University of Liverpool graduate Pritpal Kaur Bhambra discusses how ever more powerful tech companies are using our data
In today’s digital age, many of us are devoted to the online realm. We rely on the web for social interactions, financial transactions, work and entertainment. Yet, as we become more intertwined with technology, our personal data is being collected, tracked, and potentially exploited without our consent or understanding. As governments and corporations collect our personal data, do any of us have privacy? This growing intrusion upon our digital activity has created the urgent need for online consumers to become more aware of how their data is used. This will allow consumers to maintain their privacy in the digital space. If the disappearance of privacy is not addressed, many will likely be subjected to corporate surveillance without their knowledge. If this happens, digital ecosystems, rather than regulatory organisations, will redefine privacy in a digital space, potentially leading to an abuse of power.
Despite numerous marketing techniques to lull users into a false sense of security, online retailers and application providers could be more transparent in their commitment to user privacy. Currently, more clarity is needed on what expectations users have towards their perceived privacy and the distorted privacy they obtain. Moving from physical surveillance cues to a digital environment, there are growing concerns that tracking technologies facilitate the “unwanted gaze”. The UK’s regulator for data protection and information rights, known as the Information Commissioner’s Office (ICO), monitors companies and ensures they comply with data protection legislation. These standards are compliant with the European Convention on Human Rights (ECHR) which safeguards citizens’ fundamental freedoms. Nevertheless, it has become apparent over time that stronger regulations could be enforced to minimise loopholes when collecting data.
Turning to the Privacy and Electronic Communications Regulations 2003 (PECR), this UK regulation sets out the rules for protecting user privacy. The PECR regulates email and text marketing, tracking technologies such as cookies and service providers who handle electronic communications. As more people interact with each other online, the PECR’s relevance increases. This regulation helps protect users from unwanted marketing or intrusive tracking as well as providing a framework for businesses and service providers to comply with to enhance user trust. Regulation 6(1) of the PECR prohibits service providers from accessing a user’s data unless the user has been provided with and has consented to “clear and comprehensive information” about the data’s purpose. This demonstrates that the law acknowledges privacy is complex and is thus concerned with users exercising their right to several normative values such as self-determination, agency, and autonomy.
Regulation 6 of the PECR places the individual’s privacy at the heart of its principles. This notion aligns with Apple’s stated commitment to user privacy as a “core value” and a “fundamental human right”. Yet, according to Apple’s latest UK Transparency Report, Apple transferred 78% of its data requests to the government. Under the law, Apple states that its Transparency Report is limited to “disclose what…data may be sought through these requests”. Although Apple is in compliance with the law, it is difficult for users to understand whether these requests were necessary and proportionate as no context was given. Thus, policymakers should aim to minimise regulatory loopholes and strike a balance between public and private interests so that tech giants are unable to redefine privacy.
Moreover, the recent example of over 2.6 billion iCloud records leaked by hackers in two years raises concerns about how secure users’ data actually is. Although this statistic is alarming, Apple’s Senior Vice President of Software Engineering states that they will “keep finding ways to fight back on behalf of our users by adding even more powerful protections.” Accordingly, Apple’s innovative design features illustrate its proactive engagement with user privacy. For example, “In 2005, Safari became the first browser to block third-party cookies by default.” Since then, Apple has introduced Intelligent Tracking Prevention, which minimises third-party tracking when using the Safari browser. This illustrates that Apple’s claims towards enhancing user privacy are supported. To maintain its influence as a market monopoly for electronics and services like Apple News and Apple Music, Apple must go beyond innovating hardware design to protect data privacy. This will ensure its transparency mirrors its active commitment towards safeguarding consumers.
