rooting around for grubs in diverse soils

Tag: privacy

The age of (trying to regulate) surveillance capitalism

For a while now the most interesting discussions about tech and privacy have been happening in the United States. In politics, the US Congress in 2018-2020 was awash with proposals for a federal privacy law. Privacy academia is also in full spate, and there are few more incisive and erudite contributors than Julie Cohen, who in her latest blockbuster suggests what such a federal privacy law should and should not do if it is to address what she calls the ‘dysfunctions of the networked information economy’. 

Privacy has been viewed through the prism of individual rights, even if there is a general acceptance that individual rights and freedoms are social goods. Cohen focuses on the limitations of this perspective. ‘Atomistic, post hoc assertions of individual control rights … cannot meaningfully discipline networked processes that operate at scale. Nor can they reshape earlier decisions about the design of algorithms and user interfaces.’  She takes aim especially at ‘The continuing optimism about consent-based approaches to privacy governance’, which she finds ‘mystifying, because the deficiencies of such approaches are well known and relatively intractable.’  The landscape is too complex and manipulation too easy for consent to be the answer. Tech firms can game user control rights with ‘synthetic data’ that tends to lie outside the framework. She (like Paul Schwarz much earlier) sees the consent requirement as akin to property rights, which have failed to safeguard the interests of the marginalized and poor. ‘It makes no sense whatsoever where networked, large-scale processes are involved.’ 

Novel and creative apparatuses that aim to compensate for the limitations of individual control, like ‘user governed data cooperatives’ or ‘automated consent management panels’, might work for ‘smaller, more homogeneous communities’ where it is obvious which resources are to be protected. But their effect, Cohen argues, is to ‘turn consent into a fig leaf’, useful only ‘to achieve compliance with a regime that requires symbols of atomistic accountability.’

Moreover, the hoped for ‘trust’ and ‘duty of care’ often touted – festishised even – as an all-purpose salve, a sort of soft law social contract between commercial digital players and society, would never be considered sufficient for banks, pharma or insurance companies. We are too aware of the risks in those fields to allow such latitude. In the digital economy, ‘dominant actors’ could only be expected to change their surveillance-based business models, if their ‘corporate ownership and control structures’ as well as ‘licensed flows of data’ were disrupted. They set the terms and protocols for data use that developers and ‘marginal actors in networked information ecosystems’ – from media companies to white supremacists – have every incentive to follow.

Until recently, there were vast swathes of the planet without any general privacy and data protection laws. Those regulatory deserts are now dwindling, with Brazil and soon India adopting rules that will extend legal protection to billions of people. (See especially the work of Gabriela Zanfir-Fortuna at the FPF in tracking these developments.)  Authoritarian China is also aping GDPR-styles rules, reflecting popular exasperation with their own surveillance capitalists, though the rules are clearly subservient to the far greater priority of state coercion and control. Ironically, the United States could soon become the global outlier.

Cohen however critiques data protection on grounds that it ‘relies on prudential obligations’ and ‘invites death by a thousand cuts’, unable to scale to today’s tech leviathans and systemic privacy depredations, reducing well-meaning laws to ‘an exercise in managerial box-checking’. She takes the GDPR to task, for example, for requiring data protection-by-design without specifying what the design ought to be: ‘There is a hole at the center where substantive standards ought to be—and precisely for that reason, data protection regulators often rely on alleged disclosure violations as vehicles for their enforcement actions, reflexively reaching back for atomistic governance via user control rights as the path of least resistance.’  She notes that the proposed privacy bills all shy away from regulating government use of data, so they would not remedy the shortcomings identify in the two CJEU Schrems judgments. Nor, for that matter, do they seem interested in the principle of purpose limitation in the use of personal data. It is unclear, however, what Cohen would prefer to see. The GDPR and its fellow travellers are criticised for their tendency towards over-prescriptiveness, but at their core is an attempt less to micromanage business practices, even less to outlaw business models, but instead to make them accountable for whatever they choose to do with the data they control. Consent is not, in fact, at the heart of the GDPR.

