Privacy and data in 2019: We deserve better than surveillance capitalism

Karlin Lillington: Tech companies now face greater legal and regulatory opposition

In terms of privacy and data protection, 2019 was another bumper year of issues, arguments, frustrations and weary resignation, eased by a (very) few reasons to be cheerful.

Where to even begin to understand, much less counter, the seemingly endless ways in which we are watched by Big Tech, little tech, government and law enforcement, all interested in gathering or accessing our personal data?

A significant and welcome answer was offered early in the year with the publication of Harvard emeritus business professor Shoshana Zuboff's massive tome The Age of Surveillance Capitalism. Though lengthy and challenging, the book begins to put a historical context, and analytical language and frameworks, on how we are targeted, and why we feel so relentlessly ground down and helpless. At last, a start towards understanding and critiquing the beast.

She explains in detail how we are where we are because companies like Facebook and Google are adept at redirecting our gaze to a new feature over here or product over there, never letting us get any real sense of how the most minute details of our lives are mercilessly sucked into these data machines, with us then sold on as targeted audience groups to advertisers. Surveillance capitalism is, overwhelmingly, the business model of the internet.


The ways in which this juggernaut of data surveillance operates, even in the most indirect and invisible ways, were highlighted by a story in March, when it was disclosed that some Irish Government sites had embedded trackers gathering data on visitors. But it was not because the web-page developers purposefully placed them there. Instead, they hitchhike in on popular, freely available add-ons with secret trackers tucked away inside their code.

Post-Edward Snowden's disclosures and a year after learning about Cambridge Analytica, more politicians were confident in making the concerns explored by Zuboff key election issues in 2019, as US campaigning for the 2020 presidential election got off to a start. In particular, Democrat Elizabeth Warren called for giant social media platforms to be split up and better regulated.

Facebook's CEO Mark Zuckerberg drew criticism by announcing in autumn that the company would allow lies in political advertising, going against its normal advertising standards.

Regulatory opposition

Meanwhile in Ireland, a cross-party group of politicians hosted the Grand International Committee on Disinformation in the Seanad in November. This body of global parliamentarians heard a wide range of evidence on the platforms (including from me), with special focus on electoral issues, and issued a statement supporting – at least for now – bans on electoral advertising.

Technology companies also faced a growing wave of legal and regulatory opposition during 2019, following high-profile appearances in 2018 by tech company chief executives before US, British and European parliamentary bodies.

In the US, some 50 state attorneys general announced antitrust investigations against Google, while New York state initiated the same against Facebook.

After years of complacency, the Federal Trade Commission (FTC) grew more stern and fined Google/YouTube $170 million for violating children's privacy, and Facebook $5 billion for privacy transgressions. The EU fined Google €1.5 billion over its advertising practices.

Yet, as many critics noted, even a fine of billions is chump change for these powerful, profitable companies.

A much-watched Irish-originating legal case – the so-called Schrems II case, challenging whether companies like Facebook can guarantee EU-level protections to personal data transferred to the US – was finally heard by the European Court of Justice mid-summer, with a guiding (but not binding) opinion offered in mid-December. Businesses and privacy advocates will be watching for the final decision in the new year, but if it follows the guiding opinion, companies will have a high bar to satisfy on data protection.

The court may also decide to reconsider a critical earlier case on the data protection adequacy of the current Privacy Shield US/EU data-transfer agreement.

Back at home, the Government left questions unanswered about two major Irish data-gathering projects with State involvement. In the first case, many queried the reasoning behind a €70 million injection of Irish tax money into GMI, a private Irish genomics company bought by a Chinese pharma and biologics conglomerate that, during the year, also announced a second major pharma investment in Dundalk. GMI wants to gather the DNA of a tenth of the Irish population for private research.

Over the year, global genomics experts and privacy advocates expressed concern about the highly unusual nature of a privatised project that would disclose genomic information on a huge swathe of a national population, rather than having the State invest in a publicly controlled and safeguarded project.

One-stop shop approach

Controversies with the Public Services Card (PSC), which the Data Protection Commission had found riddled with inadequacies and problems in late 2018, also rumbled on throughout 2019.

The State continued to defend the card that the DPC found was used to gather sensitive data without legal basis, and under which data was held for periods longer than needed, and without adequate transparency. In July, UN poverty envoy Philip Alston warned about privacy and potential discrimination issues with the card. But the Government has continued to reject criticisms and refuse to implement the DPC's findings – at least without a direct order to do so.

The lack of such an order was only one of many criticisms levelled against Irish and international regulators. Notably, a Politico article at the end of the year documented growing dissatisfaction with the paucity of regulatory decisions from Ireland and Luxembourg – home to most US tech multinationals – in some long-standing investigations.

The bottom line is whether the General Data Protection Regulation’s one-stop shop approach, which means companies are regulated from their EU base country, is fit for purpose – a consideration likely to carry forward into 2020.

The year ended with an explosive privacy wake-up call in a meticulous data investigation by the New York Times, which tracked the publicly available data gleaned from millions of mobile phones and revealed how virtually every movement we make – even of workers in the Pentagon, and president Trump’s security detail – could be tracked in real time.

Perhaps this one study will put paid to the false argument that if you’ve done nothing wrong, you have nothing to hide, and demonstrate that we all deserve more privacy than we have ceded to technology companies and devices, generally without any knowledge of having done so.

As Zuboff argues, we all deserve better than the endless, secretive, risk-producing, dehumanising encroachments of surveillance capitalism.