Assessing Global Data Privacy Laws: Effectiveness vs. Surveillance Capitalism
This article discusses the effectiveness of global data privacy laws over 50 years, focusing on enforcement criteria, responsive regulation theory, and evolving expectations. It analyzes the impact of surveillance capitalism and the changing tech landscape on data privacy regimes.
Presentation Transcript
Assessing global data privacy laws after 50 years
Part II: Effectiveness vs Surveillance Capitalism
Graham Greenleaf, Independent Scholar; Senior Researcher, AustLII
Asian Privacy Scholars Network (APSN) Conference, Taiwan, August 2024

Step 3: Assessing effectiveness of enforcement by objective criteria
Various approaches allow legislation to be assessed by criteria which are independent of the assessor ("neutral"):
1. Effective use of Act's own mechanisms?
  Does the DPA make good use of whatever tools it is given, no matter how limited?
2. Measured against international standards? (esp. GDPR)
  Problem: Until GDPR, international instruments rarely prescribed enforcement measures
  GDPR prescribes (art. 58(2)) numerous orders concerning processing; judicial remedies (art. 79); representative actions (art. 80); compensation (art. 82); admin fines up to 4% global turnover (art. 83)
3. Measured against theory of responsive regulation
  Many of the GDPR's innovations fit this theory

Assessing enforcement effectiveness (cont): 3. Measured against theory of responsive regulation
Elements of responsive regulation (based on Braithwaite, Parker et al):
1. Effective regulation requires multiple types of sanctions of escalating seriousness
2. It is an enforcement pyramid: sanctions at the top get used far less than the cheaper bottom layers
3. All forms of sanctions must be actually used when necessary
4. Use of each level of sanction must be visible to those regulated, consumers and the representatives of both
5. The higher levels are incentives for the lower levels to be made to work
[Figure: Enforcement pyramid in a licensing system (Braithwaite 1993). (An additional pyramid: systemic, rather than reactive, enforcement measures.)]

Step 4: Assessing effectiveness of data privacy regimes against our own expectations
Overall assessment (principles + enforcement) can also be against our expectations of what these regimes (or individual principles) do/could/should achieve.
  Such expectations are personal & political, & change over time
Context changes over time: 1970 vs 2020/24
  1970's strong regulation = 2020's legitimation
  No PCs until 1980; no Internet until late-80s; no social media until 2000; no mass AI use until 2020s
  There is a chasm b/w 1970 and 2020/24, created by tech. change, neo-liberalism & social change
  Would be surprising if our expectations of data privacy laws had not also changed

What are our expectations of the purposes of data privacy regimes and principles?
Data privacy regimes (and their components) can be assessed as functioning at three increasingly strong levels:
1. Remedying unintended injustices of surveillance systems, but without limiting any further expansion of such surveillance, or questioning the business/social models on which it is based. (including efficiency criterion analyses)
2. Limiting some further expansions of surveillance systems, but without rejecting the business/social models on which it is based. (extent of limits constantly contested)
3. Reversing already excessive surveillance (+ limiting its further expansion), based on the rejection of the underlying business/social models on which it is based.
My personal position: can surveillance capitalism be reversed?

Step 5: What can data privacy laws contribute to reversing surveillance capitalism?
2013: Edward Snowden disclosed extent of global surveillance programs by US NSA + 5 Eyes; extent of public sector access to private sector data was unknown
Whistle-blowers reveal extent of surveillance
2021: Frances Haugen discloses huge quantities of Facebook documents to show it prioritises profits over public safety.

Activists start fighting back
Justice Puttaswamy (Retd.): At 92, lead plaintiff before the Indian Supreme Court, establishing a fundamental constitutional right of privacy
Max Schrems: 24 year old Austrian law student whose NGO (NOYB) has twice defeated Facebook and invalidated data transfers from the EU to the US. NOYB is the EU's privacy driving force.

