How Policy Is Failing to Secure Privacy on Platforms

Research output: Working paper/Preprint › Working paper › Research



There is an important policy effort underway in the United States to evaluate consumer privacy legislation for the digital age. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) are suggested by many as the “gold standard” or “floor” for privacy regulation. Those frameworks would be warranted if in fact they delivered the expected outcomes. However, as has been shown in the 18 months since the promulgation of the GDPR, the revenues and market shares of the largest internet companies have increased; many small firms have lost market share or have exited the market; and consumer trust online has reached its lowest point in the European Union since 2006. Moreover, the adoption of the GDPR is associated with a number of unintended and negative security consequences, including the blocking of public information in the WHOIS internet protocol database, identity theft through the hacking of the Right to Access provision (Article 15) and other provisions, and the proliferation of network equipment with security and privacy vulnerabilities.1 As this paper describes, the key problem is that policymakers have characterized every online entity as the equivalent of a global platform and imposed regulations meant for the largest players on everyone. Complying with the expensive and onerous rules has thus, unwittingly, become an advantage for the largest companies and has strengthened their market position to the detriment of small- and medium-sized firms, which were promised a “level playing field” as a result of the rules. It is estimated that less than half of all applicable firms comply with the GDPR, and many believe they will never be able to comply.
Given the size and scale of the platforms, there is a tendency to overdo privacy and data protection regulation when the issues implicated are more correctly addressed with antitrust.2 A review of the regulatory history, assumptions, and theory is helpful to inform the policy development.
Original language: English
Publisher: Center for Communication, Media and Information technologies (CMI), Electronic Systems, Aalborg University Copenhagen
Number of pages: 25
ISBN (Electronic): 978-87-7152-103-0
Publication status: Published - Dec 2019
Series: CMI Working Paper
