4 Informed consent and 'terms and
conditions'
36. The issue of how informed consent was obtained
from users, for the rights to process their personal data, was
raised early in the inquiry and was a central issue throughout.[85]
Informed consent to participate in research is defined by the
Council for International Organizations of Medical Sciences, as
that given:
by a competent individual who has received the
necessary information; who has adequately understood the information;
and who, after considering the information, has arrived at a decision
without having been subjected to coercion, undue influence or
inducement, or intimidation.[86]
37. As the use of social media data and its financial
value continues to grow, it is clear that social media platforms
potentially have a very important asset at their disposal, but
the ability of organisations and researchers to use that data
is limited by law. In the UK, this law is the Data Protection
Act 1998, which maintains that consent must be obtained from individuals
before their data can be used for research purposes.[87]
38. The University of Cambridge told us that
Signing social media platforms' terms and conditions
does not necessarily correlate to informed consent, as research
has shown that users sign these complicated documents without
reading them in order to open their accounts.[88]
The University of Manchester described the example
of an individual using the social media platform, Twitter, where
"there is a process of consent as part of creating a Twitter
account" but even then, "it may not be entirely clear
to the account holder how their Tweets might be used for secondary
purposes, including research".[89]
39. The call for ethical behaviour was not limited
to the users of services. Sureyya Cansoy, techUK, reported that
an "increasing number of companies" were "concerned
about ethics questions" and Professor McAuley, Horizon Digital
Economy Research Institute, said that "many small companies,
even large ones, want to be seen to be behaving ethically and
are getting somewhat annoyed at some of the unethical behaviours
of others".[90]
Timo Hannay, Digital Science, told us that "we want to be
able to abide by any reasonable requests that users may make to
remove things".[91]
40. The primary method for obtaining consent on social
media platforms and their equivalents is by asking users to agree
to terms and conditions when they register to use the service.
Terms and conditions can be defined as "special and general
arrangement[s], rule[s], requirements, standards etc. forming
integral parts of a contract or agreement".[92]
Dr Kevin Macnish, University of Leeds, commented
on the problems in using this process.
It is widely known that these forms are rarely
read in detail or understood. The print is small and the eventual
use often obscure. Even if signing the form could be considered
an act of consent, it is often not an act of informed consent.
Caveat emptor is an unfair response if a large number are
signing up for the service on a (widely recognized) limited understanding
of the future use of the information they will provide.[93]
41. Professor John Preston, University of East London,
told us that "people treat social media a bit like they treat
the pub".[94] He
continued:
They feel that if they go into a pub and have
a private conversation, it does not belong to the pub; it is their
conversation. They interpret Twitter or Facebook in the same wayas
a place to have a conversation.[95]
He thought that "people need to know what they
are signing up to".[96]
42. It could be argued that users are compelled to
either accept terms and conditions (which they might disagree
with) or relinquish access to services like social media platforms.
While the Internet Association maintains that "companies
compete on privacy and understand that there are few barriers
to switching among providers should consumers lose confidence
in an online platform or service"; if a Tesco customer wants
to collect points using the Tesco club card, they have to sign
up to Tesco's terms and conditions.[97]
Similarly, if a person wants to connect with their friends on
Facebook, it is necessary to use the Facebook service and sign
up to their data use policy.[98]
43. During this inquiry we sought to understand the
issues surrounding informed consent, its importance in ensuring
users understood what they were agreeing to, the manner in which
companies communicated that to users, the difficulties in services
that are often sourced outwith jurisdictional boundaries and how
these issue might be addressed.
Length and complexity
44. Professor David De Roure, Economic and Social
Research Council, highlighted that a primary problem with terms
and conditions is that "few people read [what] they are signing
up to".[99] Dr Mark
Elliot, University of Manchester, speculated that users just want
to "get to the good stuff", and Carl Miller, Demos,
told us that there was "a wonderful statistic that if you
read all the terms and conditions on the internet you would spend
a month every year on it".[100]
Mr Miller concluded that "there has been little incentive
for many platform providers to do anything other than issue 100-page
documents, because everyone clicks 'Yes'", and, to change
the status quo, "pressure" would have to be applied
from "outside the company".[101]
The lack of attention people pay to the terms and conditions was
emphasised when, in 2010, GameStation temporarily added a clause
to its terms and conditions that stated the company now owned
the user's "immortal soul".[102]
Given the widespread acceptance of the clause, GameStation concluded
that 88% of signatories did not fully read the terms and conditions
documents.[103]
45. To compound the problem of length, terms and
conditions contracts have been found to employ unnecessarily complex
language. Dr Elliot identified the complex language used in terms
and conditions as a barrier to reading them, "even if you
made your terms and conditions only 500 words, I still do not
think people are going to read them, partly because of the language
they are written in".[104]
Sir Nigel Shadbolt, Web Science Trust, labelled the contracts
"totally impenetrable" and "more complex than Shakespeare",
necessitating a reading age of "19.2 years to get through".[105]
Dr Kevin Macnish, University of Leeds, commented on the fact that
these terms and conditions were often accepted by children and
thus "if we are going to make the terms and conditions understandable
to schoolchildren, that gives us a level of English and understanding
that I think is sensible to be aiming at".[106]
46. We wrote to a number of social media platforms
(or their parent companies) to ask questions about their commitment
to informed consent and their use of terms and conditions. YAHOO!