Implications of Zuboff's theory
There is widespread unease that the liberating promise of the early Internet is becoming dystopian
  An experience of constant surveillance and marketing
If Zuboff's analysis of the problem is correct:
  Surveillance capitalism is a deviant form of capitalism so dangerous to humanity that it requires suppression; and
  It should be replaced by a more humane form of information capitalism.
Zuboff does not specify what to do next?
  What legal (and non-legal) mechanisms would be necessary and sufficient to achieve the reversal, and eventual decline, of surveillance capitalism?

Surveillance capitalism: 10 Key elements (based on Zuboff's analysis)
1. Basis: Capture and re-use of "behavioural surplus" ("digital exhaust") of our interactions with all digital platforms services: the shadow texts. Google, 2001, followed by Facebook, Amazon etc.
2. Analytics turn shadow text into marketable products concerning future behaviour: behavioural marketing
3. Increase volume of shadow texts: like button.
4. Ethical axiom: right to expropriate human experience: Google StreetView; Clearview AI
5. Scaling-up: a relentless search for new high-volume supplies of surplus behaviour: new free products; ideals of global connectivity; universal knowledge.

Surveillance capitalism: 10 Key elements (cont.)
6. Prediction capacity is expanded by greater depth, not just scope, of captured data: collect more, wherever possible.
7. Rendition of non-textual aspects of human experience into data ("datafication"): location; faces; biometrics; emotions. Crosses boundary from virtual to real worlds.
8. Expansion beyond predictions of action to active intervention in user actions ("economies of action"): Pokemon Go; votes; nudges
9. Ideology: extreme behaviourism (based on B F Skinner): instrumentarianism (see over)
10. "Big Other": oligopoly of surveillance capitalists competing to control means for intensified behaviour modification

Totalitarianism is not the aim
No intent to make everyone believe an ideology;
No intent to be the engineer of men's souls.

Instrumentarianism is different: an extreme version of BF Skinner's behaviourism
No aim to change (or know) people's beliefs
Aim is to predict (and influence) people's behaviour toward more certain (and profitable) outcomes
No Big Brother; instead, an oligopoly of competing surveillance capitalists (the "Big Other" of information asymmetry)
Not State surveillance, but it contributes to it!

Post-GDPR capacity to reverse surveillance capitalism
Three types of requirements for success:
1. those essential because of the global nature of surveillance capitalism;
2. specific aspects of GDPR-like laws which undermine or contradict the business models of surveillance capitalism;
3. responses from outside the GDPR,
  1. from other types of laws
  2. from market forces
Following slides give 25 ways surveillance capitalism can be undermined (+ examples). They are not updated.

1 Requirements of globalisation (7)
Globalised data processing requires there be no safe havens
1. Globalised enactment of GDPR-like laws
  Since 2019, almost all new/updated laws are GDPR influenced
2. Some US adoption of GDPR-like elements
  California's 2020 law: 7/10 2nd Gen principles; + 4 3rd Gen
  More serious penalties from FTC, eg destruction required of algorithm derived from ML on illegal facial recognition data
3. Far more serious sanctions, in many countries
  2/3 non-EU laws allow DPAs to issue fines
  As yet only the EU, US and China have actual multi-$M fines
4. Extra-territorial application (as in GDPR art. 3)
  Most new laws & Bills incl. extra-territoriality in some form
  Eg Asia: Thailand; China; Sri Lanka; Japan; Bills: India, Pakistan

1 Requirements of globalisation (cont)
5. GDPR remedies go beyond EU (tho not global)
  Google v CNIL: RTBF's scope required geo-blocking
6. Joint liability imposed on commercial users of platform services, as joint controllers
  Fashion ID case: using Like button = joint controller
7. Export limitations are usually based on level of protections in the recipient jurisdiction, or equivalent protections on a company-to-company basis (GDPR arts. 45-49)
  No uniformity. Globally, this results in over 12,000 export problems between jurisdictions
  Some also include forms of data localisation

