Information asymmetries
Waerdt, van de, Peter
Published in:
Computer Law & Security Review
DOI:
10.1016/j.clsr.2020.105436
IMPORTANT NOTE: You are advised to consult the publisher's version (publisher's PDF) if you wish to cite from
it. Please check the document version below.
Document Version
Publisher's PDF, also known as Version of record
Publication date:
2020
Link to publication in University of Groningen/UMCG research database
Citation for published version (APA):
Waerdt, van de, P. (2020). Information asymmetries: recognizing the limits of the GDPR on the data-driven
market. Computer Law & Security Review, 38, [105436]. https://doi.org/10.1016/j.clsr.2020.105436
Copyright
Other than for strictly personal use, it is not permitted to download or to forward/distribute the text or part of it without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license (like Creative Commons).
Take-down policy
If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.
Downloaded from the University of Groningen/UMCG research database (Pure): http://www.rug.nl/research/portal. For technical reasons the number of authors shown on this cover page is limited to 10 maximum.
Availableonlineatwww.sciencedirect.com
journalhomepage:www.elsevier.com/locate/CLSR
Information
asymmetries:
recognizing
the
limits
of
the
GDPR
on
the
data-driven
market
Peter
J.
van
de
Waerdt
1 ,∗Security,Technologyande-Privacy(STeP)ResearchGroup,UniversityofGroningen,Groningen,TheNetherlands
a
r
t
i
c
l
e
i
n
f
o
Articlehistory: Availableonlinexxx Keywords: InformationAsymmetry Data-drivencompanies Behavioralprofiling Transparency DataprotectionGeneralDataProtectionRegulation
a
b
s
t
r
a
c
t
Onlinesearchengines,socialmediaplatforms,andtargetedadvertisingservicesoften em-ploya“data-driven” businessmodelbasedonthelarge-scalecollection,analysis,and mon-etizationofpersonaldata.Whenprovidingsuchservicessignificantinformation asymme-triesarise:data-drivencompaniescollectmuchmorepersonaldatathantheconsumer knowsorcanreasonablyoversee,anddata-drivencompanieshavemuchmore(technical) informationabouthowthisdataisprocessedthanconsumerswouldbeabletounderstand. Thisarticledemonstratesthevulnerablepositionconsumerscontinuetofindthemselves inasaresultofinformationasymmetriesbetweenthemanddata-drivencompanies.The GDPR,byitself,isinpracticeunabletomitigatetheseinformationasymmetries,norwould itbeabletoprovideforeffectivetransparency,sinceitdoesnotaccountfortheunique characteristicsofthedata-drivenbusinessmodel.Consumersarethusfacedwithan insur-mountablelackoftransparencywhichisinherentin,aswellastheinevitableconsequence of,themagnitudeoftheinformationasymmetriespresentonthedata-drivenmarket.
© 2020PeterJ.vandeWaerdt.PublishedbyElsevierLtd. ThisisanopenaccessarticleundertheCCBYlicense. (http://creativecommons.org/licenses/by/4.0/)
1.
Introduction
Due to continued improvements in the field of informa-tiontechnologyandtheriseinitsusage,newmarketshave
∗Correspondingauthor.DepartmentofTransboundaryLegalStudies,Security,Technologyande-Privacy(STeP)ResearchGroup,
Uni-versityofGroningen,OudeKijkin’tJatstraat26,Room13150465,9712EKGroningen,TheNetherlands.Telephonenumber:+315036 35527.
E-mailaddress:p.j.van.de.waerdt@rug.nl
1PetervandeWaerdtisaPhDresearcheratthedepartmentofTransboundaryLegalStudies,UniversityofGroningen(TheNetherlands),
andpartoftheSecurity,Technologyande-Privacy(STeP)ResearchGroup.Hisresearchfocusesontherelationsbetweendataprotection lawandcompetitionlawondata-drivenmarkets.
2“Personaldata” isdefinedas:anyinformationrelatingtoanidentifiedoridentifiablenaturalperson.‘Regulation(EU)2016/679ofthe
EuropeanParliamentandoftheCouncilontheProtectionofNaturalPersonswithRegardtotheProcessingofPersonalDataandonthe FreeMovementofSuchData’,art.4(1).
emergedwhichoperateprimarilyonthecollection,analysis, processing,andmonetizationofpersonaldata.2Thisis cur-rentlythe case for many socialmedia platforms, advertis-ingnetworksand other onlineserviceproviders: theyhave
https://doi.org/10.1016/j.clsr.2020.105436
0267-3649/© 2020PeterJ.vandeWaerdt.PublishedbyElsevierLtd.ThisisanopenaccessarticleundertheCCBYlicense. (http://creativecommons.org/licenses/by/4.0/)
become ‘data-driven’. While Google and Facebook are the mostprominentoperatorsofadata-driven businessmodel, thecombinedweightofallofthesmalleractorsonthe on-line advertising market should not be underestimated ei-ther. Data-drivenness hasbecomeubiquitous on the Inter-net,anditiseasy tosee howitcan behighlybeneficial to theconsumer:itallowsvarioususefulservicestobeprovided foralowpriceand inapersonalizedmanner.Despitesuch benefits, however,it is notcompletely without its costs or risks.
In this article, the conduct of data-driven companies (DDCs)ontheirrespectiveonlinemarkets,aswellasthe con-sequencesthereof,willbeexaminedfromtheperspectiveof information asymmetries.Theterm ‘information asymme-tries’inthiscontextreferstothesubstantialdifferencesthat existbetweentheinformationavailabletotheDDCsversus thatavailabletotheconsumersthemselves.Although infor-mationasymmetriesarecommoninnearlyallmarkets,and arethereforealsoasubjectofconsumerprotectionlaw,they areespeciallyproblematiconthedata-drivenmarket.Onthis marketthereisasymmetrynotonlywithregardstothe con-tractbut,crucially,alsowithregardstothevolumeandthe mannerofpersonaldataprocessing.Asaresult,consumers findthemselvesinavulnerablepositionvis-à-visDDCs. Seri-ousrisksarisethatconsumerswillbeunabletomake well-informeddecisionsabouttheuseoftheirdata,ortoinvoke theirrights.Theusageoftheterm“informationasymmetries” throughoutthisarticleshouldbeunderstoodinthisfull con-text.
While thereisawealthofliteratureinthe field ofdata protectionrecognizinginformationasymmetriesasa signif-icant concern,3therehasnotbeenanexhaustive examina-tion ofhowinformationasymmetries comeinto beingand how intertwinedtheyare withtheinner workingsof data-drivenmarkets.Thefullcomplexity ofDDCs’data process-ing,andhowtheresultinginformationasymmetriesare in-terconnectedwiththedifficultiesofensuringtransparencyon thesemarkets,hasnotbeenexaminedindetail.Thisarticle aimstoprovidesuchinsightand indoingsoillustratewhy DDCspresentauniquechallengeforEuropeandata protec-tionlaw.Indeed,theinformationasymmetriesperspectiveis valuablebecause itvividlyillustratesjusthowmuchofthe data collection, dataanalysis, profiling,and behavioral tar-geting processremainsunknown,incomprehensible,or un-workable to the average consumer. Thevolume and com-plexity of the data processing conducted by DDCs makes
3Forexample:BartSchermer,‘RisksofProfilingandtheLimitsof
DataProtectionLaw’inBartCustersandothers(eds), Discrimina-tionandPrivacyintheInformationSociety:DataMiningandProfilingin LargeDatabases(Springer2013),p.139– 140.;EmreBayamlioglu, ‘ContestingAutomatedDecisions’[2018]EuropeanData Protec-tionLawReview(EDPL)433,p.435.M.H.C.Rhoen,BigData,BigRisks, BigPowerShifts:EvaluatingtheGeneralDataProtectionRegulationasan InstrumentofRiskControlandPowerRedistributionintheContextofBig Data(Ridderprint2019),p.11– 13.MireilleHildebrandt,‘Profiling: FromDatatoKnowledge:TheChallengesofaCrucialTechnology’ (2006)30DatenschutzundDatensicherheit-DuD548,p.551;via ClaudeCastelluccia,‘BehaviouralTrackingontheInternet:A Tech-nicalPerspective’inSergeGutwirthandothers(eds),EuropeanData Protection:InGoodHealth?(Springer2012),p.22.
forauniquesourceofsubstantialinformationasymmetries, whichinturnputsupanimmensewalltoensuringeffective transparency.
