To date, the EU-US Safe Harbor Program leads in governing the complex and multi-directional flows of personal information online.   As commerce began to thrive in the online context, the European Union was faced with the challenge of ensuring that personal information exchanged through online services were granted levels of protect on par with provisions set out in EU privacy law.  This was important, notably as the piecemeal and sectoral approach to privacy legislation in the United states was deemed incompatible with the EU approach.  While the Safe Harbor program did not aim to protect the privacy of citizens outside of the European Union per say, the program has in practice set minimum standards for online data privacy due to the international success of American online services.

While many citizens outside of the US and EU benefit from the Safe Harbor Program, it remains unclear how successful the program will be in an online ecosystem where third-parties are being granted increasingly more rights over the data they receive from first parties.  Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem.  First, I will argue that the safe harbor program does not do enough to ensure that participants are held reasonably responsible third party privacy practices.  Second, I will argue that the information asymmetries created between first party sites, citizens, and governance bodies vis-à-vis third parties obscures the application of the Safe Harbor Model.

The EU-US Safe-Harbor Agreement

In 1995, and based on earlier OECD guidelines, the EU Data Directive on the “protection of individuals with regard to the processing of personal data and the free movement of such data” was passed [1].  The original purpose of the EU Privacy Directive was not only to increase privacy protection within the European Union, but to also promote trade liberalization and a single integrated market in the EU.  After the Data Directive was passed, each member state of the EU incorporated the principles of the directive into national laws accordingly. 

While the Directive was successful in harmonizing data privacy in the European Union, it also embodied extraterritorial provisions, giving in reach beyond the EU.  Article 25 of the Directive states that the EU commission may ban data transfers to third countries that do not ensure “an adequate level of protect’ of data privacy rights [2].  Also, Article 26 of the Directive, expanding on Article 25, states that personal data cannot be transferred to a country that “does not ensure an adequate level of protection” if the data controller does not enter into a contract that adduces adequate privacy safeguards [3].  

In light of the increased occurrence of cross-border information flows, the Data Directive itself was not effective enough to ensure that privacy principles were enforced outside of the EU.  Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law.  Therefor, the EU-US Safe-Harbor was established by the EU Council and the US Department of Commerce as a way of mending the variant levels of privacy protection set out in these jurisdictions, while also promoting online commerce. 

Social Networking Sites and the Safe-Harbor Principles

The case of social networking sites exemplifies the ease with which data is transferred, processed, and stored between jurisdictionas.  While many of the top social networking sites are registered American entities, they continue to attract users not only from the EU, but also internationally.  In agreement to the EU law, many social networking sites, including LinkedIn, Facebook, Myspace, and Bebo, now adhere to the principles of the program.  The enforcement of the Safe Harbor takes place in the United States in accordance with U.S. law and relies, to a great degree, on enforcement by the private sector.  TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the safe harbor program among social networking sites. 

Drawing broadly on the principles embodied within the EU Data Directive and the OECD Guidelines, the seven principles of the Safe-Harbor were developed.  These principles include Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity and Enforcement.   The principle of “Notice” sets out that organizations must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it disclosures the information, and the choices and means the organization offers individuals for limiting its use and disclosure. 

“Choice” ensures that individuals have the opportunity to choose to opt out whether their personal information is disclosed to a third party, and to ensure that information is not used for purposes incompatible with the purposes for which it was originally collected.  The “Onward Transfer” principle ensures that third parties receiving information subscribes to the Safe Harbor principles, is subject to the Directive, or enters into a written agreement which requires that the third party provide at least the same level of privacy protection as is requires by the relevant principles.

The principles of “Security” and “Data Integrity” seek to ensure that reasonable precautions are taken to protect the loss or misuse of data, and that information is not used in a manner which is incompatible with the purposes for it is has been collected—minimizing the risk that personal information would be misused or abused.    Individuals are also granted the right, through the access principle, to view the personal information about them that an organization holds, and to ensure that it is up-to-date and accurate.  The “Enforcement” principle works to ensure that an effective mechanism for assuring compliance with the principles, and that there are consequences for the organization when the principles are not followed.

