Information asymmetries: recognizing the limits of the GDPR on the data-driven market

(1)

Information asymmetries

Waerdt, van de, Peter

Published in:

Computer Law & Security Review

DOI:

10.1016/j.clsr.2020.105436

IMPORTANT NOTE: You are advised to consult the publisher's version (publisher's PDF) if you wish to cite from

it. Please check the document version below.

Document Version

Publisher's PDF, also known as Version of record

Publication date:

2020

Link to publication in University of Groningen/UMCG research database

Citation for published version (APA):

Waerdt, van de, P. (2020). Information asymmetries: recognizing the limits of the GDPR on the data-driven

market. Computer Law & Security Review, 38, [105436]. https://doi.org/10.1016/j.clsr.2020.105436

Copyright

Other than for strictly personal use, it is not permitted to download or to forward/distribute the text or part of it without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license (like Creative Commons).

Take-down policy

If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.

Downloaded from the University of Groningen/UMCG research database (Pure): http://www.rug.nl/research/portal. For technical reasons the number of authors shown on this cover page is limited to 10 maximum.

(2)

Availableonlineatwww.sciencedirect.com

journalhomepage:www.elsevier.com/locate/CLSR

Information

asymmetries:

recognizing

the

limits

of

the

GDPR

on

the

data-driven

market

Peter

J. van

de

Waerdt

1 ,∗

Security,Technologyande-Privacy(STeP)ResearchGroup,UniversityofGroningen,Groningen,TheNetherlands

a

r

t

i

c

l

e

i

n

f

o

Articlehistory: Availableonlinexxx Keywords: InformationAsymmetry Data-drivencompanies Behavioralprofiling Transparency Dataprotection

GeneralDataProtectionRegulation

a

b

s

t

r

a

c

t

Onlinesearchengines,socialmediaplatforms,andtargetedadvertisingservicesoften em-ploya“data-driven” businessmodelbasedonthelarge-scalecollection,analysis,and mon-etizationofpersonaldata.Whenprovidingsuchservicessignificantinformation asymme-triesarise:data-drivencompaniescollectmuchmorepersonaldatathantheconsumer knowsorcanreasonablyoversee,anddata-drivencompanieshavemuchmore(technical) informationabouthowthisdataisprocessedthanconsumerswouldbeabletounderstand. Thisarticledemonstratesthevulnerablepositionconsumerscontinuetofindthemselves inasaresultofinformationasymmetriesbetweenthemanddata-drivencompanies.The GDPR,byitself,isinpracticeunabletomitigatetheseinformationasymmetries,norwould itbeabletoprovideforeffectivetransparency,sinceitdoesnotaccountfortheunique characteristicsofthedata-drivenbusinessmodel.Consumersarethusfacedwithan insur-mountablelackoftransparencywhichisinherentin,aswellastheinevitableconsequence of,themagnitudeoftheinformationasymmetriespresentonthedata-drivenmarket.

1. Introduction

Due to continued improvements in the field of informa-tiontechnologyandtheriseinitsusage,newmarketshave

∗_{Corresponding}_author._Department_of_{Transboundary}_Legal_Studies,_Security,_Technology_and_e-Privacy_(STeP)_Research_Group,

Uni-versityofGroningen,OudeKijkin’tJatstraat26,Room13150465,9712EKGroningen,TheNetherlands.Telephonenumber:+315036 35527.

E-mailaddress:p.j.van.de.waerdt@rug.nl

1_Peter_van_de_Waerdt_is_a_PhD_researcher_at_the_department_of_{Transboundary}_Legal_Studies,_University_of_Groningen_(The_{Netherlands),}

andpartoftheSecurity,Technologyande-Privacy(STeP)ResearchGroup.Hisresearchfocusesontherelationsbetweendataprotection lawandcompetitionlawondata-drivenmarkets.

2_“Personal_{data” is}_defined_as:_any_information_relating_to_an_identified_or_identifiable_natural_person._{‘Regulation}_(EU)_2016/679_of_the

EuropeanParliamentandoftheCouncilontheProtectionofNaturalPersonswithRegardtotheProcessingofPersonalDataandonthe FreeMovementofSuchData’,art.4(1).

emergedwhichoperateprimarilyonthecollection,analysis, processing,andmonetizationofpersonaldata.2_This_is cur-rentlythe case for many socialmedia platforms, advertis-ingnetworksand other onlineserviceproviders: theyhave

https://doi.org/10.1016/j.clsr.2020.105436

(3)

become ‘data-driven’. While Google and Facebook are the mostprominentoperatorsofadata-driven businessmodel, thecombinedweightofallofthesmalleractorsonthe on-line advertising market should not be underestimated ei-ther. Data-drivenness hasbecomeubiquitous on the Inter-net,anditiseasy tosee howitcan behighlybeneficial to theconsumer:itallowsvarioususefulservicestobeprovided foralowpriceand inapersonalizedmanner.Despitesuch benefits, however,it is notcompletely without its costs or risks.

In this article, the conduct of data-driven companies (DDCs)ontheirrespectiveonlinemarkets,aswellasthe con-sequencesthereof,willbeexaminedfromtheperspectiveof information asymmetries.Theterm ‘information asymme-tries’inthiscontextreferstothesubstantialdifferencesthat existbetweentheinformationavailabletotheDDCsversus thatavailabletotheconsumersthemselves.Although infor-mationasymmetriesarecommoninnearlyallmarkets,and arethereforealsoasubjectofconsumerprotectionlaw,they areespeciallyproblematiconthedata-drivenmarket.Onthis marketthereisasymmetrynotonlywithregardstothe con-tractbut,crucially,alsowithregardstothevolumeandthe mannerofpersonaldataprocessing.Asaresult,consumers findthemselvesinavulnerablepositionvis-à-visDDCs. Seri-ousrisksarisethatconsumerswillbeunabletomake well-informeddecisionsabouttheuseoftheirdata,ortoinvoke theirrights.Theusageoftheterm“informationasymmetries” throughoutthisarticleshouldbeunderstoodinthisfull con-text.

While thereisawealthofliteratureinthe field ofdata protectionrecognizinginformationasymmetriesasa signif-icant concern,3_there_has_not_been_an_exhaustive examina-tion ofhowinformationasymmetries comeinto beingand how intertwinedtheyare withtheinner workingsof data-drivenmarkets.Thefullcomplexity ofDDCs’data process-ing,andhowtheresultinginformationasymmetriesare in-terconnectedwiththedifficultiesofensuringtransparencyon thesemarkets,hasnotbeenexaminedindetail.Thisarticle aimstoprovidesuchinsightand indoingsoillustratewhy DDCspresentauniquechallengeforEuropeandata protec-tionlaw.Indeed,theinformationasymmetriesperspectiveis valuablebecause itvividlyillustratesjusthowmuchofthe data collection, dataanalysis, profiling,and behavioral tar-geting processremainsunknown,incomprehensible,or un-workable to the average consumer. Thevolume and com-plexity of the data processing conducted by DDCs makes

3_For_example:_Bart_Schermer,_‘Risks_of_Profiling_and_the_Limits_of

DataProtectionLaw’inBartCustersandothers(eds), Discrimina-tionandPrivacyintheInformationSociety:DataMiningandProfilingin LargeDatabases(Springer2013),p.139– 140.;EmreBayamlioglu, ‘ContestingAutomatedDecisions’[2018]EuropeanData Protec-tionLawReview(EDPL)433,p.435.M.H.C.Rhoen,BigData,BigRisks, BigPowerShifts:EvaluatingtheGeneralDataProtectionRegulationasan InstrumentofRiskControlandPowerRedistributionintheContextofBig Data(Ridderprint2019),p.11– 13.MireilleHildebrandt,‘Profiling: FromDatatoKnowledge:TheChallengesofaCrucialTechnology’ (2006)30DatenschutzundDatensicherheit-DuD548,p.551;via ClaudeCastelluccia,‘BehaviouralTrackingontheInternet:A Tech-nicalPerspective’inSergeGutwirthandothers(eds),EuropeanData Protection:InGoodHealth?(Springer2012),p.22.

forauniquesourceofsubstantialinformationasymmetries, whichinturnputsupanimmensewalltoensuringeffective transparency.

Specifically,thisarticleaimstoanswerthefollowing ques-tions:Howdoinformationasymmetriesbetweenconsumers andDDCsarise;towhatextentistheGeneralDataProtection Regulation(GDPR)oftheEuropeanUnion(EU)abletomitigate thisdiscrepancyonthedata-drivenmarket;howare informa-tionasymmetrieslinkedtolackingtransparency;andtowhat extentwouldensuringeffectivetransparencyevenbe possi-bleinlightoftheinformationasymmetries?Thetiesbetween informationasymmetryand transparencyareespecially vi-talelementsofthisresearch,sinceeffectivetransparencyis aprerequisiteforcitizenstoexercisetheirrightsunderthe GDPR.Lackingtransparencybecauseofinformation asymme-trycouldresultinconsumersbeingunawarethattheirrights arebeingviolatedinthefirstplace,orwhomtoaddresstheir concernstoeveniftheydorealize.