Specifically,thisarticleaimstoanswerthefollowing ques-tions:Howdoinformationasymmetriesbetweenconsumers andDDCsarise;towhatextentistheGeneralDataProtection Regulation(GDPR)oftheEuropeanUnion(EU)abletomitigate thisdiscrepancyonthedata-drivenmarket;howare informa-tionasymmetrieslinkedtolackingtransparency;andtowhat extentwouldensuringeffectivetransparencyevenbe possi-bleinlightoftheinformationasymmetries?Thetiesbetween informationasymmetryand transparencyareespecially vi-talelementsofthisresearch,sinceeffectivetransparencyis aprerequisiteforcitizenstoexercisetheirrightsunderthe GDPR.Lackingtransparencybecauseofinformation asymme-trycouldresultinconsumersbeingunawarethattheirrights arebeingviolatedinthefirstplace,orwhomtoaddresstheir concernstoeveniftheydorealize.
Toexplainthisinmoredetailthisarticlewillcommencein Section2withadescriptionofwhattheinformation asym-metriesbetweenDDCs and consumersare,as wellas how theyariseoverthecourseofprovidingaservice.Thiswillbe followedinSection3withanexplanationofhowtheGDPR addresses theseinformationasymmetries and to what ex-tentitsucceedsinclosingthegapbetweenthecitizen and DDCs.Havingdiscussedtheexistenceofandresponseto in-formationasymmetries onthe data-driven market,Section 4willthenaddressthemainargumentofthisarticle.Namely, thatinformationasymmetryandtransparencyareintegrally connected,andthatapushforgreatertransparencyinitself willnoteffectivelymitigatetheinformationasymmetriesor strengthenthedataprotectionofcitizensonthedata-driven market.4 Todoso, thissection willexplainthe fundamen-tal differences betweenDDCs and conventional companies intermsofdatacollectionandprofiling.Furthermore,itwill examinetheongoingdevelopmentofexplainablealgorithms andwhethertheycanaiditmitigatinginformation asymme-tries.Finally,thisSection willdelveintotheclose interrela-tion betweeninformationasymmetry,lacking transparency andpotentialbiasinalgorithmicprofilingactivities,focusing onhowthesefactorsexacerbateoneanother.
Thus,thisarticleaimstoprovideathoroughoverviewofa specificproblemindataprotectionlaw,namelytheeffectsof informationasymmetriesonthedata-drivenmarket.Itdoes sobyfocusingontheGDPR;examiningwhethertheGDPRin itselfhasthepotentialtomitigatethisproblemthrough stim-ulatingtransparency orprovidingdatasubjectrights. Obvi-ouslythereareotherperspectivesfromwhichtoexaminethis issueaswell:notablyEUcompetitionlawandconsumer pro-tectionlaw,orindeedacombinationofvariousfieldsoflaw. Robustlong-termsolutionstotheproblemsinherentin far-reachinginformationasymmetriesanddominantdata-driven companiesareexpectedtobevaried,complex,andtake ac-countof many relevant areas oflaw.They are the subject
4 Forthepurposesofthisarticletheterm‘citizen’refersto
cit-izensoftheEuropeanUnion,astheyaretheonescoveredbythe GDPR.Theyarealsoreferredtoastheconsumersofonline ser-vices,usersofonlineplatforms,orasdatasubjects.
offurtherresearchandassucharenotdealtwithindetail here.
2.
How
and
why
information
asymmetries
arise
In order to understand how information asymmetries be-tweenconsumersandDDCsarise,itmustfirstbeunderstood howDDCsearntheirrevenue.Whilethedata-drivenmarket isoftenpopularlycharacterized as“sellingpersonaldata”,5 this isnotalwaysaccurate.Nevertheless,itistruethatthe monetization ofpersonaldataisthe primary sourceof in-comeforprominentDDCssuchasGoogleandFacebook.This isachievedbywayofadvertising,specificallytargeted adver-tising.6 For instance,Googlehasacquired its own advertis-ingnetworkinDoubleClick,whichhastiestothemajorityof themostvisitedwebsitesintheworld.7Facebook,meanwhile, servesadsonitssocialmediaplatformandonInstagrambut focusesspecificallyonmobileadvertising.8
Targetedadvertising,otherwiseknownasbehavioral tar-geting,isamethodwherebyDDCsanalyzepersonaldatain or-dertodeterminetheinterestsofanindividualconsumerand showthemadvertisementswhichcorrespondtothose inter-ests.9Forexample:ifauservisitsawebsiterelatedtomovies andtelevisionshowstheDDCwilltakenoteofthisinterest.It cansubsequentlyusethistodisplaymoreadvertisementsfor thelatestblockbusters.Thismethodofadvertisingisefficient becausetargetedadsleadtogreaterprofitabilitythan general-izedads:companieswillsimplywastefewerresources show-ing adstoconsumerswhowillneverbeinterestedintheir product.10Inessence,DDCsprovideaservicetoadvertisers. Aservicetoshowtheiradstothoseconsumersmostlikelyto
5For example: Hamish McRae, ‘Companies Have Been
Sell-ing Our Data in Exchange for “Free” Products and Services for a Long Time – Facebook’s Not so Different’ (The Indepen-dent, 7 April 2018) <https://www.independent.co.uk/voices/ facebook-data-scandal-free-products-sheryl-sandberg-a8294006. html>accessed13February2019.
6In 2016, Facebook earned $26 billion of its $27
bil-lion total revenue with advertising.; ‘Facebook Reports Fourth Quarter and Full Year 2016 Results’ <https: //investor.fb.com/investor-news/press-release-details/2017/ facebook-Reports-Fourth-Quarter-and-Full-Year-2016-Results/ default.aspx> accessed 29 June 2017.; Google over that same year earned $79 billion of its total $89billion through adver-tising. ‘Alphabet Annual Report’ <https://abc.xyz/investor/pdf/ 2016_google_annual_report.pdf>accessed6February2017.p.22.
7‘Onderzoek CBP Naar Het Combineren van
Persoons-gegevens Door Google’ <https://autoriteitpersoonsgegevens. nl/sites/default/files/downloads/mijn_privacy/rap_
2013-google-privacybeleid.pdf>accessed12April2017,p.12.
8‘Mobile Advertising Drives Strong Facebook Quarter’ (USA
TODAY) <https://www.usatoday.com/story/tech/news/2017/02/ 01/facebook-earnings-fourth-quarter-2016-beat/97340988/> accessed29June2017.
9LillianWallace,HiddenHazardsofOnlineAdvertising:An
Investi-gationofConsumerSecurityandDataPrivacyProtection(NovaScience Publishers2014),p.14,22– 23.
10GaneshIyer, DavidSobermanandJMiguelVillas-Boas,‘The
TargetingofAdvertising’(2005)24MarketingScience461,p.473.
beinterestedinthem.11Putdifferently,DDCsrentout adver-tisingspace,aswellastheattentionofInternetusers,tothe advertisers.12
SincethemainsourceofrevenueforDDCs,targeted adver-tising,isbasedpredominantlyonthecollectionandanalysis ofpersonaldata,informationasymmetriescanquickly mate-rialize.Theinformationasymmetriesthatarisefromthiscan bedividedintotwocategories:thosewhich arisefrom per-sonaldatacollection,and those whicharise from personal dataanalysis.
2.1. Informationasymmetriesfrompersonaldata collection
Informationasymmetriesstarttoarisefromthemomentthe actualcollectionofpersonaldatatakesplace.Inparticular, DDCsamasspersonaldatathroughmethodsandin quanti-tiesthattheconsumercannotoverseeorcontrol.Therearea numberofwaysinwhichthisoccurs.
Firstly,DDCsdonotonlycollectdataactivelyand know-inglyprovidedbytheuser.Theyalsoamassdata“observed” from the consumer’s usage of the social media platform, searchengineorotheronlineservice whichtheyprovide.13 DDCscollectandstoredatapointsbasedoneveryactionthe usertakesontheplatformorwhileusingtheservice.For ex-ample,commentingonaphotoofkittensissimultaneously theordinaryuse-caseofasocialmediaplatformaswellasa datapointfortheserviceprovider.Bysignalingtohisfriends thathelikescats,theuserisunconsciouslydoingthesame fortheDDCinquestion.14Inthecaseofsearchenginesthe processofdatacollectionisevenmorevast:alloftheusers’ searchqueries canbecollected,combined,storedina per-sonalprofile,andsubsequentlyusedfortargeting.15
Thereareevenscenariosinwhichusersprovide informa-tiontocertainDDCs merelybycheckingintotheiraccount, suchasthecollectionofIP-addressesorgeolocationdata.16If geolocationtrackinghasnotbeendisabled,oriftheuserdoes notrealizethatheruploadedphotosandvideoscontain ge-olocationdata,aDDCcancollectinformationonwherea spe-cificaccountiscurrentlybeingaccessedfrom.17Iftheservice
11Thisisknownasoperatingonadual-sidedmarket.Online
ser-vicessuchassocialmediaplatformssimultaneouslyoffer differ-entservicestotwogroupsofmarketparticipants:afreeplatform toconsumers,andanadvertisingservicetoadvertisers.