The principles of the program are rather quite clear and enforceable in the first party context, despite some prevailing ambiguities.  The privacy policies of most social networking services have become increasingly clear and straightforward since their inception.  Facebook, for example, has revamped its privacy regime several times, and gives explicit notice to users how their information is being used.  The privacy policy also explains the relationship between third parties and your personal information—including how it may be used by advertisers, search engines, and fellow members.    

With respect to third party advertisers, principles of “choice” are clearly granted by most social networking services.  For example, the Network Advertising Initiative, a self-regulatory initiative of the online advertising industry, clearly lists its member websites and allows individuals to opt out of any targeted advertising conducted by its members.  In Facebook’s description of “cookies” in their privacy policy, a direct link to NAI’s opt out features is given, allowing individuals to make somewhat informed choices about their participation in such programs.  This point is, of course, in light of the fact that most users do not read or understand the privacy policies provided by social networking sites [4]. It is also important to note that Google—a major player in the online advertising business, does not grant users of Buzz and Orkut the same “opt-out” options as sites such as Facebook and Bebo.

Under the auspices of the US Federal Trade Commission, the Safe Harbor Program has also successfully investigated and settled several privacy-related breaches which have taken place on social networking sites.  Of the most famous cases is Lane et al. v. Facebook et al., which was a class action suit brought against Facebook’s Beacon Advertising program.  The US Federal Trade Commission was quick to insight an investigation of the program after many privacy groups and individuals became critical of its questionable advertising practices.  The Beacon program was designed to allow Facebook users to share information with their friends about actions taken on affiliated, third party sites.  This had included, for example, the movie rentals a user had made through the Blockbuster website. 

The Plaintiffs filed a suit, alleging that Facebook and its affiliates did not give users adequate notice and choice about Beacon and the collection and use of users’ personal information.    The Beacon program was ultimately found to be in breach of US law, including the Video Privacy Protection Act, which bans the disclosure of personally identifiable rental information.  Facebook has announced the settlement of the lawsuit, not bringing individual settlements, but a marked end to the program and the development of a 9.5 million dollar Facebook Privacy Fund dedicated to privacy and data-related issues.  Other privacy related investigations of social networking sites launched by the FTC under the Safe Harbor Program include Facebook’s privacy changes in late 2009, and the Google’s recently released Buzz application.

Despite the headway the Safe Harbor is making, many privacy related questions remain ambiguous with respect to the responsibilities social networking sites through the program.  For example, Bebo reserves the right to supplement a social profile with addition information collected from publicly available information and information from other companies.  Bebo’s does adhere to the “notice principle”—as it makes know to users how their information will be used through their privacy policy. However, it remains unclear if appropriate disclosures are given by Bebo as required by Safe Harbor Framework, notably as the sources of “publicly available information” as a concept remains broad and obscured in the privacy policy.  It is also unclear whether or not Bebo users are able to, under the “Choice” principle, refuse to having their profiles from being supplemented by other information sources.  Also, under the “access principle”, do individuals have the right to review all information held about them as “Bebo users”?  The right to review information held by a social networking site is an important one that should be upheld.  This is most notable as supplementary information from outside social networking services is employed  to profile individual users in ways which may work to categorize individuals in undesirable ways.

The Third Party Problem

Cooperation between social networking sites and the Safe Harbor has improved, and most of these sites now have privacy policies which explicitly address the principles of the Program.   It should also be noted that public interest groups, such as Epic, the Center for Digital Democracy, and The Electronic Frontier Foundation, have played a key role in ensuring that data privacy breaches are brought to the attention of the FTC under the program.  While the program has somewhat adequately addressed the privacy practices of first party participants, the number of third parties on social networking sites calls into question the comprehensiveness and effectiveness of the Safe Harbor program.  Facebook itself as a first party site may adhere to the Safe Harbor Program.  However, its growing number third party platform members may not always adhere to best practices in the field, nor can Facebook or the Safe Harbor Program guarantee that they do so.

