For-profit tech companies want to make as much money as possible, and that in itself is understandable; they are businesses after all. But making money can’t come at the expense of users’ privacy. For example, companies that rely on advertising create privacy-busting algorithms to maximize profits. These algorithms collect your personal information, use it to predict buying behavior, and then show you the most enticing ads possible. Also, as an internet user, you can expect that there will always be a digital warehouse of personal information about you online, and that warehouse’s inventory will go up every time you use a popular social media or other indispensable application. expand. These warehouses store and provide all kinds of details about you, no matter how big or small.
All of this data can be turned into commodities. Some merchants use data to get you to try their new line of sneakers, others to keep you glued to their app and never leave. No matter what their conversion goals are, merchants are not particularly transparent about the process of where they collect your information from and how it is used.
In all fairness, tech companies’ privacy policies have come a long way, like giving users more opportunities to opt out of data collection and sharing, and starting to write such policies in easier-to-understand language. But tech companies will need to do more to consciously invest in privacy safeguards for essential data processing needs, while eliminating redundant and risky data practices.
Companies should join or encourage the establishment of independent multi-stakeholder organizations with accountability mechanisms covering all areas where company activities may cause or contribute to digital rights harm.
Commit to and implement strong digital rights governance
Companies demonstrate their commitment to protecting and respecting freedom of expression and privacy by publishing strong digital rights policies. These commitments must be backed up by establishing board oversight and comprehensive due diligence mechanisms to identify potential privacy implications of company operations across the board, and to ensure that companies do their best to protect users’ digital rights. To this end, companies should take the following actions.
One is to conduct due diligence on digital rights. Companies should conduct comprehensive due diligence on all aspects of their business that may affect users’ digital rights. The scope of digital rights impact assessments should be expanded to include government regulations and requirements; enforcement of own policies (including the accuracy and impact of decisions to qualify content); development and deployment of algorithmic systems and targeted advertising. In each area, companies must make clear that they need to assess the impact on freedom of information, privacy, and non-discrimination (a commitment to giving equal opportunities to any individual without prejudice to anyone). Companies should significantly enhance existing due diligence, including feeding it back into senior leadership decision-making, and contracting with independent third parties who can guarantee quality.
The second is to strengthen the supervision of digital rights. A company’s board of directors should directly oversee risks related to user security, privacy, and freedom of speech and information. To this end, board members should include those with expertise and experience in issues related to digital rights. Boards should also ensure that due diligence, remediation procedures and stakeholder engagement are sufficiently effective to address and mitigate digital rights impacts and risks.
The third is to strengthen the commitment to privacy management. Companies should implement effective management and supervision to address the risks to user privacy posed by actors who may obtain user information (whether legal or illegal). A commitment should be made to protect and advance strong encryption standards and notify users in the event of a data breach. Finally, accessible, predictable and transparent grievance and redress mechanisms should be provided to ensure effective redress for violations of privacy.
The fourth is to engage with affected stakeholders. Companies should engage with individuals and communities most at risk of digital rights violations. They should actively incorporate the voices of those most vulnerable. They should work with these individuals and groups to establish new procedures for identifying risks, mitigating harm, expressing grievances and providing meaningful remedies, and developing terms of service and enforcement mechanisms that maximize the protection and respect of the rights of all users. Finally, companies should join or encourage the establishment of independent multi-stakeholder organizations with accountability mechanisms covering all areas where company activities may cause or contribute to digital rights harm.
Fifth, provide effective grievance and redress mechanisms. When users’ privacy or other rights are violated while using a company’s platform, services or devices, they need to be able to report the harm and seek redress. Companies must provide clear notice and a credible path to appeal and resolution.
Companies should disclose comprehensive and systematic data and other information that enables users, as well as researchers, policymakers, investors, civil society, and other third parties, to clearly understand how platforms and services limit or shape behavior, assess and mitigate risks, and How to provide remedies to users. The company needs to do the following two aspects.
One is to publish transparency reports on the implementation of its rules. Such reports should be published regularly, reporting what types of restrictions the company has implemented and why. Be transparent about the data they collect about users, the beneficiaries of the data, how companies develop and use algorithms, and what companies are doing to combat misinformation.
The second is to demonstrate a solid commitment to safety. Companies should implement privacy policies in all markets in which they operate, providing the highest possible protection and equal respect for the digital rights of all users. It should disclose as much as possible whether and to what extent industry standards for encryption and security are being followed, conduct security audits, commit to proactively informing the public about data breaches, monitor employee access to information, and educate users on how to guard against threats.
Give users meaningful control over their data and inferred data about them
Transparency is the first step towards increasing user autonomy, but there are other specific steps companies can take to give users meaningful control, including giving users clear choices about not only whether and how their data will be used, but whether first The data is collected and for what purpose. Companies should take the following actions.
One is a commitment to data minimization and explicit disclosure of collected data. Companies should clearly disclose to users the entire lifecycle of their information—from collection, use, sharing, to retention and deletion—and explain the purpose for which the information was collected and shared. Companies should only collect data that is necessary to achieve clearly stated purposes. Companies should clearly disclose any data collected from or shared with third parties and how that data was obtained.
The third is to allow users to choose to agree, not to force them to opt out. Companies should provide users with the information they need to give meaningful consent to how their data is managed. Whenever companies aim to use personal data to develop their algorithmic systems, targeted advertising, or other components of their business, they should make users opt-in rather than hold them accountable for opting out, and make clear how they can do so.
Take responsibility for harm caused by algorithms and targeted advertising
Companies should maximize transparency in the development and deployment of algorithmic systems and targeted advertising, publish and continuously update their policies to clarify where and which rules are used, and publish digital rights protections related to both areas relevant data.
One is to demonstrate the accountability of the algorithm. Companies should commit to following international human rights standards when developing and using algorithms. They should also publish comprehensive policies describing how algorithms are used and developed in their services. These policies should be reinforced by explicit disclosure of the role that algorithms play in key areas of company operations. If automation is used in any way to enforce company policy, these should be included in the company’s transparency report. If the algorithm is used in a field with widely recognized salient risks, such as in a ranking or recommendation system, the company should clarify the variables that affect the algorithm and provide users with accessible means to control the use of the algorithm.
The second is to admit the company’s targeted advertising behavior. Companies should publish advertising content and targeting policies that not only dictate which ads are allowed and which are not, but how companies can detect rule violations and enforce those rules. The use of targeted advertising systems should be supported by a robust digital rights due diligence process, which should also be assessed for bias and potential discriminatory effects. Companies that serve ads to users on the platform should publish a common, publicly accessible paid ad library on the platform, including relevant targeting parameters. They should also report ads removed for policy violations.
Today, it can be argued that if you use an Internet-connected device, then you generate data, and that data isn’t just floating around in cyberspace. Instead, it is carefully exploited by a system of hardware, software, and services. In the past, with default opt-in settings and non-negotiable privacy policies, the acquisition of user data cost little to tech companies but was widely capitalized as a commodity.
We know there are many reasons why a handful of giants control such a large slice of the digital economy, but there is no doubt that leveraging user data is an important one. However, this status quo is rapidly changing. Charges against Big Tech in recent times have come from two directions: privacy enforcement and antitrust investigations. So, don’t take privacy issues lightly.
Concerns about the monopoly and misuse of user data by big tech companies are growing every day. If tech giants fail to effectively self-regulate, there will always be public pressure and real-world events that force them to do so.