What if it’s *not* the enforcement? Reflections post #EDPSConf2022

What worries me is not that Meta or Google continuously choose to infringe the GDPR. What I fear is that, despite all their data collection and usage, such companies are actually in compliance with the Regulation. If so, no amount of enforcement will change the status quo.

What happened in Brussels on June 16-17, 2022?

Europeans think that the problem with the GDPR is insufficient enforcement.

On June 16-17, 2022, several hundred privacy professionals gathered in Brussels at a conference titled “The future of data protection: effective enforcement in the digital world,” convened by the European Data Protection Supervisor, Wojciech Wiewiórowski. Don’t let the generic title fool you; this was a major political event and attracted the top players in the GDPR game. Among one hundred speakers, one could find prominent policymakers (Margrethe Vestager, Věra Jourová, Birgit Sippel, Karen Melchior, Axel Voss, Juan Fernando López Aguilar), regulators (Marie-Laure Denis, Ulrich Kelber), activists (Ursula Pachl, Max Schrems), industry representatives (Julie Brill, Microsoft; Jane Horvath, Apple; William Malcolm, Google), and academics (Orla Lynskey, Paul De Hert, Michael Veale). All the people whose job is to shape the narrative and the trajectory of the data protection law in Europe were present.

What motivated the conference was a shared disappointment with the GDPR’s influence on Big Tech. Four years after the law became applicable, we still live in a world of commercial surveillance. In 2022, just as in 2012, when work on the GDPR began, essentially everything we do gets recorded as data and used to advance some corporate interest.

The participants seemed to agree on the reason behind the GDPR’s suboptimal performance: insufficient enforcement in cross-border cases. The GDPR applies directly throughout the Union but is enforced locally by the national Data Protection Authorities. What works well for local matters fails where transnational corporations are concerned. Under the so-called “One Stop Shop” mechanism, corporations like Meta and Google can choose a single DPA to oversee them (and they usually select Ireland’s). Meaning: one member state is overburdened with enforcement costs and overendowed with enforcement power, vis-à-vis Big Tech coming from overseas.

The disagreement concerned the way forward: what should we do about the suboptimal enforcement? On the one hand, the defenders of the status quo called for more time, funding, and mutual dialogue. The law is fine; no need to reform it – they seemed to say – just give the DPAs and the NGOs more money and let us do our work. Until about a year ago, this was the orthodox view in European mainstream circles: the GDPR is perfect on paper; if any intervention is needed, it concerns the factual capacities of the DPAs.

On the other hand, an increasingly large and loud chorus of calls for legal reform could be heard. Among several ideas, including the harmonization of procedural rules, the most straightforward has been the proposal to centralize enforcement in cross-border cases. Let’s leave 99% of enforcement as is, with the national DPAs – the reformers seemed to suggest – but carve out the truly expensive, complex, and politically loaded cases for a supranational body, like the EDPB, the EDPS, or a newly created entity. From a purely academic standpoint, this proposal seems commonsensical. Indeed, this is the way the EU enforces many of its regulations, including competition law. As personal data protection has been enshrined as a fundamental right in the Charter, one is left puzzled seeing how the EU, on the ground, treats the market economy as more important than human dignity. Do as I say, not as I do, I suppose. Politically, though, centralization would require opening a new battle that few have an appetite for right now.

So, what happens now? What will be the results of the conference? In the short term, probably nothing. The EU is busy finishing the DSA and DMA business (which both feature centralized enforcement mechanisms, btw) and is in the trenches fighting over the AI Act, the Data Act, and a whole range of digital policy pieces already on the agenda. In the mid-term, however, centralization of enforcement in cross-border cases seems hard to avoid. When the new Commission and the new European Parliament begin their terms in two years, given how often data processing scandals hit nowadays, the idea that today seems practically impossible might turn into a politically inevitable one. In this sense, the reformists at the EDPS Conference succeeded. An idea has been planted, moved from the academic outskirts into the political mainstream, and sooner or later it will become a reality.

So let us imagine that five years from now, GDPR enforcement concerning Big Tech has been centralized in the hands of a powerful, well-financed, and well-staffed regulatory body. Will we then, finally, move from the world of commercial surveillance into a world of perfect privacy and data autonomy?

I have my doubts.

Unpopular view: the problem with the GDPR is its substance

As we are in a moment when unpopular opinions are being uttered, let me express a view considered absolute heresy in Europe: the GDPR is just a bad law, on substance, when it comes to taming the excesses of data collection and usage by Big Tech. It could not have stopped commercial surveillance, and it will not save us, regardless of how beefed-up the enforcers become.

The GDPR is – to its core – a neoliberal regulation delegating political choices to the market. Europeans hate to hear this; in good faith, they do not believe it, but it’s true. Under all the rhetoric about fundamental rights, substantive principles, procedural requirements, and data subjects’ rights, the GDPR is exactly the same as the American “notice and choice” model, just with extra steps.

Don’t close this blog post; let me elaborate.

At the foundation of the GDPR model lie several principles that seem to distinguish it from its American in-your-face-neoliberal counterpart: the purpose limitation principle (data can only be processed for the purposes for which it was gathered), the data minimization principle (one cannot collect more data than necessary for a particular purpose), and the legality principle (one must secure a legal basis, like consent or necessity to perform a contract, for processing to be lawful). In addition, one faces robust transparency and accountability obligations, paired with people’s rights to know what data is processed, to correct it, or to object to further processing. This sounds promising, doesn’t it?

The problem with the GDPR system is that it says nothing about the legality of particular purposes of processing or the lawfulness of specific contracts or business models. On substance, corporations are essentially unconstrained when it comes to specifying what purposes they want to process the data for, or what place this processing has in the overall commercial transaction. Following the adoption of the Digital Content Directive 2019/770, which (in a supposedly pro-consumer attempt to extend legal protection to “free” services for which consumers “pay” with personal data) effectively legalized B2C contracts treating personal data as “payment,” corporations are free to specify what processing they consider necessary to perform the contract.

Consequently, if Facebook or Google hire stellar lawyers to draft their terms of service and privacy policies (which they do), they are absolutely free to decide what purposes to process the data for, or how to construct their contracts. Sure, a lot of legal engineering needs to happen around this – accountability procedures need to be established, and lengthy documents that no one will read must be drafted – but this is a monetary cost, not a substantive constraint, on data collection and usage.

Do you want to collect data to addict users to your platform? Do you want to use data to influence your users’ opinions or behaviors? As long as you openly admit to it in the privacy policy, as long as you can demonstrate that such use forms part of the contract the consumer has concluded with you, and as long as you play by the GDPR’s procedural rules, the GDPR gives you the green light. That is why nothing has changed since 2018.

What I fear, as a citizen concerned about Big Tech’s power over individuals’ lives and its impact on autonomy and mental health, is not that Facebook or Google continuously choose to infringe the GDPR, for whatever reasons (lax enforcement among them). What I fear, as an academic who empirically studies their terms of service and privacy policies in light of the binding law, is that what Facebook and Google do is perfectly compliant with the GDPR. Sure, they might be infringing the law on the margins – personalized advertising systems need to be improved, disclosures could be clearer, etc. – but the very core of their business models is not only outside the GDPR’s policing power; the GDPR legalizes these practices.

Meta and Google do what they did before; just now they have hundreds of pages of documents explaining how, under the GDPR, these practices are legal. If this is the case, no amount of enforcement will help us.

So, what can be done?

The GDPR, in its name and ambitions, is a general law, applying to both private and public bodies, in the same way, throughout the Union. And, in many cases, it works well. For example, regarding public administration, which does not come up with purposes of processing on its own but is endowed with competencies by legislation, the GDPR is a perfect tool to safeguard individuals’ privacy. And in many private sector contexts – like the paradigmatic “a pizzeria does not need more than your address and phone number to deliver pizza, and should not use your data to send you further ads” – it curtails unwanted commercial communications.

However, the GDPR was not designed for Big Tech, which bases its entire business model on data collection and advertising.

Of course, we need more enforcement, and the centralization in cross-border cases is a no-brainer for anyone who thinks about it seriously. But centralization itself won’t help. We need substantive regulation of purposes of processing.

Put simply: the EU, or the Member States, should take some purposes of processing, some contract types, and some business models outside the realm of market choices and regulate them directly. Maybe there are some data practices we want to forbid across the board, like using addictive design in apps used by minors, or directly promoting self-harm and eating disorders, as Instagram did. Or maybe we want to create specific conditions for other practices, like mental-health protection measures for social media, or specifying the kinds of products we don’t want advertised based on certain data, at certain hours, or to certain social groups. These are political, not technocratic, decisions to be taken.

Regulation of the purposes of processing needs to be done case by case and sector by sector, something Europeans don’t like. And yet, as the problems are very specific (different normative considerations, and different solutions, come into play for data leading to discrimination in hiring than for data contributing to depression in teens), the responses need to be tailor-made as well.

In a world in which almost everything is data-driven, the activities of the Big Tech are no longer a personal data protection problem (only). They are consumer law problems, employment law problems, discrimination law problems, mental health law problems, etc. And they need to be addressed as such, by these laws, with a deep understanding of the technology and business models beneath them.

So, is the GDPR a bad law, as I provocatively wrote a couple of paragraphs earlier? Today, in action, it is. It does not have to be, if it is accompanied by substantive regulation of specific purposes of processing, business models, and types of contracts. If one looks at the history of the idea that ultimately became the GDPR, this was the plan back in the 1970s. But then, you know, Ronald Reagan and Margaret Thatcher happened, followed by Bill Clinton, Gerhard Schröder, and Tony Blair, and we all kind of fell in love with neoliberalism and delegated these choices entirely to the market. It’s time to wake up.

Concluding: the reformists’ call for the centralization of GDPR enforcement in cross-border cases – against companies like Meta or Google – is a step in the right direction but will solve much less than the participants in the EDPS Conference have been assuming. It is a necessary move but, by far, an insufficient one. Or, put differently: it is a second-order problem, discussed widely, while the first-order problem remains unaddressed. The good thing is that regulating the purposes of processing might actually be easier than re-opening the GDPR. The bad thing is that no one is thinking about doing it.

Shall we try to plant this idea now?

Zuboff v. Hwang, or: are targeted ads a bubble?

The Internet runs on ads. Ads pay for the operations of Google and Facebook, and for a lot of other stuff, including journalism. You might dislike them, but they’re really important. However, what if they’re just one huge bubble, a scam waiting to fall apart like the subprime mortgage derivatives did back in 2008?

tl;dr: Read Tim Hwang’s Subprime Attention Crisis: Advertising and the Time Bomb at the Heart of the Internet, or at least listen to this podcast with him.

Advertising is the prime source of revenue for big tech companies like Google or Facebook. It is also the cornerstone of the “Grand Bargain” – you get access to services and content for free, but we get to collect data about you and use it to personalize the ads you see. Even though everyone is (correctly) upset about all this data collection and the threats to privacy, one must admit: the consumption of the Internet’s perks is still extremely egalitarian. One might be unable to afford a dentist appointment or a daily healthy dinner, but with a smartphone and internet access, everyone can “afford” to use Instagram, Google Maps, Gmail, WhatsApp, YouTube, and everything else. Ads subsidize all of this.

Now, there are two narratives about online ads that seldom meet. On the one hand, academics and privacy/digital rights advocates tell the story of how personalized ads influence our minds and behavior, stripping us of autonomy. Because ads are based on data about us and millions of others, their timing/content/context, etc. can be so good as to influence purchasing behavior to a degree threatening human freedom. This, also, provides an incentive to keep collecting all this data.

The best-known elaboration of this critique has been Shoshana Zuboff’s 2019 “The Age of Surveillance Capitalism.” Zuboff not only described the phenomenon of data-driven marketing; she also provided a conceptual framework to talk about it, and a theory explaining it. In her view (admittedly criticized by some academics), the mechanisms behind online ads are so reliable that corporations now trade in so-called “behavioral futures.” The idea is this: if I’m a marketer, I am so good and sophisticated that I can guarantee that if you spend X on my services, I will increase your sales by Y within the time period Z. Of course, we don’t know who exactly will buy your product – this is just statistical certainty – but we know that someone will. Because of this certainty, you can sell this future profit today, or use it as collateral in some other transaction. A complex web of financial products surrounds online ads.

Scary, isn’t it? Or exciting, if you want to make money.

The second narrative about online ads is somewhat contradictory: they suck. How many times has it happened to you that you already bought something, yet keep receiving ads for the same or a similar product? How many times have you seen an ad and thought, “how can they be so dumb?” Recently, a colleague of mine, a law professor at an American law school, got an ad suggesting a part-time law degree program at that very law school. A Google ad, the best on the market! This is just an anecdote, I know, but I’m sure you have your own.

A tremendous book I just read (well, listened to on Audible) is Tim Hwang’s “Subprime Attention Crisis.” Hwang analyzes the wealth of data available about the efficacy of online ads and makes the case that they’re just one huge bubble. Many corporations think ads are valuable and actually work, but it might soon turn out that they don’t. Once this happens, the whole financial ecosystem funding the operation of the internet will collapse. How could that happen?

One option is that companies will simply realize they’re overpaying and limit their spending on programmatic ads. This could lead to some sort of “Internet recession,” but not necessarily a crisis. The other option, however – and here we get back to Zuboff’s claim that “behavioral futures” already serve as collateral – is that at some point we’ll realize that all this promised value, value already reinvested, does not exist. That’s when the bubble bursts.

Now, whether this is actually the case – whether behavioral futures are packaged together and sold to a degree threatening the stability of the internet ecosystem, or who’s betting on this future value – is beyond my ability to know. But the idea is so intriguing that it got me back to blogging after a pause of a couple of years.

All this to say: a “shock” enabling policymakers to radically remake the Internet as we know it might be around the corner. And, to follow Naomi Klein’s reading of Milton Friedman: our job is to keep alive ideas about how a better world could look.

The World of Fifty (Interoperable) Facebooks on SSRN

I have uploaded The World of Fifty (Interoperable) Facebooks (forthcoming in Seton Hall Law Review, Vol. 51, No. 4, 2021) to SSRN. Access it here. Below, I paste the abstract:

This essay envisions a “world of fifty facebooks,” where numerous companies would offer interoperable services, similar to the one currently provided by Facebook Inc. As is the case with telephones, where customers of AT&T can call and text those of T-Mobile or Verizon, users of A-Book should be able to find, communicate with, and see the content of customers of B-Book, C-Book, etc. Facebook Inc. should be obliged by law to allow potential competitors to become interoperable with its platform and to grant them access to its network. Today, Facebook Inc. uses its artificially created monopolistic position to impose excessive costs and unnecessary harms on consumers and on society.

A contribution of this piece is a new theory of the “price” that Facebook Inc. charges for its services, going beyond the conventional wisdom that users pay for access with their “personal data and attention.” Instead, it argues that Facebook Inc. imposes on its users: (i) cognitive harms (emotional manipulation, risk of psychological and mental health problems); (ii) behavioral harms (unwanted purchases, wasted time, risk of addiction); and (iii) privacy/security harms (risk of having the amassed sets of personal data stolen by hackers). The company also (iv) free-rides on users’ creative content and labor. Each of these harms constitutes a higher “price” or lower quality than could be available in a competitive market. Importantly, these costs do not result from the necessary features of “a facebook” but rather from Facebook Inc.’s data-collection-heavy, targeted-advertising-driven business model. However, less harmful models are available.

The essay surveys possible legal strategies for achieving and sustaining “the world of fifty facebooks.” As the debates about regulation of large platforms continue in the US and the EU, the piece serves as a reminder that, as a society, we face a choice. We might accept the central role that platforms like Facebook Inc. currently play in our socioeconomic lives and focus solely on taming the most abusive behaviors they engage in. Alternatively, we might embrace the fact that there is nothing natural or necessary about this position and concentrate on re-structuring the online power relationships. Doing so requires imagination and political will, and this essay aims at fostering both.

CfP: Scientific Laws Reform Conference

The International Physicists Society (IPS) and the Institute for Overcautious Inquiry (IOI) invite you to submit abstracts for the 1st International Interdisciplinary Conference on the Moral and Ethical Aspects of the Scientific Laws Reform.

Last October the American Physics Association announced their plans to reform the scientific laws. In particular, the suggestions that gravity could be suspended once a year, teleportation allowed on weekends, and reading of minds enabled in criminal proceedings, prompted heated reactions on all sides of the political spectrum. The benefits of the reform of laws of physics are clear, but the risks are also not absent. The aim of the conference is to create a space for exchange of thoughts and ideas regarding this topical problem.

The suggested areas of inquiry include, but are not limited to:

  • Teleportation and climate change: is saving the planet worth making airline companies go bankrupt?
  • Reading your mind instead of your texts: individual preference for people learning what one wrote while drinking vs. what one actually thinks.
  • Physical dogmatics: benefits and risks of a naturalist approach to gravity. Are we ready to change the G?
  • Walking through walls, a comparative approach: European brick houses, American paper houses, and the need for standardization of something.
  • Laws of physics, laws of language: if sleep is no longer needed, can you still “sleep with someone”?
  • Getting over the hangover. Will switching off the day-after headache make us less human?
  • Jurisdiction of Science: the transnational effects of scientific laws’ reform.

Abstracts of up to 200 words should be posted as comments below.

All names in this post are fictional. Any resemblance to real entities is unintended, even if unavoidable.

How to Write a Paper about the Crisis of Democracy?

The cheerful reception of “How to Write a Law and Technology Paper?” convinced me that the format has comedy potential. The same disclaimer as before applies here: this post is for laughs. Of course, I am worried about the state of democracy. But I am also skeptical of the value of repeating the same diagnosis and analysis over and over again. On a theoretical level, a question is crystallizing in my mind: “what is the value of repeating stuff that everyone in a community already knows?” There must be some; otherwise, why would we keep doing it? One day I will attempt an answer. After a few more “ten steps,” I suppose. Today, however, enjoy the Friday piece of sit-down comedy:

Are you concerned about the course that local and global politics have taken lately? Would you like to be remembered as someone who was not indifferent and tried to have an impact? Does the prospect of actually going into the streets to talk to people, and maybe help someone, strike you as too much movement and effort? If the answer to all these questions is “yes”, you should probably write a paper about the crisis of democracy. A perfect way to feel like you’re doing something good for society, without actually having to do much.

“But I am no political theorist / constitutional lawyer! What do I know?” – is the thought that might pop up in your head, but be sure to disregard it. Unlike with the natural (real) sciences, everyone is an expert on politics, the constitution, and democracy. After a couple of beers, especially. Plus, you can use our instructions: How to write a paper about the crisis of democracy (in ten steps):

  1. Start by saying that in 1989 it seemed like the end of history. Cite Fukuyama (and call him a “Neo-Con”. Mention he seems to have changed his mind. Make a little joke about that).
  2. Say that now, however, there are problems all around the world. Be sure to mention Russia, Trump, Turkey, Poland, Brexit, the Philippines, Brazil, and Hungary in the same sentence.
  3. Cite some numbers about how inequality is rising, growth stagnating, whatever, you need numbers (quote Piketty). Say that people nowadays will not be richer than their parents. Call them “losers of globalization”.
  4. Mention China and that maybe actually there is no necessary connection between democracy and market economy. Remind people that Hayek was friends with Pinochet.
  5. Be sure to include that democracy in the West might not be that democratic at all – refer to Citizens United and money in politics in general.
  6. Indicate that causes are actually even more complicated: economy, culture, ideology all play some role.
  7. Say that we are probably doomed. Add an analogy between today and the 1930s. Then say that we do not really know how it’s gonna go. Say that you predict that democracy will go down, or not, or maybe it will change.
  8. Add a splash here and there of buzzwords like “democratic backsliding”, “populism”, “illiberal”, “losers of globalization”. DO NOT ever explain what you mean by democracy or crisis. You must use the term “rule of law” very abundantly and make sure you conflate it with democracy.
  9. Propose to solve the problem by something that sounds simple but is actually very unclear: education, inclusion, regulation of social media. If you want to call your work “interdisciplinary”, mention blockchain.
  10. Say that of course more research is needed, but you wanted to just “start a debate” which is very important.

Congratulations! You just landed on the right side of history! If everything indeed goes down, you will be able to demonstrate that you cared. And if not, one of your predictions materialized, and you were part of the movement! Win-win.

Thanks to Nik and Fil for their comments about the “first draft”, haha.

Published: Automatic detection of unfair contract clauses

The paper summarizing our experimental research on the automatic detection of potentially unfair terms of service using machine learning has just been published online-first by the “Artificial Intelligence and Law” journal.

We tagged 50 online terms of service in search of clauses that seem unfair under the European Directive 93/13, and we show that the predictor’s accuracy is as high as 93% for some types of clauses, and 78% overall. This could be a first step towards developing tools to empower individual consumers and civil society organizations, as well as public agencies protecting consumer rights.
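For readers curious what such a pipeline can look like, here is a minimal sketch of a sentence-level classifier. It is illustrative only, not the paper’s actual setup; the data file, column names, and model choice are assumptions made for the example.

```python
# A minimal, illustrative sketch of sentence-level unfair-clause detection.
# NOT the pipeline from the paper: the data file, column names, and model
# choice are assumptions made for the sake of this example.
import pandas as pd
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.metrics import classification_report
from sklearn.model_selection import train_test_split
from sklearn.svm import LinearSVC

# Hypothetical dataset: one terms-of-service sentence per row,
# label 1 = potentially unfair under Directive 93/13, 0 = fair.
df = pd.read_csv("tagged_tos_sentences.csv")

X_train, X_test, y_train, y_test = train_test_split(
    df["sentence"], df["label"], test_size=0.2, random_state=42,
    stratify=df["label"])  # unfair clauses are rare, so stratify the split

# Word uni- and bigram TF-IDF features feeding a linear SVM;
# a standard, strong baseline for short-text classification.
vectorizer = TfidfVectorizer(ngram_range=(1, 2), min_df=2)
clf = LinearSVC()
clf.fit(vectorizer.fit_transform(X_train), y_train)

print(classification_report(y_test, clf.predict(vectorizer.transform(X_test))))
```

Even a simple baseline of this kind makes the point: once enough sentences are tagged, the legal knowledge encoded in the tags can be reused automatically, at scale.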

If you are interested in other papers we have on the matter (explaining the turn towards consumer-empowering AI, and the potential to use the same technology to analyze privacy policies), feel free to check out the project’s website.

How to Write a Law and Technology Paper?

This post is for laughs, a piece of sit-down comedy. Admittedly, it’s making fun of some things I have written in the past. I wrote it a while ago, on a plane from one law&tech conference to another. I wanted to pair it with a serious part: a reflection on what it is that we do, what we should do, what the point is, etc. Somehow, however, I never managed. At the same time, I keep showing it to people on my phone during conferences and they laugh. And laughing is good for you! Hence, I thought I’d share it, so you can smirk, and maybe someone wiser than me will come up with a serious comment on what is behind all this. Ready? Let’s go!

How to write a generic law and technology paper

So, you have given a lecture using the speech generator, and now they have asked you to write a paper. Worried? No need! The instructions below will help you develop a state-of-the-art contribution in ten steps.

  1. Start with a story. Write a couple-paragraph-long horrifying/utopian story about how a technology you are talking about will soon completely change the world, and undermine one of the legally protected values: property, freedom, equality, transparency, non-discrimination, safety, privacy, anything. Don’t explain what you mean by “technology”, but be sure to mention that it is “disruptive”. If you can find some data (numbers are always impressive), cite it; even better if you can find someone (anyone, really) who has published a prediction that in 5 years everyone will be using this. You can also start with some inspirational quote.
  2. Name the technology: robotics, AI, internet of things, big data, blockchain, algorithms, platforms, sharing economy, wearables, again anything. Say that there is no agreed upon definition of it, then define it anyhow, give a few more examples. If you write about IoT, make sure your example is a fridge ordering milk when you are out of it.
  3. Indicate some laws that could apply to this technology – cite some statutes, some cases, no need to be comprehensive – just have one whose application would be unclear. Alternatively, take some established concept: liability, personality, accountability, etc., and show how this new technology makes its application complicated. This will make everyone think that this is a legal paper. Lawyers usually don’t know much about tech, and non-lawyers seldom read cases – this will make you seem like an expert in whichever area the reader does not come from.
  4. State that we need to regulate, in a way that will “mitigate the risks, without impeding the benefits”.
  5. Say that obviously there are some benefits, and list them: pay special attention to how this could be used in education, or medicine, or for any type of empowerment (no need to define).
  6. Say that, however, there are of course also some risks/challenges, and list them. No need to indicate what the criterion of distinction was; also, don’t worry about explaining your normative theory (just say “criminal law”, or “consumer law”, or “privacy” etc.). Just list the problems.
  7. Now it’s time to solve a problem: throw around one/three/five ideas on what to do. If you are creative here, that’s ok, but you can also go for some safe bets: create a new administrative agency (an “FDA for algorithms/robots/databases” etc.), incentivize self-regulation and the creation of codes of conduct, and education – education is the most important.
  8. (Optional: write a couple of paras explaining why your solutions are better than what other people have proposed, or than what is already in place. This takes more time, because you actually need to read something. But it will make you look like an expert. If you treat people nicely, you might even become a member of a #citationCartel).
  9. Mention blockchain. You can just literally put the word “blockchain” in a random place somewhere in the solution section.
  10. Finish by saying that the issue is obviously complex, so more interdisciplinary perspectives are needed, and that you know you might be wrong, but your first ambition was to draw attention to the problem and start a discussion.

There you go! The paper is essentially ready. You just became an expert in something new, congratulations!!!

Fixing Social Media: Hit the Cause, not the Effects, of the Grand Bargain

This post builds, in part, on the ideas I got during the 1st Istanbul Privacy Symposium: Data Protection and Innovations, especially conversations with R.E. Leenes. Everything that is wrong here is obviously my fault, but I want to acknowledge that many points here were inspired by others.

In his excellent Fixing Social Media’s Grand Bargain, Jack Balkin demonstrates how the “nature” of digital capitalism creates perverse incentives for social media companies to surveil, addict, and manipulate their users. He then surveys a range of regulatory options, from treating social media as public actors in some ways, to antitrust and pro-competition law, before finally reiterating his intriguing idea to treat social media companies as “information fiduciaries”.

In this brief post, I would like to build upon Balkin’s idea and offer an additional perspective on both the problem and the possible solutions. I want to argue that the role of law is not only to mitigate the results of the “nature” of digital capitalism, but to disrupt the very incentives that led to the Grand Bargain. I first look at the conditions that led to the current model, and question the assumption that this model is necessary. I also question the assumption that the surveillance and manipulation problem can be fixed within this paradigm. Then, I take a look at the “information fiduciaries” proposal and reiterate my reservations towards it, also re-characterizing the way the GDPR is constructed. It’s an imperfect instrument, but in my opinion, for different reasons than Balkin puts forward. Finally, I throw in a couple of alternative ideas – coming from a consumer law mindset – which are one way to go about changing the very incentives that led to the Grand Bargain.

Where are we?

Obviously, there is not one problem with the way social media companies currently operate, and so there will not be one solution to all of them. Hence, at some point we could do with a map of what exactly the challenges are, what precisely the regulatory goals are, and what regulatory means have a chance of bringing these goals about. However, it seems to me that an analysis of the causes of, and possible cures for, the “grand bargain” makes for a good start.

The “grand bargain”, according to Balkin, is this: online companies (social media, search engines, etc.) offer their marvelous products to users without asking for money, but in exchange collect, analyze, and act upon users’ personal data. These companies make money out of advertising. The more time users spend using their products, the more ads they will see. The more data companies have about users, the more effective targeted ad campaigns will be. Hence the incentive to surveil, addict, and manipulate.

This bargain is the “nature” of digital capitalism, Balkin tells us. I could not agree more, if by “nature” we mean an explanation of how things are right now. However, I would question the assumption – especially if we are to talk about political economy – that things must be this way. Two questions are worth addressing: how did we get where we are, and how can we get out?

How did we get here?

Jaron Lanier interestingly argues that the mistake was made at the very beginning of the Internet’s public existence. We allowed two, possibly contradictory, ideas to flourish at the same time. On the one hand, the radical idea that stuff online should be free: that one should not pay for using browsers, visiting websites, sending emails, etc. On the other, the liberal idea that innovation is good and tech entrepreneurship should be incentivized. Given the strong commitment to both, advertising was the only solution. And when online companies realized that the by-product data can be useful, and that machine learning algorithms can squeeze a lot of knowledge out of it, the arms race in micro-targeted, behavioral advertising started. Two observations here.

First, it is by no means obvious or proven that targeted advertising leads to “more efficient advertising campaigns, which allow greater revenues”. One naturally assumes so – why else would companies, rational economic actors, spend money on it? But more and more research seems to show that these increased revenues are minimal (if they exist at all), and that companies’ behavior is a herd phenomenon, based on hype.

Second, we should seriously ponder the question of whether an internet and a public sphere in which stuff is free while users retain privacy and autonomy is possible. Whether it makes sense to strive for a world where one does not pay with money for using email, social media, browsers, and search engines, and in which one retains full (or high) privacy and autonomy. The answer, obviously, will not be binary. But we should spend time thinking about whether the trade-off between free usage of convenient innovative products and personal privacy and autonomy is not inevitable.

“Information fiduciaries” cure symptoms, not the cause

Balkin’s “information fiduciaries” idea has two huge advantages and three problems. It’s a good idea because it’s 1) simple and 2) possible to realize by courts. It seems to me problematic when one thinks about 1) its operationalization in the design process; 2) oversight and enforcement; and 3) the fact that it does not change the perverse incentives, but merely puts legal constraints on how to act upon them.

The EU’s adventure with enacting the GDPR seems to make two things clear in the American context. It might be impossible to push any complex data processing regulation through the over-lobbied Congress. And even if it were possible, the result would be so complex and watered-down that it wouldn’t do us any good. That is where employing the concept of a “fiduciary” in the common law courts seems very tempting.

Speaking of the GDPR, Balkin is clearly skeptical of this “neoliberal” regulation. As imperfect as the GDPR might be, I disagree strongly with his characterization that “GDPR relies heavily on securing end-user consent (…) [and] is still based on a contractual model of privacy protection”. This is an American idea, and with regard to the GDPR, it is simply not true. The GDPR is an administrative regulation par excellence. It clearly specifies the duties of data controllers, including the need to demonstrate a legal basis for processing, consent being only one of them. In other words, what companies write in their terms of service and privacy policies does not affect their obligations, and does not change what they are or are not allowed to do with personal data. The “individual rights and transparency” part of the Regulation belongs to the oversight and enforcement side, which relies on a mix of public and private engagement. Realizing that public supervisory authorities will never have enough power to combat the huge tech companies by themselves, the GDPR equips individuals with information and access rights, which allows for “class action” by NGOs, increasing the chance of spotting infringements. This is not perfect, but it’s not imperfect for the reasons Balkin invokes. And this helps one see where “information fiduciaries” come up short as the cure.

First, this sounds like a great idea, but even with a well-intentioned company, at some point engineers need guidance on how to implement it. Does showing me ads for sleeping pills at 3 a.m. go against the duties of care, confidentiality, and loyalty? Sure, I guess. Do those duties impose an obligation to pull addictive games from my platform? That’s where stuff gets tricky. The GDPR’s problem is that it’s long and complex. But the problems caused by social media in 2018 are very complex as well.

Second, if we imagine that social media companies do become information fiduciaries, and even if we assume that their duties are specified sufficiently well, the question is: what do we do when they violate those duties? The big difference between doctors, lawyers, and nurses sharing my secrets, and social media building up a system that manipulates and addicts me, is that in the second case I might simply not know. The fiduciary model works perfectly if we assume that people will realize when these duties are infringed. But that is a bold assumption.

Finally, Balkin’s proposal does not really change the incentives to make money out of advertising; it just puts constraints on the ways in which social media companies would be legally allowed to do so. It does not disrupt the grand bargain; it civilizes it. And that is where my biggest skepticism lies. Because, as I wrote above, it just might be impossible to sustain innovation and free access to products without some sort of abuse of power stemming from access to data and control over products.

To “Fix” Social Media, Change their Incentives

Here we get back to the question of whether the “nature” of digital capitalism is fixed. And, as Larry Lessig made us see already 20 years ago, the answer is no. Instead of taking it as given and thinking of how to civilize it, let us think about how to disrupt the very system that gave rise to these business models.

From the perspective of political economy, my conviction is that we should not (only) regulate data processing, or privacy, directly, but regulate the market in a way that will change the incentives. How?

For example, ban targeted advertising. Or some forms of it. Or some types of content. Especially if we learn that they do not really work. Ban news feeds shaped by unknown algorithms. Require that users be in control of these choices. If companies are not allowed to use the data they collect and the patterns they infer, the incentive to collect and use it dramatically goes down.

The immediate response I fear is “but the First Amendment!”. I fear it because I know nothing about it and cannot properly engage in a discussion. But just let me say: even Americans have bans on ads for cigarettes or alcohol, and rules on ads for medications. Even with the First Amendment, there are bans on speech directly endangering national security (I don’t want to use the “t” word, since the perfect surveillance will immediately hit me ;). So if social media are, or might be, addictive and cause mental health problems (as it seems they are), and if they created environments where a foreign power could influence American presidential elections, it seems to me that health or national security could be arguments justifying such an intrusion.

Or let’s do something else. Make it obligatory to offer a track-free, ad-free, paid option. Facebook’s yearly revenue is $40 billion, and it has 2 billion users. That is 20 bucks per user per year. We pay ten dollars monthly for Netflix and Spotify and Amazon Prime; why not for Facebook or Google? Sure, that is not an option for many people in less wealthy countries; as I said, it’s of course more complex. And yes, Amazon and Netflix also surveil and addict us. So such a move is not sufficient. But it’s easier to make them stop when they have a secured income from sources other than abusive ads, manipulation, or political propaganda.

Those are obviously imperfect ideas. But they are just one possible way to act on the claim that I’m certain of: the role of law is to change the incentives that led to the “grand bargain”, not only to mitigate the bargain’s results.

CLAUDETTE: Automating Legal Evaluation of Terms of Service and Privacy Policies using Machine Learning

It is possible to teach machines to read and evaluate terms of service and privacy policies for you.

Have you ever actually read the privacy policies and terms of service you accept? If so, you’re an exception. Consumers do not read these documents. They are too long, too complex, and there are too many of them. And even if consumers did read them, they would have no way to change them.

Regulators around the world, acknowledging this problem, have put in place rules on what these documents must and must not contain. For example, the EU enacted regulations on unfair contractual terms and, recently, the General Data Protection Regulation. The latter, applicable since 25 May 2018, makes clear what information must be presented in privacy policies, and in what form. And yet, our research has shown that, despite the substantive and procedural rules in place, online platforms largely do not abide by the norms concerning terms of service and privacy policies. Why? Among other reasons, there is just too much for the enforcers to check. With thousands of platforms and services out there, the task is overwhelming. NGOs and public agencies might have the competence to verify the ToS and PPs, but lack the actual capability to do so. Consumers have rights, civil society has its mandate, but no one has the time and resources to bring them into application. Battle lost? Not necessarily. We can use AI for this good cause.

The ambition of the CLAUDETTE Project, hosted at the Law Department of the European University Institute in Florence, and supported by engineers from the University of Bologna and the University of Modena and Reggio Emilia, is to automate the legal evaluation of terms of service and privacy policies of online platforms using machine learning. The project’s philosophy is to empower consumers and civil society using artificial intelligence. Currently, artificial intelligence tools are used mostly by large corporations and the state. However, we believe that, with the efforts of academia and civil society, AI-powered tools for consumers and NGOs can and should be created. Our most technically advanced tool, described in our recent paper, CLAUDETTE: an Automated Detector of Potentially Unfair Clauses in Online Terms of Service, can detect potentially unfair contractual clauses with 80%-90% accuracy. Such tools can be used both to increase consumers’ autonomy (by telling them what they accept) and to increase the efficiency and effectiveness of civil society’s work, by automating big parts of the job.

Our most recent work has been an attempt to automate the analysis of privacy policies under the GDPR. This project, funded and supported by the European Consumer Organization, has led to the publication of the report Claudette Meets GDPR: Automating the Evaluation of Privacy Policies Using Artificial Intelligence. Our findings indicate that the task can indeed be automated once a significantly larger learning dataset is created. The learning process was interrupted by the major changes in privacy policies undertaken by the majority of online platforms around 25 May 2018, the date when the GDPR became applicable. Nevertheless, the project led us to interesting conclusions.

Doctrinally, we have outlined the requirements a GDPR-compliant privacy policy should meet (comprehensive information, clear language, fair processing), as well as the ways in which these documents can be unlawful (if the required information is insufficient, the language unclear, or potentially unfair processing is indicated). Anyone – researchers, policy drafters, journalists – can use these “golden standards” to help them assess existing policies, or draft new ones, compliant with the GDPR.

Empirically, we have analyzed the contents of the privacy policies of Google, Facebook (and Instagram), Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Booking.com, Skyscanner, Netflix, Steam, and Epic Games. Our normative study indicates that none of the analyzed privacy policies meets the requirements of the GDPR. The evaluated corpus, comprising 3,658 sentences (80,398 words), contains 401 sentences (11.0%) that we marked as containing unclear language and 1,240 sentences (33.9%) that we marked as potentially unlawful clauses, i.e. either a “problematic processing” clause or an “insufficient information” clause (under Articles 13 and 14 of the GDPR). Hence, there is significant room for improvement on the side of business, as well as room for action on the side of consumer organizations and supervisory authorities.
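As a quick sanity check, the shares reported above follow directly from the raw sentence counts:

```python
# Reproducing the reported percentages from the raw sentence counts.
total_sentences = 3658   # size of the evaluated corpus
unclear = 401            # sentences marked as containing unclear language
unlawful = 1240          # sentences marked as potentially unlawful

print(f"unclear language:     {unclear / total_sentences:.1%}")   # -> 11.0%
print(f"potentially unlawful: {unlawful / total_sentences:.1%}")  # -> 33.9%
```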

The post originally appeared at the Machine Lawyering blog of the Centre for Financial Regulation and Economic Development at the Chinese University of Hong Kong