The Safe Harbor Program does require that all participants take certain security measures when transferring data to a third party.  Third parties must either subscribe to the safe harbor principles, or be subject to the EU Data Directive.  Alternatively, an organization can may also enter into a written agreement with a third party requiring that they provide at least the same level of privacy protection as is required by program principles.  Therefore, third parties of participating program sites are, de facto, bound by the safe harbor principles by the way of entering into agreement with a first party participant of the program.  This is the approach taken by most social networking sites and their third parties.

It is important to note, however, that third parties are not governed directly by the regulatory bodies, such as the FTC.  The safe harbor website also explicitly notes that the program does not apply to third parties.  Therefore, as per these provisions, Facebook must adhere to the principles of the program, while its third party platform members (such as social gaming companies), only must do so indirectly as per a separate contract with Facebook.  The effectiveness of this indirect mode of governing of third party privacy practices is questionable for numerous reasons.

Firstly, while Facebook does take steps to ensure that third parties use information from Facebook in a manner which is consistent to the safe harbor principles, the company explicitly waives any guarantee that third parties will “follow their rules”.   Prior to allowing third parties to access any information about users, Facebook requires third parties to agree to terms that limit their use of information, and also use technical measures to ensure that they only obtain authorized information.   Facebook also warns users to “always review the policies of third party applications and websites to make sure you are comfortable with the ways in which they use information”.  Not only are users required to read the privacy policies of every third party application, but are also expected to report applications which may be in violation of privacy principles.  In this sense, Facebook not only waives responsibility for third party privacy breaches, but also places further regulatory onus upon the user.

As the program guidelines express, the safe harbor relies to a great degree on enforcement by the private sector.  However, it is likely that a self-regulatory framework may lead the industry into a state of regulatory malaise.  Under the safe harbor program, Facebook must ensure that the privacy practices of third parties are adequate.  However, at the same time, the company may simultaneously waiver their responsibility for third party compliance with safe harbor principles.  Therefore, it remains questionable as to where responsibility for third parties exactly lies.  When third parties are not directly answerable to the governing bodies of safe harbor program, and when first parties can to waive responsibility for their practices, from where does the incentive to effectively regulate third parties to come from? 

While Facbeook may in fact take reasonable legal and technical measures to ensure third party compliance, the room for potential dissonance between speech and deed  is worrisome.  Facebook is required to ensure that third parties provide “at least the same level of privacy protection” as they do.  However, in practice, this has yet to become the case.  A quick survey of twelve of the most popular Platform Applications in the gaming category showed that third parties are not granting their users the “same level of privacy protection”[5].  For example, section 9.2.3 of Facebooks “Rights and Responsibilities” for Developers/Operators of applications/sites states that they must “have a privacy policy or otherwise make it clear to users what user data you are going to use and how you will use, display, or share that data”. 

However, out of the 12 gaming applications surveyed, four companies failed to make privacy policies available to users before they granted the application access to the personal information, including that of their friends [6].  After searching for the privacy policies on the websites of each of the four social gaming companies, two completely failed to post privacy policies on their central websites.   This practice is in direct breach of the contract made between these companies and Facebook, as mentioned above.  In addition to many applications failing to clearly post privacy policies, many of provisions set out in these policies were questionable vis-à-vis safe harbor principles. 

For example Zynga, makes of popular games Mafia Wars and Farmville, reserve the right to “maintain copies of your content indefinitely”.  This practice remains contrary to Safe Harbor principles which states that information should not be kept for longer than required to run a service.  Electronic Arts also maintains similar provisions for data retention in its privacy policy.   Such practices are rather worrisome also in light of the fact that both companies also reserve the right to collect information on users from other sources to supplement profiles held.  This includes (but is not limited to) newspapers and Internet sources such as blogs, instant messaging services, and other games.   It is also notable to mention that only one of the twelve social gaming companies surveyed directly participates in the safe harbor program. 