2. Specific GDPR responses disrupting SC business models (9)
Responses 8-11 = sanctions genuinely dissuasive to platforms
8. Admin. fines as % of global turnover, repeated (GDPR 83)
9. Shutting down processing for continuous breaches (GDPR 84)
10. Compensation to classes of data subjects for breaches (GDPR 82)
11. Litigation rights to NGOs acting for data subjects (GDPR 80)
Responses 12-16 = prohibitions on key platform business practices
12. Prescribed grounds for lawful processing (GDPR 6(1)) which do not allow consent as an alternative (EDPB view)
13. Stronger data minimisation (GDPR 13-18 etc)
14. Secondary processing requiring compatibility with original purpose of collection, or very strict consent (GDPR 6(4))
15. Restriction on use of sensitive data (GDPR 9) to impede the datafication of human experience & inherent traits
16. Automated processing limitations (GDPR 22) to prohibit algorithmic decision-making not humanly understandable & require human roles

IIIA 3rd Generation Common European Principles (references: GDPR & Conv 108+). Threat to SC?
3.01 Data protection by design and by default (GDPR 25; C108+ 10(2)-(4))
3.02 Demonstrable accountability by controllers (GDPR 5(2); C108+ 10(1))
3.03 Data breach notification to DPA for serious breaches (GDPR 33; C108+ 7(2))
3.04 Direct liability for processors as well as controllers (GDPR 28-31; C108+ 7(1), 10(1))
3.05 Stronger consent requirements including unambiguous and unbundled; special conditions for children's consent (GDPR 7, 8; C108+ 5(2))
3.06 Proportionality required in all aspects of processing (GDPR passim; C108+ 5(1), 10(4))
3.07 DPAs to make decisions and issue administrative sanctions incl. fines (GDPR 58(1); C108+ 12)
3.08 Biometric and genetic data require extra protections (GDPR 9; C108+ 6(1))
3.09 Stronger right to erasure incl. to be forgotten (GDPR 17, 19; C108+ 9(1)(d),(e))
3.10 DPAs must cooperate with other DPAs in resolving complaints with international elements (GDPR 50; C108+ 16-21)

IIIB 3rd Generation GDPR additional principles (references: GDPR). Threat to SC?
3.11 Mandatory Data Protection Impact Assessments (DPIAs) for high risk processing (GDPR 35, 36)
3.12 Extra-territorial jurisdiction, where goods or services offered, or behaviour monitored (GDPR 3)
3.13 Extra-territorial controllers or processors must be represented within jurisdiction (EU/other) (GDPR 27)
3.14 Right to data portability (UGC / other) (GDPR 20)
3.15 Mandatory Data Protection Officers (DPOs) for sensitive processing (GDPR 37-39)
3.16 Data breach notification to data subjects (if high risk) (GDPR 34)
3.17 Representative actions before DPAs or courts by public interest privacy groups (GDPR 80)
3.18 Maximum admin. fines based on annual turnover, global or local (GDPR 83(4)-(6))
Globally, there are at least 200 instances of these 3rd generation principles implemented in legislation

Examples of GDPR cases threatening surveillance capitalism's business models
Google Analytics v NOYB cases
  Google Analytics = most widely used website statistics
  NOYB filed 101 complaints, based on Schrems II case
  Austrian DPA held (13/01/22) Google Analytics, in transferring data to USA, breached art. 44 GDPR; no protections against US investigative access
  CNIL (French DPA) decided same (10/02/22) re 3 websites; EDPS held likewise.
  No rulings on penalties yet, only on illegality
Clearview AI facial recognition cases
  Italian DPA banned web scraping of faces, geolocations, by Clearview AI (US company), and issued EUR 20M fine (10/02/22); numerous GDPR breaches; further collection banned; existing data to be destroyed
  Numerous US cases proceeding, incl. under Illinois facial biometrics law
  Australia's OAIC held (03/11/21) Clearview breached Privacy Act by collecting sensitive data without consent; ordered collection to stop; both data and templates to be destroyed. Joint investigation with UK ICO (significant).

