Reform social media, part IV: Personal privacy and data protection regulations

Personal privacy and data protection regulations for social media

Summary: An ongoing problem with several social media platforms is that they’re designed to monitor and manipulate what people can see or experience online. That’s because the goal is to keep users on these sites for as long as possible—namely, by commodifying their attention, collecting their private data, and feeding them click-bait ads or viral content.

Unfortunately, an unintended consequence of this design is that it can incentivize online outrage and harmful disinformation. Why? Because what keeps people online is often what generates more outrage, and what generates more outrage needn’t have any relationship to what’s true. What’s more, this online outrage and disinformation can fuel hate speech (and sometimes dangerous speech too).

One plausible solution to this problem is to enhance personal privacy and data protection regulations on social media, which could put a reasonable check on how these platforms can monitor and manipulate users online. In particular, such regulations would need to embody at least three general principles:

  1. Quantitative limits on how much private data social media companies can collect
  2. Qualitative controls to restrict how outside parties may access and use collected data
  3. Some degree of individual control over personal information
How should personal privacy and data protection regulations apply to social media? [Image Source: Anthony Quintano from Honolulu, HI, United States, CC BY 2.0, via Wikimedia Commons]

Social media’s discontents: online outrage, harmful disinformation, hate speech

As discussed in the prior parts of this article, there’s an ongoing problem with several social media sites. To recap, many of these sites are designed to monitor and manipulate what people can see or experience online. The goal, of course, is to keep users on these sites for as long as possible—namely, by hijacking their attention, harvesting their private data, and selling access to the data—in order to target those users with click-bait ads and viral content.

Unfortunately, an unintended consequence of this design is that it incentivizes a lot of online outrage and harmful disinformation. Why? Because what keeps people online is often what generates more outrage. And what generates outrage need not have any relationship to what’s true.

Not surprisingly, one result is an endless amount of outrageous and erroneous content online. What’s more, this online outrage and disinformation often feeds into harmful speech, including hate speech, and sometimes dangerous speech too (i.e., speech intended to incite violence).

Granted, when it comes to screening and removing dangerous speech, content moderation will have to be part of the solution. But using content-moderation practices to indefinitely censor other forms of speech—including any form of conceivable hate speech—even if it sounds good in theory, just hasn’t worked well in practice. The question is, what would help reduce hate speech, not to mention all the online outrage and disinformation behind it, on social media?

A plausible solution: enhanced privacy and data protection regulations

Here, we’ll discuss one plausible solution: implementing policies or laws that enhance personal privacy and data protection regulations for social media.

By protecting people’s personal information and regulating how social media sites can harvest our private data, such policies could put a reasonable check on how these platforms are able to monitor and manipulate users online. That, in turn, might help reduce (or at least disincentivize) online outrage and disinformation that feeds into hate speech on social media platforms.

Here’s how we might think about this challenging, but necessary, regulatory task.

Principles of personal privacy and data protection regulations

Let’s start with some of the general policy principles behind personal privacy and data protection regulations. There are at least three to mention.

Policy principle #1: quantitative limits on data collection

The first principle—perhaps the most obvious—is quantitative limits on how much private data social media companies can collect. The goal would be to limit the amount of personal information that could be collected from social media sites. That way, individual users do not, in effect, lose their right to privacy online.

An example of this policy principle in action would be the European Union’s General Data Protection Regulation (GDPR).

The E.U. has a notable history of leadership on personal privacy and data protection regulations. In fact, its Charter of Fundamental Rights guarantees the protection of private data (see Title II, Article 8). So, it’s no surprise that the E.U.’s General Data Protection Regulation (GDPR) created what’s now seen as the gold standard for data privacy.

GDPR: E.U. takes the lead on protecting private data

The GDPR (passed in 2016, and in effect by May 2018) updated a previous E.U. data protection law, known as the Data Protection Directive (in effect since 1995). The GDPR is based on seven data privacy principles that apply to companies doing business within the E.U.:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

These principles are based on a simple idea. People have a right to know if their private data was collected and by whom. Thus, the law defines the parameters for collecting and handling private data. In a sense, it takes an Occam’s Razor approach by limiting how much private data companies are allowed to collect.

The GDPR also requires transparency and accountability when it comes to how companies handle private data. For instance, in the event of a data breach, companies must report what happened within 72 hours. And they may face fines for mishandling the data.

Since the GDPR applies to all E.U. members, all companies—including social media companies—will need to comply with its rules to do business in Europe. Granted, some companies might scale back from doing business in the E.U., at least temporarily, for this reason. However, the writing is on the wall, and eventually other countries may adopt similar rules.

Hence, because of the GDPR—and in anticipation of impending regulations elsewhere—many companies, such as Microsoft, have begun to implement personal privacy and data protection practices on their own. Social media companies may need to follow suit as well.