12FrederikZuiderveenBorgesius,ImprovingPrivacyProtectioninthe
AreaofBehaviouralTargeting(UvA-DARE(DigitalAcademic Reposi-tory)2014),p.71.
13‘Guidelines on the Right to Data Portability’ <http:
//ec.europa.eu/information_society/newsroom/image/document/ 2016-51/wp242_en_40852.pdf>accessed17February2017,p.8– 9.
14ArnoldRoosendaal, ‘WeAre All Connectedto Facebook...by
Facebook!’inSergeGutwirthandothers(eds),EuropeanData Pro-tection:InGoodHealth?(Springer2012),p.4– 5.
15FrederikZuiderveenBorgesius(n12),p.55– 56.
16Bo Liu and others, Location Privacy in Mobile Applications
(Springer Singapore 2018) <http://link.springer.com/10.1007/ 978-981-13-1705-7>accessed13November2019,p.34– 35.
17SangmeeLee,KiJoonKimandSShyamSundar,‘Customization
inLocation-BasedAdvertising:EffectsofTailoringSource, Loca-tionalCongruity,andProductInvolvementonAdAttitudes’(2015)
isbeingusedonasmartphonethiscould,intheextreme, al-lowtheserviceprovidertocomposeamapoftheuser’sdaily routine.18
Inaddition toprovidedpersonaldataand observed per-sonaldata,DDCscanbolsterapersonaldatasetthroughother means.Facebookisabletocross-referenceinformation pro-videdbyauser’sfriendsandincludeitinthedataset,19and itcancollectpersonaldataonthird-partywebsitesthrough itswidespreadLikebutton.20Thispracticeofcombining per-sonal datafrom across differentFacebook services, includ-ing subsidiaries suchas the imagehosting platform Insta-gramandtheVirtualRealityplatformOculus,wasthesubject ofthemuch-discussedBundeskartellamtcaseagainst Face-book.21TheBundeskartellamtheldthatFacebookhadnot ob-tainedvalidconsentforthesedatacollectionpractices,asit hadmadetheuseofthemainFacebooksocialmediaplatform conditionalonconsentingtothefullrangeofsubsidiarydata collectionpractices.22
Furthermore,in2019theUnitedStatesFederalTrade Com-mission(FTC)broughtanactionagainstFacebook.Init,the FTCallegedthatFacebookallowedthirdpartydevelopersto accessnotonlythepersonaldataofuserswhohadconsented tohavingtheirdatacollected,butalsotothedataofallof thoseusers’Facebookfriends.23Thisincludedthecollection ofinterestdata,videoactivity,andevenwebsiteURLhistory data,24allwithouttheconsentoftheaffectedfriends.25While usersweretheoreticallyabletopreventtheirfriendsfrom con-sentingontheirbehalf,fewFacebookuserswereawarethis practiceevenexisted.Fewerstillwereabletofindthe, unhelp-fullylabeled,applicablesetting.26Inshort,thereareworrying examplesofDDCscollectinglargequantitiesofpersonaldata withouttheknowledgeorconsentofthedatasubject.
Theaboveare allexamplesofdatacollectionby compa-nieswhichprovideaservicedirectlytotheconsumer.
How-51ComputersinHumanBehavior336.;ClaudeCastelluccia(n4), p.26.
18ClaudeCastelluccia(n3),p.26.;JosephTurow,TheDailyYou:
HowtheNewAdvertisingIndustryIsDefiningYourIdentityandYour Worth(YaleUniversityPress2011),p.150– 151.Liuandothers(n 16),p.36.
19‘Onderzoek Naar Het Verwerken van Persoonsgegevens
van Betrokkenen in Nederland Door Het Facebook-Concern’ <https://autoriteitersoonsgegevens.nl/sites/default/files/atoms/ files/onderzoek_facebook.pdf>,p.22.
20ArnoldRoosendaal(n14),p.4– 5.
21Bundeskartellamt,6thDecisionDivision,‘Administrative
Pro-ceedingsDecisionunderSection32(1)GermanCompetitionAct (GWB), FacebookInc.i.a.-The UseofAbusiveBusiness Terms PursuanttoSection19(1)GWB’.‘BundeskartellamtProhibits Face-bookfromCombining UserDatafromDifferent Sources: Back-groundInformationontheBundeskartellamt’sFacebook Proceed-ing’<https://www.bundeskartellamt.de/SharedDocs/Publikation/ EN/Pressemitteilungen/2019/07_02_2019_Facebook_FAQs.pdf? __blob=publicationFile&v=6>accessed13February2019.
22Bundeskartellamt,6thDecisionDivision(n21),paras.522,564,
601– 603.
23UnitedStatesofAmericavFacebook,Inc[2019]UnitedStates
Dis-trictCourt,DistrictofColumbiaCaseNo.19-cv-2184,Document 1.
24ibid.,para.23. 25ibid.,para.22.
26ibid.,paras.26,40– 42,51– 58.
ever,notallDDCsareserviceproviderstoEuropeancitizens: somedonotrequireanyopeninteractionwiththeconsumer, yet are still able to collect a wealth of personal data. Ad-vertisingnetworksarethemostprominentexampleofthis phenomenon.27AdnetworksareDDCswhichoffer advertise-mentstotheInternetuseronbehalfofthehostwebsiteshe visits.Whenauservisitsawebsitethathasoutsourcedits advertisementstoanadnetwork,herbrowserreceivesthe in-structiontocontactthatadnetwork.28Alongwiththe adver-tisementtheadnetworkwillalsosendacookietobeplacedon theuser’scomputer.29Theadnetworkisthenabletocollect theuser’spersonaldataacrosseverywebsiteonwhichit deliv-ersitsadsbyusingitsowncookietoidentifytheuser.30In par-ticular,theadnetworkcanreadandstorethewebaddresses (URLs)fromwhichtheuser’sbrowserrequestsitsads.31Over timetheadnetworkwillusethisinformationtocreatea be-havioralprofile.Asauservisitsmoredifferentwebsites,enters newsearchqueries,oroffersupdatapointsinotherways,her profilebecomesmoredetailed:shemaybecategorizedbyage, location,incomelevel,andaplethoraofotherfactors.32
Whencomparedtotheothermoreovertformsofdata col-lection,consumersareunlikelytobeawarethattheir infor-mationisbeingcollectedbythewebsitestheyvisit,muchless thattheseadnetworksalsodoso.33Nevertheless,adnetworks areubiquitousontheInternet:evenin2013Google’s adver-tisingnetworkwasalreadyoperatingon70% ofwebsites.34 WhileGoogle’sadvertising networkisthelargest andmost recognized,adnetworksareinfactrunbyamassofDDCs whichareunfamiliartomostconsumers.35Theydelivertheir
27Claude Castelluccia (n 3). p. 26; Federal Trade
Commis-sion,‘Protecting ConsumerPrivacy inanEra ofRapid Change’ <https://www.ftc.gov/sites/default/files/documents/reports/ federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf> accessed23August2018,p.68.
28LillianWallace(n9),p.15.
29Thisisknownasa“third-partycookie” sinceitisembedded
inthehostwebsitebutbelongstoadifferentcompanyaltogether. Contrastthiswithfirst-partycookies,whichareusedbythe web-siteoperatortoensurethatthesiteworkssmoothly,remembers users’preferences,andallowsfortheuseofthe“cart” functional-ityofwebshops.
30FrederikZuiderveenBorgesius(n12),p.40. 31ibid.
32Ibid.p.56– 60.;J.GerardsandR.Nehmelman,AlgoritmesEn
Grondrechten(BoomJuridisch2018).p.20– 22.
33FTC Staff Report, ‘Self-Regulatory Principles For Online
Be-havioral Advertising’ <https://www.ftc.gov/sites/default/files/ documents/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising/
p085400behavadreport.pdf> accessed 29 March 2019. p. 26 – 27;viaJosephTurow(n18),p.175.
34Steven Englehardt and Arvind Narayanan, ‘Online
Track-ing: A 1-Million-Site Measurement and Analysis’ <http: //randomwalker.info/publications/OpenWPM_1_million_site_ tracking_measurement.pdf>accessed29May2017,p.8.
