Introduction
In most cases, we click on “I agree,” while navigating webpages on the internet, we fail to acknowledge what we are consenting to. While this practice is encouraged as a privacy protection, it is still a porous mode considering how complex cyberspace is and the weak relationship between users and online platforms. Privacy models that rely on consent do not give considerable user control. Instead, platform power determines digital privacy. Thus, this post argues that due to the information asymmetry, manipulative design, and overwhelming platform power, more robust consent mechanisms are insufficient, and structural regulation is the key.
The Limits of Privacy as Control in Digital Contexts
The individual control and privacy as the central concept of data protection has been traditionally the foundation of legal and policy frameworks regarding data protection. However, it is becoming unhelpful in the cyber setting, where data are being harvested routinely, and the systems of information flows are extremely complex. Traditional conceptualizations of privacy (like that of Warren and Brandeis, which is called the right to be left alone) presuppose that one can actually control what points to his or her personal data. Nevertheless, modern digital systems provide a challenge to this assumption as they code the process of gathering data into daily interactions, and most of the time, the process is done unknowingly or incomprehensibly by users.
Nissenbaum believes that privacy is not a matter of control but a matter of how properly information should flow in particular social situations (Nissenbaum, 2010). These contextual norms are often broken in the platformed environments. An example would be when users agree to allow the use of personal information to fulfill a particular purpose, like chatting with friends on their social media. However, the same information can be reused at a later time by someone to produce targeted advertisements or algorithmic profiling. Revelations by Acquisti, Brandimarte, and Loewenstein (2015) confirm that internet users are unlikely to understand and manage the flows perfectly, given the complex nature of cyberspace. According to the authors, internet privacy does not emanate from an individual user’s choice but is also shaped by forces that include regulations in place and the aligned market incentives.
Practical demonstrations show the failure of the model of control in practice. The mobile apps continuously collect geolocation data even in cases where it is not important to the functionality of the application, and the users are usually offered a large, non-negotiable consent mechanism. The introduction of App Tracking Transparency in 2021 attempted to improve the control over users by scanning apps that seek access permission prior to activity tracking within additional apps and websites of other companies. Although this policy reform resulted in people being more aware of the tracking of their data, research shows that users tend to have only a vague idea of what they are agreeing to, and these types of measures do not work as effectively (Kollnig et al., 2022). Similarly, the popularity of cookies and dark patterns on websites illustrates how interface design can control users into accepting data harvesting practices, determining meaningful consent even more. In other words, even when users appear to have control, that control is often superficial.
Platform Power, Information Asymmetry and the Illusion of Consent
The power centralization by the platforms and the information asymmetry between the users and technology companies make consent a good means of protecting digital privacy. Consent can be defined as a sense of personal agency, where, in practice, however, it is practiced as a service in concert with platforms that predefine data collection, data processing, and transfer practices. Big technology (via Suzor, 2019) is a key digital platform that also performs the role of a private governor when establishing the regulations that organize digital interaction and implementing them as they appear to govern the interactions without much democracy. Such a build-up of rule-making power robs the users of a decision to negotiate or challenge the treatment of their information and renders their consent meaningless, but more of a formality.
Flew (2021) also cites that platform dominance is perpetuated using data-driven business models, which are built on mass surveillance and profiling of behaviors. Consumers are forced to accept complex and understandable conditions of service to access the required online services; this, therefore, creates a take-it-or-leave-it feeling. This critique is backed by empirical research findings, which have shown that privacy policies tend to be too long and hard to read, as well as frequently changed, making informed consent only an ineffective possibility to do so (Obar & Oeldorf-Hirsch, 2020). Thus, the problem is not that users fail to make good choices. The problem is that meaningful choice is structurally limited by how platforms are designed.
Practical cases also make it clear that consent can be ingrained in the exploitation of data. The case of Cambridge Analytica showed that the data of millions of Facebook users were collected using a personality quiz app, as the data was allegedly collected under the guise of academic use; later, it was repurposed in the form of political advertisements and voter profiling. This case illustrates that consent can be indirectly gathered by data collection and secondary uses that are not within the scope of the reasonable expectations of the users. Likewise, the proliferation of the term dark pattern (e.g., a box marked by default value) in cookie consent banners (e.g., using confusing wording, designing the interface in a way that triggers a user to accept it) makes the consent inactive. According to research conducted by Nouwens et al. (2020), the policy of such design greatly affects user behavior in that people tend to accept tracking their data despite the desire to be the ones who opt out.
Although the Cambridge Analytica scandal is often cited, it is no longer an isolated case but part of a broader pattern of data exploitation. These dynamics disclose that consent is not a meaningful privacy protection but more so a tool that authorizes the extraction of data in asymmetrical power relations. Currently prevailing systems of consent lead to blinding the systemic characteristic of privacy risks by transferring the responsibility of making a rational choice to those whose information is insufficient and who do not have the ability to make an informed choice.
Regulatory Frameworks: Progress and Structural Limitations
The range of regulatory structures on privacy, security, and digital rights has grown tremendously during the last ten years due to increasing awareness of the dangers of business and platform dominance and data-driven business practices. The General Data Protection Regulation (GDPR) of the European Union and the Digital Services Act (DSA) will serve as a powerful step towards digital governance. They are utilized with the intention to increase transparency, emphasize user rights, and place responsibility limitations on platforms.
In the year 2018, the global standard on data protection came into effect, which is known as GDPR. It introduced rights to access, delete, and port data, and it had rigorous standards of consent and processing of data (European Union, 2016). Even though GDPR introduced a formidable framework against privacy concerns, it has failed to be consequential in dealing with deepened lop-sidedness between users and online programs. Flew (2021) confirms this lop-sidedness, indicating that the regulations have mostly reinforced personal rights but have been weak in amending the influence that cyberspace poses to users. The argument is that agreeing to terms does not mean the end of having proper control or independence of the data, considering that online platforms rely on data mining as a business model and not just a secondary effect of platform services.