Toexplainthisinmoredetailthisarticlewillcommencein Section2withadescriptionofwhattheinformation asym-metriesbetweenDDCs and consumersare,as wellas how theyariseoverthecourseofprovidingaservice.Thiswillbe followedinSection3withanexplanationofhowtheGDPR addresses theseinformationasymmetries and to what ex-tentitsucceedsinclosingthegapbetweenthecitizen and DDCs.Havingdiscussedtheexistenceofandresponseto in-formationasymmetries onthe data-driven market,Section 4willthenaddressthemainargumentofthisarticle.Namely, thatinformationasymmetryandtransparencyareintegrally connected,andthatapushforgreatertransparencyinitself willnoteffectivelymitigatetheinformationasymmetriesor strengthenthedataprotectionofcitizensonthedata-driven market.4 _To_do_so, _this_section _will_explain_the fundamen-tal differences betweenDDCs and conventional companies intermsofdatacollectionandprofiling.Furthermore,itwill examinetheongoingdevelopmentofexplainablealgorithms andwhethertheycanaiditmitigatinginformation asymme-tries.Finally,thisSection willdelveintotheclose interrela-tion betweeninformationasymmetry,lacking transparency andpotentialbiasinalgorithmicprofilingactivities,focusing onhowthesefactorsexacerbateoneanother.

Thus,thisarticleaimstoprovideathoroughoverviewofa specificproblemindataprotectionlaw,namelytheeffectsof informationasymmetriesonthedata-drivenmarket.Itdoes sobyfocusingontheGDPR;examiningwhethertheGDPRin itselfhasthepotentialtomitigatethisproblemthrough stim-ulatingtransparency orprovidingdatasubjectrights. Obvi-ouslythereareotherperspectivesfromwhichtoexaminethis issueaswell:notablyEUcompetitionlawandconsumer pro-tectionlaw,orindeedacombinationofvariousfieldsoflaw. Robustlong-termsolutionstotheproblemsinherentin far-reachinginformationasymmetriesanddominantdata-driven companiesareexpectedtobevaried,complex,andtake ac-countof many relevant areas oflaw.They are the subject

4 _For_the_purposes_of_this_article_the_term_{‘citizen’}_refers_to

cit-izensoftheEuropeanUnion,astheyaretheonescoveredbythe GDPR.Theyarealsoreferredtoastheconsumersofonline ser-vices,usersofonlineplatforms,orasdatasubjects.

(4)

offurtherresearchandassucharenotdealtwithindetail here.

2. How

and

why

information

asymmetries

arise

In order to understand how information asymmetries be-tweenconsumersandDDCsarise,itmustfirstbeunderstood howDDCsearntheirrevenue.Whilethedata-drivenmarket isoftenpopularlycharacterized as“sellingpersonaldata”,5 this isnotalwaysaccurate.Nevertheless,itistruethatthe monetization ofpersonaldataisthe primary sourceof in-comeforprominentDDCssuchasGoogleandFacebook.This isachievedbywayofadvertising,specificallytargeted adver-tising.6 _For _instance,_Google_has_acquired _its _own advertis-ingnetworkinDoubleClick,whichhastiestothemajorityof themostvisitedwebsitesintheworld.7_Facebook,_meanwhile, servesadsonitssocialmediaplatformandonInstagrambut focusesspecificallyonmobileadvertising.8

Targetedadvertising,otherwiseknownasbehavioral tar-geting,isamethodwherebyDDCsanalyzepersonaldatain or-dertodeterminetheinterestsofanindividualconsumerand showthemadvertisementswhichcorrespondtothose inter-ests.9_For_example:_if_a_user_visits_a_website_related_to_movies andtelevisionshowstheDDCwilltakenoteofthisinterest.It cansubsequentlyusethistodisplaymoreadvertisementsfor thelatestblockbusters.Thismethodofadvertisingisefficient becausetargetedadsleadtogreaterprofitabilitythan general-izedads:companieswillsimplywastefewerresources show-ing adstoconsumerswhowillneverbeinterestedintheir product.10_In_essence,_DDCs_provide_a_service_to_advertisers. Aservicetoshowtheiradstothoseconsumersmostlikelyto

5_For _example: _Hamish _McRae, _‘Companies _Have _Been

Sell-ing Our Data in Exchange for “Free” Products and Services for a Long Time – Facebook’s Not so Different’ (The Indepen-dent, 7 April 2018) <https://www.independent.co.uk/voices/ facebook-data-scandal-free-products-sheryl-sandberg-a8294006. html>accessed13February2019.

6_In _2016, _Facebook _earned _$26 _billion _of _its _$27

bil-lion total revenue with advertising.; ‘Facebook Reports Fourth Quarter and Full Year 2016 Results’ <https: //investor.fb.com/investor-news/press-release-details/2017/ facebook-Reports-Fourth-Quarter-and-Full-Year-2016-Results/ default.aspx> accessed 29 June 2017.; Google over that same year earned $79 billion of its total $89billion through adver-tising. ‘Alphabet Annual Report’ <https://abc.xyz/investor/pdf/ 2016_google_annual_report.pdf>accessed6February2017.p.22.

7_‘Onderzoek _CBP _Naar _Het _Combineren _van

Persoons-gegevens Door Google’ <https://autoriteitpersoonsgegevens. nl/sites/default/files/downloads/mijn_privacy/rap_

2013-google-privacybeleid.pdf>accessed12April2017,p.12.

8_‘Mobile _Advertising _Drives _Strong _Facebook _Quarter’ ₍_USA

TODAY) <https://www.usatoday.com/story/tech/news/2017/02/ 01/facebook-earnings-fourth-quarter-2016-beat/97340988/> accessed29June2017.

9_Lillian_Wallace,_Hidden_Hazards_of_Online_Advertising_:_An

Investi-gationofConsumerSecurityandDataPrivacyProtection(NovaScience Publishers2014),p.14,22– 23.

10_Ganesh_Iyer, _David_Soberman_and_J_Miguel_Villas-Boas,_‘The

TargetingofAdvertising’(2005)24MarketingScience461,p.473.

beinterestedinthem.11_Put_differently,_DDCs_rent_out adver-tisingspace,aswellastheattentionofInternetusers,tothe advertisers.12

SincethemainsourceofrevenueforDDCs,targeted adver-tising,isbasedpredominantlyonthecollectionandanalysis ofpersonaldata,informationasymmetriescanquickly mate-rialize.Theinformationasymmetriesthatarisefromthiscan bedividedintotwocategories:thosewhich arisefrom per-sonaldatacollection,and those whicharise from personal dataanalysis.

2.1. Informationasymmetriesfrompersonaldata collection

Informationasymmetriesstarttoarisefromthemomentthe actualcollectionofpersonaldatatakesplace.Inparticular, DDCsamasspersonaldatathroughmethodsandin quanti-tiesthattheconsumercannotoverseeorcontrol.Therearea numberofwaysinwhichthisoccurs.

Firstly,DDCsdonotonlycollectdataactivelyand know-inglyprovidedbytheuser.Theyalsoamassdata“observed” from the consumer’s usage of the social media platform, searchengineorotheronlineservice whichtheyprovide.13 DDCscollectandstoredatapointsbasedoneveryactionthe usertakesontheplatformorwhileusingtheservice.For ex-ample,commentingonaphotoofkittensissimultaneously theordinaryuse-caseofasocialmediaplatformaswellasa datapointfortheserviceprovider.Bysignalingtohisfriends thathelikescats,theuserisunconsciouslydoingthesame fortheDDCinquestion.14_In_the_case_of_search_engines_the processofdatacollectionisevenmorevast:alloftheusers’ searchqueries canbecollected,combined,storedina per-sonalprofile,andsubsequentlyusedfortargeting.15

Thereareevenscenariosinwhichusersprovide informa-tiontocertainDDCs merelybycheckingintotheiraccount, suchasthecollectionofIP-addressesorgeolocationdata.16_If geolocationtrackinghasnotbeendisabled,oriftheuserdoes notrealizethatheruploadedphotosandvideoscontain ge-olocationdata,aDDCcancollectinformationonwherea spe-cificaccountiscurrentlybeingaccessedfrom.17_If_the_service

11_This_is_known_as_operating_on_a_dual-sided_market._Online

ser-vicessuchassocialmediaplatformssimultaneouslyoffer differ-entservicestotwogroupsofmarketparticipants:afreeplatform toconsumers,andanadvertisingservicetoadvertisers.

12_Frederik_Zuiderveen_Borgesius,_Improving_Privacy_Protection_in_the

AreaofBehaviouralTargeting(UvA-DARE(DigitalAcademic Reposi-tory)2014),p.71.