wrote that it provided information to users via dedicated privacy
webpages;[107] LinkedIn
aimed to "provide clarity" to members about how the
company used their information in a similar manner,[108]
claiming it had earned the trust of users by respecting members'
"privacy and properly protecting their personal information".[109]
Facebook explained that it had "introduced a simplified Data
Use Policy," which offered "a slimmed-down, jargon-free
guide to the way that Facebook manages data" [110]
(see image below).[111]
However, with the exception of a comment by Twitter,
stating that "during the registration process users must
give their consent to our Terms of Service, Privacy Policy and
Cookie Use"[112]
and a brief Facebook reference to Terms,[113]
there was little comment on how the terms and conditions documents
(and their use to indicate consent for data use) were utilised
by those organisations.
47. Steve Wood, Information Commissioner's Office,
told us that often terms and conditions documents "will come
from a culture within an organisation where lawyers are heavily
involved. [
] It comes from the point of view that you need
to cover everything".[114]
He speculated that "there may be some organisations that
sometimes are able to exploit the opacity of the notice".[115]
48. The Minister agreed that terms and conditions
were too complex, saying that
the idea that people read 150 pages of terms
and conditions is simply laughable; it is a complete nonsense.
We all know what lawyers are likeevery t is crossed and
every i is dotted. But the consumer needs something that is easy
to understand and straightforward.[116]
He reported that "the Information Commissioner's
Office is going to be the conduit for this kind of work, with
the industry coming forward with proposals to simplify terms and
conditions online".[117]
49. We
are not convinced that users of online services (such as social
media platforms) are able to provide informed consent based simply
on the provision of terms and conditions documents. We doubt that
most people who agree to terms and conditions understand the access
rights of third parties to their personal data. The terms and
conditions currently favoured by many organisations are lengthy
and filled with jargon. The opaque, literary style of such contracts
renders them unsuitable for conveying an organisation's intent
for processing personal data to users. These documents are drafted
for use in American court rooms, and no reasonable person can
be expected to understand a document designed for such a niche
use. We commend the
Information Commissioner's Office for investigating ways to simplify
the contents of terms and conditions contracts and ask the Government,
in its response to this report, to detail how the public at large
will be involved in arriving at more robust mechanisms for achieving
truly informed consent from users of online services. Clear communication
with the public has been achieved in the past, for example in
the use of graphic health warnings on cigarette packets. Effective
communication with the public can be achieved again.
