How Policy Is Failing to Secure Privacy on Platforms

Roslyn Mae Layton; Anders Hansen Henten

How Policy Is Failing to Secure Privacy on Platforms

Roslyn Mae Layton, Anders Hansen Henten (Redaktør)

Publikation: Working paper/Preprint › Working paper › Forskning

127 Downloads (Pure)

Abstract

There is an important policy effort underway in the United States to evaluate consumer privacy legislation for the digital age. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) are suggested by many as the “gold standard” or “floor” for privacy regulation. Those frameworks would be warranted if in fact the they delivered the expected outcomes. However, as has been shown in the 18 months since the promulgation of the GDPR, the revenues and market shares of the largest internet companies have increased; many small firms have lost market share or have exited the market; and consumer trust online has reached its lowest point in the European Union since 2006. Moreover, the adoption of the GDPR is associated with a number of unintended and negative security consequences including the blocking of public information in the WHOIS internet protocol database, identity theft through the hacking of the Right to Access provision (Article 15) and other provisions, and the proliferation of network equipment with security and privacy vulnerabilities. 1 As this paper describes, the key problem is that policymakers have characterized every online entity as the equivalent of a global platform and imposed regulations meant for the largest players on everyone. Complying with the expensive and onerous rules has thus, unwittingly, become an advantage for the largest companies and has strengthened their market position to the detriment of small and medium sized firms which were promised a ”level playing field” as a result of the rules. It is estimated that less than half of all applicable firms comply with the GDPR and many believe they will never be able to comply. Given the size and scale of the platforms, there is a tendency to overdo privacy and data protection regulation when the issues implicated are more correctly addressed with antitrust.2 A review of the regulatory history, assumptions, and theory is helpful to inform the policy development.

Originalsprog	Engelsk
Udgiver	Center for Communication, Media and Information technologies (CMI), Electronic Systems, Aalborg University Copenhagen
Antal sider	25
ISBN (Elektronisk)	978-87-7152-103-0
Status	Udgivet - dec. 2019

Navn	CMI Working Paper
Nummer	18

Bibliografisk note

CMI Working Papers provide a means of early dissemination of completed research, summaries of the current state of knowledge in an area, or analyses of timely issues of public policy. They provide a basis for discussion and debate after research is completed, but generally before it is published in the professional literature.
CMI Papers are authored by CMI researchers, visitors and participants in CMI conferences, workshops and seminars, as well as colleagues working with CMI in its international network. Papers are refereed before publication. For additional information, contact the editors.
Editor: Anders Henten, co-editor: Jannick Sørensen.

Emneord

Policy
Platforms
Privacy

Adgang til dokumentet

704720_cmi_working_paper_18Forlagets udgivne version, 443 KB

AUB Link

Søg efter materialet i Aalborg Universitetsbiblioteks søgemaskine

Citationsformater

@techreport{88211534026541ac90344c802619b124,

title = "How Policy Is Failing to Secure Privacy on Platforms",

abstract = "There is an important policy effort underway in the United States to evaluate consumer privacy legislation for the digital age. The European Union{\textquoteright}s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) are suggested by many as the “gold standard” or “floor” for privacy regulation. Those frameworks would be warranted if in fact the they delivered the expected outcomes. However, as has been shown in the 18 months since the promulgation of the GDPR, the revenues and market shares of the largest internet companies have increased; many small firms have lost market share or have exited the market; and consumer trust online has reached its lowest point in the European Union since 2006. Moreover, the adoption of the GDPR is associated with a number of unintended and negative security consequences including the blocking of public information in the WHOIS internet protocol database, identity theft through the hacking of the Right to Access provision (Article 15) and other provisions, and the proliferation of network equipment with security and privacy vulnerabilities. 1 As this paper describes, the key problem is that policymakers have characterized every online entity as the equivalent of a global platform and imposed regulations meant for the largest players on everyone. Complying with the expensive and onerous rules has thus, unwittingly, become an advantage for the largest companies and has strengthened their market position to the detriment of small and medium sized firms which were promised a ”level playing field” as a result of the rules. It is estimated that less than half of all applicable firms comply with the GDPR and many believe they will never be able to comply. Given the size and scale of the platforms, there is a tendency to overdo privacy and data protection regulation when the issues implicated are more correctly addressed with antitrust.2 A review of the regulatory history, assumptions, and theory is helpful to inform the policy development.",