13_{‘Guidelines} _on _the _Right _to _Data _{Portability’} _<_http:

//ec.europa.eu/information_society/newsroom/image/document/ 2016-51/wp242_en_40852.pdf>accessed17February2017,p.8– 9.

14_Arnold_Roosendaal, _‘We_Are _All _Connected_to _{Facebook...by}

Facebook!’inSergeGutwirthandothers(eds),EuropeanData Pro-tection:InGoodHealth?(Springer2012),p.4– 5.

15_Frederik_Zuiderveen_Borgesius_(n_12),_p.₅₅_{– 56.}

16_Bo _Liu _and _others, _Location _Privacy _in _Mobile _Applications

(Springer Singapore 2018) <http://link.springer.com/10.1007/ 978-981-13-1705-7>accessed13November2019,p.34– 35.

17_Sangmee_Lee,_Ki_Joon_Kim_and_S_Shyam_Sundar,_{‘Customization}

inLocation-BasedAdvertising:EffectsofTailoringSource, Loca-tionalCongruity,andProductInvolvementonAdAttitudes’(2015)

(5)

isbeingusedonasmartphonethiscould,intheextreme, al-lowtheserviceprovidertocomposeamapoftheuser’sdaily routine.18

Inaddition toprovidedpersonaldataand observed per-sonaldata,DDCscanbolsterapersonaldatasetthroughother means.Facebookisabletocross-referenceinformation pro-videdbyauser’sfriendsandincludeitinthedataset,19_and itcancollectpersonaldataonthird-partywebsitesthrough itswidespreadLikebutton.20_This_practice_of_combining per-sonal datafrom across differentFacebook services, includ-ing subsidiaries suchas the imagehosting platform Insta-gramandtheVirtualRealityplatformOculus,wasthesubject ofthemuch-discussedBundeskartellamtcaseagainst Face-book.21_The_{Bundeskartellamt}_held_that_Facebook_had_not ob-tainedvalidconsentforthesedatacollectionpractices,asit hadmadetheuseofthemainFacebooksocialmediaplatform conditionalonconsentingtothefullrangeofsubsidiarydata collectionpractices.22

Furthermore,in2019theUnitedStatesFederalTrade Com-mission(FTC)broughtanactionagainstFacebook.Init,the FTCallegedthatFacebookallowedthirdpartydevelopersto accessnotonlythepersonaldataofuserswhohadconsented tohavingtheirdatacollected,butalsotothedataofallof thoseusers’Facebookfriends.23_This_included_the_collection ofinterestdata,videoactivity,andevenwebsiteURLhistory data,24_all_without_the_consent_of_the_affected_friends.25_While usersweretheoreticallyabletopreventtheirfriendsfrom con-sentingontheirbehalf,fewFacebookuserswereawarethis practiceevenexisted.Fewerstillwereabletofindthe, unhelp-fullylabeled,applicablesetting.26_In_short,_there_are_worrying examplesofDDCscollectinglargequantitiesofpersonaldata withouttheknowledgeorconsentofthedatasubject.

Theaboveare allexamplesofdatacollectionby compa-nieswhichprovideaservicedirectlytotheconsumer.

How-51ComputersinHumanBehavior336.;ClaudeCastelluccia(n4), p.26.

18_Claude_Castelluccia_(n_3),_p._26.;_Joseph_Turow,_The_Daily_You:

HowtheNewAdvertisingIndustryIsDefiningYourIdentityandYour Worth(YaleUniversityPress2011),p.150– 151.Liuandothers(n 16),p.36.

19_‘Onderzoek _Naar _Het _Verwerken _van _{Persoonsgegevens}

van Betrokkenen in Nederland Door Het Facebook-Concern’ <https://autoriteitersoonsgegevens.nl/sites/default/files/atoms/ files/onderzoek_facebook.pdf>,p.22.

20_Arnold_Roosendaal_(n_14),_p.₄_{– 5.}

21_{Bundeskartellamt,}_6th_Decision_Division,_{‘Administrative}

Pro-ceedingsDecisionunderSection32(1)GermanCompetitionAct (GWB), FacebookInc.i.a.-The UseofAbusiveBusiness Terms PursuanttoSection19(1)GWB’.‘BundeskartellamtProhibits Face-bookfromCombining UserDatafromDifferent Sources: Back-groundInformationontheBundeskartellamt’sFacebook Proceed-ing’<https://www.bundeskartellamt.de/SharedDocs/Publikation/ EN/Pressemitteilungen/2019/07_02_2019_Facebook_FAQs.pdf? __blob=publicationFile&v=6>accessed13February2019.

22_{Bundeskartellamt,}_6th_Decision_Division_(n_21),_paras._522,_564,

601– 603.

23_United_States_of_America_v_Facebook,_Inc_[2019]_United_States

Dis-trictCourt,DistrictofColumbiaCaseNo.19-cv-2184,Document 1.

24_ibid.,_para._23. 25_ibid.,_para._22.

26_ibid.,_paras._26,₄₀_{– 42,}₅₁_{– 58.}

ever,notallDDCsareserviceproviderstoEuropeancitizens: somedonotrequireanyopeninteractionwiththeconsumer, yet are still able to collect a wealth of personal data. Ad-vertisingnetworksarethemostprominentexampleofthis phenomenon.27_Ad_networks_are_DDCs_which_offer advertise-mentstotheInternetuseronbehalfofthehostwebsiteshe visits.Whenauservisitsawebsitethathasoutsourcedits advertisementstoanadnetwork,herbrowserreceivesthe in-structiontocontactthatadnetwork.28_Along_with_the adver-tisementtheadnetworkwillalsosendacookietobeplacedon theuser’scomputer.29_The_ad_network_is_then_able_to_collect theuser’spersonaldataacrosseverywebsiteonwhichit deliv-ersitsadsbyusingitsowncookietoidentifytheuser.30_In par-ticular,theadnetworkcanreadandstorethewebaddresses (URLs)fromwhichtheuser’sbrowserrequestsitsads.31_Over timetheadnetworkwillusethisinformationtocreatea be-havioralprofile.Asauservisitsmoredifferentwebsites,enters newsearchqueries,oroffersupdatapointsinotherways,her profilebecomesmoredetailed:shemaybecategorizedbyage, location,incomelevel,andaplethoraofotherfactors.32

Whencomparedtotheothermoreovertformsofdata col-lection,consumersareunlikelytobeawarethattheir infor-mationisbeingcollectedbythewebsitestheyvisit,muchless thattheseadnetworksalsodoso.33_{Nevertheless,}_ad_networks areubiquitousontheInternet:evenin2013Google’s adver-tisingnetworkwasalreadyoperatingon70% ofwebsites.34 WhileGoogle’sadvertising networkisthelargest andmost recognized,adnetworksareinfactrunbyamassofDDCs whichareunfamiliartomostconsumers.35_They_deliver_their

27_Claude _Castelluccia _(n _3). _p. _26; _Federal _Trade

Commis-sion,‘Protecting ConsumerPrivacy inanEra ofRapid Change’ <https://www.ftc.gov/sites/default/files/documents/reports/ federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf> accessed23August2018,p.68.

28_Lillian_Wallace_(n_9),_p._15.

29_This_is_known_as_a_{“third-party}_{cookie” since}_it_is_embedded

inthehostwebsitebutbelongstoadifferentcompanyaltogether. Contrastthiswithfirst-partycookies,whichareusedbythe web-siteoperatortoensurethatthesiteworkssmoothly,remembers users’preferences,andallowsfortheuseofthe“cart” functional-ityofwebshops.

30_Frederik_Zuiderveen_Borgesius_(n_12),_p._40. 31_ibid.

32_Ibid._p.₅₆_{– 60.;}_J._Gerards_and_R._Nehmelman,_Algoritmes_En

Grondrechten(BoomJuridisch2018).p.20– 22.

33_FTC _Staff _Report, _{‘Self-Regulatory} _Principles _For _Online

Be-havioral Advertising’ <https://www.ftc.gov/sites/default/files/ documents/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising/

p085400behavadreport.pdf> accessed 29 March 2019. p. 26 – 27;viaJosephTurow(n18),p.175.

34_Steven _Englehardt _and _Arvind _Narayanan, _‘Online

Track-ing: A 1-Million-Site Measurement and Analysis’ <http: //randomwalker.info/publications/OpenWPM_1_million_site_ tracking_measurement.pdf>accessed29May2017,p.8.

35_Jeff_Chester,_‘Cookie_Wars:_How_New_Data_Profiling_and

Target-ingTechniquesThreatenCitizensandConsumersinthe“BigData” Era’inSergeGutwirthandothers(eds),EuropeanDataProtection:In GoodHealth?(Springer2012),p.60– 63.;MauritsMartijnand Dim-itriTokmetzis,JeHebtWélIetsTeVerbergen:OverHetLevensbelang vanPrivacy(DeCorrespondent2018).p.188.

