Billions of people throughout the world regularly use services provided by Google. But in order to get access to the services, users must accept Google’s terms. While accepting itself is uncomplicated (just click “I agree”), understanding what one accepts is trickier.
A recently published article in Nordicom Review, “Co-constitutive complexity: Unpacking Google’s privacy policy and terms of service post-GDPR”, discusses privacy issues in terms of uses of Google. Johannes Bjerling, an editor of Nordicom’s journal Nordicom Review, sits down with one of the authors behind the study, Associate Professor Bjarki Valtýsson from the University of Copenhagen.
Johannes Bjerling: Today it may be hard to remember, but there has actually been a time when Google wasn’t around – the company was founded little more than two decades ago. Yet, Google has been tremendously successful, and a consequence is, I would argue, that we are all, more or less, dependent on Google. What do you say, Bjarki?
Bjarki Valtýsson: I agree, and you’re right about the framing of time: sometimes we may feel that “they’ve been there forever”, but they haven’t; in fact, the platforms are quite recent constructions. But while we are not talking about structures that have been around for a very long time, we are nevertheless talking about structures that have changed our societies dramatically. Today, the services provided by the “Big Five” – Facebook, Amazon, Apple, Microsoft and Google – are, to a large extent, integrated in our daily lives. And that creates forceful interdependencies. I mean, it’s difficult for me to even foresee my life without GMail – all practical, mundane information is there: communication with the plumber, with the electrician, with friends, family, etcetera, etcetera…
Johannes Bjerling: However, since they’re all commercial enterprises, we must accept their terms before using their services. And given the dominance of these companies, choosing not to accept their terms puts us in a difficult situation. But how did we end up here? Why haven’t we seen more efficient regulation?
Bjarki Valtýsson: One explanation as to why these “conglomerates” – that’s how I think of them – have been able to get away with so much is that the regulation which was in place when they took off wasn’t really designed for the digital world. Within the cultural industries, there were anti-trust traditions, but they weren’t applicable to the digital world in a straightforward way. In essence, with the “digital world” that emerged, we were grappling with new business models and new technology – technology which we were gaining much from as individuals. So, until they messed things up, they managed to get away with quite a lot. The case of Cambridge Analytica was, however, an eye-opener to many: “So, this is what happens with the data that is being collected; the selling of data is really at the core of their business model”. And now, public opinion has changed; nowadays, more and more people see problems in how personal data has become a currency. Consequently, with changes in public opinion, and some of the problematic aspects having become increasingly evident, regulators, interest organisations, governments and supranational structures – not least the EU – are really getting “into it” – in fact, they have been doing that for several years.
Nowadays, more and more people see problems in how personal data has become a currency.
Johannes Bjerling: I have three aspects in mind that may together explain why efficient regulation hasn’t been easy to achieve: First, when Internet became widely spread in the mid-90s, much of the debate was concerned with possibilities; scholars wrote about deliberative democracy and how the Internet would give voice to those who had previously not been heard, etcetera, etcetera. Second, digital technology has moved, or developed, very fast – Google is little more than twenty years old –whereas legislation takes time. Consequently, legislation will by its nature lag behind. And third, the fact that we’re dealing with global conglomerates does make it all quite complicated. What do you say? Is this accurate? Am I right or wrong?
Bjarki Valtýsson: In terms of the complications, you’re absolutely right. I would argue that diverse forms for communication on the Internet still have great potentials in terms of the points you mention. Dominant platforms are, however, instrumental in establishing and steering how people connect, and these forms for connectivity come at a cost for users. But there are certainly benefits as well. Otherwise, people would not be using them to the extent that they are. Regarding regulation, it took some time for people to figure out how the platforms’ business models actually work, and it quickly became the default model regarding how they make money based on our data. When this increasingly became a regulatory question, the platforms changed strategy. Now, they are actually much more proactive in claiming that they want to be regulated. The problem is that they also, to large extent, try to affect different parts of the regulation process – to their own benefit of course. That being said, things have started to change, and the European Union is now a very active part. GDPR – The General Data Protection Regulation that became applicable in 2018 – is but one example of this.
Johannes Bjerling: Could you, very briefly, explain what the GDPR is?