Cohen is at her most convincing when highlighting the gap between legislative promise and delivery of outcome. ‘If one wants to appear reformist while moving the needle only very slightly—one confers authority to make rules and bring enforcement actions, and then one waits to reap the predicted beneficial results.’ This model has broken down, she says. It’s like a car manufacturer or (at least before the 2007-8 crisis) mortgage lender that fawns over its prospective customers before neglecting them after the purchase has been made and whenever problems arise. The ruthless injunction to ‘Always Be Closing’ in David Mamet’s Glengarry Glen Ross becomes Always Be Legislating, and let the enforcement look after itself. ‘Enforcement practice,’ however, ‘has largely devolved into standard-form consent decree practice, creating processes of legal endogeneity that simultaneously internalize and dilute substantive mandates.’ The dirty secret of these enforcement strategies is that Big Tech’s excesses remain and have if anything got worse during their implementation.

These ‘litigation-centered enforcement mechanisms’ can only ever be as effective as access to justice which, at least in the United States, has diminished over the years as standing and class-action have been curtailed. Public enforcers have been underfunded and become increasingly risk-averse.  Infringements of privacy being systemic, Cohen thinks it is insufficient to single out individual actions of bad actors pour encourager les autres, as the effect is to ‘validate the mainstream of current conduct rather than meaningfully shifting its center of gravity’.  The behaviour regulators seek to penalise and reform is so profitable that occasional enforcement can be planned for, and absorbed, by the bigger companies as an acceptable business overhead – Cohen cites the size of the 2019 FTC $5bn settlement with Facebook which broke records but changed nothing.

What is the alternative? Privacy regulation should move out of its silo and borrow from post-crisis financial regulation’s ‘operating requirements for auditing, benchmarking, and stress testing,’ and for ‘public-facing transparency about information-handling practices’. ‘Honoring the public’s right to know requires a less deferential approach to the secrecy claims that have become endemic in the networked information era.’ Instead of drop-in-the-ocean civil fines, public enforcers should be able to reverse the incentive bias by disgorging profits accruing from unlawful activity, and return those ill-gotten gains not only to the individuals affected but also plough them back into the public enforcement budget. Where violations with knowledge and intent have been proven, it should be possible to target the personal wealth of those accountable board members, and especially where they happen also to be majority shareholders. These are means for internalizing the externalities of their immensely profitable enterprises.

Julie Cohen’s remedies echoed and coincided with those proposed by the apparently chastened former CFO of Goldman Sachs. Writing in The Economist, Martin Chavez said, ‘Just as CCAR places limits on the leverage in derivatives portfolios by imposing capital requirements, digital regulators would insist that platforms constrain the algorithmic amplification of outrage and emotional resonance by limiting the propagation of viral content. Regulators would base their rules on a deep and shared understanding between the regulator and the regulated of how digital companies make money, just as banks simulate their complex chain of interlinked businesses into the future in a stress test.’ Chavez concedes that the Dodd Frank Act and its ilk have hardly ushered in golden era of financial morality, but he is not alone in wondering why what’s good for the banking goose cannot equally be served up to the digital gander.  

These are worthy and thoughtful additions to the debate on how to forestall the failure of tech companies that have become ‘too big to fail’, by means of a concoction of intricate technocratic rules that only the biggest can be expected to be able to comply with. For engagement with the underlying questions of growing inequality, digital or otherwise, and of when a company may simply be ‘too big’ for a purported democracy of human rights and equality before the law, we must look elsewhere.

Un omaggio

This reflection on the life of my boss, Giovanni Buttarelli, was originally posted on https://iapp.org/resources/article/memoriam-giovanni-buttarelli/ and has been repatriated here, a year to the day since he passed away.

I don’t have many photos of me and Giovanni. Just as well, because his svelte poise only threw into ever-starker relief the balding squatness of my advancing years. I found one, though, captured when with the assistance of my (surly) two year old, I had rushed a document for his signature before he went through the security gates at Brussels airport.

He was entitled to be confident, and not only because of his debonair demeanour. He had a global fan base, the extent of which we are only beginning to fathom, as the tributes come flooding in. But a more important endowment was his self-doubt. He concealed it expertly, but I believe it was what made him intensely sensitive to what other people thought and said, and what gave him his insatiable hunger always to do more and do better.

Thanks to him, our floor was suffused with the smell of proper coffee. “No coffee, no meeting,” he warned his personal assistant, arriving in the office one morning. On another occasion, she was scandalised when I said he had asked me for another tazzina. That would be his fifth of the morning, she said. No way. I will make him a decaffeinato.  