In addition to the difficulties of ensuring that safe harbor principles are adhered to by third parties, the information asymmetries which exist between first party sites, citizens, and governance bodies vis-à-vis third parties complicate this model.  Foremost, it is clear that Facebook, despite its resources, cannot keep tabs on the practices of all of their applications.   This puts into question if industry self-regulation can really guarantee that privacy is respected by third parties in this context.  Furthermore, the lack of knowledge or understanding held by citizens about how third parties user their information is particularly problematic when a system relies so heavily on users to report suspected privacy breaches.  The same is likely to be true for governments, too.  As one legal scholar, promoting a more laisse-fair approach to third party regulation, notes—multiple and invisible third party relationships presents challenges to traditional forms of legal regulation [7]. 

In an “open “social ecosystem, the sheer volume of data flows between users of social networking sites and third party players appears to have become increasingly difficult to effectively regulate.  While the safe harbor program has been successful in establishing best practices and minimum standards for data privacy, it is also clear that governance bodies, and public interest groups, have focused most attention on large industry players such as Facebook.  This has left smaller third party players on social networking sites in the shadows of any substantive regulatory concern.    If one this has become clear, it is the fact that governments may no longer be able to effectively govern the flows of data in the burgeoning context of “open data”.  

As I have demonstrated, it remains questionable whether or not Facebook can regulate third parties data collection practices effectively.  Imposing more stringent responsibilities on safe harbor participants could be a positive step.  It is reasonable to assume that it would be undue to impose liability on social networking sites for the data breaches of third parties.  However, it is not unreasonable to require sites like Facebook go beyond setting “minimum standards” for data privacy, towards taking a more active enforcement, if even through TRUSTe or another regulatory body.  If the safe harbor is to be effective, it cannot allow program participants to simply wave the liability for third party privacy practices.  The indemnity granted to third parties on social networking sites may deem the safe harbor program more effective in sustaining the non-liability of third parties, rather than protecting the data privacy of citizens.

[1] Official Directive 95/46/EC

[2] 95/46/EC

[3] Ibid

[4] See Acquisit, A. a. (n.d.). Imagined Communities: Awareness, Information Sharing, and Privacy on Facebook. PET 2006

[5] Of the Privacy Policy browsed include, Zynga, Rock You!, Crowdstar, Mind Jolt, Electronic Arts, Pop Cap Games, Slash Key, Playdom, Meteor Games, Broken Bulb Studios, Wooga, and American Global Network.

[6] By adding an application, users are also sharing with third parties the information of their friends if they do not specifically  opt out of this practice.

[7]See  Milina, S. (2003). Let the Market Do its Job: Advocating an Integrated Laissez-Faire Approach to Online Profiling. Cardozo Arts and Entertainment Law Journal .

The Indian judiciary is facing mounting pressures to reform its apparatus. Even the judiciary itself has come to recognize, on the books, that change is long overdue. Some estimates have it that it would require almost three years to clear the current backlog of cases in High Courts. While technocrats herald that the enormous backlog of cases may eventually be the death knell for India's judicial branch, reform efforts must go beyond achieving the speedier delivery of justice and work towards tackling other inadequacies of the system if “access to justice for all”(1) is to become a reality.

The rural penetration of courts in India is extremely low, which significantly limits access to justice for the many citizens living far beyond the district courts of city centers. An extremely low judge to population ratio in India only contributes further to the already high incidence of pending cases, making delays in justice a regular occurrence. Mr. P.K. Malhotra from the Department of Legal Affairs has noted that increased litigation within the government has also caused a stark increase in the number of pending cases. While the need for reform can be demonstrated quite clearly on a practical level, the right to information (RTI) movement has also provided further impetus for reform on a more fundamental level. Well organized citizens are now demanding the right to a more transparent and accountable judiciary.