Communicating the intentions for
data use
50. When questioned about user expectations on the
use of their data by social media platforms, witnesses did not
believe that terms and conditions documents allowed for informed
consent to be provided for the use of that data.[118]
Carl Miller, Demos, held up Twitter as an example of better practice
in this regard; he told us that Twitter was "unapologetically
open" and the "clear statements" it used early
on in the application process were "helpful in informing
people's reasonable expectation about what can happen and what
is possible with their [data]".[119]
51. The Information Commissioner's Office's report,
Big Data and Data Protection, pointed out that the Data
Protection Act 1998 requires an organisation to tell people:
what it is going to do with their data when it
collects it. It should state the identity of the organisation
collecting the data, the purposes for which they intend to process
it and any other information that needs to be given to enable
the processing to be fair.[120]
Despite this, witnesses to this inquiry considered
that the communication of how collected data may be used was rarely
clear and helpful: the University of Leeds even suggested that
the Government should consider "introducing legislation which
requires social media platforms to provide clearer information
about what happens to users' data than currently exists".[121]
52. Social media platforms outlined their policies
about transparency. For example, LinkedIn told us that its transparency
reports were intended:
to provide [their] members and the general public
with information about the numbers and types of requests for member
data that [LinkedIn] receive from governments around the world,
as well as the number of [its] responses.[122]
Similarly, Twitter told us that it "publishes
a bi-annual Transparency Report to inform our users about key
elements of disclosures".[123]
Facebook said that it had taken "extensive steps" to
put "transparency and usability at the heart of our work
on privacy, data use and consent" and outlined a number of
methods it used to promote transparency including "Ad Preferences",
a feature that is currently available to users in the US, which
is "a way for people to learn why they are seeing a particular
ad, and control how we use information about them, both on and
off Facebook, to decide which ads to show them".[124]
53. The Government was supportive of efforts to improve
the transparency of data use, stating that it "expects businesses
to be transparent and open about their use of consumer data. This
transparency is essential if consumers are to feel safe and empowered
in an increasingly digital marketplace".[125]
54. We
consider it vital that companies effectively communicate how they
intend to use the data of individuals and that if terms and conditions
themselves cannot be made easier to understand, then the destination
of data should be explained separately. We
recommend that the Government drives the development of a set
of information standards that companies can sign up to, committing
themselves to explain to customers their plans to use personal
data, in clear, concise and simple terms. In its response, the
Government should outline who will be responsible for this policy
and how it plans to assess the clarity with which companies communicate
to customers. Whilst we support the Government in encouraging
others to meet high standards, we expect it to lead by example.
The Government cannot expect to dictate to others, when its own
services, like care.data, have been found to be less than adequate.
We request that the Government outline how it plans to audit its
own services and what actions it plans to take on services that
do not meet a satisfactory level of communication with users about
the use of their personal data.
Requiring versus requesting information
55. When users sign up to access services, organisations
often require that users provide personal information, usually
without any accompanying explanation to justify such requirements.
One Committee member observed that a flashlight (torch on mobile
phone) application required him to allow the application to access
his location before being able to download the flashlight service.[126]
Professor Derek McAuley, Horizon Digital Economy Research Institute,
agreed that this was an example of an unjustified request and
suspected that the information was not needed for the application
to do its job but the company was "obviously after it for
some other reason".[127]
He indicated that companies were being "duplicitous in their
behaviour" as they were "presenting one experience,
yet asking for a lot more information".[128]
In an article published by the Huffington Post entitled 'The Insidiousness
of Facebook Messenger's Mobile App Terms of Service', marketing
expert Sam Fiorella wrote:
Facebook's Messenger App, which boasts more than
200,000 million monthly users, requires you to allow access to
an alarming amount of personal data and, even more startling,
direct control over your mobile device. I'm willing to bet that
few, if any, of those using Messenger on Android devices, for
example, fully considered the permissions they were accepting
when using the app.[129]
Some of the clauses in the contract highlighted in
his article allow the app to:
· Record
audio with microphone. This permission allows the app to record
audio at any time without your confirmation.
· Read
personal profile information stored on your device, such as your
name and contact information. This means the app can identify
you and may send your profile information to others.
· Take
pictures and videos with the camera. This permission allows the
app to use the camera at any time without your confirmation.[130]
To clarify why this array of permission requests
were made by the Facebook Messenger application, Facebook published
an explanation page on its website, stating that:
Almost all apps need certain permissions to run
on Android, and we use these permissions to help enable features
in the app and create a better experience for you. Keep in mind
that Android controls the way the permissions are named, and the
way they're named doesn't necessarily reflect how the Messenger
app and other apps use them.[131]
It listed a number of examples for permissions justifications,
which included:
Take pictures and videos: This permission
allows you to take photos and videos within the Messenger app
to easily send to your friends and other contacts.[132]
56. We were informed that the Information Economy
Council, a body co-chaired by the Government and the techUK president
that "brings together Government, industry and academia to
drive the information economy in the UK", was "creating
a set of data principles to address how we can reassure consumers
in this new digital age without losing the opportunity to get
the most out of technological innovations".[133]
One working group, led by Professor McAuley, was working on how
companies process personal information something, he indicated,
that "industries are crying out for".[134]
57. There is
a qualitative difference between requesting personal
information when registering for a service and requiring
that same information. Companies should have a greater responsibility
to explain their need to require (and retain) personal information
than when they simply request it. We
welcome the work of the Information Economy Council and recommend
that the Government use that work to provide companies with guidelines
to aid organisations in deciding what information they should
require and how that, and the subsequent use of the data, might
be managed responsibly. We expect the Government, in its response
to this inquiry, to outline a draft timetable for when businesses
might expect to receive Government endorsed guidelines in this
area.
