What did the privacy regulations do for us?
On the technicality of the GDPR and privacy regulations
In Hungarian, we say that sometimes you can’t see the forest from the tree anymore. Well, this applies to some privacy policies: once you read them, you won’t necessarily understand how your privacy is protected.
The European General Data Protection Regulation (GDPR) has been in force for nearly 7 years now, and it was followed by several privacy regulations across the world. More and more reports from regulators, NGOs and others are measuring the impact of the GDPR.
The question is: what did the privacy regulations do for us?
The “privacy paradox”
This is a famous concept mostly used to discredit personal data protection.
According to the behaviour valuation argument against privacy, people’s behaviour shows that the majority doesn’t care about this. [1] Or, to put it the other way round: almost all people care about their privacy to some extent, but only very few actually do something to preserve it. This critique of privacy usually takes the form of “I have nothing to hide”, “I don’t care what you do with my data”, or simply giving up: “I can’t control what happens with my data anyway”. Sneaky marketing strategists often use this argument to justify putting privacy aside altogether.
Another argument against privacy is behaviour distortion, which comes from psychology: the data on privacy-related behaviour is not reliable anyway, as people often make biased decisions. Flashy cookie banners, privacy setting pages and a myriad of privacy notices might give users a false sense of control. This is a kind of behaviour where you act in a more risk-accepting way simply because you were given the illusion of complete safety. It is similar to driving: you might tend to speed more in a car that feels safe and reliable.
Both arguments go in the same direction: if the stats show that people don’t care about how their data are used, and even the stats are unreliable, why bother then at all?
The role of privacy regulations
The GDPR or any privacy regulation should be able to disarm these arguments. A privacy regulation should reinforce the belief that it is possible to protect privacy without much burden, and that this is possible by design, i.e. through how a product or a website is created. The GDPR also contains concepts that make this a requirement, such as data protection by default and by design.
Privacy regulations across the world were supposed to remedy this deficit of trust in ever-developing technology, and to create an environment where we know what happens with our data, we have rights related to them, and we can enforce those rights if needed. This leads us to the concept of informational self-determination: an environment where, with reasonable effort, we are fully in charge of what happens with our personal data.
The reality as presented by Meta
The practice is somewhat dull: cookie banners [2], endless privacy notices of hundreds of pages, and labyrinths of links and documents all over the place, in a language that is not easy to decipher even for professionals in this field. And even if you put in the time and effort to actually read these documents and try to exercise your rights, you will hit hidden walls at some point.
To show you an example of the privacy-washing that affects nearly every person with access to the internet, I recommend the “Privacy Centre” of Meta [3], built with 5.5 billion US dollars. To highlight some phenomena in this centre:
You will find yourself in a privacy maze of several pages, drop-downs, links with cross-references and some flashy buttons.
Meta’s privacy policy can be downloaded here in just 123 pages.
If you search for “Access and correct information”, you can request access to your data, which will most likely be even heavier documentation.
Most of this policy applies strictly in the context of Facebook, while different rules might apply to different platforms.
If you feel that you managed to get an idea of all this, the Privacy Centre’s structure will most likely change altogether in a matter of months – something that I have experienced since I last reviewed it in 2022.
If this is not enough, the European Data Protection Board published a complete assessment of dark practices by social media platforms.
If you still don’t fully understand how exactly Meta is using your data, it is not your fault. For example, it is generally known that Meta actively shapes politics through targeted ads, which led to the Cambridge Analytica scandal, heavily impacting elections. Supposedly, this should be addressed in detail in the privacy policy - after all, it has 123 pages. However, there is only a vague statement on this, with only one mention of processing political views as information under “special protection”, and a note that the processing is based on the user’s explicit consent.
Considering that Meta has a pay or consent model, this statement is not only cynical but factually incorrect, showing that there is almost no value in doing an in-depth analysis of this policy.
Privacy self-management
Meta’s example shows another burning issue with privacy: the unbearable scale of self-management for the average internet user. While Meta provides products that are necessary for most people’s daily lives, many of us visit hundreds and thousands of other websites with different providers behind them, each with their own privacy practices.
When we are presented with such a privacy policy, we face a three-way road, with none of the directions very appealing:
Seeing the effort it would take to fully understand how data is processed, the user accepts everything and proceeds. Presumably, this is more than 90% of the users.
Some users might take some effort to check the privacy policy. After seeing the amount of text and settings, the user assumes safety and accepts most options but potentially rejects some. This should be less than 10% of the users.
The user takes significant time and effort to review the policies, requests access to personal data, and even attempts to double-check if some statements are correct, as in this article. The user only realizes that most of the options are illusory, irrelevant or factually incorrect. These are mostly privacy professionals with too much free time, such as the author – way below 1% of the users.
Takeaway: make privacy easier
As Solove put it, “Managing one’s privacy is a vast, complex, and never-ending project that does not scale; it becomes virtually impossible to do comprehensively”. Indeed, if you take some time to check your privacy settings only on the main social networks – like Google-related products, LinkedIn, or even here on Substack – it is a considerable effort and workload for something that should be provided to you by default.
Blaming end users for not taking care of their privacy despite the options they are presented with is cynical. I agree with Solove’s conclusion that the privacy paradox does not exist as such, i.e. it is an impression created by major tech companies to discredit data protection regulations, and to save on implementation costs.
However, it is a valid criticism against privacy regulations that their correct implementation creates a large administrative burden not only for the companies, but for users as well, often with questionable outcomes as above.
Therefore, regulators and privacy professionals should have the task of making privacy easily accessible to everyone, without putting much of the burden on the end user, and without blaming them for being unwilling to review several hundred pages before clicking “yes” or “no”, or worse: forcing them to pay if they want to say “no”.
[1] As presented in more detail in The Myth of the Privacy Paradox by Daniel J. Solove, 2020, GWU, https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2738&context=faculty_publications
[2] Such as the absurdities of the practice on cookies, as I explained in my previous article: https://substack.com/home/post/p-157759166
[3] Meta is the company owning Facebook, Messenger, Instagram, WhatsApp and several other products, and it combines your data across these platforms.