Major online platforms are facing intensifying calls for transparency on how they govern their users’ data. Smaller EU-based platforms such as CPN may have an advantage but need to make sure their privacy measures are up to the task.
On 24 July 2019, Facebook was fined 5 billion dollars by the U.S. Federal Trade Commission (FTC) for violation of their 2012 decree on obtaining consent from users. What is more, the FTC also required Facebook to change its governance structure: the company was ordered to establish an independent privacy committee and compliance officers. The aim of this enforcement action is for Facebook’s data practices to become more transparent and accountable.
Facilitating or shaping?
The accountability of platforms has grown as a theme in public debates about online services. Over the past decades, as platforms became ubiquitous, they have been presenting themselves as mere impartial facilitators - neutral intermediaries providing users, businesses, advertisers, and other parties with the means to interact. We have grown as accustomed to their environments as fish are to water. The composition and architecture of platforms are invisible to us, and yet this architecture steers us, the way a door steers us to enter a room from a certain angle. Choices in software and interface design shape our interactions and influence our responses, and we need to be able to understand how this is done, where this may lead us and who benefits from this.
Accountability is the main principle behind the E.U.’s General Data Protection Regulation (GDPR), but calls are also growing outside privacy-protection circles for platforms to explain and justify their governance of data. Discussions are ongoing on regulations that aim to curtail the distribution of disinformation via social media sites; platforms’ responsibilities to protect intellectual property rights are being reviewed; and competition authorities the world over are looking into the monopolistic effects of imbalances in data collections and data-handling capacities that are making such tech giants as Alphabet, Amazon, and Microsoft invincible in multiple markets.
We should distinguish ‘governance of platforms’ from ‘governance by platforms’, says communication researcher Tarleton Gillespie (2017). While governance of platforms refers to such regulatory interventions as mentioned above, it is the governance by platforms we should investigate more closely. While platforms generally don’t create content, they host, store, organize and distribute the content of others, and they make important decisions about that content. For example, they decide on the distribution of risks and rewards for users, by ordering and presenting content along algorithmically optimized lines and by engaging in regulatory arbitrage. Choices in the architecture of platforms currently turn mostly on corporate strategies and profit motives, even if some platforms express a sense of public obligation.
Translating accountability into practice
While there has been criticism of the ‘leniency’ of the FTC’s enforcement action, it should be commended for paying attention to Facebook’s governance as well: the order to install a privacy committee is aimed at improving governance by the platform, introducing independent oversight and more transparency on the choice architecture. What is as yet unclear in this case is what ‘independent’ and ‘transparent’ mean in practice; who selects the committee members and compliance officers, will reviews and evaluations be published, and what will they include? Nevertheless, this type of enforcement shows promise: we need to start thinking about practical translations of accountability and transparency in order to introduce values beyond profit motives.
In the European Union, the GDPR already requires independent Data Protection Officers at board level to advise on and safeguard the protection of personal data. The European Data Protection Supervisor has called repeatedly for closer collaboration with other supervisory authorities to address issues that surpass personal data protection. The FTC enforcement action may be a baby step, but it is quite possibly leading in the right direction.
What does this mean for CPN and smaller EU-based platforms?
In a sense, smaller EU-based media organizations already have a unique selling point in being less adept at re-using personal data. Moreover, as they are local, they know their communities and truly care. The following recommendations may help boost the privacy-friendliness of their data governance:
Ensure that transparency and privacy become part of the platform DNA.
Smaller platforms will fall under the same regulations, so find ways to conduct automated IP checks and content moderation.
Cut loose from providing the big platforms with even more personal data.
Invest in data governance by appointing a chief data officer, mapping data flows and assigning data governance responsibilities throughout organizational units.