On 26th July 2019, the Australian Competition and Consumer Commission (ACCC) published a 623-page report relating to the ongoing problems with data protection and data processing by Google and Facebook. It highlights that “Innovation and rapid technological change has transformed the ability and incentive of entities to collect, use and disclose the personal information of Australian consumers in the digital economy.” Specifically, it suggests that companies have now evolved to process data in ways for which the GDPR does not provide sufficient protection.
The main takeaways from the report can be summarised in five points:
“All consumers will be better off when they are sufficiently informed and have sufficient control over their user data, so that they can make informed choices that align with their privacy and data collection preferences.”
Companies like Google and Facebook, as well as Australian banks and internal companies, will need to gain consent through alternative methods to process personal data. Currently, these companies rely heavily on the uncertain processing ground of ‘legitimate interests’. This ground has been described by S.S. Rana & Co as a ‘loophole in the GDPR’ and a barrier to its proper implementation.
Furthermore, the mechanisms companies currently use to gain consent, such as click-wraps, have been written to leverage platforms’ bargaining power and deepen information asymmetries. This prevents consumers from providing meaningful consent. If the ground of legitimate interests were removed, and click-wraps were formally legislated as insufficient, society may see companies forced to use more transparent consent mechanisms or face significant fines.
Given that society is moving towards consent as a necessary basis for processing, and click-wraps are being held as insufficient, there is a gap in the market for a technology that has freely given consent built into its architecture.
“changes to laws which give consumers greater control over their personal information […] are needed”
Self-Sovereign Identity is a technology which puts the ability to process personal data into the hands of the end-user. The personal data is, by default, stored and controlled by the individual, on their mobile device. Therefore, if a company wants to use someone’s personal data and store it, there must be explicit and freely given consent from the device of the user. The individual also has the ability to revoke personal information they share with companies at the touch of a button.
It is therefore contended that this movement to an extended and defined version of the GDPR could open the door to technologies such as self-sovereign identity. The Digital Platforms Inquiry will not be the last of its kind, and as such, companies should begin looking beyond the GDPR and build real privacy by design into their data management architecture, such as the consent approach used in self-sovereign identity.