35JeffChester,‘CookieWars:HowNewDataProfilingand
Target-ingTechniquesThreatenCitizensandConsumersinthe“BigData” Era’inSergeGutwirthandothers(eds),EuropeanDataProtection:In GoodHealth?(Springer2012),p.60– 63.;MauritsMartijnand Dim-itriTokmetzis,JeHebtWélIetsTeVerbergen:OverHetLevensbelang vanPrivacy(DeCorrespondent2018).p.188.
cookies through virtuallyinvisible means,suchas asingle pixelonthehostwebsite.36
Additionally, ad networksalsoenterinto contracts with one another on a vast scale, distributing personal data amongstthemselvesinordertobringnewindividual users intotheirpersonaldatanetworkorimprovethedatasetsthey alreadyhaveavailable.37ResearchbyJunqué deFortunyetal. suggeststhat,intermsofaccuracyandpredictivemodeling,it isindeedworthwhileforsmallerDDCstobroadenanddeepen theirdatasetsbypoolingtheirdata.38 Companieshavealso emergedtooffercomplementaryservices,suchasmatching differentcompanies’cookiestothesameuser,additionaldata analytics,ordatabrokering.39
Takentogether,allofthesecompaniesandnetworksare engagedinacomplicatedtangleofcontracts,subcontracts, andpartneringnetworks.40VanEijkchartedallofthese net-works andtheirinterconnections,usingDenmarkasacase study,andfoundhundredsofdifferentcompanies contract-ing amongsteachother.41 Similarly,oneestimateheldthat theaverageDutchcitizenisalreadyincludedinhundredsof differentdatabasesacrossmanydifferentactors.42Duetothe complexityandfragmentationofthedata-drivenmarket,the flowsofpersonaldataarenearlyimpossiblefortheaverage citizentooversee.Aconsumerthuscannotrealistically super-viseormakedecisionsastowhichcompanieshavecollected whattypeofinformationonhim,howmuch,andwhatthey havelearnedfromanalyzingit.Intheforeseeablefutureeven moredataflowsareexpectedtomaterializefromevenmore companies,asanincreasingnumberandrangeofvaried de-vicesbecomeconnectedtotheInternet.Itwouldgobeyond thescopeofthisarticletoexaminetheseInternetofThings dataflowsindetail,butsufficeittosaythataddingthoseto thevastdatacollectionwhichalreadyexistswillincreasethe levelofcomplexityfurtherstill.
Evenwhenaconsumertakesactivestepstopreventdata collectionbythirdparties,suchasbyinstallingbrowser ex-tensionswhichblockcookies,itisnotguaranteedthathis per-sonaldatawillnotbecollected.Othermeanstoidentify indi-vidualusersalsoexist:devicefingerprintingisonesuch tech-nique.Inthisprocessacomputerisrecognizedbythe combi-nationofitsbrowsersettings,operatingsystem,installed add-ons,andotherfeatures.Takentogether,theseformapattern thatisalmostcertainlyuniquetoanindividual.43Googleitself
36LillianWallace(n9),p.14.;JosephTurow(n18),p.60– 61. 37RobbertJ.vanEijk,WebPrivacyMeasurementinReal-Time
Bid-dingSystemsAGraph-BasedApproachtoRTBSystemClassification (Ip-skampPrinting2019),p.152.
38Enric Junqué deFortuny,DavidMartens andFosterProvost,
‘PredictiveModelingWithBigData:IsBiggerReallyBetter?’(2013) 1BigData215,p.223.
39LillianWallace(n9),p.25.
40RobbertJ.vanEijk(n37),p.152,266– 273. 41ibid.,p.266– 268.
42J.GerardsandR.Nehmelman(n32),p.124.
43BernardMarr,‘HowBusinessesCanUseDeviceFingerprinting
ToIdentifyAndTrackCustomers’ (Forbes)<https://www.forbes. com/sites/bernardmarr/2017/06/23/how-businesses- use-controversial-device-fingerprinting-to-identify-and- track-customers/> accessed 29 March 2019.; Claude Castelluccia (n 3),p.25.;FrederikZuiderveenBorgesius(n12),p.48– 49.
wasfinedbytheFTCforusingaworkaroundwhichitusedto continueplacingcookiesbycircumventingbrowsersettings designedtopreventitfromdoingso.44
Ultimately,atafundamentallevelconsumerslackan in-sightintohowDDCscollecttheirpersonaldataandhow com-prehensivethis collectioncanbe.Informationasymmetries betweenconsumersandcompaniesarisebothintermsofthe volumeandthemeansofdatacollection:muchmoredatais beingamassedthantheconsumercanreasonablyoversee,by anexorbitantamountofinterconnectedparties,througha va-rietyofmeanswhicharefarfromself-evident.
2.2. InformationasymmetriesfrompersonalData Analysis
Inadditiontothemanywaysinwhichpersonaldatais col-lectedfromtheuser,DDCsalsohaveothermeansofamassing information.Besidesdatathatwasactivelysharedbythe con-sumerordataobtainedthroughobservinghisactions,there exists“inferred” data:personaldata acquiredthrough data analysis.45Dataanalysis,alsoknownasdatamining,is par-ticularlysignificantintermsofinformationasymmetries be-causeitcanbeusedtogatherpersonaldatawithouttheuser’s continuousinvolvement.
Dataanalysisaimstofindcorrelationsbetweeninterests andattributes,andestablishespredictiveindicatorsrelatedto theuserinordertoachievethisaim.Theprecise function-ingofdataminingisintricateand employsmany different methodsofanalysis,suchasclusteringdataintogroupsbased onsimilarity,orclassifyingnewdatapointsintopredefined categories.46Inessence,however,alldataanalysisworksby extrapolatingtheinformationwhichtheDDChaspreviously collectedonthetotalityofitsusers.Fundamentally,the algo-rithmstudiesgroupdynamics:ifmanyusersbornbefore1985 haveaknowninterestinvisitingmuseumsandsubsequently clickonURLsrelatedtoclassicalmusic,thisrevealsa num-berofdatapoints.47Thereisanindicationthatinterestsin museumsandclassicalmusicarerelatedandusersoverthe ageofthirty-fivearemorelikelytobeinterestedinthose pas-times.OnceanewuserentersintotheDDC’spersonaldata networkand exhibitsoneoftheseattributes,thealgorithm willusethisandotherfactorstodeterminethelikelihoodthat shewillalsoexhibittheotherassociatedattributes.48Group informationisthususedtodeterminethatapersonwith cer-tainattributesislikelytoalsohaveotherspecificattributeson thebasisthatmanyotherusersalsosharethiscombinationof
44LillianWallace(n9),p.15.
45‘GuidelinesontheRighttoDataPortability’(n13),p.8. 46ToonCaldersandBartCusters,‘WhatIsDataMiningandHow
DoesItWork?’inBartCustersandothers(eds),Discriminationand PrivacyintheInformationSociety:DataMiningandProfilinginLarge Databases(Springer2013),p.31– 38.
47FrederikZuiderveenBorgesius(n12),p.65– 70.
48ibid.,p.68– 70.Notethatdataanalysisalwaysresultsina
cer-tainpercentagechancethatauserwillhaveacertaintrait.For ex-ample,someoneinterestedinmuseumscouldbe85%likelytoalso enjoyclassicalmusic.Whileitisvirtuallyimpossibletoachieve completecertaintysimplybecauseeveryindividualisunique, pro-ficientalgorithmscancomesufficientlyclosetomaketargeting advertisementsbasedonthefindingsviable.
traits.49ThedataanalysisthatDDCsperformisbasedaround millionsofsuchcorrelations.Asaresult,DDCsobtainnew per-sonaldataaboutindividualsontheirownaccord:aconsumer whodirectlyprovidesasocialmediaplatformwithfive differ-entdatapointsaboutherselfmayinfactbeprovidingmany moreindirectly,includingpotentiallysensitiveones.50An es-timatebytheEuropeanDataProtectionSupervisorheldthat majorDDCsareabletoprofiletheirusersbasedonasmany as52.000differentattributes.51
Thealgorithmswhichperformdataanalysisareexpected toimprovefurtherinthefuture,makingtheirinferencesmore accurateaswellasmoreexpansive:theanalysiswillbeboth broaderanddeeper.Forexample,itisnotagreatleapoflogic todeterminethatcomputerenthusiastsareoftenalso inter-estedinvideogamesandviceversa;thiscanalreadybedone presently.However,itmayalsobethecasethatcomputer en-thusiaststendtopreferspecificclothingstyles,music,food anddrink,ornewssources,eventhoughsuchbehaviorhas notbeenobservedthusfar.Asalgorithmsimprove,such rela-tionsaswellasevenmoredistantonescouldbeestablished withincreasingaccuracyandsubsequentlyusedfor advertis-ingpurposes.Scalingupthedatacollectiontoserveasnew inputswillaidthisdevelopmentevenfurther.52
Technologicalmeanshavealsomadeitincreasingly feasi-bletofurtheranalyzedatasubjectspsychologically;toknow the character of the user indetail.53 There isa significant amountofresearchregardinghowmanydifferentkindsof in-formationcanbeusedtoinferpsychologicaltraitsof individ-uals.Forexample,researchbyReeseandDanforthfoundthat theimagesauserpostsonInstagramcanrevealthelikelihood thattheysufferfromdepression.54Theirstudysuggeststhat depressedpersonsaremoreinclinedtopostpicturesin black-and-whiteandsharefewergroupphotos.55Similarly,the lan-guageapersonemploysintheirFacebook postscanreveal their mentalwellbeing through a broadprogramof “senti-mentanalysis”.56Theseresultsdonothavetobebasedon
49ToonCaldersandBartCusters(n46),p.31.
