Data breaches in the age of surveillance capitalism: Do disclosures have a new role to play?

Abstract

The rise of big data has led to profound changes to the dynamics of accumulation and profiteering. Today, data is captured, produced, and reproduced with such regularity that its collection, utility, and value can go largely unnoticed, giving rise to “surveillance capitalism” (Zuboff, 2019a). This paper explores emerging forms of exploitation within the data economy, including the rise of “instrumentarian power” (Zuboff, 2019a), opacity surrounding data collection and use, and the impact of data breaches on our capacity to function within the information economy. We consider whether new forms of extended responsibility reporting may help to disrupt the trajectory of surveillance capitalism and democratise participation in the digital economy (Crawford, 2021). We draw on the accounting literature on organisational disclosures to consider whether the disclosure of data breaches might enhance accountability by making aspects of the surveillance economy knowable to us. Empirically, our analysis considers the various rules currently governing the disclosure of data breaches in Australia, the US, the EU, and Canada, and the application of these rules in practice. While regulation of the digital economy is developing, laws governing the disclosure of data breaches are highly dependent on an organisation’s judgement. As a consequence, the nature, scale, and timeliness of these disclosures vary significantly, and the lack of clear routines makes it difficult for stakeholders to assess data risks. In response, we consider whether a mandatory disclosure framework might contribute usefully to the public “naming and taming” of surveillance capitalism (Zuboff, 2019a) and the democratisation of our digital future.