Law in the Internet Society

Beyond Conset-Based Privacy Regulations

-- By AikenLarisaSerzo - 16 Jan 2022


Rather than encouraging ethical software and data processing, existing privacy regulations legitimize and empower data exploitation of private enterprises. The start of December brings with it a deluge of people sharing their Spotify Wrapped -- an end-of-the-year feature provided by Spotify which summarizes the listening habits of its users. It provides information -- in digestible 5-second clips -- on the top songs, artists and podcasts streamed, the number of minutes spent streaming songs, and comparative insights. Users are then given the option to share the insights in various social platforms. Incredible how Spotify made everyone immediately and proudly share insights gathered about them by a private company with laser-like precision.

Spotify, like other tech companies, made the collection and processing of personal information acceptable, if not natural. Users voluntarily share data in exchange for insights and convenience.

The GDPR and regulations like it makes processing of personal information legal provided that consent is obtained. Countries that enacted general privacy laws, like the Philippines, have largely adopted consent-based and accountability principles. The Philippines actually made it stricter by making violations criminal. This incentivized tech companies to engage lawyers, conduct audits, and draft privacy policies. This results in lengthy and legalese consent forms, which Zuboff aptly calls surveillance policies. The implementation of audits and privacy policies renders the processing of personal information legal provided that the extent of such processing is captured in the consent forms. However, privacy regulations only appear to legitimize the comprehensive and unscrupulous scraping and processing of personal data. In the Philippines, the strict privacy laws have not prevented companies from engaging in the wide scale exploitation of data. During the height of the pandemic, Huawei provided local governments with AI technology that enables doctors to identify probable COVID cases through the patients’ CT scans. The Philippines essentially volunteered itself to be the testing ground (and an additional resource of data sets) for Huawei’s algorithms. A basic version of Facebook may also be accessed by users for free. Such an act, disguised as philanthropy, allows Facebook to collect behavioral data about the population. The political polarization of the population, as described by Maria Ressa, and the prevalence of misinformation clouding the upcoming elections could be manifestations of the echo chambers enabled and empowered by Facebook.

Possible Solutions

Existing consent-based regulations will not be sufficient to protect privacy rights of individuals. It is difficult to regulate behavior when there is no guarantee that the subject matter of the regulations possesses the required competencies and resources to understand the extent of the consent they are giving. Even the drafters of consent forms will not be able to completely capture the extent of their processing activities.

Other methods should be implemented to supplement existing regulations:

End user-facing online service providers should be prohibited by regulation, by the country where data subjects reside, from (i) conducting expansive and general processing of data, and (ii) lumping with its general consent form, provisions related to the processing of personal data for purposes beyond the services which a user is primarily signing up for, and processing for the monetizing personal data through cross selling or upselling products from itself or third parties.

Service providers usually include blanket provisions that would allow them to use personal data “to improve services or products”. The use of personal data vis a vis improvement of services should be limited to specific risks and harms to which a user is exposed to: virus or spam risks; customer service provision.

In the interest of providing users with autonomy over their personal data, users may still be allowed to actively allow other third parties to access data collected by another party. However, such sharing should actively be initiated by the user, not the processor. Further and more importantly, any functionality or prompt within a service that would implement such user-initiated command, must be presented to the user in a manner that is clear and apparent, separate from the general consent of the provider.

To ensure compliance with the foregoing limitations and because it’s impractical to predict how technology will evolve and how data will be processed, an independent government agency must be empowered to regularly evaluate online services’ data processing activities. The agency should identify what services a user obviously signed up for when onboarding with the provider. Processing activities conducted which include expansive and general processing, or those which are not directly necessary to the fulfillment of the provider’s apparent obligations to the user should be prohibited by government. To illustrate, if the user signed up to access music streaming services, data processing for the purpose of cross selling logistics or delivery services, or collection of data for purposes of credit scoring, should be prohibited. To mitigate corruption, the government agency should be headed by a panel of unelected officials that have staggered terms that go beyond the appointing authority’s.

Providers that refuse to comply with directives provided by the agency should be blocked domestically, making it harder for the provider to gain users and revenue from the relevant jurisdiction. National governments may have some leverage to successfully implement this against offshore providers, especially those that earn revenue from local customers. Revenue earned by offshore platforms still needs to go through the domestic banking system. Any infraction may be pursued and pressure may be done by blocking off the providers’ access to the banking systems.


Consent-based regulations are not sufficient to enhance or protect privacy rights. These laws have unrealistic assumptions about data subjects and controllers. The regulations assume that users have the ability and the resources to understand consent forms. The consent provided is far from being an informed one.

If the objective is to protect the freedoms of individuals, the ability of service providers to process data must be curtailed in a more aggressive way.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r3 - 17 Jan 2022 - 03:10:19 - AikenLarisaSerzo
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM