GDPR is a missed opportunity for real privacy protection

The European Union’s well-publicized General Data Protection Regulation that went into force on May 25 is a much-needed update to its 1995 Data Protection Directive and in many ways a substantial improvement.  As leading privacy scholar Daniel Solove says it provides a “blueprint for protecting data that is more thorough and complete than nearly any other privacy law…”

Unfortunately, it did not update its core premise of protecting privacy through a right of individuals to control their own data.   

Individual control of data is not effective

Under U.S. law, financial institutions, doctors and websites produce privacy notices that no one reads.  The existing EU cookie directive requires websites to notify visitors that they use cookies, but people click through or ignore them. Privacy law scholar Woodrow Hartzog’s recent book, Privacy’s Blueprint,  contains many illustrations of how control mechanisms fail to protect privacy. Consent fatigue simply wears people down and makes them ignore the messages designed to protect them.

In GDPR, the EU had an opportunity to respond to this recognized failure with a creative new approach.  Instead, the EU doubled down on consent, requiring an affirmative indication of agreement before organizations can collect information.

One result was the blizzard of consent notices in our inboxes over the last month or so. Since consent conditions have changed, everyone who operates a mailing list that might contain European contacts has sent an unsubscribe notice.  

Some U.S. publishers temporarily have prevented Europeans from accessing their websites, for fear of running afoul of these new consent rules. Ad networks and publishers dispute who should be responsible for collecting the new affirmative consents for targeted ads.

Over time these transition issues will sort themselves out.  But enterprises will still have to manage cumbersome and expensive consent mechanisms that consumers will continue to treat as distracting irritants.

The privacy lessons of Cambridge Analytica and the Golden State Killer

Even rational and fully informed consumers cannot choose to protect themselves from privacy harms, because their safety does not depend solely on their own actions.  Their privacy depends in large part on what others reveal about themselves.

That’s one lesson of the Cambridge Analytica episode.  Researchers at Cambridge University created a Facebook app that asked users to share their Facebook profile data and answer some psychological questions from a standard personality questionnaire.  They used the answers to create user personality profiles.

The researchers had millions of records linking psychometric scores and Facebook data that allowed astonishingly accurate predictions about Facebook users. Even if some people were careful about disclosing race, sexual orientation and political leanings, others were not.  This allowed the researchers to predict those sensitive facts  that people had not disclosed from less intimate facts that they had revealed.

Cambridge Analytica developed a similar psychological test.  Perhaps a couple of hundred thousand people took it, but inferences revealed the politically salient preferences of millions of potential votes.  Despite the dispute about whether their model was accurate or effective, it is clear that models like it could be used to influence the voting behavior of people who had never revealed their political views. 

Here’s another example.  California law enforcement officials recently identified a suspect in a series of rapes and murders from the 1970s and 1980s. To locate this “Golden State Killer,” they matched DNA from the original crime scenes with genetic data that been uploaded to a publicly available genetic information matching site. But the information in the website was not the suspect’s.  He had not disclosed his genetic information.  The genetic information in the data base came from his relatives who had voluntarily chosen to put it there.  Unbeknownst to the killer, his family provided the genetic clues that enabled law enforcement to track him down.

As these cases show, even if some people practice perfect data hygiene, personal information can be gleaned using other available sources.  People can still be indirectly harmed through political manipulation or exposure of individual genetic weaknesses. We can all think of ways to protect information privacy in these cases, but none of the effective measures depend on individual control.

Protecting privacy is like protecting the environment

Protecting privacy cannot be done on an individual basis because people are linked to each other through biological, psychological and social similarities and relationships. These similarities are how science itself has always worked.  What is new is the extent to which observation and inference based on these similarities are unavoidable in today’s digital world.

For years, privacy advocates and scholars have noted the limits of individual data control. In 2009 comments to the Federal Trade Commission, the privacy advocacy group World Privacy Forum said, “Even the most information conscious, privacy-sensitive consumer cannot escape being profiled through careful information habits.” 

These profiles can be used for good – to identify people with undiagnosed illness or at risk of failing in school without extra help or likely to commit a terrorist act—as well as evil.  But they cannot be eradicated or controlled by individual choice.  Even if ordinary consumers could be persuaded to pay close attention to data collection practices, which is unrealistic, they will still be subject to indirect information leakages like the ones in Cambridge Analytica and the Golden State Killer cases.

I drew attention to these information externalities in a 2011 law review article.  Recently privacy scholars Karen Levy and Solon Barocas have begun work on a taxonomy of these privacy dependencies where information about one person reveals information about others.  

The ability of data analytics to draw increasingly accurate inferences from easily available data means that these externalities and dependencies will not be rare freakish curiosities.  They will be ubiquitous elements of everyday life.

In such an interconnected world, sole or predominant reliance on consumer control over information will be even less effective than it has been in the past.  Despite the missed opportunity in GDPR, all of us—privacy scholars, industry representatives, advocates, and policymakers—need to focus on better ways to protect people from real privacy harms.