You don’t crowbar the problem into an old system
BY:
Catherine Nicci
Legal Affairs Analyst / Reporter
PROJECT COUNSEL MEDIA
15 August 2022 (Washington, DC) – The U.S. Federal Trade Commission (FTC) announced a public consultation to create new rules around privacy, drawn very broadly to cover almost anything that touches the consumer. I think most people would agree that the U.S. badly needs coherent privacy laws of some kind, preferably national, but what, and how?
The FTC is taking a somewhat controversial approach, since it is proposing to assert new powers and new interpretations of laws, without explicit legislative backing, even though there is a pretty advanced (but heavily flawed) process in the actual U.S. Congress to write a new privacy law. In general, I think that if you want something to be illegal that has not been so far, you should pass a systematic set of new laws – not ask for people to propose “new legal theories” which is what the FTC is doing here.
You make a new test – you don’t crowbar the problem into an old test.
And you need to be specific and rigorous about the problems you’re trying to solve, rather than make incredibly vague and vacuous statements about “surveillance” and “targeted advertising” (note to the FTC: all advertising, without exception, is “targeted”).
This is what killed Europe’s much vaunted General Data Protection Regulation (GDPR).
The aims of GDPR and oversight efforts were good ones, in principle: protecting consumers and giving them more control over their data. But GDPR missed all its targets. While fines have been levied against Amazon, Apple, Google and Facebook they were minuscule and would do nothing to change Big Tech behavior. Yes, the EU’s Digital Services Act and Digital Markets Act are now on the books but they have similar faults.
What GDPR did do is seriously hurt smaller competing tech companies, in some cases beyond repair. And we saw the continuing mess. British Airways and Marriott were substantially fined for violations under the new law. But the precarious data-hoarding practices of companies like Google and Facebook, not hospitality brands or airlines, were the impetus behind GDPR.
In effect, it’s a scattershot crackdown on any firm — very large, very small, or anywhere in between — that interacts with EU consumers, has a business model dependent on internet infrastructure, and fails to comply, even in simple ways, with consumer privacy rules. Small and midsize technology companies in the adtech lanes dominated by Facebook and Google have lost the most.
The modern tech monopolies have the capital, infrastructure, and preexisting market dominance to weather the storm of laws like GDPR. No matter how hard the hits, Big Tech is virtually assured to stay afloat while smaller competitors sink.
You see it in the most recent financial results in Big Tech’s advertising and market figures across Europe. Record advertising revenues and since the activation of GDPR in May 2018 Big Tech advertising market share increased, on average, 2% a year across Europe while most other adtech vendor competitors in North America and Europe lost ground.
The unintended impact of GDPR on smaller businesses and startups: GDPR has conferred a market advantage to exactly those companies who need it the least: the tech platform monopolies. While they may not like the new regulations, Facebook and Google can afford as many technologists, product specialists, and lawyers as they wish to ensure GDPR compliance and insulate themselves against any incidental losses. Smaller competitors can’t. Smaller companies are hard-pressed to come up with the time, money, and personnel to tackle privacy compliance.
Again, crowbarring the problem into the old systems – and not knowing how capital, infrastructure, and preexisting market dominance work. As we have noted before, EU regulators have zero knowledge how the network of commercial tracking technologies work, how it is baked into the web’s modern data collection regime.
So the EU regulators crowbarred the problem into the old system. They did not design a new system. The old system always talked about “control” as the issue. And so everybody involved in the GDPR drafting process emphasized “control” of personal data as core to privacy.
But control is the wrong goal for data protection in general. Too much zeal for control dilutes efforts to design information tech correctly. This idealized idea of control is impossible. Control is illusory. It’s a shell game. It’s mediated and engineered to produce a particular control. If you are going to focus on anything, it is stopping the collection of data at the very beginning. That would have been a new system.
But the EU got played by the Big Tech lobbyists and so what did you get? The forcing of complex control burdens on citizens, and not real rules that mandated the deletion or forbid the collection of data in the first place. Because despite all the sound and fury, the implication of fully functioning privacy in a digital democracy is that individuals would control and manage their own data and organizations would have to request access to that data. Not the other way around. But the tech companies knew it is was far too late to impose that structure – and made sure any new laws that might seek to redress that issue worked in their favor, preserving what was baked into the web’s modern data collection regime.
The FTC lacks effective privacy enforcement and does not have sufficient regulatory or penalty authorities to address the privacy threats posed by modern internet services. And there are significant limitations in the patchwork of data protection authorities at the FTC’s disposal. Let’s see how far they get with this new initiative.