Gmail: An Ounce of (Privacy) Protection is Worth a Pound of Cure

Source: Bloomberg. com. “ILLUSTRATION: MATIJA MEDVED FOR BLOOMBERG BUSINESSWEEK”

What is the concern?

Google is facing a new privacy struggle. After some newspapers revealed that third-party developers had access to Gmail data, users expressed their discontent with current privacy policies. Google has alleged that users have consented to these policies, preventing third-party developers from using their personal data without authorization. Nonetheless, they demand affirmative actions from Google to ensure the protection of their privacy right.

What should Google do?

Re-Acknowledge its duty

First things first, Google must address its responsibility regarding the access to user data by third parties. Beyond the users' consent and the possibility of its revocation, Google must adopt greater controls to ensure users’ privacy rights and enforce third parties' compliance.

Map stakeholders and their interests

In this case, it is possible to identify the following stakeholders and their respective interests:

• Users: They want to know what happens to their data and make well-informed decisions about who they share it with. They want to feel that they are in control of their decisions and their information. Finally,
  based on informed consent, they would be willing to enjoy the services and functionalities that third-party developers offer.
• Third-party developers: They benefit from Gmail users’ information to develop and improve their services and applications, improving the user experience for free. Thus, their business models rely on using and sharing the netizens’ information with other entities, mainly for advertisement purposes.
• Google Team: The company wants to attract more users and avoid the backlash of the current ones. Gmail is interested in offering a free added-value service in terms of innovation, security, and privacy. To achieve its objectives, the company should ally with third-party developers. Likewise, the organization must take care of its legitimacy (especially because of its platform utility) and procure its actions are shielded against possible legal conflicts.
• Civil society: There is a social and regulatory interest that society must consider concerning privacy rights expectations. This interest centers on the relationship between the delineation of privacy expectations and the limitation of other civil rights, such as liberty or property. For instance, as seen in different cases resolved by the United States Supreme Court, the fewer expectations there are about privacy, the more government officials have the power to be intrusive (searches, seizures, arrests). Hence, each of the stakeholders must promote privacy expectations in a socially responsible manner from their role.

Evaluate the interests in play and draw policy options

From the above, we could conclude that it is feasible to think of a balanced trade-off that allows the stakeholders' interests to converge smoothly: Gmail could provide its users with an innovative, secure service that protects their right to privacy through the use of third-party vendors that help improve the experience of said service, without affecting the respective business models. To achieve tethering the stakeholders’ interests, the following actions should be considered:

• To ensure users’ informed consent, the Terms and Conditions (T&C) should be brief, clear, and easy to understand for a layperson.
• To ensure that users read the T&C, the company can create a security check that drives users to view/display the T&C content before opting-in.
• Provide simple mechanisms to opt-out of services.
• Improve communication with users on privacy issues. For instance, create a kind of newsletter that allows users to be updated on privacy issues and the company's actions to enforce third parties' rules.
• Reduce the spectrum of use of Gmail data held by third parties.
• Limit the information to which third parties can have access. It should only be information strictly necessary to fulfill their objectives.
• Establish mechanisms for periodic review of the privacy policy
• Be transparent and keep available information regarding the type of data being shared with third parties 24/7
• Establish mechanisms to monitor compliance with the rules by third parties randomly and to hold them accountable in cases of breach
• Demonstrate consistency and interest with the privacy expectations of users and be aware of the repercussions it may have in legal terms

Get down to work!

The company must modify its privacy policy to a conservative one that suits stakeholders' interests and business models. Taking care of users' privacy is a task that benefits everyone, especially Google, who can make the most from adopting the role of guarantor of its users' privacy!