety, privacy and the need for a complementary international approach.

Brussels has a long history of work in the field of online safety, for example the 'Safer Internet Programme' launched in 1999, has provided over €100 million for a wide variety of initiatives. However, the current level of Commission engagement in the issues has not been seen before. Under the direction of Commissioner for the Digital Agenda, Neelie Kroes, the Information Society and Media Directorate General, (soon to become DG Connect), have taken practical steps to further engage industry in these matters. Viewed in conjunction with the changes to the privacy regime, and particularly children's privacy, contained within the proposed reforms to the data protection framework, from the office of the Commissioner for Justice, Fundamental Rights and Citizenship, as well as the increased commitment from the Parliament, it is safe to say that we are entering an era of unprecedented engagement by the European institutions.

There are four key initiatives that have the potential to dramatically change the debate around children on the Internet, as well as having major implications for the work that is being done in the US and around the world.

Firstly, in December 2011, Commissioner Kroes announced the formation of the 'CEO Coalition to make the internet a better place for kids.' The Coalition includes around 30 industry members and operates under strong leadership by the Commission. There are five strategic areas of work, namely; simple tools for users to report harmful content and contact; age-appropriate privacy settings; wider use of content classification; wider availability and use of parental controls; and the effective take down of child abuse material. Each working group is expected to report back on their initial findings in June 2012, with final results due in 2013.

Industry responded in early 2012 with the 'ICT Coalition for a Safer Internet for Children and Young People.' The group aims to develop innovative ways of enhancing online safety and encouraging responsible use of the internet; empower parents and care-givers to engage with and help protect their children; provide easily accessible, clear and transparent information about online safety and behavior; and raise awareness of abuse reporting functions. It appears that they are following a similar results timetable to the CEO Coalition.

Thirdly, the data protection reforms to the 1995 framework were published in January 2012 by Commissioner Reding. In addition to working to create a digital single market, as proposed in the 2010 Digital Agenda for Europe, the rules create new consent mechanisms for both adults and children, increase individual control over personal data and give rise to a right to be forgotten for all. The heightened consent requirements would bring the EU in line with the US position under the Children's Online Privacy Protection Act, but the newly imagined 'right to be forgotten' would take Europe out on its own with respect to individual data management.

Finally, in May 2012 a joint program was launched by Commissioners Kroes, Reding and Malmstrom. The 'New strategy for safer internet and better internet content for children and teenagers' builds upon much of what is contained within the CEO Coalition, aiming to equip children with the skills that they will need to fully participate in the digital world. The strategy challenges industry, with the support of the Commission and Member States to improve upon the interactive, creative and educational content online for children.

The FOSI forum in May focused on three key areas: safety, privacy and the international approach. As part of the safety discussions, the importance of an holistic approach was highlighted by many in order to ensure that children have safe experiences online, which requires a commitment by all stakeholders. According to FOSI, the essential components of such a culture of responsibility are: 1) Reasonable government oversight and support; 2) Fully resourced law enforcement; 3) Robust and comprehensive industry self-regulation; 4) Tech-savvy teachers; 5) Empowered parents; and 6) Resilient children making wise choices about the content they access and post online, the people they contact, the people they allow to contact them and how they conduct themselves online.

Within the supranational structure of the Europe Union, it was agreed that both the Commission and the Parliament have important roles to play in online safety efforts. Also highlighted was the need for a 'better' Internet for children, not just a safer one. In order to fully embrace the digital world, children need to be able to access content created for their demographic, instead of material aimed at teenagers or adults.

Whether or not the very notion of privacy has changed with the advent of social media formed an interesting conversation with no consensus among industry and representatives from the EU institutions. However, where there was complete agreement on the commitment to children's privacy, no conclusion was reached on how to protect it.

The increased demand for granular controls means more complicated privacy policies and methods of privacy protection, which is the opposite to the simplification of privacy practices demanded by policy makers. They are demanding simpler privacy policies that are comprehensible by children, sometimes without fully considering the consequences of simplification. The true test of privacy awareness comes not from how many people read a privacy policy, but rather if it can be seen in the behavior of users. As people become increasingly aware of their information sharing, they will make demands upon companies, as it has been shown that privacy is of value to users and will continue to be so.

As with any such debate, considerable thought must be given to the truly global nature of the Internet. No country, nor group of countries, exists in a vacuum; any changes made will have effects on other countries' frameworks, as well as to industry. Due to the potential for these global outcomes, considerable time was devoted to the debate about current initiatives around the world.

The need for standardization within the 27 European Union countries is clear, and complies with the work of the Digital Agenda for Europe. However, when it comes to developing a transatlantic or global consensus, it becomes more complicated, and very different norms and morals begin to affect the discussion. Instead, individual countries and companies operating therein should be encouraged to develop their own approaches, while at all times considering the potential consequences for an industry operating at all four corners of the globe.

The EU is considering the four initiatives listed above, while the US contemplates the Obama Administration's privacy report, the Federal Trade Commission's privacy review, as well as the FTC's consideration of the Children's Online Privacy Protection Rule, numerous Do Not Track bills as well as the Do Not Track Kids Act from the 112th Congress. Despite all of the potential for legislation, it currently seems that the US will continue to favor the self-regulatory approach, though perhaps with increased enforcement by the FTC.

There is a perception that the current approach by the Commission is influenced by the absence of a self-regulatory history within the European Union. This subject formed a significant part of the discussion at the FOSI forum, and one speaker forcefully advanced the theory that self-regulation is never enough, particularly in this space. Conversely, it was proposed that over-eagerness to regulate would stifle technology innovation, and this notion received much support.

In 2001, the Commission published a White Paper on governance, part of which involved establishing working groups, one of which focused on 'better regulation'. Although the focus remained on 'co-regulation,' it was noted that 'self-regulation is a tool of the private sector. Much of self-regulation has nothing to do with public policy.' Co-regulation, where regulations are specified, administered and enforced by a combination of the state and the regulated organizations, is seen to combine the flexibility of self-regulation and the binding nature of legislation. This may be the style that is currently being adopted as part of the CEO Coalition, however in discussions a number of interested parties were keen to establish that there is not currently an interest in regulation in this space.

As online safety and privacy continue to ascend both national and international political agendas, it is clear that there will continue to be debate over who should protect and guide children on the Internet, and who is best placed to do so. Although the Europeans arguably lack a history of self-regulation, they are prepared to learn and listen. However, this must be matched by industry commitment and civil society engagement.

Industry must be prepared to share their work and involve the Commission and Parliament in their efforts to ensure the privacy and integrity of children. Technology companies are best placed to appreciate new trends in behavior and to see new risks, a position that enables them to respond swiftly in the best interest of user protection. However, they must take action where necessary, otherwise legislation will result. As one delegate in Brussels advanced, this is a conversation that will be led by principles, and not just by companies. So long as companies share the principles of privacy and safety for all, the call for regulation will diminish.