Companies based in foreign jurisdictions
58. Several of the larger social media platforms,
like Facebook and LinkedIn, are headquartered in the USA, outside
of the jurisdiction of UK and the EU and thus subject to different
pressures when producing terms and conditions.[135]
59. Steve Wood, Information Commissioner's Office,
noted that data protection issues possess a "global dimension".[136]
The global nature of the internet can blur the traditional physical
boundaries between legal jurisdictions and cause confusion when
considering regulation. Carl Miller, Demos, stated that "legal
jurisdiction" was coming up against "rapid technological
change and globalised information architectures".[137]
This issue was aptly demonstrated by a recent dispute between
Microsoft and the US courts. The US Magistrate Judge James Francis
in New York said "internet service providers such as Microsoft
Corp or Google Inc. cannot refuse to turn over customer information
and emails stored in other countries when issued a valid search
warrant from U.S. law enforcement agencies".[138]
The judge ordered Microsoft to hand over the contents of email
stored on a server in Ireland, despite Microsoft having previously
reassured global customers that their "data should not be
searchable by U.S. authorities and said it would fight such requests".[139]
60. Dr Mathieu d'Aquin told us that "the organisations
that will have the best ability to misuse personal data are certainly
private companies, especially large-scale private companies not
located in the UK".[140]
It has been revealed, for example, that Facebook had been manipulating
the information presented to users in an experiment to assess
user's emotional reactions to being presented with posts containing
positive or negative sentiments.[141]
This experiment attracted controversy as it was not clear that
Facebook's users had consented to take part in an experiment which
"manipulated" people's thoughts and emotions.[142]
Dr Mark Elliot, University of Manchester, said that Facebook's
experiment was a "clear example of misuse" of data and
that a "boundary [had been] crossed" by Facebook.[143]
However, Facebook's Data Use Policy indicates that users' data
may be shared if Facebook has:
· received
your permission;
· given
you notice, such as by telling you about it in this policy; or
· removed
your name and any other personally identifying information from
it.[144]
61. According to the Information Commissioner's Office,
the proposal for the EU General Data Protection Regulation
(GDPR) would "extend the scope of data protection to apply
to data controllers outside the EU that are processing the personal
data of people in the EU, if the processing relates to offering
them goods or services or monitoring their behaviour (article
3)".[145] We understand
that negotiations about the contents of the GDPR are ongoing and
that, in June 2014, the Council agreed a partial, general approach
on limited elements of the proposal, including territorial scope
and Article 3.
62. The United States has also been wrestling with
where the balance should lie in facilitating new data based business
and protecting privacy. In response to a request for comment
concerning big data and the Consumer Privacy Bill of Rights, the
Internet Association, a trade association representing internet
companies such as Yahoo!, wrote:
UL@We are concerned that any legislative proposal
to address "big data" may create a "precautionary
principle problem" that hinders the advancement of technologies
and innovative services before they even develop.[146]
The Internet Association considered that internet
service users "trust" member companies (of the Internet
Association) to "use their data responsibly" and that
it should be sufficient for member companies to "voluntarily
abide by self-regulatory codes such as the Interactive Advertising
Bureau (IAB)'s Self-Regulatory Principles, Digital Advertising
Alliance's (DAA) Self-Regulatory Program, and the Network Advertising
Initiative (NAI) Code of Conduct, which are subject to enforcement
by the FTC [Federal Trade Commission]".[147]
63. We are also aware of the "US-EU safe harbour"
[sic] agreement, which operates as an "interoperability mechanism",
outlining "internationally accepted data protection principles".[148]
The website for the agreement says that:
The European Commission's Directive on Data Protection
went into effect in October of 1998, and would prohibit the transfer
of personal data to non-European Union countries that do not meet
the European Union (EU) "adequacy" standard for privacy
protection. While the United States and the EU share the goal
of enhancing privacy protection for their citizens, the United
States takes a different approach to privacy from that taken by
the EU. In order to bridge these differences in approach and provide
a streamlined means for U.S. organizations to comply with the
Directive, the U.S. Department of Commerce in consultation with
the European Commission developed a "safe harbor" framework
and this website to provide the information an organization would
need to evaluateand then jointhe U.S.-EU Safe Harbor
program.[149]
The Internet Association thought that the US-EU Safe
Harbour agreement must "remain strong for Internet businesses".[150]
64. In
our report Malware and cybercrime we noted that
the UK Government has a responsibility to protect UK citizens
online, in an extension of the protections that are conferred
on citizens in the offline world: a responsibility the Government
accepted in its written evidence to this inquiry. As
the majority of popular social media platforms are head-quartered
in the US, we find it essential that the Government revisit all
international agreements, including the US-EU safe harbour, to
ensure that they protect UK citizens. We ask that, in its response
to us, the Government outlines the international agreements that
currently exist where it has ensured that the data of UK citizens
will be guarded as well as if it were within UK legal jurisdictions.
