The following was submitted to the Australian competiton authority:
Outlined below is MOW’s viewpoint on risk-based approaches to data protection and entails our response to the Proposed Industry Codes for the Online Safety Act 2021. Our views on this issue relate to impact on market competition, the lack of proportionality in penalties for non-compliance, as well as user
functionality.
Market competition.
The issue raised by restricting responsible data exchange is essentially that the largest technology companies have access to far more input data to power their business solutions than smaller businesses. It is in the interest of Google, Apple, Facebook and others to restrict responsible data exchanges and thereby capture as much business as possible.
Despite the attempts made by legislators and policy makers to create a system that protects individuals
and supports digital businesses, their best endeavors have been undermined. For example, GDPR was
intended to support a greater number of businesses’ responsible use of Personal Data. Claiming
compliance with GDPR Google has changed its system and benefited from the changes it made. Before
the regulation came into force, Google, for instance, shared granular, user-level data with advertisers
under the Google Data Transfer system. This was used in competing business solutions such as
attribution, media mix modelling, fraud detection, etc. Those businesses then carried an obligation to put
in place appropriate safeguards. Google has stopped supplying such data claiming it cannot trust third
parties. Meanwhile Google continues, of course, to use the end users’ personal data it has collected across its platforms for its own business solutions: Data Transfer was replaced with Ads Data Hub, whereby Google keeps control over its Google ID and others are denied access to it. [1]
Thus, structurally, it is questionable whether the GDPR has had a significant impact on improving overall
data privacy. The majority of end user generated internet traffic is derived from people using handsets
supplied by manufacturers using Google’s Android operating system or Apple devices where Google
Search is the main gateway. Google’s contracts fail to adequately safeguard end user privacy as they do
not specify the particular uses for the data being gathered. [2]
The system that has now developed is one where, between them, Google and Apple act as the gatekeepers to the web. The idea of having to request permission from Google to gain access to interoperable data runs contrary to the founding principle of the internet, which was designed to be a place for permissionless innovation. This idea, that a permissionless and open internet, already under huge strain, is being splintered by one-size-fits-all legislation is convincingly made by Mark Nottingham, Geoff Huston, and Martin Thomson in their complaint against the Industry Codes for Australia’s Online Safety Act 2021 [3], which proposes to apply a regulatory framework developed for large tech companies to small business and private citizens. However, the same principle applies here – uniform regulation of the tech sector invariably hands the competitive advantage to only the largest players.
Given the considerably greater capacity of these companies to collect data directly from consumers,
allowing this information to only be exchanged among those major players and chosen customers, (as
with Customer Match) [4] serves to reinforce their market power.
Disproportionate impact of penalties.
Mark Nottingham et al also make the point, that the notion of making individuals and non-commercial
bodies perform the same compliance duties as trillion-dollar companies is not proportional. Similarly,
fines for GDPR infringements are an entirely different prospect for different companies. Failure to justify
the legitimacy of data use carries a penalty of up to 20 million euros or 4 percent of a company’s
worldwide annual revenue, whichever is higher. With an annual profit in excess of $100 billion, for
Google this equates to nothing more than a slap on the wrist. It is simply a small cost of doing business. [5] For all smaller rivals, these penalties for non-compliance are business critical. As a consequence, it is clearly the case that smaller businesses who have so much more to lose, have a greater need to comply. According to a PwC report, on average, firms spent $1.4 million preparing for GDPR regulation. [6]
This reality means that major tech platforms not only have competitive advantage from brand familiarity but also benefit from their huge balance sheet strength and lower non-compliance risk.
Big Tech platforms have taken the approach of defining for themselves what constitutes “privacy,” using “Privacy Fixing” as a competitive strategy. [7]
User functionality.
Our final point is based on the principle that digital advertising using de-identified data for real-time
decisioning and aggregations of data for batch-mode analysis does not necessarily need to be at odds with social responsibility. Responsible exchange of data can be a simple win-win, where the privacy of
specific individuals is protected by appropriate privacy-by-design measures, among which is reliance on
pseudonymisation.
Reasonable risk assessments of data collection are needed. This is because banning non-harmful data use
would harm all businesses and undermine the market system. Since information is central to all
commerce, more relevant information about user demands, if only in aggregate and on an anonymized
basis, is nevertheless vital for product development, differentiation, and is a driver of innovation by all
businesses.
Ad-funded models are often preferable to direct payment for access to digital services. Ad funding means
consumers get services that are free at the point of use. Such ad-funded services do not discriminate
against those with lesser financial means. Advertising also informs and connects consumers to products
they might like. Simply put, the more data that can be exchanged responsibly and subject to privacy by
design safeguards, the greater the diversity of free services to users at the point of use.
Before concluding that user A’s interest in a pen is somehow sensitive information that must be shielded
from pen manufacturer B, the more relevant question is how we can continue to support this innocuous
use of information. The harms of overregulation are plain to see for small businesses, who, due to their size, must rely on more partners than larger rivals who can afford to build data-driven software in-house.
The harms of overregulation are plain to see for marketers, who would otherwise see costs of marketing increase, which would indirectly be passed onto consumers. Most importantly, the harms of overregulation are plain to see for consumers, who would otherwise merely see a substitution of which organisation performs business processing – and often by one that advertises how it links their identity to
monetize its services (e.g., again, Google’s Customer Match).
[1] See What is Ads Data Hub? | Croud Digital Marketing Blog
[2] See page 189 of the CMA’s 2020 Market Study into Online Platforms and Digital Advertising. Google’s ‘Privacy Reminder’ lists the ways information is processed by Google and why it is processed, but it ‘does not clearly state up front what types of personal information might be shared and that this will be used for personalised advertising’. The CMA also found that the ‘choice architecture’ and ‘positive framing of the language’ encouraged users to volunteer more information.
[3] See, in particular, page 4 of Nottingham et al’s submission. submission (mnot.net)
[4] See Google’s explanation of Customer Match, which helps businesses reach customers across Search, Shopping, Gmail, YouTube, and Display: Your guide to Customer Match – Google Ads Help
[5] Especially given their notorious avoidance of paying corporate tax commensurate with their immense earnings and the comparative position of smaller local businesses
[6] See report: GDPR-Infographic-design-v4 (insight.com)
[7] See page 58-9 of the Texas AG’s suit against Google which documents meetings between Google, Facebook and others where this strategy was discussed and adopted: Texas vs Google 20201216_1 Complaint (Redacted) (2).pdf
Header image courtesy of creative commons (free to use under the creative commons license)