In real-life applications, companies such as Meta Platforms have had to battle fines with regard to data privacy concerns following the Cambridge Analytica Scandal. Though the perpetrating company was monetarily fined, the outcome did not change significantly as firms continued with predacious data extraction. This proves that firms typically derive many benefits from user data that even monetary fines cannot significantly scare them. As such, it is viable to consider data mining as a revenue- generating model.
The European Commission (2022) came forward with the Digital Service Act as a complementary legal structure to address embedding privacy concerns along the lines of transparency, accountability, and ingrained systematic risks. While the Act stood out as a framework to give more protection, it still needs to be more practical, requiring extra levels of regulations to curb the entrenched data indiscipline. An example of this algorithmic indiscipline is the TikTok controversy. TikTok collects vast amounts of user data to build a database for personalized content delivery, subtly shaping user behavior and making regulation virtually impossible.
Overall, modern regulatory frameworks are an important achievement, but have structural limitations tied to platform capitalism and a complexity of jurisdiction, as well as an insufficient clarity as to how algorithms operate. To mitigate these issues, the focus can no longer be on the rights-oriented approaches of the individual, but instead on more systematic solutions that challenge the hegemony of power and introduce a new economic framework of digital platforms.
Rethinking Digital Governance: Toward Structural and Enforceable Policy Interventions
To resolve the shortcomings of existing privacy and digital rights models, a change of focus towards procedural compliance and structural and enforceable interventions that challenge platform power straight away is needed. Current problem-solving strategies, especially those based on the model of notice-and-consent procedures, have not offered sufficient solutions to the issue of alleviating systemic risks since they do not influence the inherent economic motivation behind data extraction.
Among other suggestions are the shift of individual consent to ex ante regulation of practices in platforms. Instead of leaving the regulation of user privacy to themselves, regulators can restrict the data processing and gathering by default. The strategy designed to restrict some types of targeted advertising to minors by the European Union in the Digital Services Act represents an example of this change in approaches towards proactive protections (European Commission, 2022). However, such measures are mostly surface-level, more so when they need to be exercised at a broader level in such a way that they would have a tangible impact on predatory data practices.
There is another crucial area that requires reform in algorithm accountability. Social media (TikTok and YouTube) is extremely dependent on inaccurate recommendation algorithms that control the user actions and what to watch. Some of the risks that the AI has been antagonized against by the independent audit on such systems proposed in the development of AI governance models include misinformation, discrimination, and manipulation (Gillespie, 2018). It is, however, a difficulty to meaningfully audit them due to such technical complexity and proprietary nature of algorithmic systems, and casts the concept of transparency in an entirely new light.
The alternative important dimension is the necessity to take stricter enforcement actions. Though legislation, such as the GDPR, has imposed hefty fines, the fines tend to be an operational expense to some of the big technology firms. These successive fines that Meta Platforms has faced due to breaches of data protection testify to the fact that punishment in the form of fines is not enough to make a change in behavior. Lastly, digital governance needs to be more global and more coordinated. The arbitrage common to digital platforms is due to their transnational character, as national governments’ attempts to safeguard digital rights falter. International cooperation, as well as the working out of common standards concerning data protection and platform responsibilities, is crucial.
Conclusion
In a platform-based society, the idea of protecting privacy through individual consent is becoming increasingly unrealistic. The three factors: platform, information asymmetry, and structural inequalities, undermine the effectiveness of the existing governance practices, allowing those with the capacity to exert increasingly more or less responsibility through digital spaces. The solution to this menace is to have holistic interventions that hold high the need for transparency, accountability, and power redistribution. Lastly, internet users’ rights should be viewed beyond just the formulation of laws and policies that allow them to agree or consent, but also include additional dimensions that hold platforms answerable.
References
Acquisti, A., Brandimarte, L., & Loewenstein, G. (2015). Privacy and human behavior in the age of information. Science, 347(6221), 509–514. https://doi.org/10.1126/science.aaa1465
European Commission. (2022). The Digital Services Act: Ensuring a safe and accountable online environment. https://digital-strategy.ec.europa.eu/en/policies/digital-services-act
European Union. (2016). General Data Protection Regulation (EU) 2016/679. Official Journal of the European Union.
Flew, T. (2021). Regulating Platforms. Cambridge: Polity, pp. 72–79.
Gillespie, T. (2018). Custodians of the internet: Platforms, content moderation, and the hidden decisions that shape social media. Yale University Press.
Kollnig, K., Binns, R., Van Kleek, M., Lyngs, U., Zhao, J., & Shadbolt, N. (2022). Before and after GDPR: Tracking in mobile apps. Internet Policy Review, 11(4). https://doi.org/10.14763/2022.4.1700
Nissenbaum, H. (2010). Privacy in context: Technology, policy, and the integrity of social life. Stanford University Press.
Nouwens, M., Liccardi, I., Veale, M., Karger, D., & Kagal, L. (2020). Dark patterns after the GDPR: Scraping consent pop-ups and demonstrating their influence. Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, 1–13. https://doi.org/10.1145/3313831.3376321
Obar, J. A., & Oeldorf-Hirsch, A. (2020). The biggest lie on the internet: Ignoring the privacy policies and terms of service policies of social networking services. Information, Communication & Society, 23(1), 128–147. https://doi.org/10.1080/1369118X.2018.1486870
Suzor, N. P. (2019). Who Makes the Rules?. In Lawless: the secret rules that govern our lives. Cambridge, UK: Cambridge University Press. pp. 10–24.
Be the first to comment