(6)

cookies through virtuallyinvisible means,suchas asingle pixelonthehostwebsite.36

Additionally, ad networksalsoenterinto contracts with one another on a vast scale, distributing personal data amongstthemselvesinordertobringnewindividual users intotheirpersonaldatanetworkorimprovethedatasetsthey alreadyhaveavailable.37_Research_by_{Junqué de}_Fortuny_et_al. suggeststhat,intermsofaccuracyandpredictivemodeling,it isindeedworthwhileforsmallerDDCstobroadenanddeepen theirdatasetsbypoolingtheirdata.38 _Companies_have_also emergedtooffercomplementaryservices,suchasmatching differentcompanies’cookiestothesameuser,additionaldata analytics,ordatabrokering.39

Takentogether,allofthesecompaniesandnetworksare engagedinacomplicatedtangleofcontracts,subcontracts, andpartneringnetworks.40_Van_Eijk_charted_all_of_these net-works andtheirinterconnections,usingDenmarkasacase study,andfoundhundredsofdifferentcompanies contract-ing amongsteachother.41 _Similarly,_one_estimate_held_that theaverageDutchcitizenisalreadyincludedinhundredsof differentdatabasesacrossmanydifferentactors.42_Due_to_the complexityandfragmentationofthedata-drivenmarket,the flowsofpersonaldataarenearlyimpossiblefortheaverage citizentooversee.Aconsumerthuscannotrealistically super-viseormakedecisionsastowhichcompanieshavecollected whattypeofinformationonhim,howmuch,andwhatthey havelearnedfromanalyzingit.Intheforeseeablefutureeven moredataflowsareexpectedtomaterializefromevenmore companies,asanincreasingnumberandrangeofvaried de-vicesbecomeconnectedtotheInternet.Itwouldgobeyond thescopeofthisarticletoexaminetheseInternetofThings dataflowsindetail,butsufficeittosaythataddingthoseto thevastdatacollectionwhichalreadyexistswillincreasethe levelofcomplexityfurtherstill.

Evenwhenaconsumertakesactivestepstopreventdata collectionbythirdparties,suchasbyinstallingbrowser ex-tensionswhichblockcookies,itisnotguaranteedthathis per-sonaldatawillnotbecollected.Othermeanstoidentify indi-vidualusersalsoexist:devicefingerprintingisonesuch tech-nique.Inthisprocessacomputerisrecognizedbythe combi-nationofitsbrowsersettings,operatingsystem,installed add-ons,andotherfeatures.Takentogether,theseformapattern thatisalmostcertainlyuniquetoanindividual.43_Google_itself

36_Lillian_Wallace_(n_9),_p._14.;_Joseph_Turow_(n_18),_p.₆₀_{– 61.} 37_Robbert_J._van_Eijk,_Web_Privacy_Measurement_in_Real-Time

Bid-dingSystemsAGraph-BasedApproachtoRTBSystemClassification (Ip-skampPrinting2019),p.152.

38_Enric _{Junqué de}_Fortuny,_David_Martens _and_Foster_Provost,

‘PredictiveModelingWithBigData:IsBiggerReallyBetter?’(2013) 1BigData215,p.223.

40_Robbert_J._van_Eijk_(n_37),_p._152,₂₆₆_{– 273.} 41_ibid.,_p.₂₆₆_{– 268.}

42_J._Gerards_and_R._Nehmelman_(n_32),_p._124.

43_Bernard_Marr,_‘How_Businesses_Can_Use_Device_{Fingerprinting}

ToIdentifyAndTrackCustomers’ (Forbes)<https://www.forbes. com/sites/bernardmarr/2017/06/23/how-businesses- use-controversial-device-fingerprinting-to-identify-and- track-customers/> accessed 29 March 2019.; Claude Castelluccia (n 3),p.25.;FrederikZuiderveenBorgesius(n12),p.48– 49.

wasfinedbytheFTCforusingaworkaroundwhichitusedto continueplacingcookiesbycircumventingbrowsersettings designedtopreventitfromdoingso.44

Ultimately,atafundamentallevelconsumerslackan in-sightintohowDDCscollecttheirpersonaldataandhow com-prehensivethis collectioncanbe.Informationasymmetries betweenconsumersandcompaniesarisebothintermsofthe volumeandthemeansofdatacollection:muchmoredatais beingamassedthantheconsumercanreasonablyoversee,by anexorbitantamountofinterconnectedparties,througha va-rietyofmeanswhicharefarfromself-evident.

2.2. InformationasymmetriesfrompersonalData Analysis

Inadditiontothemanywaysinwhichpersonaldatais col-lectedfromtheuser,DDCsalsohaveothermeansofamassing information.Besidesdatathatwasactivelysharedbythe con-sumerordataobtainedthroughobservinghisactions,there exists“inferred” data:personaldata acquiredthrough data analysis.45_Data_analysis,_also_known_as_data_mining,_is par-ticularlysignificantintermsofinformationasymmetries be-causeitcanbeusedtogatherpersonaldatawithouttheuser’s continuousinvolvement.

Dataanalysisaimstofindcorrelationsbetweeninterests andattributes,andestablishespredictiveindicatorsrelatedto theuserinordertoachievethisaim.Theprecise function-ingofdataminingisintricateand employsmany different methodsofanalysis,suchasclusteringdataintogroupsbased onsimilarity,orclassifyingnewdatapointsintopredefined categories.46_In_essence,_however,_all_data_analysis_works_by extrapolatingtheinformationwhichtheDDChaspreviously collectedonthetotalityofitsusers.Fundamentally,the algo-rithmstudiesgroupdynamics:ifmanyusersbornbefore1985 haveaknowninterestinvisitingmuseumsandsubsequently clickonURLsrelatedtoclassicalmusic,thisrevealsa num-berofdatapoints.47_There_is_an_indication_that_interests_in museumsandclassicalmusicarerelatedandusersoverthe ageofthirty-fivearemorelikelytobeinterestedinthose pas-times.OnceanewuserentersintotheDDC’spersonaldata networkand exhibitsoneoftheseattributes,thealgorithm willusethisandotherfactorstodeterminethelikelihoodthat shewillalsoexhibittheotherassociatedattributes.48_Group informationisthususedtodeterminethatapersonwith cer-tainattributesislikelytoalsohaveotherspecificattributeson thebasisthatmanyotherusersalsosharethiscombinationof

45_{‘Guidelines}_on_the_Right_to_Data_{Portability’}_(n_13),_p._8. 46_Toon_Calders_and_Bart_Custers,_‘What_Is_Data_Mining_and_How

DoesItWork?’inBartCustersandothers(eds),Discriminationand PrivacyintheInformationSociety:DataMiningandProfilinginLarge Databases(Springer2013),p.31– 38.

47_Frederik_Zuiderveen_Borgesius_(n_12),_p.₆₅_{– 70.}

48_ibid.,_p.₆₈_{– 70.}_Note_that_data_analysis_always_results_in_a

cer-tainpercentagechancethatauserwillhaveacertaintrait.For ex-ample,someoneinterestedinmuseumscouldbe85%likelytoalso enjoyclassicalmusic.Whileitisvirtuallyimpossibletoachieve completecertaintysimplybecauseeveryindividualisunique, pro-ficientalgorithmscancomesufficientlyclosetomaketargeting advertisementsbasedonthefindingsviable.

(7)

traits.49_The_data_analysis_that_DDCs_perform_is_based_around millionsofsuchcorrelations.Asaresult,DDCsobtainnew per-sonaldataaboutindividualsontheirownaccord:aconsumer whodirectlyprovidesasocialmediaplatformwithfive differ-entdatapointsaboutherselfmayinfactbeprovidingmany moreindirectly,includingpotentiallysensitiveones.50_An es-timatebytheEuropeanDataProtectionSupervisorheldthat majorDDCsareabletoprofiletheirusersbasedonasmany as52.000differentattributes.51

Thealgorithmswhichperformdataanalysisareexpected toimprovefurtherinthefuture,makingtheirinferencesmore accurateaswellasmoreexpansive:theanalysiswillbeboth broaderanddeeper.Forexample,itisnotagreatleapoflogic todeterminethatcomputerenthusiastsareoftenalso inter-estedinvideogamesandviceversa;thiscanalreadybedone presently.However,itmayalsobethecasethatcomputer en-thusiaststendtopreferspecificclothingstyles,music,food anddrink,ornewssources,eventhoughsuchbehaviorhas notbeenobservedthusfar.Asalgorithmsimprove,such rela-tionsaswellasevenmoredistantonescouldbeestablished withincreasingaccuracyandsubsequentlyusedfor advertis-ingpurposes.Scalingupthedatacollectiontoserveasnew inputswillaidthisdevelopmentevenfurther.52

Technologicalmeanshavealsomadeitincreasingly feasi-bletofurtheranalyzedatasubjectspsychologically;toknow the character of the user indetail.53 _There _is_a _significant amountofresearchregardinghowmanydifferentkindsof in-formationcanbeusedtoinferpsychologicaltraitsof individ-uals.Forexample,researchbyReeseandDanforthfoundthat theimagesauserpostsonInstagramcanrevealthelikelihood thattheysufferfromdepression.54_Their_study_suggests_that depressedpersonsaremoreinclinedtopostpicturesin black-and-whiteandsharefewergroupphotos.55_Similarly,_the lan-guageapersonemploysintheirFacebook postscanreveal their mentalwellbeing through a broadprogramof “senti-mentanalysis”.56_These_results_do_not_have_to_be_based_on

49_Toon_Calders_and_Bart_Custers_(n_46),_p._31.