“We need to be more communicative,” was one of his refrains. But not too communicative: “We have to speak in an institutional language,” he would say if my drafts got too fruity. Overall, he wanted data protection to descend from its ivory tower, and demonstrate its relevance and value in the real world. He likened arid legal opinions to recitals of the Mysteries of the Rosary, which he would recall in monotone solemnity:

Nel primo mistero gaudioso ricordiamo l’annunciazione dell’Angelo a Maria Vergine…

Nel secondo mistero gaudioso ricordiamo la visita di Maria Santissima a Santa Elisabetta...

He worried about parochial jargon being a barrier for reaching out to non-specialists. Data protection was about showing respect for people. It was not an absolute right. It does not block technological progress or public safety or other things that society cares about; it’s essential for ensuring these things are done responsibly and sustainably. Take risks, don’t hide behind consent, but own those risks. Data protection lawyers, Giovanni would say, should not be like the Trappist monk from Non ci resta che piangere who appears from nowhere to harangue the unsuspecting Massimo Troisi with a reminder of his mortality: Ricordati che devi morire! Engage with the policy and be persuasive.

Giovanni’s priority as Supervisor was to be more ‘conversant with technology’. So in the first year of his mandate he went to Silicon Valley. He left convinced that the biggest challenge was not compliance with arcane data protection rules. Rather it was the assumption, across boardrooms, venture capitalists and garage start-ups, that the only way for digital services to be profitable was to track people, profile and target them. Giovanni began to pepper his talks and articles with the mantra of ‘the dominant business model’, before it became cool to do so. Only latterly did he have the chance to connect with fellow traveller Shoshana Zuboff when at the beginning of this year she came to Brussels to unveil her monumental exposé of “Surveillance Capitalism”. At his last public event, a high-powered powwow on privacy and competition that he co-hosted with the German Federal data protection commissioner, each of his fellow panellists echoed the phrase. Giovanni’s diagnosis was no longer eccentric and ‘out there’, it had become the new orthodoxy.

Giovanni was a policy entrepreneur. He spotted opportunities and threats on the horizon before others did. In 2015, with the data protection world absorbed with the GDPR negotiations and the judgments in Schrems and Google Spain, he pitched the concept of ‘digital ethics’. He argued that artificial intelligence and smart-this-that-and-everything challenged not so much privacy as the basic, universal and inviolable right to human dignity. He got the world talking about ethics and technology at the 2018 international conference of privacy commissioners. Now chatter about “ethics and AI” has become so commonplace it risks descending into banality.

Giovanni, following his predecessor Peter Hustinx, saw – again long before it became cool – that privacy in the age of digitisation was inseparable from market power and therefore competition enforcement. It was in his garage, setting off to deliver a speech to antitrust lawyers, that the idea of a ‘Digital Clearinghouse’ was hatched. It would bring together all willing enforcement agencies with responsibilities for digital markets. By July this year, he would share a platform with an outgoing Secretary General of the European Commission who called on multiple regulators to act as if they were single regulators, and predicted that the convergence between privacy and competition would be ‘a running theme’ for the next five years.

Giovanni was alone in 2017 in telling us that the novel obsession with ‘fake news’ pointed to an underlying, systemic data protection problem. Data protection was not just about the individual – it was a core safeguard for societal cohesion and democracy itself. It is now cool to say this. There is no greater compliment to the man than that he has others now reading from his playbook.

It was on such broad canvasses that Giovanni painted. But what most engaged him were the finer details of legal texts; he was a magistrate probing arguments, teasing out potential ramifications. Watching him in action from close quarters was a great privilege. He would not impose his views but lead you through legal quandaries to a satisfactory conclusion. For several brain-sapping weeks in early summer 2015, he convened marathon sessions with the EDPS’s best lawyers to pick over three competing versions of GDPR, by then into its fourth year of negotiations (the Commission’s original proposal, the European Parliament and Council amendments), along with the EDPS’s own extensive opinion from 2012. The result was a GDPR mobile app juxtaposing the different texts with the EDPS’s advice on how to resolve the discrepancies.

Privacy was his last profession and he practiced what he preached. He did not burden his closest colleagues with his personal affairs. And he never meddled with mine, except after I told him my wife was expecting again and he advised us to go buy ourselves a TV. There was no need for him to pry, because I know he cared.