Policy principle #2: qualitative controls on collected data

Another principle—which follows logically from the previous—is qualitative controls that restrict how outside parties can access and use collected data. In this case, the goal would be to prevent outside parties from accessing and using private data without consumer consent.

An example of this policy principle would be the personal privacy and data protection regulations enacted in California. They’re part of the California Consumer Privacy Act (CCPA).

CCPA: California responds in Silicon Valley’s backyard

The CCPA (signed into law June 2018, and in effect by January 2020) tries to restrict outside parties from accessing and using private data without someone’s consent. Under this law, people can also request that companies delete their private data from company records. Moreover, people may file complaints for violations of privacy with the state attorney general.

Of course, the law isn’t perfect. For instance, the process for requesting data deletions under CCPA can be daunting. It involves contacting companies individually and filling out potentially long request forms.

Comparatively, the CCPA resembles GDPR, but there are subtle differences. For example, the basis for consent under the CCPA requires people to opt out of letting companies collect their private data, whereas the GDPR has people give their consent by opting in. Regarding what private data is protected, the GDPR protects personally identifiable information, while the CCPA includes some behavioral data too, such as browsing history.

At the very least, the CCPA may be a starting point for personal privacy and data protection regulations. Hence, the law was supported by organizations like the American Civil Liberties Union (ACLU)—an organization that advocates for civil rights—and the Electronic Frontier Foundation (EFF)—an organization that advocates for online privacy.

Meanwhile, the EFF has recommended strengthening CCPA to include opt-in consent (like the GDPR) and stronger accountability mechanisms that would make it easier for people to sue companies that do not respect privacy. In other words, the EFF advocates for making online privacy a fundamental right. Which brings us to one more policy principle.

Policy principle #3: individual control over private data

Yet another principle—not as obvious, but just as important—is giving individuals control over their private data. After all, personal privacy and data protection regulations aren’t simply about keeping non-public information to ourselves. They’re also about having some degree of control over our own personal information, so that it’s not misappropriated.

(This is especially important for private data that could affect our professional or personal reputations in adverse and unexpected ways.)

The main idea behind this policy principle is seeing online privacy as a fundamental right. To be sure, laws like the CCPA have partly put this policy principle in action by requiring companies to obtain consent to collect, access, and use people’s private data. Nevertheless, these laws could also include a policy that would empower people to sue for privacy violations.

Examples of this policy principle include proposed legislation like the Consumer Online Privacy Rights Act (COPRA) and the Consumer Data Protection Act (CDPA).

COPRA and CDPA: seeing online privacy as a fundamental right!

Passing comprehensive data privacy legislation in the U.S. looks more promising lately. For instance, both Democratic and Republican lawmakers have introduced bills that would provide stronger personal privacy and data protection regulations, including COPRA (which is modelled on the GDPR) and CDPA (which is similar to the CCPA).

Legislation like COPRA would codify online privacy as a fundamental right, giving citizens greater control over their private data. Meanwhile, it would shift the burden to secure the data to companies, including social media companies. According to the EFF, COPRA could also empower individual citizens to bring civil suits against companies that violate privacy rights. Moreover, the law would not preempt stronger state laws on this matter.

Likewise, the CDPA would obligate parties that collect private data, such as social media companies, to act as good stewards of the data. Such companies would need to make transparent exactly what data they collect, and they’d be accountable for the data they share with third parties. They also must implement data protection practices to safeguard people’s personal information online.

To date, the State of Virginia has passed a version of this law, and other states may soon follow.

Beyond personal privacy and data protection regulations

In sum, there are policy principles that can help restore privacy, including online privacy, as a fundamental right. While these policy principles apply especially to social media, they’re also relevant to nearly all aspects of online life today. As one senator wrote in a notable white paper, “Potential Policy Proposals for Regulation of Social Media and Technology Firms”:

Social media and wider digital communications technologies have changed our world in innumerable ways. They have transformed the way we do everything from shopping for groceries to growing our small businesses and have radically lowered the cost of, and barriers to, global communication. The American companies behind these products and services – Facebook, Google, Twitter, Amazon, and Apple, among others – have been some of the most successful and innovative in the world. As such, each of them deserves enormous recognition for the technological transformation they have engendered around the world. As their collective influence has grown, however, these tech giants now also deserve increased scrutiny.

Nonetheless, even if we get personal privacy and data protection regulations on social media, another problem could remain on these platforms. In short, it’s the fact that social media platforms are also designed, at least in part, to be highly addictive.

Therefore, in addition to personal privacy and data protection regulations, we’ll need to support ethical design practices in social media. Which brings us to the final part of this article series, where professional ethics meets technology design in social media.