50_Nancy_J_King_and_Jay_Forder,_‘Data_Analytics_and_Consumer

Pro-filing:FindingAppropriatePrivacyPrinciplesforDiscoveredData’ (2016)32ComputerLaw&SecurityReview696,p.699– 700.

51_Giovanni _Buttarelli, _‘Opinion _3/2018 _on _Online

Manipula-tion and PersonalData’<https://edps.europa.eu/sites/edp/files/ publication/18-03-19_online_manipulation_en.pdf> accessed 7 March2019,p.8.

52_{Junqué de}_Fortuny,_Martens_and_Provost_(n_38),_p._224. 53_Sandra_C_Matz_and_Oded_Netzer,_‘Using_Big_Data_as_a_Window

intoConsumers’Psychology’(2017)18CurrentOpinionin Behav-ioralSciences7,p.8.

54_Andrew _G _Reece _and _Christopher _M _Danforth,

‘Insta-gram Photos Reveal Predictive Markers of Depression’ [2016] arXiv:1608.03282 [physics] <http://arxiv.org/abs/1608.03282> accessed23May2017.

55_ibid._Note_that_algorithms_can_only_determine_correlation,_not

causation.Itisunknownifanindividualpostsfewergroup pho-tosbecauseheisdepressed,orifheisdepressedbecausehehas fewfriendswithwhomtotakegroupphotos.Algorithmsmerely recognizearelationbetweentwodatapoints.

56_Johannes _C_Eichstaedt_and _others,_‘Facebook_Language

Pre-dictsDepressioninMedicalRecords’(2018)115Proceedingsofthe NationalAcademyofSciences11203;ZeynepTufekci,‘Opinion| ThinkYou’reDiscreetOnline?ThinkAgain’TheNewYorkTimes

overtdatapointsthatdirectlyrevealsensitivedetails: suffi-cientlyadvancedalgorithmscanmakesuchdeductionseven basedonseeminglyinnocentdata.Onestudy,inwhich Face-bookLikeswereusedtoaccuratelypredictindividuals’ sex-ualorientation,foundthat,forunclearreasons,withinthe re-viewedstudygroupalikingofBritneySpearswasmoderately indicativeofhomosexuality.57_A_later_study_found_that_under somecircumstancespersonalitydeterminationsmadeby al-gorithmscanbemoreaccuratethanthosemadebyhuman beings.58

Suchinformationaboutanindividual’sinnerworldcanbe highlyvaluableforthepurposesofadvertising.Knowingan individual’spersonalitytraitsmeansthatacompanycan cre-ateandshowadsdesignedtoappealtotheirsetofvalues.59 Ahighlyintrovertedpersonmaynotbeconvincedbya smart-phoneadwhichemphasizeshowpopulartheproductalready is,buthemaybereceptivetoanademphasizingthe smart-phone’soptionsforpersonalization.Researchhasshownthat consumersrespondpositivelytoproducts,brandsand mar-ketingmessagesthat representthe same valueshe orshe holds.60 _{Additionally,}_by_tracking_and_analyzing_how_a_user browsesthroughanonlinestorefront,algorithmscanlearn howshebehavesduringherpersonaldecision-making pro-cessandthereforehowbesttoappealtoherinthatcritical moment.DDCs thereforehavean incentivetobolster their datasetsthrougheverdeeperlevelsofanalysis.

Alloftheaboveservestoillustratethattheinformation asymmetrieswhicharisefromthecollectionofpersonaldata byDDCsaremagnifiedgreatlythroughtheuseofdata min-ing.Havingpreviouslycollectedasetofpersonaldatafrom theconsumer,dataanalysisisusedtoexpandandenrichthe datasetwithoutrequiringfurtherinvolvementorknowledge ofthedatasubject.Thepersonalinformationobtainedinthis mannercanbehighlysensitiveanddetailed.Althoughitis currentlyuncleartowhatextentpracticessuchas psycholog-icalprofilingarebeingusedfortargetedadvertisingpurposes, thefactremainsthatsuchinformationisreadilyavailableto anumberofmajorDDCs.Indeed,theveryfactthatitis un-knownhowextensivelyandtowhatlevelofdetailusersare beingprofiledisindicativeofthe informationasymmetries onthedata-drivenmarket.Ultimately,DDCscanattainever morepersonaldatathroughdataanalysiswhilecostumersare (26 April 2019) <https://www.nytimes.com/2019/04/21/opinion/ computational-inference.html> accessed 8 May 2019.; Darren Davidson, ‘FacebookTargets “insecure” YoungPeople’ The Aus-tralian(1May2017).

57_M_Kosinski,_D_Stillwell_and_T_Graepel,_‘Private_Traits_and

At-tributesArePredictablefromDigitalRecordsofHumanBehavior’ (2013)110ProceedingsoftheNationalAcademyofSciences5802, p.5804 – 5805.; For one possibleexplanationon howsuch an outcome might occur even ifthe two data points seem com-pletelyunrelated,see:Jennifer Golbeck,YourSocialMedia‘Likes’ Expose More than You Think (2013) <https://www.ted.com/talks/ jennifer_golbeck_the_curly_fry_conundrum_why_social_media_ likes_say_more_than_you_might_think>accessed14March2019.

58_Wu_Youyou,_Michal_Kosinski_and_David_Stillwell,

‘Computer-BasedPersonalityJudgmentsAreMoreAccuratethanThoseMade byHumans’(2015)112ProceedingsoftheNationalAcademyof Sciences1036.

59_Maurits_Martijn_and_Dimitri_Tokmetzis_(n_35),_p.₁₃₄_{– 135.} 60_Matz_and_Netzer_(n_53),_p._9.

(8)

unabletoassessifortowhatextentthisishappening,what newdatapointshavebeenfound,howsuchaconclusionwas reached,andwhateffectsitwillhaveontheirInternet expe-rienceingeneralortheadstheyarebeingservedspecifically.

3. GDPR

approach

to

information

asymmetries

In the foregoingSection it was discussed how information asymmetriesbetweenconsumersandDDCsform.Withthe GeneralDataProtectionRegulation,theEUlegislatorhas en-deavoredto protectthe personal datarights ofits citizens asoneofitsprimarygoals.61_The_question_then_presents it-selfwhethertheGDPRsucceedsinmitigatingtheinformation asymmetriesonthedata-drivenmarket.Doesitinfactensure thatconsumerscanmakeinformeddecisionsabouttheir on-linedata?ThisSectionwillfocusonafewfacetsoftheGDPR indetail:theinformationrightsofdatasubjects,the restric-tionsonprofiling,andtherequirementsofconsent.

3.1. Informationrightsandobligations

ChapterIII,subsection2oftheGDPRisentirelydevotedtothe informationthatshouldbeprovidedtodatasubjects62_as_well astherightsthathavebeengrantedtothemtoaccessthe per-sonaldatabeingprocessed.

Firstandforemost,anydatacontroller63_must_provide_the datasubject withasignificant amountofspecific informa-tion when processing their personal data. Arts. 13 and 14 GDPR mandate that informationrelatingtothe processor’s ownidentity,thepurposesandlegalbasesoftheprocessing, anythird-partyrecipientsofthedata,thedatasubject’sGDPR rights,andagreatdealmoremustbeprovided.64_The_same obligationsalsoapplyifaDDCplacesacookieonthedata sub-ject’sdevice.65_If_the_data_processing_activities_also_involve au-tomateddecision-makingorprofiling,theobligationtoinform theconsumerintensifiesfurther.Thedatasubjectsmustbe informedofthefactthatprofilingwillbeusedandtheymust begrantedaninsightintothe“logic” behindtheprofiling.66_To

61_However,_it_is_equally_meant_to_“ensure_the_free_flow_of_personal

databetweenMemberStates”.‘Regulation(EU)2016/679ofthe Eu-ropeanParliamentandoftheCouncilontheProtectionofNatural PersonswithRegardtotheProcessingofPersonalDataandonthe FreeMovementofSuchData’(n2),Preamblepara.3.

