By: María Paula Ángel*
In 2013 Cullen Hoback produced and launched the documentary “Terms and Conditions May Apply” (2013), in which he crumbles the content of the Terms and Conditions and Privacy Policies that we usually accept off guard prior to using, accessing, or installing platforms or applications such as Facebook, Google, or Amazon. During the 80-minute documentary, Hoback wonders if those policies are not about protecting privacy at all, but rather, taking it away. This is because by simply clicking “I Accept” we basically allow those companies to collect the information that we supply about ourselves (and the companies automatically collect) and legally use it to enhance their digital marketing efforts by applying targeted advertising and to provide it to third-parties, including law enforcement authorities.
Five years later, those activities, as well as the ones of profiling, automated decision-making, and data commercialization that can also be found in most of the current policies of the data-driven companies—and even in public policies—keep drawing a worrying scenario for the right to privacy and related freedoms of netizens in every single country around the world. However, today the real reach of the aforementioned Terms and Conditions and Privacy Policies is not the same for everyone. In particular, it depends on where on the Globe you are located.
In the European Union, the General Data Protection Regulation (GDPR) recently went into effect. Having been formulated to balance the protection of privacy with the economic development and innovation, the GDPR is a radical update of the rulebook for the digital age. Even though it does not ban any of the activities that are being currently practiced by corporations to extract economic value from data, it does regulate and limit their reach. In particular, it includes new data holders’ rights, such as the right to object the processing of personal data for direct marketing. Likewise, it establishes the right not to be subject to a decision based solely on automated processing of data (without human intervention) that may significantly affect the data holder. Moreover, within the responsibilities that apply to the companies the GDPR includes the obligation to take, both at the time of the determination of the means for processing data and at the time of the processing itself, appropriate technical and organizational measures that may ensure data protection. Similarly, it requires companies to ensure that, by default, only personal data, which are necessary for each specific purpose of the processing, are processed.
Unlike the European Union, most of Latin American Privacy Statutes are poorly updated for the digital age. Except for Chile, who has established the right to opt out of direct marketing, and Argentina and Mexico, who have regulated the automated decision-making, most of the countries in the region are not well suited to cope with the activities stated in those Privacy Policies, and therefore, are unable to limit them. This, due to the fact that their Privacy Statutes were formulated to regulate the processing of structured databases, and not to tackle the risks that come along with Big Data and Data Analytics. Therefore, they do not even mention problematic practices such as profiling, nor they include possible safeguards such as the pseudonymisation or the right to be de-indexed. And actually, this vulnerability to the digital age seems even worse in the case of countries such as Colombia, where we have a Data Protection Authority that has no human rights perspective, and much less technical capacity to hold data-driven companies accountable.
In practice, the Latin American lack of adequate protection manifests itself in the possibility of banks using credit algorithms to decide whether to grant a loan or not, without any intervention by someone with the authority and competence to change the decision. Likewise, it reflects on the possibility that any data-intensive company has to profile its Latin American users focused on characteristics such as ethnicity, gender, religion, or sex. Another example is the possibility that any app in your smartphone has to collect data—such as photos and contacts—that is unnecessary for providing a specific service—such as a flashlight—just to sell it later to data brokers. This gives them the freedom to make collection and sharing, and not privacy, the default.
In their Privacy Policies some companies such as Uber and Netflix recognize that the practices described are subject to the applicable laws of the places where they operate. Therefore, they state that they will only participate in the practices defined in their Terms and Conditions and Privacy Policies if they are allowed in that particular country or region. Similarly, Apple states that unless the national law establishes something different—as the GDPR actually does—it will consider Internet Protocol (IP) addresses and similar identifiers of your computer as impersonal information, and therefore, data protection will not be applicable to them. But what happens when the national data protection statutes say nothing about those matters? Basically, what proceeds is the application of the universal principle according to which, in the case of private entities, everything is to be understood as permissible until law expressly prohibits it. Given this principle, and existing no legal provision that neither prohibits nor regulates data intensive exploitation practices, Latin American countries seem like a paradise for data exploitation and big analytics innovation, to the detriment of the right to privacy of its citizens.
Fortunately, other companies such as Facebook have decided to offer their users around the world the same privacy controls required under the new European data protection regulation. But it does not seem to be enough to rely solely on the good will of the companies. According to Statista, by October 2017 Google had a market share of more than 90% of the search engine market in Mexico, Venezuela, Argentina, Brazil, Bolivia, Colombia, Chile and Peru. Similarly, in 2018 the number of Facebook users in Latin America is expected to reach 271.1 million. Likewise, in 2018 147.2 million Latin Americans are expected to buy goods and services online. Evidently, Latin America has not been excluded from the digital era. Hence, its Privacy Statutes should neither be excluded from the update process already advanced in the European Union by means of the GDPR. Even, its countries should begin to think of a supranational regulatory harmonization for the region, such as the one that has endowed Europe with greater bargaining power over data-driven companies. And let us hope that this happens soon, before the economic power and the market monopoly of these companies grows more, and it becomes almost impossible to regulate them. Otherwise, for Latin Americans the expression “Terms and Conditions May Apply” will mean much more than just the title of a famous documentary.
María Paula is a researcher at the Center for Law, Justice and Society (Dejusticia).