50NancyJKingandJayForder,‘DataAnalyticsandConsumer
Pro-filing:FindingAppropriatePrivacyPrinciplesforDiscoveredData’ (2016)32ComputerLaw&SecurityReview696,p.699– 700.
51Giovanni Buttarelli, ‘Opinion 3/2018 on Online
Manipula-tion and PersonalData’<https://edps.europa.eu/sites/edp/files/ publication/18-03-19_online_manipulation_en.pdf> accessed 7 March2019,p.8.
52Junqué deFortuny,MartensandProvost(n38),p.224. 53SandraCMatzandOdedNetzer,‘UsingBigDataasaWindow
intoConsumers’Psychology’(2017)18CurrentOpinionin Behav-ioralSciences7,p.8.
54Andrew G Reece and Christopher M Danforth,
‘Insta-gram Photos Reveal Predictive Markers of Depression’ [2016] arXiv:1608.03282 [physics] <http://arxiv.org/abs/1608.03282> accessed23May2017.
55ibid.Notethatalgorithmscanonlydeterminecorrelation,not
causation.Itisunknownifanindividualpostsfewergroup pho-tosbecauseheisdepressed,orifheisdepressedbecausehehas fewfriendswithwhomtotakegroupphotos.Algorithmsmerely recognizearelationbetweentwodatapoints.
56Johannes CEichstaedtand others,‘FacebookLanguage
Pre-dictsDepressioninMedicalRecords’(2018)115Proceedingsofthe NationalAcademyofSciences11203;ZeynepTufekci,‘Opinion| ThinkYou’reDiscreetOnline?ThinkAgain’TheNewYorkTimes
overtdatapointsthatdirectlyrevealsensitivedetails: suffi-cientlyadvancedalgorithmscanmakesuchdeductionseven basedonseeminglyinnocentdata.Onestudy,inwhich Face-bookLikeswereusedtoaccuratelypredictindividuals’ sex-ualorientation,foundthat,forunclearreasons,withinthe re-viewedstudygroupalikingofBritneySpearswasmoderately indicativeofhomosexuality.57Alaterstudyfoundthatunder somecircumstancespersonalitydeterminationsmadeby al-gorithmscanbemoreaccuratethanthosemadebyhuman beings.58
Suchinformationaboutanindividual’sinnerworldcanbe highlyvaluableforthepurposesofadvertising.Knowingan individual’spersonalitytraitsmeansthatacompanycan cre-ateandshowadsdesignedtoappealtotheirsetofvalues.59 Ahighlyintrovertedpersonmaynotbeconvincedbya smart-phoneadwhichemphasizeshowpopulartheproductalready is,buthemaybereceptivetoanademphasizingthe smart-phone’soptionsforpersonalization.Researchhasshownthat consumersrespondpositivelytoproducts,brandsand mar-ketingmessagesthat representthe same valueshe orshe holds.60 Additionally,bytrackingandanalyzinghowauser browsesthroughanonlinestorefront,algorithmscanlearn howshebehavesduringherpersonaldecision-making pro-cessandthereforehowbesttoappealtoherinthatcritical moment.DDCs thereforehavean incentivetobolster their datasetsthrougheverdeeperlevelsofanalysis.
Alloftheaboveservestoillustratethattheinformation asymmetrieswhicharisefromthecollectionofpersonaldata byDDCsaremagnifiedgreatlythroughtheuseofdata min-ing.Havingpreviouslycollectedasetofpersonaldatafrom theconsumer,dataanalysisisusedtoexpandandenrichthe datasetwithoutrequiringfurtherinvolvementorknowledge ofthedatasubject.Thepersonalinformationobtainedinthis mannercanbehighlysensitiveanddetailed.Althoughitis currentlyuncleartowhatextentpracticessuchas psycholog-icalprofilingarebeingusedfortargetedadvertisingpurposes, thefactremainsthatsuchinformationisreadilyavailableto anumberofmajorDDCs.Indeed,theveryfactthatitis un-knownhowextensivelyandtowhatlevelofdetailusersare beingprofiledisindicativeofthe informationasymmetries onthedata-drivenmarket.Ultimately,DDCscanattainever morepersonaldatathroughdataanalysiswhilecostumersare (26 April 2019) <https://www.nytimes.com/2019/04/21/opinion/ computational-inference.html> accessed 8 May 2019.; Darren Davidson, ‘FacebookTargets “insecure” YoungPeople’ The Aus-tralian(1May2017).
57MKosinski,DStillwellandTGraepel,‘PrivateTraitsand
At-tributesArePredictablefromDigitalRecordsofHumanBehavior’ (2013)110ProceedingsoftheNationalAcademyofSciences5802, p.5804 – 5805.; For one possibleexplanationon howsuch an outcome might occur even ifthe two data points seem com-pletelyunrelated,see:Jennifer Golbeck,YourSocialMedia‘Likes’ Expose More than You Think (2013) <https://www.ted.com/talks/ jennifer_golbeck_the_curly_fry_conundrum_why_social_media_ likes_say_more_than_you_might_think>accessed14March2019.
58WuYouyou,MichalKosinskiandDavidStillwell,
‘Computer-BasedPersonalityJudgmentsAreMoreAccuratethanThoseMade byHumans’(2015)112ProceedingsoftheNationalAcademyof Sciences1036.
59MauritsMartijnandDimitriTokmetzis(n35),p.134– 135. 60MatzandNetzer(n53),p.9.
unabletoassessifortowhatextentthisishappening,what newdatapointshavebeenfound,howsuchaconclusionwas reached,andwhateffectsitwillhaveontheirInternet expe-rienceingeneralortheadstheyarebeingservedspecifically.
3.
GDPR
approach
to
information
asymmetries
In the foregoingSection it was discussed how information asymmetriesbetweenconsumersandDDCsform.Withthe GeneralDataProtectionRegulation,theEUlegislatorhas en-deavoredto protectthe personal datarights ofits citizens asoneofitsprimarygoals.61Thequestionthenpresents it-selfwhethertheGDPRsucceedsinmitigatingtheinformation asymmetriesonthedata-drivenmarket.Doesitinfactensure thatconsumerscanmakeinformeddecisionsabouttheir on-linedata?ThisSectionwillfocusonafewfacetsoftheGDPR indetail:theinformationrightsofdatasubjects,the restric-tionsonprofiling,andtherequirementsofconsent.
3.1. Informationrightsandobligations
ChapterIII,subsection2oftheGDPRisentirelydevotedtothe informationthatshouldbeprovidedtodatasubjects62aswell astherightsthathavebeengrantedtothemtoaccessthe per-sonaldatabeingprocessed.
Firstandforemost,anydatacontroller63mustprovidethe datasubject withasignificant amountofspecific informa-tion when processing their personal data. Arts. 13 and 14 GDPR mandate that informationrelatingtothe processor’s ownidentity,thepurposesandlegalbasesoftheprocessing, anythird-partyrecipientsofthedata,thedatasubject’sGDPR rights,andagreatdealmoremustbeprovided.64Thesame obligationsalsoapplyifaDDCplacesacookieonthedata sub-ject’sdevice.65Ifthedataprocessingactivitiesalsoinvolve au-tomateddecision-makingorprofiling,theobligationtoinform theconsumerintensifiesfurther.Thedatasubjectsmustbe informedofthefactthatprofilingwillbeusedandtheymust begrantedaninsightintothe“logic” behindtheprofiling.66To
61However,itisequallymeantto“ensurethefreeflowofpersonal
databetweenMemberStates”.‘Regulation(EU)2016/679ofthe Eu-ropeanParliamentandoftheCouncilontheProtectionofNatural PersonswithRegardtotheProcessingofPersonalDataandonthe FreeMovementofSuchData’(n2),Preamblepara.3.
