Author
News / Legal Brief
The myth of consent: Big tech meets (big) data protection
Mar 1,2023
Data Privacy & Cybercrime
Consumers rely on digital platforms such as Google, Amazon and Takealot to gain wider and more convenient access to a variety of goods and/or services. Unfortunately, part-n-parcel of such convenience seems to include the little-to-no-control that consumers experience over the use of their personal information.[1] In light of the aforementioned tension between technological innovation and privacy protection, an ever-increasing number of human-rights interest groups, digital platform users and government officials have called for a more comprehensive data privacy regulatory regime.[2]
In acknowledging the need for further privacy and data management policies (and support for same), various leaders in the Information Technology and Communications (“ITC“) industry[3] have stated their desire for more comprehensive data protection regulations.[4]
For example, one of the highlights of the 2020 World Economic Forum’s 50th anniversary (held in Davos, Switzerland) was the call by Big Tech[5] executives for increased regulation in the realm, inter alia, of artificial intelligence and data management regimes.[6] To this end, the likes of Apple’s Chief Executive (Tim Cook) and Meta’s CEO (Mark Zuckerberg) called for laws that expand on consumers’ rights over their data; and while emphasised the need for regulators to set clearer rules regarding, inter alia, the dissemination of online content, data portability and privacy rights.[7]
Since the advent of governments’ increased focus on privacy rights,[8] digital platforms, in general; and Big Tech in particular, have come under fire for their data collection practices, their use of targeted advertising on young users[9] and other (allegedly) anti-competitive business practices.[10]
Background
A digital platform is a website, mobile application (colloquially referred to as an “app”) or digital venue that interacts commercially with users or groups of users.[11] Popular digital platforms include Youtube, Uber, TikTok and Spotify; most of which are owned and operated by a handful of prolific technology companies that operate in the ITC marketplace.[12]
The types/categories of data collected by digital platforms[13] may include a user’s location, search and purchase history, IP address’, emails received and dispatched etc. – depending on the nature of the digital platform.[14] One of the more relevant (and controversial) features of digital platforms’ data collection and/or management practices involves the selling of user data to third parties – including credit agencies, marketers and other similar service providers.[15]
Indeed, the concept of ‘Fair Information Practices‘ (i.e. a prelude to the OECD’s[16] Guidelines on the Protection of Privacy)[17] speaks to the global standard for privacy and data protection.[18] However, the OECD’s initial ‘notice and consent’ model is no longer relevant to a 4IR world in which technological developments have reduced consumers’ ability to understand what they are consenting to in privacy policies.[19] Generally speaking, internet users who click ‘agree’ to such ‘click-wrap’ agreements are often consenting to the lowest denominator of existing privacy protections; and in turn, unknowingly permitting the disclosure of their personal information to third parties.[20]
The European Union’s (“EU“) attempts to regulate the ITC industry have led to unintended consequences.[21] For example, the General Data Protection Regulation (“GDPR“) is aimed at protecting consumer privacy. Unfortunately, Tech Giants have obtained increased access to personal data – with fewer restrictions – by pushing the consent requirements of the GDPR onto digital publishers; and labelling themselves as ‘a controller of personal data’; thus allowing Tech Giants to cement themselves, inter alia, as leading advertising partners.[22]
From a competition law perspective, one of the solutions tabled to circumvent the possible anticompetitive conduct of Big Tech firms and other digital platforms is the concept of interoperability – which would require the tech platforms to exchange information by operating in conjunction with each other, as opposed to the norm of monopolising information in order to entrench dominance in the market. [23] Although this strategy may alleviate competition concerns relating to abuse of dominance, one of its biggest (and most important) pitfalls lies in the nature and extent to which such data-sharing may raise data protection concerns!
Further, while the potential abuse of dominance may be alleviated by interoperability; the concept appears to lend itself to cartel conduct. The reality of this pitfall is demonstrated by the merger of Sanlam Emerging Markets Proprietary Limited and Allianz Europe B.V./SAN JV (RF) Proprietary Limited, wherein the CCSA recommended the approval of the merger, subject to conditions that mitigate the exchange of competitively sensitive information between the impugned joint-venture partners.[24] Thus, inasmuch as interoperability may lend itself to the levelling of the proverbial ‘playing field’ from a competition perspective, it should not be achieved at the expense of Data Subjects’ right to privacy and data privacy legislation.[25]
POPIA[26] provide for the legal processing of personal information in the absence of consent. In terms of POPIA, consent may be a prerequisite for the processing of certain types of personal information (i.e. special personal information or the personal information of minors), as well as the further processing of personal information. However POPIA is not a consent-driven legislation. In other words, a Responsible Party (or controller) does not necessarily need to obtain the consent of a data subject before processing the personal information of the data subject, provided that such processing occurs on a lawful basis. This approach to demonstrates the South African competition law regulator’s awareness of how the myth of consent in so-called ‘click-wrap’ agreements can ultimately endanger the security, accuracy and integrity of users’ personal information.[27]
Conclusion
Indeed, the recent wave of competition investigations – accompanied by a growing backlash over privacy, encryption, artificial intelligence and content monitoring concerns – has pressured persons (both natural and juristic) into implementing self-regulatory schemes relating to data management. [28] After all, who can forget the big rush (and confusion) into privacy policy formation following the commencement of POPIA.[29]
Be that as it may, it remains important to evaluate the global data governance regime(s) – particularly in the context of Big Tech and digital platforms – with the awareness that building new technologies means more than creating new (virtual) realities; it also includes developing mechanisms that ensure the appropriate application of such new technologies.
In the words of Jim Henson, “There is not a word yet for old friends who’ve just met.” Similarly, there is yet to be a word invented for the ever-present congruency that exists between digital ecosystems, big business (i.e. Big Tech), and (big) data (protection and management).
What is clear, however, is that there can be no denying the intrinsic link between digital platform regulation and consumer data privacy/protection.[30]
Cybercrimes Act: South Africa Finally Joins The Big Boy Table