As e-government initiatives continue to transform the nature of India's bureaucracy and enhance the quality of government services, there is a mood of great optimism that ICT will also come to play a central role in judicial reform efforts. Speakers at the seminar enthusiastically cited innovative practices such as Singapore's “paperless court” which makes a compelling case for automation.  Notable success in implementing ICT in the judiciary have also been achieved in Canada, Australia, and in several countries across Latin America. This is not to say, however, that the appropriation of ICT is uniform in every case. Variables such as political will and context, institutional capacity and reform goals all play a role in shaping the outcome.  Plans could, for example, take more of an operational approach by prioritizing the improved efficiency and the rationalization of resources by implementing electronic case management systems. Other strategies may be designed and implemented from an access perspective, seeking to restore faith in the justice system by increasing transparency and accountability. This could be done, for example, by installing video technology in court rooms, or publishing legal information online.

At the seminar, India's consortium of well-organized and highly ambitious technocrats were not shy in suggesting the many ways ICT may be used to transform the judicial system, and, additionally, the many ways such an endeavor provides the IT sector with “new opportunities”.  Dr M. Veerappa Moily, Union Minister for Law and Justice, has proposed for India a centrally funded and administered National Judicial Technology Program.  Such a program aims to use ICT in the courtrooms to free the legal system of “historical inefficiencies".  It is of no doubt that ICT can reduce the duplicity of the paper world and make courts more green through electronic case filing and video conferencing. Online case filing systems can increase speed in which citizens can have their cases heard, and real time access to online repositories of legal information drastically expedites the case cycle.

Mr. C P Gurnani, CEO of Tech Mahindra made the bold assertion that with ICT, India's 300 year case backlog can be reduced to three years, in a span of only three years (2). Features of this newly envisioned e-justice system include the use of video hearings to reduce transportation costs, case filing operation systems, RFID based file tracking, and the creation of a publicly accessible and easily searchable e-library. While others were much less optimistic than Mr. Gurani and recognize that the use of ICT in the reform process is “no instant coffee”, the question of whether or not ICT can be a strategically appropriated in the Indian context still remains.

Optimistic accounts of how ICT will increase access to justice, incorporate the marginalized into the law-making process, and increase judicial transparency and accountability all sounds uncomfortably techno-utopian. While ICT should facilitate the reform process, past experiences have shown that the over zealous use of technology has too-often resulted in less than impressive results (3). To ensure that the reform process in India is not driven mainly by the IT sector, it is important that the use of technology remains complimentary to a sound national judicial reform strategy.  An abundant supply of technical support with little demand for the reform process from within the judicial branch may spell disappointing results for all stakeholders. Seeing that India's first seminar discussing the role of IT in the judiciary has been organized by the IT industry, it is safe to assume that reform strategies are being crystallized through the gaze of technocrats rather than the judiciary itself. Technology has an important role to play, but India's technocrats may be jumping the gun.

Many deep-seated challenges must be overcome before the use of ICT can be truly transformative. Often cited is the level of resistance judicial cultures express towards externally imposed change. Quite logically, those required to make change are also those who may have the most to lose in the short-term by doing so. Similarly, it is also difficult garnering the levels of political support judicial reforms require to be effective.  Because the judiciary is such a highly politicized apparatus, efforts to fundamentally transform the system will require the support of a vast number of stakeholders . The low level of technological literacy which exists among India's judges is also problematic. Not only will members of the judiciary be open to new ways of doing business, they will also have to be diligent in adopting a new skill-set in which they may be more than a decade behind in acquiring.

Other deep-rooted limitations of India's judicial system are becoming increasingly apparent today. Questions surrounding access to justice remain deeply embedded in the asymmetries of class power, which are often reinforced by the political nature of the judiciary. Constitutional law in India also remains unstable, as the principles informing judicial action have become increasingly less clear (5). Furthermore, the courts have come to maintain a disproportionate share of power and influence in the Indian political sphere (6). It is questionable if ICT can work to ameliorate some of these malignancies, or if its use will only come to reinforce them.  If technology is appropriated in a way which serves to make the judicial process more transparent and accountable, protect the rights of citizens, and provide greater and more equitable access to justice, it may be safe to assume that a more tech-savvy judiciary is a positive development for citizens.  Publishing legal information online, for example, currently allows for greater transparency in the law making process and allows dialogue on important issues of governance and citizenship. 

However, it is almost unnecessary to reiterate that such outcomes are not guaranteed.  Technology is often seen as neutral– the evaluative outcome of its application remains dependent on numerous variable factors. Most important is whether or not the government provides a legal framework conducive to the appropriation of ICT in ways which are considered to further the public interest. It may be useful to view the successful appropriation of ICT to judicial reform as a cumulative process, each step being a precondition to the other. It is clear to see how basic infrastructure such as civil courts in rural areas must be in place before the use of ICT can facilitate access to justice for individuals who remain peripheral to the legal system. Similarly, one would assume that laws would have to first be to be nondiscriminatory to all members of society before it could it can be widely accepted that more technology will better safeguard our rights and freedoms.

Without a legal framework which is considered to be socially just, greater speed of the judicial process, aided by technology, may become a tool which enables the judiciary to act more arbitrarily, more efficiency.   This could be troubling for individuals who are already marginalized by certain policies or legal practices.  Technology can also make it possible for judges to insulate themselves from the necessary checks and balances required in the law-making process.  While Mr Gurani stated that ICT can help preserve judicial independence, it is questionable if the use of technology is an appropriate strategy to mitigate politicization of the judicial branch.  Any frivolous efforts to spearhead the reform process through the introduction of ICT without the required commitment of judges and policy makers may be naïve at best. At worst, it could serve to reinforce what judicial bodies believe they do well without critically re-examining the fundamental roles, norms and principles of the Indian judicial system itself.

Online case-filing services may unintentionally, due to cost or lack of awareness, erect further barriers to justice for individuals who traditionally remained outside of the sphere of access.  In the same vein, if ICT is favored for use in criminal rather than civil courts, technology may simply become a tool used to sentence people, more quickly.  This scenario sits quite polemic to visions of technology  serving as a tool to empower individuals to better assert their rights and seek justice. Foreshadowing the role ICT may play in the future of India's judicial reform process, SPANCO Technologies is currently piloting the use of video technology in criminal courts.  Furthermore, India's judiciary has made several attempts to insulate itself from the provisions of the RTI act, indicating that new laws, and even new technologies, may not be able to change practice.  There are also strong doubts looming that the Gramin Nyayalayas Act will be successful in leveraging the required financial support needed to construct civil courts in rural areas.  Without the basic building blocks, it is difficult to envision how a National Judicial Technology Program will be successful in bringing "justice" to all who are awaiting it.   Such instances serve as a light warning that technology, even within a favorable legal framework, may not necessarily spell a more accessible, transparent and accountable justice system.

A well-functioning judicial system is required to keep up with the demands of modern democratic society.  It is unquestionable that technology can play an influential role in ensuring that the relationship between citizens and the government is strong and communicative. However, it is important to ask under what conditions may it be beneficial to implement technology’s use. Inferring from last week’s seminar, proposals and rationale behind potential reforms were made from an economic perspective; how ICT can be used to see that cases are filed and judgments are delivered more quickly to improve efficiency and rationalize resources.  Whether technology will be appropriated to facilitate a more equitable justice system is unknown, but it is certain that such will require a coherent national reform strategy with long-term political backing.  Short-shorted technological fixes may improve India's judicial efficiency in the short term, but may, however, overshadow opportunities to bring about a more transparent and accountable system in the long-term.

Notes

1. This was a notion emphasized often throughout the seminar.

2. Where these estimates were drawn is unknown.

3. For a concise account of how the use of ICT may be misappropriated in the judicial reform process, see E-Justice: Towards a Strategic Use of ICT in Judicial Reform by Waleed H. Malik

4. For an interesting account of India's judicial system, see "The Rise of Judicial Sovereignty" by Pratap Bhanu Mehta in "The State of India's Democracy", Oxford University Press, 2009.

5. Pratap Bhanu Mehta.

6. Ibid.