Is a Picture Worth a Thousand Terms? Visualising Contract Terms and Data Protection Requirements for Cloud Computing Users

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9881)

Abstract

The following article evaluates two models for providing purchasers of online digital content, including cloud computing services, with visual notice of contract terms and data collection practices. Visualisation of contract terms and privacy policies has the potential to provide cloud consumers with an improved means of understanding the contract terms they are accepting when entering into an agreement with a Cloud Service Provider (CSP). The paper examines two concrete proposals or models for the visualisation of contract terms and privacy practices as compliance tools in the European context. The article focuses primarily on consumer and data protection law. Although the visualisation models are not currently binding or legally required, they start an important conversation on how such terms can be more effectively conveyed.

Keywords

Visualisation of law, Contract terms, Consumer protection law, Data protection law, Cloud computing

1 Introduction

Cloud computing is being promoted as the future of IT consumption [1]. Promises of cost savings, worldwide availability, and state-of-the-art technologies are enticing to many users [2]. In addition to businesses, consumers are also adopting cloud computing and making changes in the way they consume IT. Despite the many upsides, cloud computing continues to contain challenges for consumers. Many of these challenges revolve around uncertainty regarding privacy, security, access, and portability.

The current barriers to increasing user adoption of cloud computing extend beyond measures that are purely technical or purely legal, including also informational barriers. These barriers have proved significant in Europe, where only 21 % of the population aged 16–74 using the Internet reported using cloud storage [3]. Although this number could be interpreted as encouraging for a relatively young technology, 44 % of users that were aware of cloud computing did not use the services. Of those ‘cloud-aware’ users not adopting the services, many cited concerns over privacy and the reliability of CSPs as their main reasons for not using cloud computing [3].

Many of the risks described above and the protections and obligations that consumers have are designated in the contracts consumers enter into with CSPs [4]. However, given the complexity of the agreements, a general asymmetry of information exists. It is not that consumers necessarily lack information. Reading the quantity of contract terms, privacy policies, and terms of use the average consumer is presented with on a yearly basis is in practice insurmountable [5]. Given the extreme quantity of information, the quality of that information and the legal requirements to provide such information are not always clear. It is not difficult to imagine a situation where a consumer is presented with too much information and suffers from so-called ‘information overload’. As a result, contracts and privacy policies are seldom read.

Although various consumer protection mechanisms require that a substantial amount of information must be provided to consumers regarding their rights under the agreement, many providers of digital content fail to make available the information required by law. Even when such information is provided, it can be difficult for the consumer to find and understand. These rights, if understood and appreciated by consumers, could serve to alleviate some of the concerns consumers have with adopting cloud computing. Additionally, it may provide the would-be reader with a greater ability to comprehend the legal risks inherent in the text [6].

At least one tool—the use of graphical language represented in legal icons—is being actively pursued as a means of providing consumers in the contracting and data protection context with information they can appreciate and understand. Legal icons have the potential to communicate legal norms including obligation, prohibition, and permission [6]. Pursuant to EU consumer protection and data protection law, CSPs must abide by a variety of norms at various levels. Using legal icons has the potential to provide CSPs with an alternative and accessible means of compliance. It also empowers users by providing a means of understanding key information regarding their rights under their contract with a CSP concerning how their data will be processed and used by a provider.

In the following article, we consider some of the core informational requirements present in both consumer and data protection law and evaluate visual tools designed to meet informational or other legal requirements by communicating legal concepts to consumers via icons. These icons, visualising legal concepts, have the benefit of providing CSPs with a means of communicating information to users on a non-textual basis. Although visualisation of legal concepts has many uses in the processes of contracting, this article primarily focuses on the use of icons to communicate contract and privacy policy terms to a consumer at the conclusion of an agreement [7].

The article has the following structure. First, we describe some of the main concepts and theory behind the visualisation of legal information. Second, we outline these requirements from the perspective of EU data protection law. Third, we describe informational requirements pursuant to consumer protection law. In each of the respective sections, the article explains the means used to present information visually and evaluates some limitations. Finally, we provide a conclusion evaluating positive and negative aspects of visualising legal information in consumer and data protection law. As a final note, this article focuses on cloud services contracted for by consumers on a non-negotiated basis, as opposed to business-to-business transactions.1

2 Visualising Legal Information

In the early days of computing, the interface between man2 and machine was not graphical. Many will remember the days when written commands had to be input into the computer, which then, hopefully, complied by producing a new line of text on the screen. Users of today’s graphical user interfaces may believe that this textual and mathematical representation of code has vanished. However, the human-readable programme code is merely hidden behind a graphical user interface that can be manipulated by clicking on icons for discs, documents, and apps. The details of that revolution are beyond the remit of this article, but it suffices to state that graphical representations have essentially simplified the utilisation of devices and made technology accessible to a far larger group of users.

Thus far, this revolution has primarily been limited to what Lessig [8] calls West Coast Code (i.e., computer code). In East Coast Code (i.e., legal code), there are far fewer examples of graphical user interfaces for legal information. Similarly, IT professionals use a variety of graphical languages, such as the Unified Modelling Language [9], to visualise IT systems. These visual representations are of key importance, particularly during systems design and analysis because fairly complex cases can be easily visualised, and computer code is not user-friendly or even comprehensible by most decision-makers. Again, there is a parallel between computer code and legal code: If it is useful to employ a graphical language to represent the functions of an IT system constituted by code, then perhaps we should not exclude the possibility that visualising legal code may also have some utility at some point in the future. Luckily, many examples of graphical representation of legal information are readily accessible on the Internet, or even commonly known.

The representation of such information is far from uncommon. Perhaps the most obvious examples are traffic signs and lights that visually communicate binding legal rules to road traffic users. In addition, more comprehensive graphics, pictures, or combinations thereof (e.g., in comics) are created primarily to communicate normative information. For example, the New York Street Vendor Guide translates the most commonly violated rules regarding sales activities on the city’s streets into easily accessible diagrams [10]. These diagrams illustrate the rules for vendors selling food, souvenirs, or other products in a much more accessible fashion than traditional textual code.

Moreover, there are examples of comics that illustrate the potential of visualising legal information [11, 12, 13, 14]. Although comics often also include written text, they still contain a significant visual element that can play a key role in drawing attention to the text or making it more easily accessible to the audience. A particularly nice example is a comic submitted as an amicus curiae brief to a US court [15], complete with references to relevant case law.

Visual representations of norms are by no means a new phenomenon. Historically, legal iconography has had an important function in communicating legal rules to illiterate people. Moreover, crime prevention has sometimes taken the task of general prevention to an exhibitionistic extreme.3 Thus, there is no doubt that graphical representations can have a significant impact on the act of communicating legal information. Its functions include, but are not limited to, drawing attention to the legal information and communicating key aspects fairly quickly. However, visual representations have limitations because they often cannot achieve the same level of abstraction as a textual representation [14, 16]. Moreover, visual representations may be overly ambiguous when they are not based on a graphical language that is sufficiently well known and clear.

Legal icons, such as road traffic signs, are arguably the best examples of an existing graphical language that is universally understood. Road traffic signs are essentially icons that condense a rule into a singular graphic representation that can be recognised by everyone who has learned this visual language. Traffic education focuses on learning this graphical language, and an international convention ensures that the language is universally understood, based on a common legal iconography. These signs form part of internationally understood visual semiotics, which has spread beyond the context of road traffic to include other domains (e.g., no smoking signs) [17].4 As will be shown in the next sections, similar icons could potentially be used in many other fields including data privacy and consumer protection domains.

3 Information Provision Under the EU Data Privacy Framework

3.1 Fairness of Processing

One of the core principles of the European Data Privacy framework is that personal data must be processed fairly. The fairness principle requires that processing operations are able to meet the reasonable expectations of the individuals. This principle ensures that the processing of personal data does not exceed the expectation of individuals and that its further processing is not objectionable in light of these expectations. Under the Data Protection Directive [18], the concrete application of the fairness principle is anchored in two main rules. The first requires the data controller (i.e., any entity processing personal data) to file a notification with the relevant national Data Protection Authority (DPA) before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes. This allows data subjects consulting the national publicly accessible register to find out how their personal data are processed.

The other aspect of fairness requires the data controller to provide each individual with a minimum amount of information about the processing and the identity of the data controller (i.e., the transparency requirement). This right is part of the broader right to information self-determination and the right to information, which is a fundamental right under the EU legal framework. Furthermore, economists have always analysed the importance of information in making rational decisions in a market [19]. Information asymmetry between market players is considered to lead to inefficient transactions because the party without the relevant information cannot make a rational choice and might be forced to engage in other transactions to replace or remedy the defects of the initial inefficient transaction. In economics, the common remedy for such a problem is to force the party with information to disclose information relevant to the other party. The transparency rule embodied in the fairness principle reinforces the need to remedy the information asymmetry between the company who has the information about the processing and the individual that needs access to the information to enter into an efficient transaction. In this sense, this principle has a strong foothold in economic ideals and seeks to prevent potential market failures due to information asymmetry [20].

The focus of this section is the transparency requirement, which is at the centre of the fairness principle.5 Article 12 of the Directive [18] aims to ensure the transparency of the processing of personal data by providing the data subject with information regarding its purpose, recipients, retention period, and so forth. Compliance with this requirement would dictate having a policy for how the company treats the personal data. The transposition of this rule in some member states (for example, in the UK) explicitly requires having a privacy policy [21]. Outside the EU, the US Federal Trade Commission (FTC) encourages companies to deploy privacy policies.

Often, data controllers try to comply with this requirement, as mandated or voluntarily, by adopting lengthy and bulky privacy policies that are hardly read or understood by data subjects. According to the 2015 Eurobarometer survey on data protection, only one in five respondents (18 %) fully read privacy statements [22]. These privacy policies are so lengthy that it would take an average person, according to one study, about 250 working hours (30 full working days) every year to read the privacy policies of the websites they visit [23]. Another study, from 2008, uses monetary value and estimates that the opportunity cost of reading the privacy policies could reach up to $780 billion annually [24]. However, it is not only that such policies are often long and time-consuming. Even when one decides to read the policies, they are obscure and full of legalese. Leaving data subjects in the dark—i.e. confusology, as it is currently referred to in the literature—in terms of how their data is being used is becoming a prevalent business practice, by which firms ‘purposefully introduce uncertainty and confusion into consumer transactions’ [25].

Such practices present a significant challenge for the exercise of individual rights to privacy. In the absence of adequate and sufficiently understandable information regarding how data is processed, effective control of data by users becomes challenging and, as a result, data subjects are unable to make informed decisions about their data. This also makes it challenging for both regulators and individuals to hold the entities accountable. This, in turn, affects consumer trust in using digital services, signifying the need for systematic and innovative ways of communicating information to data subjects. Some of the changes under the EU data protection reform are aimed at mitigating these problems associated with the cognitive limitations of data subjects. A notable development to this end relates to initiatives to standardise certain aspects of such information provision by introducing standards for communicating with data subjects in a very concise and understandable manner, which is discussed in the next section.

3.2 Towards Iconised Privacy Policies

Unlike the Directive, the Regulation makes an explicit reference to the principle of transparency. Article 5(a) of the Regulation [26] provides that ‘personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject’. Article 14 of the Regulation still contains an obligation to provide extensive information regarding the processing. It is even considered to increase the amount of information that must be provided to data subjects [27]. As noted above, the challenge with such information provision rules has always been to provide information to the extent and in a form useful to data subjects. In his work on information regulation, Cass Sunstein underlines that ‘[w]ith respect to information, less may be more’ [28]. Furthermore, as the famous adage goes, ‘a picture is worth a thousand words’. The Regulation attempts to standardise certain aspects of this information provision by introducing the possibility of using standard icons. Article 12(7) of the Regulation indicates that the information to be provided by the controller under Articles 13 and 14 ‘may be provided in combination with standardised icons’. Initially, the use of such visual icons was suggested by the European Parliament [29] and was an integral part of the Regulation. However, in the final draft of the Regulation [26], which is published in the Official Journal, the implementation of such standardised icons is left to the Commission’s delegated act. Under Article 290(1) of the Treaty on the Functioning of the European Union (TFEU) [30], delegated acts are non-legislative acts that supplement or amend non-essential elements of a legislative act. Once enacted, and absent objection from the Parliament or the Council, delegated acts will have a binding effect [30].
Given that the market has been slow in taking the initiatives upon itself, the requirement under the Regulation would give a much needed push in the undertaking of such simplified and easy-to-grasp ways of communicating information. Similar initiatives by the EU to introduce mandatory standardised information provision through labelling in the energy sector have yielded encouraging and positive results in enhancing consumer understanding [21].

According to Article 12(8) of the Regulation [26], the Commission’s delegated acts should elaborate what information needs to be presented by the icons and the procedures for providing standardised icons. It is not clear whether the Commission would adopt exactly the same icons and procedures as suggested by the Parliament, although it is reasonable to assume that the Commission would make use of the already existing work from the Parliament. However, it is important to note that the use of icons is not meant to replace the more detailed provision of textual information. Instead, it aims to complement the existing ways of providing information, as stipulated under Article 14 of the Regulation. As noted above, such icons were initially suggested by the Parliament, and it is this draft that contains more detailed information about the icons. Even though the icons as suggested by the Parliament did not make it into the final draft, they at least started the conversation and will likely feature in the Commission’s delegated acts. Thus, in the following paragraphs, the visual icons and procedures suggested by the Parliament are highlighted, followed by a brief discussion of their implications in the cloud computing context.

In this regard, apart from the information to be provided under Article 14, Article 13a of the suggestion from the Parliament [29] requires the controller to use standardised icons in providing certain essential information regarding the underlying data processing operations. The information relevant for the standardised notice includes the following:
  • whether personal data are collected beyond the minimum necessary for each specific purpose of the processing;

  • whether personal data are retained beyond the minimum necessary for each specific purpose of the processing;

  • whether personal data are processed for purposes other than the purposes for which they were collected;

  • whether personal data are disseminated to commercial third parties;

  • whether personal data are sold or rented out; and

  • whether personal data are retained in unencrypted form.

According to Article 13a(2), such information should be presented ‘in an aligned tabular format, using text and symbols’ as shown in Fig. 1.

Both Article 13a and the Annex of the Parliament draft provide detailed requirements for the implementation of such formats. Among other things, first, the order and format of the above notice cannot be changed by the controller [29]. As shown in Fig. 1, the first column should contain the icons, the second column should describe the icon and the third column should indicate whether that requirement is met. In providing the information in the second column, it must also be noted that some of the words have to be in bold (see further the Annex [29]). Similarly, the third column must use the following two icons to indicate whether or not the requirement is fulfilled (Fig. 2):
Fig. 1. Standardised format for information provision (adopted from [29])

Fig. 2. Standard icons for marking compliance (adopted from [29])

This means that if, for example, the controller does not collect information ‘beyond the minimum necessary for each specific purpose of the processing’, then the third column of the first row should look as follows (Fig. 3):
Fig. 3. Illustration of the standardised format (adopted from [29])

Second, when such information is provided electronically, it should be clear, legible, and machine-readable.6 At least the text in column two should also be provided in a language easily understandable by the consumers in the Member State. Third, the controller should not provide additional information or explanation within such formats. If desired, this should be done with the other information as provided under Article 14 [26]. Furthermore, the Annex provides more detailed requirements in terms of the size and width of the icons. Although such detailed guidance is important in ensuring that such icons are used uniformly by different actors processing personal data, it is not clear what would occur if one were to fail to adhere to technical aspects such as the size, width, and the order of the icons. Some work also needs to be done in terms of preventing the use of such icons for purposes other than providing privacy-related information in a way that might create confusion for consumers. In the offline world, a common way of dealing with this problem is to register the icons as trademarks or trade names so that their usage would be limited to privacy contexts.
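The structural rules summarised above (six rows in a fixed order, unchanged column-two text, no added explanation, only the two standard markers in column three, and a machine-readable form when provided electronically) can be checked mechanically. The following is an added example, not code from the paper or from the Parliament draft: it models the notice as data, validates a controller-supplied notice against those rules, and emits JSON as one possible machine-readable form. The icon identifiers and the JSON field names are assumptions made for this example; the draft's Annex defines the actual pictograms and does not prescribe a serialisation.

```python
import json

# The six notice rows in the fixed order of Article 13a(1) of the Parliament draft [29],
# using the paper's wording. The icon identifiers are placeholders assumed for this example.
STANDARD_ROWS = (
    ("icon-collection-minimum", "whether personal data are collected beyond the minimum necessary for each specific purpose of the processing"),
    ("icon-retention-minimum", "whether personal data are retained beyond the minimum necessary for each specific purpose of the processing"),
    ("icon-purpose-limitation", "whether personal data are processed for purposes other than the purposes for which they were collected"),
    ("icon-third-parties", "whether personal data are disseminated to commercial third parties"),
    ("icon-sold-rented", "whether personal data are sold or rented out"),
    ("icon-unencrypted", "whether personal data are retained in unencrypted form"),
)

# Column-three markers (Fig. 2): placeholder names standing in for the two standard icons.
FULFILLED, NOT_FULFILLED = "icon-fulfilled", "icon-not-fulfilled"
ALLOWED_FIELDS = {"icon", "description", "status"}


def make_notice(statuses):
    """Build a notice (list of row dicts) from column-three markers, in the fixed row order."""
    return [{"icon": icon, "description": text, "status": status}
            for (icon, text), status in zip(STANDARD_ROWS, statuses)]


def validate_notice(notice):
    """Check a notice against the structural rules the paper lists: row count and order
    are fixed, column-two text is unchanged, no explanation is added, and column three
    holds one of the two standard markers. Returns a list of problems (empty if acceptable)."""
    problems = []
    if len(notice) != len(STANDARD_ROWS):
        problems.append(f"expected {len(STANDARD_ROWS)} rows, got {len(notice)}")
    for i, (row, (icon, text)) in enumerate(zip(notice, STANDARD_ROWS), start=1):
        extra = set(row) - ALLOWED_FIELDS
        if extra:
            problems.append(f"row {i}: additional information not permitted in the notice: {sorted(extra)}")
        if row.get("icon") != icon:
            problems.append(f"row {i}: icon must be {icon!r} (row order and format are fixed)")
        if row.get("description") != text:
            problems.append(f"row {i}: column-two text altered or explanation added")
        if row.get("status") not in (FULFILLED, NOT_FULFILLED):
            problems.append(f"row {i}: column three must be one of the two standard markers")
    return problems


def to_machine_readable(notice):
    """Serialise a valid notice to JSON (an assumed machine-readable form); refuse an invalid one."""
    problems = validate_notice(notice)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"standardised_notice": notice}, indent=2)


def render_table(notice):
    """Plain-text rendering of the aligned three-column table: icon, description, status."""
    width = max(len(row["description"]) for row in notice)
    return "\n".join(f"{row['icon']:<24} | {row['description']:<{width}} | {row['status']}"
                     for row in notice)


if __name__ == "__main__":
    # Constructed sample: a controller meeting every requirement except the one on
    # dissemination to commercial third parties (row 4).
    sample = make_notice([FULFILLED, FULFILLED, FULFILLED, NOT_FULFILLED, FULFILLED, FULFILLED])
    print(render_table(sample))
    print(to_machine_readable(sample))
```

Running the script prints the table followed by the JSON document. A notice with a reordered row, an added explanation in column two, or a missing row fails `validate_notice`, which is the kind of check a provider could run before publishing and a regulator could run over a fetched machine-readable notice.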

Standardising the information provision rules is a move in the right direction, at least from the data subject’s point of view. Research shows that the use of such icons facilitates an easy-to-grasp way of communicating complex information, thereby enhancing users’ understanding of privacy policies [21]. Related to this, the use of such icons improves the potential for communicating information uniformly across all studied groups, regardless of their educational and cultural backgrounds [21]. Respondents in a focus-group-based study found icon-based policies to be ‘clear and helpful’ [21]. A more informed customer could only benefit the wider uptake of cloud services. The more confident consumers are in terms of what happens to their data, the more they can trust the cloud. The usefulness of such icons is not limited to communicating information from entities to customers. Cloud providers could improve their internal compliance framework using industry-developed icons. For example, the PrimeLife project and the PrivIcons have developed icons for email privacy, which could be used to ensure the confidentiality of email communications that contain customers’ personal data or any confidential information [21]. There are also other icons that could be used to communicate ownership of information over cloud-stored data [31].

However, the use of icons is not without challenges. On the one hand, assuming that most users do not read the full privacy policies and would depend on such icons, the question is to what extent such iconography of privacy policies can empower user decisions regarding their data. For example, one of the criticisms of earlier initiatives from the EU on labelling in the energy sector is that they do not allow consumers a well-informed cost-benefit analysis because of the limited information they provide [21]. The suggestion under the draft Regulation seems to take such limitations on board by introducing a layered approach, where the icons are used to provide the most essential information, complemented by full privacy policies elsewhere. This might not avoid potential reliance on the icons, but it provides consumers with more detailed information if they are interested in digging deeper into how their personal data are treated.

More importantly, the fact that a controller has to indicate that it has met the requirement does not enhance actual compliance by controllers. Compliance with the standard notice might even lead to a tick-the-box approach and create a false sense of protection for the data subjects. This means that unless such schemes are complemented with an auditing and certification mechanism, they would have limited significance in enhancing the rights of individuals. In fact, the Regulation has introduced certification mechanisms, and there are also on-going standardisation initiatives, which can be used to strengthen the use of icons. Similarly, how is the concern of visually impaired people addressed with regard to this standard notice? Does this obligation require the utmost effort from controllers to provide the necessary information in a manner that people can comprehend?

This obligation will affect many cloud providers that have individual users as customers. Those providers will be required to provide information regarding the processing of information in this standard notice. This includes the implementation of a machine-readable format of the standard notice requirements when the information is provided electronically. This means, for example, that websites providing privacy policies should implement certain standards, including standards to address readability on different devices such as mobiles. This implies the need to maintain two sets of privacy policies: one presented through icons and one providing more detailed information that is consistent with the information presented through the icons. Furthermore, companies often change their policies from time to time, underlining the need to update the information provided through icons. There is no doubt that this would be time-consuming and costly for cloud providers.

Overall, the initiative to encourage the use of icons to provide information is commendable. However, it can only improve the conveyance of providers’ existing policies, not their actual commitment to ensure the privacy of customers. If a real change in terms of users’ rights is to come, it would require the willingness to consider adherence to privacy principles as a competitive advantage, rather than as a matter of compliance. In the next section, we consider a slightly varied approach to visualising law through icons at the European level in dealings with consumer contracting.

4 EU Consumer Protection Law: Application and Informational Requirements

In this section, we evaluate core EU rules for consumer protection and evaluate a recent attempt to make these rules more accessible to consumers by representing core aspects with icons. At the outset, we note that this system has promise. However, like the graphical user interfaces that are visible in place of programme code, what lies behind is often complex. We evaluate how these complexities might impact the overall effectiveness of the message the icons attempt to convey.

In the EU, an inclusive and multifaceted system of rights in consumer transactions is designed to provide European consumers with perhaps the most expansive level of consumer protection available globally. On that basis, consumers ought to be able to extend this expectation—that their rights are protected—to purchases made in the digital marketplace on a national, and even on an international, basis. This wide-ranging coverage is achieved by offering consumers remedies at several stages or levels of the contracting process in addition to making certain unfair terms offered by sellers unenforceable. By creating a ‘floor’ or minimum standard that allows consumers to disaffirm contracts based on subjective dissatisfaction, or even ‘buyer’s remorse’, the European consumer has substantial rights and remedies when they enter into contracts online. These rights are expressed in a series of directives and regulations.

Central EU directives currently in place to protect consumers include the Unfair Terms Directive (UTD), the Unfair Commercial Practices Directive, and the Consumer Rights Directive (CRD), among others [32, 33, 34]. In addition to consumer-specific legislation, the Rome I Regulation (law applicable in contractual matters) and the Brussels I Regulation (jurisdiction) also have consumer-specific provisions [35, 36]. Additionally, the Electronic Commerce Directive (ECD) provides a framework for harmonising or providing consistent rules for online transactions—ultimately contributing to consistency in e-commerce across European member states [37]. Application of these rules covers the entire duration of a consumer contract, from the advertisement of a service, to the contract offer and formation of a contract, through procedural and substantive issues regarding the content of terms, and finally setting the rules governing how and where disputes will be adjudicated if the need arises.

As consumer protection regulations are contained in many different instruments, it can be difficult for consumers to understand and appreciate the rights they have. At the same time, less sophisticated CSPs and other providers—particularly those without legal counsel—may struggle to meet all of the requirements. As cloud computing is provided on a global scale, foreign providers are also required to conform to EU legal requirements, even if it is difficult for them to provide European consumers with the rights they have in their member states. For example, many of the contract terms offered by US-based CSPs are at odds with the mandatory European consumer protection legislation described above, from price and informational terms to choice of law and forced arbitration requirements [38]. The following subsections provide some of the requirements pursuant to EU consumer protection law, followed by an evaluation of a graphical means, expressed through icons, designed to communicate those requirements. Although the icons do not represent all aspects of consumer protection law, they might give providers a basis for complying with principal informational requirements, among others.

4.1 Name, Address and Contact Details

Both the CRD and the ECD require that the seller provide information regarding the name of the trader or service provider [34, 37]. The CRD and the ECD also require that the seller provide contact information. Although the requirements are similar, the CRD requires that the seller provide ‘the geographical address at which he is established and his telephone number’. The ECD requires similar information, but does not require that a telephone number be provided (i.e., email address is sufficient).

4.2 Costs, Technical Requirements, and Product Information

If the cost of using a means of distance communication is above the basic rate, the CRD requires that this cost be communicated to the consumer [34]. In addition to cost, the ECD requires that the seller provide the technical steps needed to conclude the agreement, whether or not the contract will be filed by the service provider, the technical means for correcting or rectifying errors in the order, the languages available, and receipt of the order by electronic means, without undue delay [37]. The CRD requires additional information regarding the functionality and interoperability of the product being offered [34]. Specifically, the seller must present ‘any relevant interoperability of digital content with hardware and software that the trader is aware of or can reasonably be expected to have been aware of’ [34]. This puts the burden on the CSP to be active and provide the required information.

4.3 Price

Both the ECD and the CRD have rules regarding the price information to be provided to consumers. The ECD requires that the price be ‘indicated clearly and unambiguously’ to the consumer [37]. The CRD requires clear information on the total price of the service, including taxes and any other charges that can be calculated [34]. According to the guidance document published on the CRD, the seller must notify the consumer of the total cost per billing period and the total monthly costs [34]. The aim is to prevent the many ‘hidden’ charges often associated with digital products and to reduce misrepresentation of prices.

4.4 Contract Information: Duration and the Right to Withdraw

The CRD requires that information regarding the duration of the contract, renewal requirements (i.e., automatic extensions of the agreement), and the consumer’s obligations under the agreement is provided [34]. Cloud contracts are often provided on a monthly or yearly subscription basis, without a set duration. Therefore, under the CRD, the CSP must provide the consumer with information regarding the conditions for terminating the contract [34]. The CRD also requires that consumers be provided with certain information regarding their right to withdraw from a service, including the application of the right, the procedures for exercising it, the consumer’s obligations for the costs of returning goods, and the obligation of the consumer to bear the trader’s reasonable costs [34, 39].

4.5 Codes of Conduct

In the EU, there has been a push to create codes of conduct and other ‘self-regulatory’ initiatives to provide consumers with better information on products and to provide traders or sellers with guidance on how to comply with applicable laws. The starting point of these initiatives may be self-regulatory (set by the industries to be regulated) or co-regulatory (set by the industry with input from governments and regulators). The point of departure is that many instruments, such as codes of conduct and so-called ‘trust seals’, are voluntary, but members may have certain conditions imposed on them as a requirement of membership. If members fail to meet those conditions, there may be consequences. For example, if a trader has earned the right to use a trust seal and then acts in a manner incompatible with the principles for using that seal, the industry organisation may require that the seal be removed, or may even ‘black-list’ the seller from further use of the seal.

One problem with codes of conduct is that they are often difficult for consumers to find and to pair with the products they are purchasing [40]. To address this problem, the CRD requires the seller to inform the consumer of relevant codes of conduct where applicable and to provide information on how copies of such codes can be obtained. The ECD contains a similar, albeit more limited, requirement: the trader must indicate ‘[a]ny relevant codes of conduct to which he [the trader] subscribes and information on how those codes can be consulted electronically’ [37].

4.6 Visualisation of Contract Terms

A unique aspect of the CRD is an ‘optional model’ that sellers may adopt for displaying contract terms visually. Visualisation, that is, adding supplemental information to a contract in the form of icons or other graphical elements, potentially provides a clearer means for communicating legal requirements. Much as traffic signs represent laws or regulations, such as the direction of traffic or parking restrictions, icons or symbols in a contract might also be used to communicate legal concepts or principles in a much more user-friendly manner. For example, the following icons attempt to provide consumers with accessible points of reference for locating information (Fig. 4):
Fig. 4. CRD ‘Optional Model’ (adapted from [41])

There are some clear advantages to displaying legal information in this manner. For example, icons are much easier for consumers to read on a mobile screen than are dense contracts or privacy policies. If consumers understand the icons and the icons are used consistently, consumers will have a good idea of where they need to look in order to obtain the information relevant to their purchase. To some extent, the icons also avoid the problem of presenting consumers with a great deal of complex information immediately before concluding a contract. Even if the terms are not fully understood, the icons potentially provide a much greater opportunity for at least a basic understanding of the contract terms, compared to providing a 30,000-word document alone for a mobile application.

Sellers adopting these tools may also be taking an important step towards providing less ambiguous contract terms, as required by several consumer protection instruments [32]. Although sellers are not required to use this model to comply with the information requirements of CRD Article 6, the icons provide a readily available tool [41]. CSPs may adopt their own means of displaying legally operative information. However, the model provided in the CRD Annex offers a possible path for presenting information that does not require new development on the part of CSPs. Additional icons might aid in presenting general information, such as the trader’s name, legal information including ‘termination’ and ‘contract duration’, and technical information that affects use of the service, in addition to payment and even certain privacy implications (e.g., ‘tracking’). The following icons (Fig. 5) have the potential to express many contract terms:

Although the icons represented in Fig. 5 provide a potential step forward in presenting consumers with complex information in a form they are better able to understand, there are also clear limitations. Most users of cloud services are not lawyers. Without training or education, they will likely have difficulty understanding the rights represented by the icons. Just as drivers are educated to recognise traffic signs, consumers will need to be educated in, and learn, the visual language of the CRD model. Although some icons are somewhat intuitive, many of the rights they represent are far from obvious. For example, looking at Icon 17, it is not immediately apparent that the icon represents ‘resolution’. Similarly, the arrow and box in Icon 18 represent the right to withdraw from a contract, but they could easily have many other meanings, including portability. Although others may be clearer, such as the lock used in Icon 7 or the price in Icon 15, their exact meaning and legal implications require a deeper knowledge of the concepts represented. Building familiarity with and understanding of the icons among consumers is therefore a crucial step in ensuring their effectiveness.
Fig. 5. CRD ‘Optional Model’ (adapted from [41])

5 Conclusion

Even if consumers do not read or understand complex contract terms and privacy policies, they still care about whether they are being treated fairly in the contracts they enter and whether their privacy is protected. Exploring alternative methods for delivering vital information to consumers is a move in the right direction towards providing more complete notice and obtaining meaningful consent. Even if the current EU suggestions and icon models are not obligatory, they mark significant progress in the advancement of these ideas.

At the same time, visualisation of legal concepts is not without challenges, for example the oversimplification or inadequate communication of nuanced and complex data protection or contract principles. Such concepts are difficult to convey with a picture. Where they are conveyed, such representations may oversimplify data collection practises or fail to convey the breadth of the fundamental rights that data subjects or consumers have in the EU. Similarly, there are concerns that although visual expressions may increase access for users with literacy impairments, they could also overlook the interests of the visually impaired. Making certain that users are not left behind is a difficult but important task.

Although some terms, like price or duration, are easy to express, more abstract principles, such as ‘fair and lawful processing of data’, will remain difficult. Perhaps the road forward on the data protection front involves providing additional options or a greater selection of symbols for providers to choose from. Conceivably, an expansion of icons similar to those provided in the Optional Model of the CRD is a good step in this direction, but it would again require public education to ensure that users understand the message being communicated to them [41]. Although it is important to consider and acknowledge the limitations of the visualisation of legal concepts, we should be careful not to become fixated only on these limits. After all, the current system, in which contract terms and privacy policies are all but designed not to be read, is far from perfect. Greater visualisation using icons is an area with great promise for both users and providers.

Footnotes

1. In the business-to-business context, many of the consumer protection rules described herein are inapplicable. Cloud services obtained by consumers are often of the Software as a Service (SaaS) variety, but are not limited as such, and the protections also apply to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) deployment models.

2. This expression is meant to refer to humans, irrespective of their gender.

3. For example, the severed hand of a presumed criminal is still exhibited today in the town hall of the German city of Münster, constituting one of the more extreme symbols of legal risk.

4. See Annex 1 of the Vienna Convention on Road Signs and Signals.

5. Recital 38 of the preamble of Directive 95/46/EC provides that ‘if the processing of data is to be fair, the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection.’

6. The machine-readable requirement also comes from Recital 60 of the final draft of the Regulation. See also Article 13a(3) of the Parliament Draft.


Acknowledgment

This work was partly supported by EU-funded (FP7/2007-2013) Coco Cloud project [grant no. 610853] and the SIGNAL project (Security in Internet Governance and Networks: Analysing the Law) funded by the Norwegian Research Council and UNINETT Norid AS.

References

1. Mell, P., Grance, T.: The NIST Definition of Cloud Computing. NIST Special Publication 800-145 (2011)
2. Jansen, W., Grance, T.: Guidelines on Security and Privacy in Public Cloud Computing. NIST Special Publication 800-144, U.S. Department of Commerce (2011)
3. Reinecke, P., Seybert, H.: Eurostat: Internet and cloud services - statistics on the use by individuals (2014)
4. Waelde, C., Edwards, L.: Law and the Internet, 3rd edn. Hart Publishing, Oxford (2009)
5. Matwyshyn, A.M.: Privacy, the hacker way. Southern California Law Review 87(1) (2013)
6. Mahler, T.: Visualisation of legal norms. In: Jon Bing: En Hyllest/A Tribute, pp. 137–153. Gyldendal Norsk Forlag (2014). ISBN 9788205468504
7. Barton, T.D., Berger-Walliser, G., Haapio, H.: Visualization: seeing contracts for what they are, and what they could become. J. Law Bus. Ethics 19, 47–64 (2013)
8. Lessig, L.: Code: Version 2.0. Basic Books (2006)
9. Rumbaugh, J., Booch, G., Jacobson, I.: The Unified Modeling Language Reference Manual, 2nd edn. Addison-Wesley, Boston (2004)
10. Chang, C.: Street Vendor Guide: Accessible City Regulations (2009)
11. Hilgendorf, E.: Beiträge zur Rechtsvisualisierung. Logos (2005)
12. Röhl, K.F., Ulbrich, S.: Recht anschaulich: Visualisierung in der Juristenausbildung. Halem, Köln (2007)
13. Hoogwater, S.: Beeldtaal voor juristen: Grafische modellen om juridische informatie toegankelijker te maken. Boom Juridische uitgevers (2009)
14. Brunschwig, C.: Visualisierung von Rechtsnormen: Legal Design. Schulthess (2001)
15. Kohn, B.: Amicus Curiae Brief to the United States District Court for the Southern District of New York
16. Brunschwig, C.: Tabuzone juristischer Reflexion: Zum Mangel an Bildern, die geltendrechtliche Inhalte visualisieren. In: Schweighofer, E., et al. (eds.) Zwischen Rechtstheorie und e-Government: Aktuelle Fragen der Rechtsinformatik (2003)
17. Wagner, A.: The rules of the road, a universal visual semiotics. Int. J. Semiotics Law 19, 311–324 (2006)
18. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281/31
19. Posner, R.A.: Economic Analysis of Law, Aspen Casebook Series, 8th edn. Aspen Publishers, New York (2011)
20. Lynskey, O.: Deconstructing data protection: the “added-value” of a right to data protection in the EU legal order. Int. Comp. Law Q. 63(3), 569–597 (2014)
21. Edwards, L., Abel, W.: The use of privacy icons and standard contract terms for generating consumer trust and confidence in digital services. CREATe Working Paper Series. doi:10.5281/zenodo.12506
22. Special Eurobarometer 431: Data Protection. European Commission (2015). Catalogue Number DS-02-15-415-EN-N
23. World Economic Forum: Unlocking the Value of Personal Data: From Collection to Usage (2013)
24. McDonald, A., Cranor, L.: The cost of reading privacy policies. In: Proceedings of the Telecommunications Policy Research Conference, 26–28 September 2008
25. Calo, R.: Digital market manipulation. Geo. Wash. L. Rev. 82, 995 (2013)
26. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter GDPR). OJ L 119/1
27. De Hert, P., Papakonstantinou, V.: The proposed data protection Regulation replacing Directive 95/46/EC: a sound system for the protection of individuals. Comput. Law Secur. Rev. 28, 130–142 (2012)
28. Sunstein, C.R.: Information regulation and information standing: Akins and beyond. University of Pennsylvania L. Rev. 147, 613 (1999)
29. Committee on Civil Liberties, Justice and Home Affairs: Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 21 November 2013. Available at (LINK) (hereinafter Parliament Draft)
30. Consolidated Version of the Treaty on the Functioning of the European Union, Article 289(1). OJ C 326 (2012)
31. Helton, A.: Privacy Commons Icon Set (2009). http://aaronhelton.wordpress.com/2009/02/20/privacy-commons-icon-set/
32. Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts. OJ L 095, 21/04/1993, pp. 29–34 (Unfair Terms Directive)
33. Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council. OJ L 149, 11/06/2005, pp. 22–39 (Unfair Commercial Practices Directive)
34. Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council. Text with EEA relevance (Consumer Rights Directive)
35. Regulation (EC) No. 593/2008 of 17 June 2008 on the law applicable to contractual obligations (Rome I)
36. Council Regulation (EC) No. 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels I)
37. Consumer Rights Directive Art. 3. See also Rec. 22. The ECD introduces concepts such as the ‘country of origin rule’ to harmonise the rules (licensing etc.) that online actors must comply with. Essentially, this requires that CSPs only have to follow the regulations of the country where they are established, not the rules of all member states.
38. Rustad, M.L., Onufrio, M.V.: Reconceptualizing consumer terms of use for a globalized knowledge economy. Univ. Pennsylvania J. Bus. Law 14, 1085 (2012)
39. Millard, C.J.: Cloud Computing Law. Oxford University Press, Oxford (2013)
40. Loos, M.B.M.: Analysis of the applicable legal frameworks and suggestions for the contours of a model system of consumer protection in relation to digital content contracts. University of Amsterdam (2011)
41.

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

Samson Esayas, Tobias Mahler, Kevin McGillivray
Norwegian Research Center for Computers and Law, University of Oslo, Oslo, Norway