While Apple has made significant strides in enhancing user privacy, as seen in its proactive design features, there are broader concerns about how an ethical dilemma may arise if companies do not comply with regulations. The tensions between consumer choice, brand reputation, and regulatory compliance highlight the importance of ensuring that companies not only meet privacy standards but are also being transparent with their customers. Consumers may feel inclined to choose a service provider which promises to protect user privacy. However, consumers should have the freedom to choose their own electronic devices independently without unconscious bias. If consumers trust a company’s privacy claims without checking these assertions are true, this may create an unfair advantage for well-known brands. These popular companies may benefit from consumer trust, even if they do not fully uphold their privacy claims. In turn, a company’s marketing claims on safeguarding consumer privacy can affect competition law as consumers may favour well-known brands without knowing if their data is truly protected. In 2018, Anita Allen, Professor of Law and Philosophy at the University of Pennsylvania, explored how technology impacts normative values such as privacy, autonomy and self-determination. As a result, Allen encourages the idea that ethics should “complement…the law, rather than undermine…it” when addressing data privacy and shaping societal norms and values.
In addition, market monopoly Facebook demonstrates how it has made significant changes to protect user data. Two months after Facebook’s pledged compliance with privacy regulations, the Facebook-Cambridge Analytica scandal revealed that Facebook harvested 87 million users’ data without their consent in 2018. This scandal led to increased public awareness on safeguarding data privacy and placed an emphasis on tighter regulation. Mark Zuckerberg, CEO of Facebook, acknowledged a “breach of trust” had occurred and promised to “ban developers that had misused personally identifiable information”. Consequently, Facebook would “learn from this experience to secure our platform…and make our community safer”.
While Facebook’s response to the Cambridge Analytica scandal demonstrated an acknowledgement of the privacy breach, it also highlighted the ongoing challenges of ensuring privacy in the digital age. This scandal raised questions on the effectiveness of self-regulation and the need for stronger oversight. Computer scientists such as Tim Berners-Lee stress the importance of the ICO providing the benchmark for regulation compliance. This standardisation will help prevent companies from redefining privacy as this undermines the PECR. If self-regulation is “managed by big business[es] rather than…the electorate, we lose diversity and get a less democratic system.” Zuckerberg’s comment in 2016 that “[t]he age of privacy is over” suggests tech corporations may not prioritise privacy or have the public interest at the forefront of their innovations. As such, it is uncertain whether users can trust that their data is safe and will be able to rely on legal protection.
Turning to newer, trending retailers, Temu publicly demonstrates its commitment to data protection by not selling data to third-party companies. However, there have been allegations that Temu’s referral scheme proposes consumers trade their data such as their photo, opinions, and location for worldwide advertising purposes in exchange for £50. Alarmingly, this scheme would undermine Temu’s commitment to user privacy and the effectiveness of Regulation 6(2) of the PECR. Consumers do not know the purpose of this disproportionate data collection, who is accessing it and for how long. This implies that the user’s sanctity of home and private life has likely been violated under Article 8 of the ECHR. Subsequently, in light of recent events, Temu has now changed its terms and conditions because “they were overly broad and inadvertently included promotional uses that Temu does not engage in.” As a result, it has been made clear that Temu only uses “username and profile pictures in promotion for referral functionality and winner announcements.” Therefore, regulators like the ICO should refrain from the light-touch approach of self-regulation to prevent retailers finding loopholes which inadvertently violate consumer privacy and undermine PECR regulations.
Whilst it is not surprising that online retailers and application providers publicly display their commitment to user privacy, greater transparency is needed. On balance, it is evident that dominant service providers aim to protect privacy rights. However, their shortcomings towards PECR obligations suggest there may be a trade-off between protecting users’ vulnerable data and companies prioritising their competitive position in the market. At present, it seems there is a power imbalance between users, corporate entities, and the State. The current regulation is not entirely flawed; however, stronger regulatory oversight will help limit quasi-regulatory power and strengthen the effectiveness of the PECR. Therefore, when service providers engage in unfair competition or systemic surveillance, there should be calls for a regulatory response so “that the Society we build with the Web is of the sort we intend.”
Pritpal Kaur Bhambra is a University of Liverpool law with a year abroad graduate, currently pursuing the BTC with an integrated master’s at BPP University.
The Legal Cheek Journal is sponsored by LPC Law.