62_In_the_terminology_of_the_GDPR,_‘data_subject’_means_“the

iden-tifiedoridentifiablenaturalperson” towhomthepersonaldatain questionrelates.ibid.,art.4(1).Forthepurposesofthisarticledata subjectsareconsumers,namelytheusersofdata-drivenservices.

63_In_the_terminology_of_the_GDPR,_‘data_{controller’}_means_“the

natural or legalperson,publicauthority,agency or otherbody which,aloneorjointlywithothers,determinesthepurposesand meansoftheprocessingofpersonaldata”.ibid.,art.4(7).Forthe purposesofthisarticledatacontrollersaretheDDCs.

64_ibid.,_arts.₁₃_{– 14.}

65_Directive_2002/58/EC_of_the_European _Parliament_and_of_the

Councilof12July2002concerningtheprocessingofpersonaldata andtheprotectionofprivacyintheelectroniccommunications sector(Directiveonprivacyandelectroniccommunications)2002 [OfficialJournalL201,31/07/2002],art.5(f).

66_{‘Regulation}_(EU)_2016/679_of_the_European_Parliament_and_of

theCouncilontheProtectionofNaturalPersonswithRegardto

complementthisobligationtoinform,theEUlegislatoralso introducedarighttoreceiveoraccessthepersonaldata perti-nenttothedatasubject.Pursuanttoart.15GDPRconsumers havetherighttorequestinsightintothedataregardingthem whichthedatacontrollerprocesses.67_In_practice_these provi-sionshavebeenimplementedinavarietyofways:Facebook allowsuserstodownloadanarchivefilecontainingtheir per-sonaldata,68_while_Google_gives_users_the_option_to_view_and edittheirownbehavioralprofile,69_as_well_as_a_full_feed_of_their activitywithGoogleservices.70

However,evenwithalloftheseinformationrightsitwill stillbedifficultfortheconsumertoattainaworking knowl-edgeofthedatabeingprocessed.AswasdiscussedinSection 2,These difficultiesarisefrom thefirstmomentof interac-tion.Of the dozensof companies that are involved in the completewebofthetargetedadvertisingmarketveryfew ac-tivelypresentthemselvestotheconsumer.71_More_commonly the consumer isasked by the hostwebsite for consentto placethird-partycookies,leadingtoasituationinwhichmany third-partycookiescanbeplacedbasedonasinglewebsite visit.72_{Consequently,}_few_consumers_even_realize_that_ad net-workscollectpersonaldata.Fewerstillknowwhichspecific companiesareinvolvedorthecomplexstructureinwhichit takesplace.73_Besides_lacking_the_required_information_on_the front-endthisalsomakesitespeciallyproblematicfordata subjectstoeffectively invoketheir righttoaccess: inorder tofilearequestforaccesstheconsumermustobviouslyfirst knowwhichcompanytoaddress.InthecaseoflargeDDCs suchasFacebookandGooglethisisrelativelyeasytodo,but inthemarketofadvertisingnetworksthisismanifestlymore challenging.

Shouldtheconsumernonethelesssucceedindirectinghis requesttothecorrectdatacontrolleritisfarfromguaranteed thathewillreceivealloftheinformationthatheneedstoform acompleteimageofthedataprocessingthatoccurs.For ex-ample,Googleallowsitsuserstoaccesstheirowninterest pro-file,butresearchhasshownthattheseareoftenincomplete. ResearchbyDattaetal.showedthata(fictional)userwho vis-itedmanywebsitesrelatedtorehabilitationfromaddiction re-ceivedadsforrehabilitationclinicseventhoughrehabilitation

theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2),arts.13(2)f,14(2)f.

67_ibid.,_art._15.

68_Facebook, _‘Your _Facebook _{Information’} _<_https://www.

facebook.com/settings?tab=your_facebook_information> ac-cessed21February2019.(Facebookaccountandlog-inrequired.)

69_Google, _‘Ad _Settings’ _<_{https://adssettings.google.com/}

authenticated> accessed 21 February 2019. (Google account andlog-inrequired.)

70_Google, _‘My _Activity’ _<_{https://myactivity.google.com/?hl=}

en&utm_source=google-account&utm_medium=web> accessed 21February2019.(Googleaccountandlog-inrequired.)

71_{José Estrada-Jiménez and others,}_{‘Online Advertising:}

Analy-sisofPrivacyThreatsandProtectionApproaches’(2017)100 Com-puterCommunications32,p.38.

72_Ibrahim_Altaweel,_Nathan_Good_and_Chris_Jay_Hoofnagle,_‘Web

PrivacyCensus’<https://ssrn.com/abstract=2703814>accessed29 March2019.;viaFrederikZuiderveenBorgesius(n12),p.54.

73_{Estrada-Jiménez} _and _others _(n _71), _p. ₃₉ _{– 40.;} _Frederik

(9)

wasnotdisplayedintheaccessibleprofile.74_There_is_thus rea-sontobelievethatbehavioralprofilesaremuchbroaderand moredetailedthanwhattheconsumerisshownwhenshe employsherrighttoaccess.75_The_same_is_true_for_Facebook: whileitclaimsnottousemedicalinformationforitstargeted advertisinganddoesnotshowthisdatainaccessrequests,an investigationbytheDutchdataprotectionauthorityrevealed atleastoneexampleofawomanwhohadbeensubjectedto suchtargeting.76_This_casts_serious_doubts_on_whether_DDCs areGDPR-compliantinprovidingfullinsightintothedatathey holdontheirusers.Moreover,itisexceedinglydifficultto ver-ifywhetherfullinsighthasactuallybeengranted,sincethere are nopracticalmethodstocheckifall datahasbeen pro-vided.Theonlyoptionwouldbetopainstakinglyexamineall oftheadsbeingservedandcompare themtotheprovided data:atime-consumingandimperfectmethodatbest. Bar-ringinvestigationsbydataprotectionauthorities,consumers themselvescannotknowwhetherornottheyhavereceived alltherelevantdatainaccordancewiththeGDPR.

AlthoughtheGDPRhasarobustframeworkofinformation obligationstobemetbyadatacontroller,italsocontains pro-visionsthatallowadatacontrollertoescapesomeofthese obligations.Themostpressingoftheseisart.11GDPR: “Pro-cessingwhichdoesnotrequireidentification”.77_This_article concernsthepracticeofpseudonymizationaswellasother situationsinwhichitisnolongernecessaryforadata con-trollertobeabletoidentifyadatasubject.78_If_the_data con-trollerhastiedits datarelatingtoacertainindividual toa pseudonyminsuchawaythatitisnolongerableto iden-tifythisperson,itdoes nothavetomaintainadditional in-formationforthesolepurposeofcomplyingwithits informa-tionobligations.79_A_consumer_making_use_of_her_access_rights wouldneedtodemonstratethatthedatainquestionconcerns herinorderforherinformationrightstoberestored.80_In

ef-74_Amit _Datta, _Michael _Carl _Tschantz _and _Anupam _Datta,

‘Automated Experiments on Ad Privacy Settings’ (2015) 2015 Proceedings on Privacy Enhancing Technologies <http://www.degruyter.com/view/j/popets.2015.1.issue-1/ popets-2015-0007/popets-2015-0007.xml> accessed 14 March 2017,p.103– 104.

75_ibid.

76_‘Onderzoek_Naar_Het_Verwerken_van_{Persoonsgegevens}_van

Be-trokkeneninNederlandDoorHetFacebook-Concern’(n19),p.81 – 82.

theCouncilontheProtectionofNaturalPersonswithRegardto theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2),art.11.

78_Runshan_Hu_and_others,_‘Bridging_Policy,_Regulation_and

Prac-tice?ATechno-LegalAnalysisofThreeTypesofDataintheGDPR’ inRonaldLeenes,RosamundeVanBrakelandSergeGutwirth(eds), Dataprotectionandprivacy:theageofintelligentmachines(Hart Pub-lishing2017),p.120– 121.ArnoudEngelfriet,LisetteMeijandPeter Kager,DeAlgemeneVerordeningGegevensbescherming:Artikelsgewijs Commentaar(IusMentis2017),p.60.

79_Arnoud _Engelfriet, _Lisette _Meij _and _Peter _Kager _(n _78), _p.

60; Gabe Maldoff, ‘Top 10 Operational Impacts of the GDPR: Part 8 - Pseudonymization’ < https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/> accessed7August2018.

theCouncilontheProtectionofNaturalPersonswithRegardto

fect,thedatacontrollercanuserobustpseudonymizationin ordertoavoidhavingtoprovideallofthenecessary informa-tionasrequiredbyChapterIII,Section2GDPR.Merely remov-ingalldirectidentifiers,suchastheuser’sname,willnotbe sufficient:theDDCwillalsohavetoensurethatthe combi-nationofallavailabledatapointsdoesnotallowittosingle outthisindividual.81_As_more_data_is_collected_this require-mentwillmakeitincreasinglydifficulttorelyonart.11GDPR. However,forsmalleradvertisingnetworkslowerinthefood chainthismaystillbeavalidoption,makingitdifficultfor datasubjectstoaccesstheirdatawhichhasbeencollectedby thesecompanies.