62IntheterminologyoftheGDPR,‘datasubject’means“the
iden-tifiedoridentifiablenaturalperson” towhomthepersonaldatain questionrelates.ibid.,art.4(1).Forthepurposesofthisarticledata subjectsareconsumers,namelytheusersofdata-drivenservices.
63IntheterminologyoftheGDPR,‘datacontroller’means“the
natural or legalperson,publicauthority,agency or otherbody which,aloneorjointlywithothers,determinesthepurposesand meansoftheprocessingofpersonaldata”.ibid.,art.4(7).Forthe purposesofthisarticledatacontrollersaretheDDCs.
64ibid.,arts.13– 14.
65Directive2002/58/ECoftheEuropean Parliamentandofthe
Councilof12July2002concerningtheprocessingofpersonaldata andtheprotectionofprivacyintheelectroniccommunications sector(Directiveonprivacyandelectroniccommunications)2002 [OfficialJournalL201,31/07/2002],art.5(f).
66‘Regulation(EU)2016/679oftheEuropeanParliamentandof
theCouncilontheProtectionofNaturalPersonswithRegardto
complementthisobligationtoinform,theEUlegislatoralso introducedarighttoreceiveoraccessthepersonaldata perti-nenttothedatasubject.Pursuanttoart.15GDPRconsumers havetherighttorequestinsightintothedataregardingthem whichthedatacontrollerprocesses.67Inpracticethese provi-sionshavebeenimplementedinavarietyofways:Facebook allowsuserstodownloadanarchivefilecontainingtheir per-sonaldata,68whileGooglegivesuserstheoptiontoviewand edittheirownbehavioralprofile,69aswellasafullfeedoftheir activitywithGoogleservices.70
However,evenwithalloftheseinformationrightsitwill stillbedifficultfortheconsumertoattainaworking knowl-edgeofthedatabeingprocessed.AswasdiscussedinSection 2,These difficultiesarisefrom thefirstmomentof interac-tion.Of the dozensof companies that are involved in the completewebofthetargetedadvertisingmarketveryfew ac-tivelypresentthemselvestotheconsumer.71Morecommonly the consumer isasked by the hostwebsite for consentto placethird-partycookies,leadingtoasituationinwhichmany third-partycookiescanbeplacedbasedonasinglewebsite visit.72Consequently,fewconsumersevenrealizethatad net-workscollectpersonaldata.Fewerstillknowwhichspecific companiesareinvolvedorthecomplexstructureinwhichit takesplace.73Besideslackingtherequiredinformationonthe front-endthisalsomakesitespeciallyproblematicfordata subjectstoeffectively invoketheir righttoaccess: inorder tofilearequestforaccesstheconsumermustobviouslyfirst knowwhichcompanytoaddress.InthecaseoflargeDDCs suchasFacebookandGooglethisisrelativelyeasytodo,but inthemarketofadvertisingnetworksthisismanifestlymore challenging.
Shouldtheconsumernonethelesssucceedindirectinghis requesttothecorrectdatacontrolleritisfarfromguaranteed thathewillreceivealloftheinformationthatheneedstoform acompleteimageofthedataprocessingthatoccurs.For ex-ample,Googleallowsitsuserstoaccesstheirowninterest pro-file,butresearchhasshownthattheseareoftenincomplete. ResearchbyDattaetal.showedthata(fictional)userwho vis-itedmanywebsitesrelatedtorehabilitationfromaddiction re-ceivedadsforrehabilitationclinicseventhoughrehabilitation
theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2),arts.13(2)f,14(2)f.
67ibid.,art.15.
68Facebook, ‘Your Facebook Information’ <https://www.
facebook.com/settings?tab=your_facebook_information> ac-cessed21February2019.(Facebookaccountandlog-inrequired.)
69Google, ‘Ad Settings’ <https://adssettings.google.com/
authenticated> accessed 21 February 2019. (Google account andlog-inrequired.)
70Google, ‘My Activity’ <https://myactivity.google.com/?hl=
en&utm_source=google-account&utm_medium=web> accessed 21February2019.(Googleaccountandlog-inrequired.)
71José Estrada-Jiménez and others,‘Online Advertising:
Analy-sisofPrivacyThreatsandProtectionApproaches’(2017)100 Com-puterCommunications32,p.38.
72IbrahimAltaweel,NathanGoodandChrisJayHoofnagle,‘Web
PrivacyCensus’<https://ssrn.com/abstract=2703814>accessed29 March2019.;viaFrederikZuiderveenBorgesius(n12),p.54.
73Estrada-Jiménez and others (n 71), p. 39 – 40.; Frederik
wasnotdisplayedintheaccessibleprofile.74Thereisthus rea-sontobelievethatbehavioralprofilesaremuchbroaderand moredetailedthanwhattheconsumerisshownwhenshe employsherrighttoaccess.75ThesameistrueforFacebook: whileitclaimsnottousemedicalinformationforitstargeted advertisinganddoesnotshowthisdatainaccessrequests,an investigationbytheDutchdataprotectionauthorityrevealed atleastoneexampleofawomanwhohadbeensubjectedto suchtargeting.76ThiscastsseriousdoubtsonwhetherDDCs areGDPR-compliantinprovidingfullinsightintothedatathey holdontheirusers.Moreover,itisexceedinglydifficultto ver-ifywhetherfullinsighthasactuallybeengranted,sincethere are nopracticalmethodstocheckifall datahasbeen pro-vided.Theonlyoptionwouldbetopainstakinglyexamineall oftheadsbeingservedandcompare themtotheprovided data:atime-consumingandimperfectmethodatbest. Bar-ringinvestigationsbydataprotectionauthorities,consumers themselvescannotknowwhetherornottheyhavereceived alltherelevantdatainaccordancewiththeGDPR.
AlthoughtheGDPRhasarobustframeworkofinformation obligationstobemetbyadatacontroller,italsocontains pro-visionsthatallowadatacontrollertoescapesomeofthese obligations.Themostpressingoftheseisart.11GDPR: “Pro-cessingwhichdoesnotrequireidentification”.77Thisarticle concernsthepracticeofpseudonymizationaswellasother situationsinwhichitisnolongernecessaryforadata con-trollertobeabletoidentifyadatasubject.78Ifthedata con-trollerhastiedits datarelatingtoacertainindividual toa pseudonyminsuchawaythatitisnolongerableto iden-tifythisperson,itdoes nothavetomaintainadditional in-formationforthesolepurposeofcomplyingwithits informa-tionobligations.79Aconsumermakinguseofheraccessrights wouldneedtodemonstratethatthedatainquestionconcerns herinorderforherinformationrightstoberestored.80In
ef-74Amit Datta, Michael Carl Tschantz and Anupam Datta,
‘Automated Experiments on Ad Privacy Settings’ (2015) 2015 Proceedings on Privacy Enhancing Technologies <http://www.degruyter.com/view/j/popets.2015.1.issue-1/ popets-2015-0007/popets-2015-0007.xml> accessed 14 March 2017,p.103– 104.
75ibid.
76‘OnderzoekNaarHetVerwerkenvanPersoonsgegevensvan
Be-trokkeneninNederlandDoorHetFacebook-Concern’(n19),p.81 – 82.
77‘Regulation(EU)2016/679oftheEuropeanParliamentandof
theCouncilontheProtectionofNaturalPersonswithRegardto theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2),art.11.
78RunshanHuandothers,‘BridgingPolicy,Regulationand
Prac-tice?ATechno-LegalAnalysisofThreeTypesofDataintheGDPR’ inRonaldLeenes,RosamundeVanBrakelandSergeGutwirth(eds), Dataprotectionandprivacy:theageofintelligentmachines(Hart Pub-lishing2017),p.120– 121.ArnoudEngelfriet,LisetteMeijandPeter Kager,DeAlgemeneVerordeningGegevensbescherming:Artikelsgewijs Commentaar(IusMentis2017),p.60.
79Arnoud Engelfriet, Lisette Meij and Peter Kager (n 78), p.
60; Gabe Maldoff, ‘Top 10 Operational Impacts of the GDPR: Part 8 - Pseudonymization’ < https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/> accessed7August2018.
80‘Regulation(EU)2016/679oftheEuropeanParliamentandof
theCouncilontheProtectionofNaturalPersonswithRegardto
fect,thedatacontrollercanuserobustpseudonymizationin ordertoavoidhavingtoprovideallofthenecessary informa-tionasrequiredbyChapterIII,Section2GDPR.Merely remov-ingalldirectidentifiers,suchastheuser’sname,willnotbe sufficient:theDDCwillalsohavetoensurethatthe combi-nationofallavailabledatapointsdoesnotallowittosingle outthisindividual.81Asmoredataiscollectedthis require-mentwillmakeitincreasinglydifficulttorelyonart.11GDPR. However,forsmalleradvertisingnetworkslowerinthefood chainthismaystillbeavalidoption,makingitdifficultfor datasubjectstoaccesstheirdatawhichhasbeencollectedby thesecompanies.
