Mission Statement

Scope & Purpose of Privacy Commons

Modeled in the spirit of Creative Commons, Privacy Commons (PC) aims to help individuals and organizations clarify privacy expectations, practices, rights, and mutual responsibilities by providing a series of comprehensive model privacy policies.

Privacy Commons is not affiliated with Creative Commons, though we find their work inspiring.

Privacy Commons Policies exist between a Data Steward (Steward), and a Data Subject (Subject). A PC Policy may be converted into a contract when the Steward and Subject formalize the policy through contract principles of offer, acceptance, and consideration. Unlike Creative Commons, which operates under intellectual property (IP) licensing law, Privacy Commons Policies, Contracts, and Statements operate under contract law.  In the United States, intellectual property and licensing law fail to generate or confer sufficient rights to create binding bilateral privacy responsibilities and protections because nobody owns personal information.

The Need for Complete, Informative, and Enforceable Privacy Policies

Privacy policies in the United States suffer from several deficiencies. First, they are often unsophisticated and incomplete in the scope of information or individuals they protect.  Second, many privacy policies waive, rather than confer, privacy rights.  Third, are often not easily understood or accessible.  But most importantly, courts have consistently interpreted privacy policies as unbinding notices, rather than contracts.  In other words, privacy policies are unenforceable, and a victim of a privacy policy breach usually has no enforceable rights.  As a result, privacy policies can have the unfair effect of creating an expectation of confidentiality, privacy, special technological protections, or even fiduciary responsibility even where there is none.

Even if an entity has adopted a comprehensive privacy policy, the entity must operationalize the policy. In the final analysis, privacy practices are far more important than privacy policies.  Many breaches are due to poor privacy practices, even where there are meaningful privacy policies.

Protecting Personal Information via Contract vs. Intellectual Property

Intellectual property law is not an appropriate legal framework to protect personal information.  Personal information are facts, which are not copyrightable.  Unless a person is famous, a name or SSN can't be trademarked.  An address probably does not qualify for trade secret protection, and a date of birth is certainly not patentable. Even if some sort of property right accrued to personal information, it would most logically belong to the originators of the information.  For example, parents would logically "own" a child's name and date of birth, since they created them.  The government creates social security numbers, and the credit card companies create credit card numbers.  The post office create addresses, and the phone company creates phone numbers. Even third parties create gossip (beneficial or harmful), and it would be difficult to draw a line distinguishing a person's ownership interest in that type of personal information, compared with other third-party-created personal information.

Instead, Privacy Commons is structured around principles of contract, where two parties can bind themselves to mutual obligations through offer and acceptance.  PC also relies on tort and IP law, as well as market forces.

Why Privacy Commons?

We admire what the Creative Commons movement has done for copyright. With its easy-to-understand concepts and clear iconography, Creative Commons is successful because it embodies commonly held cultural notions of intellectual property and copyright, which are not readily apparent on the face of the law itself.  Creative Commons fills the gap between commonly held cultural notions of creation rights, fairness and collaboration, and copyright law.  Likewise, Privacy Commons will be successful only when it can identify, articulate, and empower under-served cultural expectations of privacy with easy-to-understand concepts and clear messages.

Privacy Commons aims to become a non-profit organization, or a project within a relevant nonprofit organization.  However, it currently remains a loosely-organized grassroots effort with no affiliation to any particular organization.

Possible Implementation

This wiki will collect approaches to implementing Privacy Commons.  Privacy Commons aims to develop a set of tools with goals to increase awareness of privacy and empower individuals to shape their own level of privacy.  These tools include include standard TOS/EULA/Privacy Policies in legal, readable, and machine-readable versions, icons, common vocabulary, meta data etc. As a result, the tools can be used as a way to differentiate a business relationship with their customers, and allow individuals to express usage (Personal DRM with out the Technical Protection Mechanisms) and enable various agents to respect others' stated preferences. Privacy Commons should be optimized for adoption, rather than enforcement.