A Kitemark
65. One solution to the lack of international governmental
agreements on data protection, discussed during our inquiry, was
the use of a 'kitemark' on the contents of terms and conditions
documents.[151] Professor
Derek McAuley, Horizon Digital Economy Research Institute, stated
that this would provide users with confidence that any particular
set of terms and conditions met a "higher standard".[152]
He thought that as a result, people might be able to "reflect
on what they do and do not use".[153]
66. According to Carl Miller, Demos, the potential
benefits of a kitemark system may include incentivising companies
"to put in plain English in a few pages what the implications
of people putting their data on those platforms really is"
and an independent and authoritative authentication of "whether
or not the terms and conditions were clear".[154]
67. One initiative that already exists to look specifically
at the clarity of text on the internet is the Plain English Campaign,
a citizen-led campaign launched in 1990. The organisation awards
the "crystal mark", which is a "seal of approval
for the clarity of a document" and currently used internationally,
applying to 21,000 documents in the UK, USA, Australia, Denmark,
New Zealand and South Africa.[155]
The Campaign states that it is "the only internationally-recognised
mark of its kind".[156]
68. The Minister was attracted to the introduction
of a kitemark. He told us that the Information Economy Council
during its work on terms and conditions would be engaging industry
to come up with proposals for a kitemark, something he considered
would be welcomed by industry.[157]
69. We
consider an internationally recognised kitemark to be the first
step in ensuring the responsible use of the data of UK citizens
by both social media platforms and other organisations. We
are pleased that the Government seems to be working toward this
end and recommend that, in its response to this report, it provides
a draft timetable for when proposals for a kitemark can be expected.
85 See, for example, Q18 [Carl Miller]. Back
86
Council for International Organizations of Medical Sciences,
'International Ethical Guidelines for Biomedical Research Involving Human Subjects',
2002. Available at chioms.ch. Accessed 24 October 2014. Back
87
Data Protection Act, 1998. Back
88
SMD 013 [para 13]. Note, thie witness cites the research of
Beninger et al, 'Research using Social Media; Users' Views',
NatCen Social Research, February 2014. Available at natcen.ac.uk.
Accessed 24 October 2014. Back
89
SMD 015 [para 17] Back
90
Q16 [Sureyya Cansoy]; Q89 [Professor McAuley] Back
91
Q15 [Timo Hannay] Back
92
The Law Dictionary, 'Terms and conditions', thelawdictionary.org.
Accessed 24 October 2014. Back
93
SMD 001 [para 7] Back
94
Q67 [Professor Preston] Back
95
Q67 [Professor Preston] Back
96
Q67 [Professor Preston] Back
97
The Internet Association, Request for Comments Concerning
Big Data and the Consumer Privacy Bill of Rights (Docket No. 140514424-4424-01),
published 5 August 2014, page 3. See also Tesco Clubcard, 'Terms and conditions',
tesco.com. Accessed 24 October 2014. Back
98
Facebook, 'Data use policy', en-gb.facebook.com. Accessed 24
October 2014. Back
99
Q91 [Professor De Roure] Back
100
Q180 [Dr Elliot]; Q18 [Carl Miller] Back
101
Q27 [Carl Miller] Back
102
Joe Martin, 'GameStation: "We own your soul"', bitgamer,
15 April 2010, bit-tech.net. Accessed 24 October 2014. Back
103
Joe Martin, 'GameStation: "We own your soul"', bitgamer,
15 April 2010, bit-tech.net. Accessed 24 October 2014. Back
104
Q180 [Dr Elliot] Back
105
Q91 [Sir Nigel Shadbolt] Back
106
Q176 [Dr Kevin Macnish] Back
107
SMD 028. See also Yahoo, 'Yahoo privacy centre', yahoo.com. Accessed
24 October 2014. Back
108
SMD 027 Back
109
SMD 027 Back
110
SMD 026 Back
111
www.facebook.com/about/privacy accessed 9 September 2014 Back
112
SMD 029 Back
113
SMD 026 Back
114
Q172 [Steve Wood] Back
115
Q172 [Steve Wood] Back
116
Q209 [Ed Vaizey MP] Back
117
Q209 [Ed Vaizey MP] Back
118
Q67 [Professor Yates] Back
119
Q19 [Carl Miller] Back
120
Information Commissioner's Office, Big data and data protection,
July 2014, paragraph 106, page 33. Available at ico.org.uk. Accessed
24 October 2014. Back
121
SMD 011 [para 20] Back
122
SMD 027. See LinkedIn, 'Our transparency report', linkedin.com.