Furthermore,theabovescenariosareallbasedonthe infor-mationthatmustbeprovidedby,orcanberequestedfrom,a singledatacontroller.Yetitmustberecognizedthatthe data-drivenmarketfortargetedadvertising ischaracterized bya largenumberofcompetingandcooperating DDCs.Asa re-sult,thepersonaldataonanyoneindividualiswidelyspread out.Someinformationmaybeavailabletoseveralcompanies becausetheyall placedacookiethroughthesamewebsite, whereasotherdataisonlystoredbyasingleDDCafteritwas foundthroughanalysis.Inordertogetacompletepictureof one’sonlinedatafootprintthedatasubjectmustsomehow managetoidentify,beinformedby,andinvoketheirrights vis-à-vispotentiallyhundredsofdifferentcompaniesatthesame time.82_In_practice,_this_is_hardly_a_realistic_scenario.83

Morefundamentally,evenifthedatasubjectdoesreceive allofthenecessarydatarequiredbytheGDPRshewillstilllack anessentialpieceofinformation.Namely:howexactlydidher clicksandsearchqueriesleadtotheadsbeingshown?Toa certainextentananswertothisquestionisalreadyrequired bytheGDPR:meaningfulinformationaboutthelogicinvolved intheprocessofprofilingmustbeprovidedtotheconsumer. However,theGPDRisunclearonhowdetailedthislogicmust betocomplywithArts.13(2)fand14(2)f.Afterall,thereisa worldofdifferencebetweenprovidingtheconsumerwiththe completealgorithmsthatcarryouttheprofilingactivities,or attheotherextremetomerelytelltheconsumersuch algo-rithmsexist.AsKamarinouet.alobserve:“doestheterm‘logic’ refertothedatasetusedtotrainthealgorithm,ortothewaythe algorithmitselfworks ingeneral,forexample themathematical/ statisticaltheoriesonwhichthedesignofthealgorithmisbased,or tothewaythelearnedmodelworkedintheparticularinstancewhen processingthedatasubject’spersonaldata?”84

Whiledatasubjectsdohavetherighttoaccessinformation regardingthelogicbehindbehavioraltargeting,itishighly un-likelythatcompleteinformationonthismattercouldpossibly begiventotheconsumerinanunderstandableand mean-ingfulway.AlgorithmsusedbyDDCsfortheirtargeted adver-theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2),art.11(2).;ArnoudEngelfriet,LisetteMeijandPeter Kager(n78),p.60.

81_Runshan_Hu_and_others_(n_78),_p.₁₂₈_{– 129.} 82_Robbert_J._van_Eijk_(n_37),_p.₂₆₆_{– 267.}

83_Maurits_Martijn_and_Dimitri_Tokmetzis_(n_35),_p.₄₃_{– 44.} 84_Dimitra_Kamarinou,_Christopher_Millard_and_Jatinder _Singh,

‘Machine Learning with Personal Data’ in Ronald Leenes, RosamundeVanBrakelandSergeGutwirth(eds),Dataprotection andprivacy:theageofintelligentmachines(HartPublishing2017),p. 107.

(10)

tisingwillcertainlybeincomprehensibletotheaverage con-sumerand eventhemoreexperiencedandtech-savvy con-sumerswouldstillfindthemdifficulttounderstand.85_Indeed, theArticle29WorkingPartyhasclarifiedthatthereisno obli-gationondatacontrollerstoprovide“acomplexexplanation ofthealgorithmsusedordisclosureofthefullalgorithm”.86 Conversely,theWorkingPartyalsostatesthatcomplexityis notinitselfanexcuseforfailingtoprovidemeaningful infor-mation.87

The information asymmetries that arise from profiling thusexposeaninherentdifficultywiththeinformation obli-gationsintheGDPR.TheGDPRappearstoaskforadifficult,if notimpossible,balancebetweentransparencyanddetail.On theonehand,acontrollerisobligedtoprovidetheconsumer withawealthofinformation,especiallyifshemakesuseof herrighttoaccessherpersonaldata.88_On_the_other_hand,_the datacontrollerisalsoobligedtoprovideallofthisinformation inanunderstandableandlegiblemanner.89_However, provid-ingmoreinformationand,inparticular,moredetailed infor-mationwillalsomakeitharderforconsumerstounderstand. Eveniftheinformationisframedinalegibleandsimpleway it willremainvirtuallyimpossible foraconsumertoderive anyactualmeaningfromhavingaccesstoalloftheirGoogle search queries,previously watched Youtube videos,Google Mapslocations,andalloftheotherdatapointswhichGoogle processes.Ineffect,adatacontrollercanoverloadaconsumer withdata,essentiallyreducingtransparencybyincreasing in-formation.Asaresult,thedatasubjectwillstillbeunableto determinewhichactionsorwhichdatapointsledtohim be-ingplacedinacertaincategoryforthepurposesoftargeted advertising.

Ultimately,whiletheGDPRcontainsanumberofmeasures intendedtoensurethattheconsumerisfullyinformed re-gardinganydataprocessingthatmighttakeplacefortargeted advertising purposes,these measuresare difficult to effec-tivelyinvokeinpracticeandwillnotontheirownsolvethe in-formationasymmetriesonthedata-drivenmarket.TheGDPR alsoleavesapointedcatch-22:byrequiringDDCstogivethe consumermoreinformationabouttheprocessingactivitiesit willalsomakeitincreasinglytime-consumingandcomplex forconsumerstoachieveacomprehensiveunderstandingof thedataset.Onbalancetheinformationasymmetriesandthe abilityofconsumerstomakeinformeddecisionswill there-forebroadlyremainthesame.

85_J._Gerards_and_R._Nehmelman_(n_32),_p._49.

86_Article₂₉_Working_Party,_{‘Guidelines}_on_Automated_Individual

Decision-Making and Profiling for the Purposes of Regulation 2016/679’ <https://ec.europa.eu/newsroom/article29/document. cfm?action=display&doc_id=49826>accessed 28 February 2019, p.25.

87_ibid.

theCouncilontheProtectionofNaturalPersonswithRegardto theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2),arts.13– 15.

89_ibid.,_art._12.

3.2. Profilingandautomateddecision-making

AshasbeendiscussedinSection2,theinformation asymme-triesinthedata-drivenmarketprimarilyariseoverthecourse andforthepurposeofbehavioral targeting:thecreationof personalinterestprofiles.Assuch,itisnoteworthythatthe GDPRalsohasanumberofprovisionsspecificallyregulating profiling.

Art.22GDPRestablishestherightnottobesubjectedto de-cisionsbasedsolelyonautomateddecision-making,ifthose decisionsproducelegaleffectsorsimilarlysignificantlyaffect thedatasubject.90_While_this_provision_is_phrased_as_a_right forthedatasubject,itisinterpretedasaprohibitionimposed onthedatacontroller.91_For_the_purposes_of_this_article,_art. 22GDPRcanbesummarizedas:DDCsmaynotmake signifi-cantdecisionsaboutconsumerswithoutsomeformofhuman involvement.

Sinceart.22GDPRisframedasanindividualright,itdoes notmakeanypronouncement onthe profilingofgroups.92 Thispoorly reflectscurrent DDC practice,however, as pro-filingalgorithmsare programmedspecificallytofirstdefine groupsofsimilarpeople,whichareassumedtostaythesame overtime,andsubsequentlyplacenewindividualsintothese groups.93_While_the_decision_to_place_an_individual_in_a_certain groupbasedonheranalyzedbehaviorwouldbecoveredbyart. 22GDPR,theunderlyingdecisionsidentifyingspecificgroups andassigningcharacteristicstothemarenotcaught.Thiswill makeitdifficultfordatasubjectstochallengebase assump-tionsofthedecision-makingprocess.Hasthealgorithm accu-ratelydefinedthegroupsinwhichitiscategorizingindividual users,andaretheattributesithasassignedtoitsgroupsfair? Themorechallengingandfundamentalquestion regard-ingart.22GDPR,however,isexactlywhendecisionsare suffi-cientlysignificanttotriggeritsprotection.Firstandforemost, art.22GDPRcoversthosedecisionswhichproducelegal ef-fectsforthedatasubject,suchaswhenamunicipalitytakes adecisiononwhetherornottograntgovernmentbenefitsto aperson.94_However,_the_more_challenging_and_the_more rel-evantelementisthatdecisionswhichdonotstrictlyhavea legaleffect,butstillsignificantlyaffecttheconsumerina sim-ilarway,arealsocaught.95_An_example_of_this_could_be_the

90_ibid.,_art._22;_H_Kranenborg_and_LFM_Verhey,_De_Algemene

Veror-dening Gegevensbescherming in Europees En Nederlands Perspectief (WoltersKluwer2018),p.220.