The world was robbed of Giovanni too soon. His mind was awash with ideas. Recently he was finalising a ‘manifesto’* for the future of privacy. In one of his last messages to me, he said, to paraphrase, “This had better be the best document of all time. I want the whole world talking about it. Balls of steel.” Then, after a pause, “You too are playing with your future with this document. Get it wrong and you will end up in la merda.” In our final conversations, we spoke about the climate crisis and how technology instead of being part of the solution had instead become part of the problem with its carbon-emitting data-madness and reckless natural resource extraction. He had plans to visit China.

I wish I could remember more. I wish I had written down all his obscure Latin phrases and his tawdry Roman dialect expressions. But he has left us with plenty to be getting on with. So many words. Parole, parole. Some receding, others lingering, like ghosts at cockcrow.

Grazie, caro Consigliere.

* Giovanni Buttarelli’s manifesto, Privacy 2030: A New Vision for Europe, was published posthumously in November 2019.

‘Privacy 2030’, Giovanni Buttarelli’s ‘manifesto’

manifMy presentation of ‘Privacy 2030: A vision for Europe’ at IAPP Data Protection Congress, Brussels, 21 November 2019

What would Giovanni have said if he was still with us?

Well, first of all he would have noted that this event has coincided precisely with the
future-fictional setting of Bladerunner.

Now here we are, Brussels, 21 November 2019, and reports of imminent tech dystopia
are greatly exaggerated; at least in Belgium.

Shortly after Giovanni asked me to work for him, I would learn that there were three
moments in the now very congested privacy calendar where he would want to shake
things up, say something new – qualcosa di fico.

Two of these moments were IAPP moments: in springtime Washington DC around time
the cherry blossom briefly adorn the National Mall; and here in grey, soggy, autumnal
Brussels, when the people take refuge in cafes and strong dark beers.

Trevor Hughes and Omer Tene would always offer Giovanni a platform for his insights,
and it spoke to a deep mutual affection between them.

A year ago, he was here and announced his intention to publish a manifesto on the
future of privacy and digital society, looking beyond the GDPR.

So he would be grateful to the IAPP for publishing this week ‘Privacy 2030: A Vision for
Europe’, and to his seven eminent ‘fellow travellers’ – Omer, Maria Farrell, Malavika
Jayaram, Jules Polentsky, Rocco Panetta, Marc Rotenberg and Shoshana Zuboff – for
contributing their own reflections on the big theme.

He would have been moved that the first lecture in his memory would be delivered by
Commissioner – soon to be Executive Vice President Margrethe Vestager.

There was a special chemistry between these two great thought leaders, though they
come from very different backgrounds, at opposite ends of Europe. It is clear that much
of what he believed in will be continued by her as she tackles the huge challenges ahead.

Giovanni’s three children Serena, Gianluca and Eleonora are with us today, and in their
charming company you sense their father’s calmness, lucidity and Sphinx-like
inscrutability, in this still traumatic period of coming to terms with such a loss.

Among the myriad Buttarelli awards, foundations and even meeting rooms being
proposed, it is Serena, Gianluca and Eleonora who will be the ultimate custodians of
their father’s legacy. And I want to thank them for their moral support in this project.

The manifesto is a meditation on the big challenges and a call to action.

It talks about the power of big companies and governments to do things with data and
technology. And it talks about the vulnerabilities of children, low paid workers,
migrants who have those things done to them.

It makes the link between digitisation and the environmental crisis. Our insatiable
enthusiasm for throwaway devices and generating more and more data is actually
increasing our carbon and biodiversity footprint precisely at the moment we are
supposed to be urgently reducing it.

It proposes ways the EU can empower people and address genuine social and
environmental problems.

It reflects what you could call ‘late style’ Buttarelli.

‘Late style’ in an artist is when she ‘constructs an alternative universe which somehow
helps us understood the world we live in now.’ If you read his blogposts, speeches and interviews over recent years, you see that
Giovanni wanted to call out things that were wrong.

But, at the same time, he retained a fervent pragmatic optimism for an alternative
future, and especially for the role of Europe in constructing it.
It may be the fate of most manifestos never to be implemented – but the good ones will
at least get people talking.

And indeed, the one instruction he gave me was to be provocative.
He warned that unless it made the cover of Time magazine, I would have failed and
could pack up my belongings and leave the building.
Well, Giovanni, if you’re listening it has not yet made Time magazine, though it has
featured in the latest MLEX data and security daily briefing. Baby steps.

So this is my last ghost-written tribute to Giovanni. And the best tribute I can offer him
is to help keep you talking about him long after he is gone.

I hope his manifesto will do just that.