Accessed 24 October 2014. Back
123
SMD 029 Back
124
SMD 026 [para 5] Back
125
SMD 020 [para 11] Back
126
Q89 [Jim Dowd MP] Back
127
Q89 [Professor McAuley] Back
128
Q89 [Professor McAuley] Back
129
Sam Fiorella, 'The Insidiousness of Facebook Messenger's Mobile App Terms of Service',
The Huffington Post, huffingtonpost.com. Accessed 24 October
2014. Back
130
Sam Fiorella, 'The Insidiousness of Facebook Messenger's Mobile App Terms of Service',
The Huffington Post, huffingtonpost.com. Accessed 24 October
2014. Back
131
Facebook, 'Why is the Messenger app requesting permission to access features on my Android phone or tablet?',
en-gb.facebook.com. Accessed 24 October 2014. Back
132
Facebook, 'Why is the Messenger app requesting permission to access features on my Android phone or tablet?',
en-gb.facebook.com. Accessed 24 October 2014. Back
133
Q5 [Sureyya Cansoy] Back
134
Q89 [Professor McAuley] Back
135
See Q67 [Professor Preston]. Back
136
Q180 [Steve Wood] Back
137
Q19 [Carl Miller] Back
138
Joseph Ax, 'U.S. judge rules search warrants extend to overseas email accounts',
reuters.com, 25 April 2014. Accessed 24 October 2014. Back
139
Joseph Ax, 'U.S. judge rules search warrants extend to overseas email accounts',
reuters.com, 25 April 2014. Accessed 24 October 2014. Back
140
Q123 [Dr d'Aquin] Back
141
BBC, 'Facebook emotion experiment sparks criticism', BBC News
Online, 30 June 2014, bbc.co.uk. Accessed 24 October 2014. Back
142
http://www.bbc.co.uk/news/technology-28051930 accessed 5 September
2014 Back
143
Q159 [Dr Elliot] Back
144
https://www.facebook.com/about/privacy/your-info Back
145
Information Commissioner's Office, Big data and data protection,
July 2014, paragraph 124, page 39. Available at ico.org.uk. Accessed
24 October 2014. Back
146
The Internet Association, Request for Comments Concerning
Big Data and the Consumer Privacy Bill of Rights (Docket No. 140514424-4424-01),
published 5 August 2014, page 2. See also National Telecommunications
and Information Administration, 'NTIA Seeks Comment on Big Data and the Consumer Privacy Bill of Rights',
ntia.doc.gov. Accessed 24 October 2014. Back
147
The Internet Association, Request for Comments Concerning
Big Data and the Consumer Privacy Bill of Rights (Docket No. 140514424-4424-01),
published 5 August 2014, pages 3 and 4. Back
148
The Internet Association, Request for Comments Concerning
Big Data and the Consumer Privacy Bill of Rights (Docket No. 140514424-4424-01),
published 5 August 2014, page 15. Back
149
Export.gov, 'Welcome to the U.S.-EU Safe Harbor', export.gov.
Accessed 24 October 2014. Back
150
The Internet Association, Request for Comments Concerning Big
Data and the Consumer Privacy Bill of Rights (Docket No. 140514424-4424-01),
published 5 August 2014, page 15. Back
151
The Kitemark is a registered certification mark owned and used
by the British Standards Institute. References in this report
are to an analogous mark. Back
152
Q91 [Professor McAuley] Back
153
Q91 [Professor McAuley] Back
154
Qq27;18 [Carl Miller] Back
155
Plain English Campaign, 'Crystal Mark', plainenglish.co.uk. Accessed
24 October 2014. Back
156
Plain English Campaign, 'Crystal Mark', plainenglish.co.uk. Accessed
24 October 2014. Back
157
Q210 [Ed Vaizey] Back
|