91_Denis _Kelleher _and _Karen _Murray, _EU _Data _Protection _Law

(BloomsburyProfessional2018),p.224.;Article29WorkingParty, ‘GuidelinesonAutomatedIndividualDecision-Makingand Profil-ingforthePurposesofRegulation2016/679’(n86),p.19– 20.

92_Dimitra_Kamarinou,_Christopher_Millard_and_Jatinder_Singh_(n

84),p.96– 97.

93_Toon_Calders_and _Indr_˙e_Žliobait_˙e,_‘Why_Unbiased

Computa-tionalProcessesCanLeadtoDiscriminativeDecisionProcedures’ inBartCustersandothers(eds),DiscriminationandPrivacyinthe Information Society: Data Mining and Profiling in Large Databases (Springer2013),p.46.;ToonCaldersandBartCusters(n46),p.31– 38.

94_Article₂₉ _Working_Party,_{‘Guidelines}_on_Automated

Individ-ualDecision-MakingandProfilingforthePurposesofRegulation 2016/679’(n86),p.21.

(11)

decisiononwhetherornottograntinsurancecoveragetoa person.96_It_is_as_of_yet_uncertain_how_broadly_the_term “simi-larlysignificantlyaffect” mustbeinterpreted.97_The_Article₂₉ WorkingPartyitselfhasstruggledwiththis,offeringthe fol-lowingrathercircularexplanationinitsoriginaldraftofthe GuidelinesonAutomatedDecision-making:“Fordata process-ingtosignificantlyaffectsomeonetheeffectsoftheprocessingmust bemorethantrivialandmustbesufficientlygreatorimportanttobe worthyofattention.”98_The_updated_version_of_the_Guidelines re-movesthisphrasingandaddssomeusefulexamples,butstill acknowledgesthatitisdifficulttobepreciseaboutthescope oftheterm“significantlyaffects”.99

This question is particularly relevant for automated decision-making and profiling fortargeted advertising pur-poses.Forexample,thedecisionwhethertograntaloanisa decisioncomparabletodecisionshavingalegaleffect,100_but doesart.22GDPRalsocoveraskingahigherpricefrom cer-tainindividualsascomparedtoothers,orthedecisionnotto showcertainadvertisementsorjobofferstospecificgroups ofpeople?Insurancecompaniescoulddecidenottoadvertise topeoplewhoseinterestprofilesincludemotocrossormixed martialarts.Inthisscenario,theabilityofthoseconsumersto getinsuredhypotheticallyremainsasis,buttheywillnotbe offeredthesamediscounts,effectivelychargingthemahigher price,ortheymay notbealertedtosomeproductsatall.If suchanoutcomeistheresultoftheadvertisingalgorithms, theyhavestillbeensubjectedtoautomateddecision-making whichaffectsthemandtheirabilitytochooseinsurers.The Article29WorkingPartyalsoenvisionsanumberof scenar-iosinwhichtargetedadvertisingmayleadtoasignificant ef-fectonthedatasubject.Factorscouldbetheintrusivenessof theprofilingactivities,thewaysinwhichtheadsare deliv-ered,exploitingknownvulnerabilitiesofaperson,orraising thepricingforcertainindividualstoapointwhereitbecomes prohibitive.101_{Nevertheless,}_the_precise_point_where_typical targetedadvertisingbecomesadecisionbasedsolelyon au-tomatedprofiling,significantlyaffectingthedatasubjectina mannercomparabletoadecisionhavinglegaleffect,remains unclear.

theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2),art.22;KranenborgandVerhey(n90),p.220.

96_Arnoud_Engelfriet,_Lisette_Meij_and_Peter_Kager_(n_78),_p.₁₀₆_–

107.

97_Dimitra_Kamarinou,_Christopher_Millard_and_Jatinder_Singh_(n

84),p.99;Article29WorkingParty,‘GuidelinesonAutomated In-dividualDecision-MakingandProfilingforthePurposesof Regu-lation2016/679’(n86),p.21– 22.

98_Article₂₉_Working_Party,_{‘Guidelines}_on_Automated

Individ-ual Decision-Making and Profiling for the Purposes of Regu-lation2016/679’<https://ec.europa.eu/newsroom/document.cfm? doc_id=47742>accessed18March2019;viaKelleherandMurray (n91),p.225.

99_Article₂₉_Working_Party,_{‘Guidelines}_on_Automated

Individ-ualDecision-MakingandProfilingforthePurposesofRegulation 2016/679’(n86),p.21– 22.

100_ibid.

101_ibid.,_p._22._While_the_Art.₂₉_Working_Party_does_not

explic-itlyacknowledgethis,itcanbearguedthatusingpsychological profilingtechniques,suchasthosementionedinSection2.2,may uncoverpsychologicalvulnerabilitiesofanindividual,whichcan beexploitedthroughadvertisingtechniques.

Whiletheabovemainlyaddressestheuseofpersonal pro-files forthe purposes oftargetedadvertising under art. 22 GPDR,thereremainswithintheGDPRanotherextremely fun-damentalissuewithpersonalprofiles.Namely:their classi-fication.WhiletheGDPRexplicitlyacknowledgesthat behav-ioralprofilesconstitutepersonaldata,102_it_is_not_immediately clearatwhatpointtheywillalsobelongtothespecial cate-goriesofpersonaldataofart.9GDPR.Thisprovisionoffers specialprotectiontodatawhichrevealsrace,ethnicity, reli-gion,sexualorientation,health,and otherequallysensitive typesofdata.103_It_can_be_argued_that_sufficiently_detailed per-sonalprofilesalsoencompassthesetypesofdata.For exam-ple,searchqueriescanrevealanindividual’shealthconcerns orherneedformedication.Inaddition,whilephotographsdo notautomaticallybelongtothespecialcategories,theycan nonethelessqualifyas“biometricdata” iftheyarebeing pro-cessedthroughtechnicalmeansforthe purposesof identi-fication.104 _Facial_recognition_data,_for_instance_for_the pur-posesofrecommendingwhichfriendstotaginapostedgroup photo,couldthereforequalifyasbiometricdata.105_As_such,_it ishighlyprobablethatmanyDDCsalreadyprocessa substan-tialamountofsensitivedataprotectedunderart.9GDPR,and shouldthereforebeconformingtothestrictersetofrulesthe GDPRdemands.

Eveniftheinputdataitselfwouldnotbeprotectedas sensi-tiveinformation,theinferencesdrawnfromitduringthe pro-filingactivitiescanleadtooutputswhichbelongtothespecial categoriesofart.9GDPR.106_Metadata_alone_can_indicate_calls withadoctororpsychologistandanindividual’ssexual orien-tationcouldbededucedfromlocationdataovertime, brows-inghabits,andpotentiallyfrommanymoresources.The Arti-cle29WorkingPartyinitsGuidelinesonAutomated Decision-making cites a study, alsoreferenced in note 57 above,in whichFacebookLikeswereusedtoaccuratelypredictsexual orientation,ethnicity,religion,andpersonalitytraits.107_While humanbeingsmaynotbeabletomaketheseconnectionsat firstglance,ifsufficientlyadvancedalgorithmsusesuchdata asinputstheywillbeabletomakehighlyaccurate determi-nations.

However,theGDPRdoesnotanswerthequestionofwhen abehavioralorinterestprofilebecomesaccurateandspecific

theCouncilontheProtectionofNaturalPersonswithRegardto theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2).Art.4(1).

103_ibid.,_art._9.

104_European _Data _Protection _Board, _{‘Guidelines} _3/2019 _on

Processing of Personal Data through Video Devices’ <https: //edpb.europa.eu/our-work-tools/public-consultations/2019/ guidelines-32019-processing-personal-data-through-video_en> accessed6November2019.,p.15– 16.‘Regulation(EU)2016/679 oftheEuropeanParliamentandoftheCouncilontheProtection ofNaturalPersonswithRegardtotheProcessingofPersonalData andontheFreeMovementofSuchData’(n2),Recital51.

105_European_Data_Protection_Board_(n_104),_p._17.

106_Lilian_Edwards_and_Michael_Veale,_‘Slave_to_the_Algorithm:_Why

aRighttoanExplanationIsProbablyNottheRemedyYouAre LookingFor’[2017]DukeLaw&TechnologyReview18,p.37.

107_Kosinski,_Stillwell_and_Graepel_(n_57);_via_Article₂₉_Working

Party,‘GuidelinesonAutomatedIndividualDecision-Makingand ProfilingforthePurposesofRegulation2016/679’(n86),p.15.