keywords = "Policy, Platforms, Privacy",

author = "Layton, {Roslyn Mae} and Henten, {Anders Hansen}",

note = "CMI Working Papers provide a means of early dissemination of completed research, summaries of the current state of knowledge in an area, or analyses of timely issues of public policy. They provide a basis for discussion and debate after research is completed, but generally before it is published in the professional literature. CMI Papers are authored by CMI researchers, visitors and participants in CMI conferences, workshops and seminars, as well as colleagues working with CMI in its international network. Papers are refereed before publication. For additional information, contact the editors. Editor: Anders Henten, co-editor: Jannick S{\o}rensen.",

year = "2019",

month = dec,

language = "English",

series = "CMI Working Paper",

number = "18",

publisher = "Center for Communication, Media and Information technologies (CMI), Electronic Systems, Aalborg University Copenhagen",

type = "WorkingPaper",

institution = "Center for Communication, Media and Information technologies (CMI), Electronic Systems, Aalborg University Copenhagen",

}

TY - UNPB

T1 - How Policy Is Failing to Secure Privacy on Platforms

AU - Layton, Roslyn Mae

A2 - Henten, Anders Hansen

N1 - CMI Working Papers provide a means of early dissemination of completed research, summaries of the current state of knowledge in an area, or analyses of timely issues of public policy. They provide a basis for discussion and debate after research is completed, but generally before it is published in the professional literature. CMI Papers are authored by CMI researchers, visitors and participants in CMI conferences, workshops and seminars, as well as colleagues working with CMI in its international network. Papers are refereed before publication. For additional information, contact the editors. Editor: Anders Henten, co-editor: Jannick Sørensen.

PY - 2019/12

Y1 - 2019/12

N2 - There is an important policy effort underway in the United States to evaluate consumer privacy legislation for the digital age. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) are suggested by many as the “gold standard” or “floor” for privacy regulation. Those frameworks would be warranted if in fact the they delivered the expected outcomes. However, as has been shown in the 18 months since the promulgation of the GDPR, the revenues and market shares of the largest internet companies have increased; many small firms have lost market share or have exited the market; and consumer trust online has reached its lowest point in the European Union since 2006. Moreover, the adoption of the GDPR is associated with a number of unintended and negative security consequences including the blocking of public information in the WHOIS internet protocol database, identity theft through the hacking of the Right to Access provision (Article 15) and other provisions, and the proliferation of network equipment with security and privacy vulnerabilities. 1 As this paper describes, the key problem is that policymakers have characterized every online entity as the equivalent of a global platform and imposed regulations meant for the largest players on everyone. Complying with the expensive and onerous rules has thus, unwittingly, become an advantage for the largest companies and has strengthened their market position to the detriment of small and medium sized firms which were promised a ”level playing field” as a result of the rules. It is estimated that less than half of all applicable firms comply with the GDPR and many believe they will never be able to comply. Given the size and scale of the platforms, there is a tendency to overdo privacy and data protection regulation when the issues implicated are more correctly addressed with antitrust.2 A review of the regulatory history, assumptions, and theory is helpful to inform the policy development.

AB - There is an important policy effort underway in the United States to evaluate consumer privacy legislation for the digital age. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) are suggested by many as the “gold standard” or “floor” for privacy regulation. Those frameworks would be warranted if in fact the they delivered the expected outcomes. However, as has been shown in the 18 months since the promulgation of the GDPR, the revenues and market shares of the largest internet companies have increased; many small firms have lost market share or have exited the market; and consumer trust online has reached its lowest point in the European Union since 2006. Moreover, the adoption of the GDPR is associated with a number of unintended and negative security consequences including the blocking of public information in the WHOIS internet protocol database, identity theft through the hacking of the Right to Access provision (Article 15) and other provisions, and the proliferation of network equipment with security and privacy vulnerabilities. 1 As this paper describes, the key problem is that policymakers have characterized every online entity as the equivalent of a global platform and imposed regulations meant for the largest players on everyone. Complying with the expensive and onerous rules has thus, unwittingly, become an advantage for the largest companies and has strengthened their market position to the detriment of small and medium sized firms which were promised a ”level playing field” as a result of the rules. It is estimated that less than half of all applicable firms comply with the GDPR and many believe they will never be able to comply. Given the size and scale of the platforms, there is a tendency to overdo privacy and data protection regulation when the issues implicated are more correctly addressed with antitrust.2 A review of the regulatory history, assumptions, and theory is helpful to inform the policy development.

KW - Policy

KW - Platforms

KW - Privacy

M3 - Working paper

T3 - CMI Working Paper

BT - How Policy Is Failing to Secure Privacy on Platforms

PB - Center for Communication, Media and Information technologies (CMI), Electronic Systems, Aalborg University Copenhagen

ER -