Furthermore,theabovescenariosareallbasedonthe infor-mationthatmustbeprovidedby,orcanberequestedfrom,a singledatacontroller.Yetitmustberecognizedthatthe data-drivenmarketfortargetedadvertising ischaracterized bya largenumberofcompetingandcooperating DDCs.Asa re-sult,thepersonaldataonanyoneindividualiswidelyspread out.Someinformationmaybeavailabletoseveralcompanies becausetheyall placedacookiethroughthesamewebsite, whereasotherdataisonlystoredbyasingleDDCafteritwas foundthroughanalysis.Inordertogetacompletepictureof one’sonlinedatafootprintthedatasubjectmustsomehow managetoidentify,beinformedby,andinvoketheirrights vis-à-vispotentiallyhundredsofdifferentcompaniesatthesame time.82Inpractice,thisishardlyarealisticscenario.83
Morefundamentally,evenifthedatasubjectdoesreceive allofthenecessarydatarequiredbytheGDPRshewillstilllack anessentialpieceofinformation.Namely:howexactlydidher clicksandsearchqueriesleadtotheadsbeingshown?Toa certainextentananswertothisquestionisalreadyrequired bytheGDPR:meaningfulinformationaboutthelogicinvolved intheprocessofprofilingmustbeprovidedtotheconsumer. However,theGPDRisunclearonhowdetailedthislogicmust betocomplywithArts.13(2)fand14(2)f.Afterall,thereisa worldofdifferencebetweenprovidingtheconsumerwiththe completealgorithmsthatcarryouttheprofilingactivities,or attheotherextremetomerelytelltheconsumersuch algo-rithmsexist.AsKamarinouet.alobserve:“doestheterm‘logic’ refertothedatasetusedtotrainthealgorithm,ortothewaythe algorithmitselfworks ingeneral,forexample themathematical/ statisticaltheoriesonwhichthedesignofthealgorithmisbased,or tothewaythelearnedmodelworkedintheparticularinstancewhen processingthedatasubject’spersonaldata?”84
Whiledatasubjectsdohavetherighttoaccessinformation regardingthelogicbehindbehavioraltargeting,itishighly un-likelythatcompleteinformationonthismattercouldpossibly begiventotheconsumerinanunderstandableand mean-ingfulway.AlgorithmsusedbyDDCsfortheirtargeted adver-theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2),art.11(2).;ArnoudEngelfriet,LisetteMeijandPeter Kager(n78),p.60.
81RunshanHuandothers(n78),p.128– 129. 82RobbertJ.vanEijk(n37),p.266– 267.
83MauritsMartijnandDimitriTokmetzis(n35),p.43– 44. 84DimitraKamarinou,ChristopherMillardandJatinder Singh,
‘Machine Learning with Personal Data’ in Ronald Leenes, RosamundeVanBrakelandSergeGutwirth(eds),Dataprotection andprivacy:theageofintelligentmachines(HartPublishing2017),p. 107.
tisingwillcertainlybeincomprehensibletotheaverage con-sumerand eventhemoreexperiencedandtech-savvy con-sumerswouldstillfindthemdifficulttounderstand.85Indeed, theArticle29WorkingPartyhasclarifiedthatthereisno obli-gationondatacontrollerstoprovide“acomplexexplanation ofthealgorithmsusedordisclosureofthefullalgorithm”.86 Conversely,theWorkingPartyalsostatesthatcomplexityis notinitselfanexcuseforfailingtoprovidemeaningful infor-mation.87
The information asymmetries that arise from profiling thusexposeaninherentdifficultywiththeinformation obli-gationsintheGDPR.TheGDPRappearstoaskforadifficult,if notimpossible,balancebetweentransparencyanddetail.On theonehand,acontrollerisobligedtoprovidetheconsumer withawealthofinformation,especiallyifshemakesuseof herrighttoaccessherpersonaldata.88Ontheotherhand,the datacontrollerisalsoobligedtoprovideallofthisinformation inanunderstandableandlegiblemanner.89However, provid-ingmoreinformationand,inparticular,moredetailed infor-mationwillalsomakeitharderforconsumerstounderstand. Eveniftheinformationisframedinalegibleandsimpleway it willremainvirtuallyimpossible foraconsumertoderive anyactualmeaningfromhavingaccesstoalloftheirGoogle search queries,previously watched Youtube videos,Google Mapslocations,andalloftheotherdatapointswhichGoogle processes.Ineffect,adatacontrollercanoverloadaconsumer withdata,essentiallyreducingtransparencybyincreasing in-formation.Asaresult,thedatasubjectwillstillbeunableto determinewhichactionsorwhichdatapointsledtohim be-ingplacedinacertaincategoryforthepurposesoftargeted advertising.
Ultimately,whiletheGDPRcontainsanumberofmeasures intendedtoensurethattheconsumerisfullyinformed re-gardinganydataprocessingthatmighttakeplacefortargeted advertising purposes,these measuresare difficult to effec-tivelyinvokeinpracticeandwillnotontheirownsolvethe in-formationasymmetriesonthedata-drivenmarket.TheGDPR alsoleavesapointedcatch-22:byrequiringDDCstogivethe consumermoreinformationabouttheprocessingactivitiesit willalsomakeitincreasinglytime-consumingandcomplex forconsumerstoachieveacomprehensiveunderstandingof thedataset.Onbalancetheinformationasymmetriesandthe abilityofconsumerstomakeinformeddecisionswill there-forebroadlyremainthesame.
85J.GerardsandR.Nehmelman(n32),p.49.
86Article29WorkingParty,‘GuidelinesonAutomatedIndividual
Decision-Making and Profiling for the Purposes of Regulation 2016/679’ <https://ec.europa.eu/newsroom/article29/document. cfm?action=display&doc_id=49826>accessed 28 February 2019, p.25.
87ibid.
88‘Regulation(EU)2016/679oftheEuropeanParliamentandof
theCouncilontheProtectionofNaturalPersonswithRegardto theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2),arts.13– 15.
89ibid.,art.12.
3.2. Profilingandautomateddecision-making
AshasbeendiscussedinSection2,theinformation asymme-triesinthedata-drivenmarketprimarilyariseoverthecourse andforthepurposeofbehavioral targeting:thecreationof personalinterestprofiles.Assuch,itisnoteworthythatthe GDPRalsohasanumberofprovisionsspecificallyregulating profiling.
Art.22GDPRestablishestherightnottobesubjectedto de-cisionsbasedsolelyonautomateddecision-making,ifthose decisionsproducelegaleffectsorsimilarlysignificantlyaffect thedatasubject.90Whilethisprovisionisphrasedasaright forthedatasubject,itisinterpretedasaprohibitionimposed onthedatacontroller.91Forthepurposesofthisarticle,art. 22GDPRcanbesummarizedas:DDCsmaynotmake signifi-cantdecisionsaboutconsumerswithoutsomeformofhuman involvement.
Sinceart.22GDPRisframedasanindividualright,itdoes notmakeanypronouncement onthe profilingofgroups.92 Thispoorly reflectscurrent DDC practice,however, as pro-filingalgorithmsare programmedspecificallytofirstdefine groupsofsimilarpeople,whichareassumedtostaythesame overtime,andsubsequentlyplacenewindividualsintothese groups.93Whilethedecisiontoplaceanindividualinacertain groupbasedonheranalyzedbehaviorwouldbecoveredbyart. 22GDPR,theunderlyingdecisionsidentifyingspecificgroups andassigningcharacteristicstothemarenotcaught.Thiswill makeitdifficultfordatasubjectstochallengebase assump-tionsofthedecision-makingprocess.Hasthealgorithm accu-ratelydefinedthegroupsinwhichitiscategorizingindividual users,andaretheattributesithasassignedtoitsgroupsfair? Themorechallengingandfundamentalquestion regard-ingart.22GDPR,however,isexactlywhendecisionsare suffi-cientlysignificanttotriggeritsprotection.Firstandforemost, art.22GDPRcoversthosedecisionswhichproducelegal ef-fectsforthedatasubject,suchaswhenamunicipalitytakes adecisiononwhetherornottograntgovernmentbenefitsto aperson.94However,themorechallengingandthemore rel-evantelementisthatdecisionswhichdonotstrictlyhavea legaleffect,butstillsignificantlyaffecttheconsumerina sim-ilarway,arealsocaught.95Anexampleofthiscouldbethe
90ibid.,art.22;HKranenborgandLFMVerhey,DeAlgemene
Veror-dening Gegevensbescherming in Europees En Nederlands Perspectief (WoltersKluwer2018),p.220.
