by Rikke Frank Jørgensen & Tariq Desai
The paper explores the conflict between users’ right to privacy and data protection and the practices of online platforms such as Google and Facebook. Based on the collection of a data set of 13 complaints against the two companies in the period 2011 to 2016, the authors provide an overview of the field and a critical look at the current systems of privacy and data protection in the US and Europe, including the new General Data Protection Regulation (GDPR). The paper argues that whereas the two systems differ on a number of counts, neither of them critically engages with the online business model that lies beneath these platforms, including its incentive for maximising data collection.
The right to privacy has never been more pressured or paradoxical. On the one hand, the international human rights system has reiterated that the right to privacy applies online as well as offline.1 This message has been codified in UN resolutions, by the UN High Commissioner for Human Rights, the Council of Europe, the European Court of Human Rights (ECtHR), and the European Court of Justice (ECJ). On the other hand, the character of the online domain facilitates data capture, extraction and control to an unprecedented extent. Data is collected from platforms used by billions of people every day as part of the online business model; users routinely give their consent as a premise for using the services; and privacy policies are read by few if any of the users. Essentially, there is a zone of contestation between the business practices of collecting, processing and exchanging personal data, in order to maximise targeted advertisements, and users’ right to privacy and data protection.
While the research field pertaining to privacy and data protection has been extensively covered by a variety of disciplines, there is still limited research that explores how the conflict between the online business model and the right to privacy has been addressed in concrete cases. Both the US and Europe have had an increasing number of complaints concerning online platforms and privacy, yet their regulatory frameworks and enforcement mechanisms around privacy differ fundamentally. Based on a review of 13 complaints and a research report involving Google and Facebook in the two regions, the paper will first outline the US and European privacy and data protection frameworks, focusing on areas where the two legal regimes diverge. Second, it will identify the key privacy concerns that can be drawn from the complaints, and third, examine the strengths and weaknesses of each system in terms of addressing these concerns. The paper argues that despite clear differences in the US and European approaches towards privacy protection, the complaints raise a number of similar concerns related to (lack of) user knowledge and consent. Both the US consumer approach and the European data protection framework are based on the presumption that users may decide not to use the services if provided with the necessary information. However, limited protection is offered by either regime to shield against the fundamental power asymmetry between the users and the platforms.