Examples of GDPR cases threatening surveillance capitalism's business models (cont)
IAB Europe v IrishCCL & other NGOs case
  IAB (Internet Advertising Board) operated the Transparency & Consent (T&C) and Real Time Bidding (OpenRTB) system, basis of personalised advertising. Numerous GDPR breaches.
  Belgian DPA held that both used personal data without consent satisfying GDPR. IAB, as joint controller, was fined EUR 250,000.
  IrishCCL says "the biggest data breach ever recorded"
La Quadrature du Net v Amazon: EUR 746M fine (on appeal to Admin Tribunal)
  Luxembourg DPA complaint that Amazon's advertising system is not based on free consent; "the first significant GDPR ruling against big tech" (WIRED); no details until appeal finished
Other fines (based on 4% of turnover or EUR 20 million otherwise)
  Irish DPA, pushed by EDPB, issued (02/09/21) EUR 225 million administrative fine against WhatsApp Ireland Limited, 2nd highest GDPR fine until then
  By 1/1/21 (2.5 years) total fines under GDPR were EUR 272.5 million; that is now being exceeded in a single case
  Survey of largest GDPR fines (27/01/22) showed EUR 1 billion fines in 3rd qtr 2021, 20 times total of Q1 and Q2; Amazon EUR 746M; WhatsApp EUR 225M; Google Ireland EUR 90M; Facebook EUR 60M; other Google EUR 110M

3. Regulatory responses outside DP laws: other laws & markets (8)
Regulation by laws other than data protection
17. Competition laws: asymmetries in understanding of personal information use = anti-competitive conduct
18. Breaking up platforms as one form of competition regulation
19. Anti-discrimination laws: algorithms can't hide discrimination
20. Data localisation completely prohibiting some exports
21. Electoral laws starving micro-targeting of funds
22. Bans on some biometric datafication: face recognition; voice
Changing market and political factors
23. End of 20 years political support for innovation impunity
24. Business models change if personal data becomes a toxic asset
25. Disinvestment and share price collapses if medium/long term investment attraction of surveillance capitalism drops

The future of surveillance capitalism
1. It is a market form, not a technology
  Its continuation/expansion is not inevitable
2. Its business model is based on misuse of our personal data, in ways concealed from us
3. Regulation can change this business model
  It must target key objectionable practices
  It must be dissuasively enforced, and global
4. The EU's GDPR is starting to lead the way
5. Other countries, and regulators, are helping, particularly verdicts & huge settlements in USA

References (Part I)
Original version of Part I: Herschel Smith Visiting Fellow lecture, CIPIL, Univ. of Cambridge Faculty of Law, 17/10/19
My web pages link to most of my papers: http://www2.austlii.edu.au/~graham/
More easily found at http://ssrn.com/author=57970
G. Greenleaf "Global Tables of Data Privacy Laws and Bills (7th Ed, January 2021)" (2021) 169 Privacy Laws & Business International Report 6-19, https://ssrn.com/abstract=3836261
G. Greenleaf "The Influence of European Data Privacy Standards Outside Europe: Implications for Globalisation of Convention 108" (2012) 2/2 International Data Privacy Law, Vol. 2, Issue 2, 2012, https://ssrn.com/abstract=1960299

References (Part II)
Original version of "What can the GDPR do to reverse surveillance capitalism?" at 8th Asian Privacy Scholars Network (APSN) Conference, 5-6 December 2019, Faculty of Law, National University of Singapore
G. Greenleaf "Elements of Zuboff's Surveillance Capitalism" (2019) 160 Privacy Laws & Business International Report 29-32, https://ssrn.com/abstract=3479907
G. Greenleaf "4.2 Responsive regulation theory and data privacy regulation", pgs. 66-73, Asian Data Privacy Laws (OUP, 2014)