91Denis Kelleher and Karen Murray, EU Data Protection Law
(BloomsburyProfessional2018),p.224.;Article29WorkingParty, ‘GuidelinesonAutomatedIndividualDecision-Makingand Profil-ingforthePurposesofRegulation2016/679’(n86),p.19– 20.
92DimitraKamarinou,ChristopherMillardandJatinderSingh(n
84),p.96– 97.
93ToonCaldersand Indr˙eŽliobait˙e,‘WhyUnbiased
Computa-tionalProcessesCanLeadtoDiscriminativeDecisionProcedures’ inBartCustersandothers(eds),DiscriminationandPrivacyinthe Information Society: Data Mining and Profiling in Large Databases (Springer2013),p.46.;ToonCaldersandBartCusters(n46),p.31– 38.
94Article29 WorkingParty,‘GuidelinesonAutomated
Individ-ualDecision-MakingandProfilingforthePurposesofRegulation 2016/679’(n86),p.21.
95‘Regulation(EU)2016/679oftheEuropeanParliamentandof
decisiononwhetherornottograntinsurancecoveragetoa person.96Itisasofyetuncertainhowbroadlytheterm “simi-larlysignificantlyaffect” mustbeinterpreted.97TheArticle29 WorkingPartyitselfhasstruggledwiththis,offeringthe fol-lowingrathercircularexplanationinitsoriginaldraftofthe GuidelinesonAutomatedDecision-making:“Fordata process-ingtosignificantlyaffectsomeonetheeffectsoftheprocessingmust bemorethantrivialandmustbesufficientlygreatorimportanttobe worthyofattention.”98TheupdatedversionoftheGuidelines re-movesthisphrasingandaddssomeusefulexamples,butstill acknowledgesthatitisdifficulttobepreciseaboutthescope oftheterm“significantlyaffects”.99
This question is particularly relevant for automated decision-making and profiling fortargeted advertising pur-poses.Forexample,thedecisionwhethertograntaloanisa decisioncomparabletodecisionshavingalegaleffect,100but doesart.22GDPRalsocoveraskingahigherpricefrom cer-tainindividualsascomparedtoothers,orthedecisionnotto showcertainadvertisementsorjobofferstospecificgroups ofpeople?Insurancecompaniescoulddecidenottoadvertise topeoplewhoseinterestprofilesincludemotocrossormixed martialarts.Inthisscenario,theabilityofthoseconsumersto getinsuredhypotheticallyremainsasis,buttheywillnotbe offeredthesamediscounts,effectivelychargingthemahigher price,ortheymay notbealertedtosomeproductsatall.If suchanoutcomeistheresultoftheadvertisingalgorithms, theyhavestillbeensubjectedtoautomateddecision-making whichaffectsthemandtheirabilitytochooseinsurers.The Article29WorkingPartyalsoenvisionsanumberof scenar-iosinwhichtargetedadvertisingmayleadtoasignificant ef-fectonthedatasubject.Factorscouldbetheintrusivenessof theprofilingactivities,thewaysinwhichtheadsare deliv-ered,exploitingknownvulnerabilitiesofaperson,orraising thepricingforcertainindividualstoapointwhereitbecomes prohibitive.101Nevertheless,theprecisepointwheretypical targetedadvertisingbecomesadecisionbasedsolelyon au-tomatedprofiling,significantlyaffectingthedatasubjectina mannercomparabletoadecisionhavinglegaleffect,remains unclear.
theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2),art.22;KranenborgandVerhey(n90),p.220.
96ArnoudEngelfriet,LisetteMeijandPeterKager(n78),p.106–
107.
97DimitraKamarinou,ChristopherMillardandJatinderSingh(n
84),p.99;Article29WorkingParty,‘GuidelinesonAutomated In-dividualDecision-MakingandProfilingforthePurposesof Regu-lation2016/679’(n86),p.21– 22.
98Article29WorkingParty,‘GuidelinesonAutomated
Individ-ual Decision-Making and Profiling for the Purposes of Regu-lation2016/679’<https://ec.europa.eu/newsroom/document.cfm? doc_id=47742>accessed18March2019;viaKelleherandMurray (n91),p.225.
99Article29WorkingParty,‘GuidelinesonAutomated
Individ-ualDecision-MakingandProfilingforthePurposesofRegulation 2016/679’(n86),p.21– 22.
100ibid.
101ibid.,p.22.WhiletheArt.29WorkingPartydoesnot
explic-itlyacknowledgethis,itcanbearguedthatusingpsychological profilingtechniques,suchasthosementionedinSection2.2,may uncoverpsychologicalvulnerabilitiesofanindividual,whichcan beexploitedthroughadvertisingtechniques.
Whiletheabovemainlyaddressestheuseofpersonal pro-files forthe purposes oftargetedadvertising under art. 22 GPDR,thereremainswithintheGDPRanotherextremely fun-damentalissuewithpersonalprofiles.Namely:their classi-fication.WhiletheGDPRexplicitlyacknowledgesthat behav-ioralprofilesconstitutepersonaldata,102itisnotimmediately clearatwhatpointtheywillalsobelongtothespecial cate-goriesofpersonaldataofart.9GDPR.Thisprovisionoffers specialprotectiontodatawhichrevealsrace,ethnicity, reli-gion,sexualorientation,health,and otherequallysensitive typesofdata.103Itcanbearguedthatsufficientlydetailed per-sonalprofilesalsoencompassthesetypesofdata.For exam-ple,searchqueriescanrevealanindividual’shealthconcerns orherneedformedication.Inaddition,whilephotographsdo notautomaticallybelongtothespecialcategories,theycan nonethelessqualifyas“biometricdata” iftheyarebeing pro-cessedthroughtechnicalmeansforthe purposesof identi-fication.104 Facialrecognitiondata,forinstanceforthe pur-posesofrecommendingwhichfriendstotaginapostedgroup photo,couldthereforequalifyasbiometricdata.105Assuch,it ishighlyprobablethatmanyDDCsalreadyprocessa substan-tialamountofsensitivedataprotectedunderart.9GDPR,and shouldthereforebeconformingtothestrictersetofrulesthe GDPRdemands.
Eveniftheinputdataitselfwouldnotbeprotectedas sensi-tiveinformation,theinferencesdrawnfromitduringthe pro-filingactivitiescanleadtooutputswhichbelongtothespecial categoriesofart.9GDPR.106Metadataalonecanindicatecalls withadoctororpsychologistandanindividual’ssexual orien-tationcouldbededucedfromlocationdataovertime, brows-inghabits,andpotentiallyfrommanymoresources.The Arti-cle29WorkingPartyinitsGuidelinesonAutomated Decision-making cites a study, alsoreferenced in note 57 above,in whichFacebookLikeswereusedtoaccuratelypredictsexual orientation,ethnicity,religion,andpersonalitytraits.107While humanbeingsmaynotbeabletomaketheseconnectionsat firstglance,ifsufficientlyadvancedalgorithmsusesuchdata asinputstheywillbeabletomakehighlyaccurate determi-nations.
However,theGDPRdoesnotanswerthequestionofwhen abehavioralorinterestprofilebecomesaccurateandspecific
102‘Regulation(EU)2016/679oftheEuropeanParliamentandof
theCouncilontheProtectionofNaturalPersonswithRegardto theProcessingofPersonalDataandontheFreeMovementofSuch Data’(n2).Art.4(1).
103ibid.,art.9.
104European Data Protection Board, ‘Guidelines 3/2019 on
Processing of Personal Data through Video Devices’ <https: //edpb.europa.eu/our-work-tools/public-consultations/2019/ guidelines-32019-processing-personal-data-through-video_en> accessed6November2019.,p.15– 16.‘Regulation(EU)2016/679 oftheEuropeanParliamentandoftheCouncilontheProtection ofNaturalPersonswithRegardtotheProcessingofPersonalData andontheFreeMovementofSuchData’(n2),Recital51.
105EuropeanDataProtectionBoard(n104),p.17.
106LilianEdwardsandMichaelVeale,‘SlavetotheAlgorithm:Why
aRighttoanExplanationIsProbablyNottheRemedyYouAre LookingFor’[2017]DukeLaw&TechnologyReview18,p.37.
107Kosinski,StillwellandGraepel(n57);viaArticle29Working
Party,‘GuidelinesonAutomatedIndividualDecision-Makingand ProfilingforthePurposesofRegulation2016/679’(n86),p.15.