Bjarki Valtýsson: Yes, very briefly then. Briefly, it is a regulation coming from the EU, and it is meant to protect citizens’ fundamental rights to data protection – that’s one side of it, how it’s meant to protect the rights of EU citizens. However, it also aims to facilitate business within the EU’s digital single market. With regard to the former, what can be called “the citizen level of the GDPR”, it wants to ensure that data processing is fair and transparent and that the collection of data is kept to a minimum. Moreover, it must be clear to us that our data is being collected for specific purposes, and thereby not used in other contexts.
Johannes Bjerling: In your article, you have looked at how Google’s terms of service and privacy policy have developed over time, from 1999 onwards, but you have also looked at how other kinds of documents are interrelated – how, today, there is a jungle of Google texts that one, as a user, should know about and understand. So, what did you find? Has it, as the GDPR aimed at, become easier for Google users to get a clear idea of how their data are being used?
Bjarki Valtýsson: Over time, Google’s terms of service and privacy policy have really not changed very much; in large, the discourse and formulations remain the same as it was before the GDPR. Of course, this is not very surprising – the terms of service and privacy policy must align with the overall business model of the company. Looking at the horizontal intertextuality – that is, the complicated relations between different documents and texts – the complexity has actually increased after the GDPR was introduced. While this may seem paradoxical – after all, GDPR was meant to make things easier for us – it really isn’t so strange: GDPR forces these companies to be clear and explicit, and with the demands for more transparency come more details and definitions.
Johannes Bjerling: So, more information hasn’t really led to better possibilities for citizens to understand what they must accept in order to use the services?
Bjarki Valtýsson: It hasn’t for lay people. For somebody who is not used to reading these kinds of documents and text, it takes quite an effort to understand how the information that Google collects is being used. Today, there are more than 120 hyperlinks in Google’s privacy policy – click on one of them and a new detail appears, for instance, a definition of a given concept. Going through all of these is, to put it mildly, very, very complicated.
For somebody who is not used to reading these kinds of documents and text, it takes quite an effort to understand how the information that Google collects is being used.
Johannes Bjerling: I totally agree with that! But then the GDPR hasn’t really solved what it was meant to. Was introducing the GDPR a failure?
Bjarki Valtýsson: Since it is very difficult to carve out a regulatory framework that is not complicated and complex, I would say that, from a legal perspective, the GDPR is a success. But we are looking at this from the citizens’ perspective, and complexity begets complexity. Faced with more complexity and more detailed demands, Google and other services have reacted in ways that made it even more complicated for citizens to understand how these companies work. So, while citizens are better protected legally, the textual complexity has increased, which can easily make it trickier for users to relate to.
Johannes Bjerling: As we mentioned earlier in our talk, there was much optimism surrounding the Internet and the companies that emerged in the mid-1990s and onwards. But during the last couple of years, public opinion has, to some extent, changed: there are ongoing trials against Google in the US; Facebook is being challenged in Australia; the European Union has taken actions to limit the power and dominance of platform giants – there are probably other examples as well, but what do you think about the future for the digital giants, the “Big Five” as you call them? Will they survive?
Bjarki Valtýsson: That’s really a million-dollar question, but if you look at other industries where monopolies have emerged, companies have been broken up before. However, the situation at hand is in many ways different. The companies we are now talking about constitute much of the infrastructure and backbone for online communication. The platformisation of the web that we have seen during the last decade simply makes this a somewhat different case.
Johannes Bjerling: The platformisation of the web in combination with digitalisation – is that how I should understand you?
Bjarki Valtýsson: Yes. Platformisation and digitalisation come hand in hand and lead to different kinds of interdependencies. While we can problematise the tendency of Google’s search engine to prioritise Google products, there are so many other services that these conglomerates provide and offer. We will therefore definitely have to grapple with these companies in the future – but in different ways in different contexts.
Johannes Bjerling: What you’re studying is very interesting. I know more about it now than I did before talking to you, so thank you very much!
Bjarki Valtýsson: My pleasure – thank you!
Read more
The Open Access article “Co-constitutive complexity: Unpacking Google’s privacy policy and terms of service post-GDPR”, by Bjarki Valtysson, Rikke Frank Jørgensen & Johan Lau Munkholm, was published on 6 May 2021. You can read and download it free of charge here: https://www.sciendo.com/article/10.2478/nor-2021-0033
You can read more about CNIL’s decision to fine Google for not meeting the demands of GDPR here: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
Photo: Unsplash