Abstract
Through qualitative analysis of the policies of two major global information intermediaries — Google and Microsoft — and related case studies, this paper demonstrates a) that intermediaries' participation in self-regulatory programmes and implementation of privacy principles does not necessarily translate into meaningful privacy safeguards for users in the face of growing private surveillance capacity; and b) that within the EU and US self-regulatory frameworks, information intermediaries have discretionary power to set their policies and practices prioritising strategic interests over privacy commitments. Discussions in this paper complement existing studies on the implementation of privacy principles stipulated in Fair Information Practices (FIPs) by enhancing understanding about the role of information intermediaries in defining privacy conditions of users within self-regulation.
Highlights
Privacy has become one of the most contested public issues in internet policy, and information intermediaries such as Google, Facebook, and Microsoft are at the forefront of defining privacy conditions of users via their data collection, processing and dissemination practices
In exploring the implementation of notice and choice framework as a case study into information intermediaries’ behaviour, this paper has highlighted that despite growth in privacy awareness and a number of policy changes, information intermediaries have not reduced the amount of data they collect and process about users
Policy changes towards notice and choice and privacy controls are all positive developments but they have not affected intermediaries’ surveillance and subsequent implications for anonymous expression and privacy risks. They may have enabled intermediaries to justify their ever-growing data processing activities based on the idea that users agree to their privacy terms
Summary
Privacy has become one of the most contested public issues in internet policy, and information intermediaries such as Google, Facebook, and Microsoft are at the forefront of defining privacy conditions of users via their data collection, processing and dissemination practices. In spite of existent critique on the insufficiency of self-regulation to protect privacy (Gellman & Dixon, 2011; Lee, 2003; Rubinstein, 2011; Scott, 2015), regulators and data protection authorities in the EU and US have put their faith in a new Privacy Shield programme, which has replaced the EU-US Safe Harbor Agreement (ITA, 2016) In light of these developments, in this paper, I seek to demonstrate that despite participating in self-regulatory frameworks, taking on privacy commitments, and evolving corporate policies towards FIPs, information intermediaries’ do not offer meaningful privacy protection to users. IP addresses and unique hardware numbers can be combined with other data such as search logs and browsing details to reveal the identity of hardware owners and sensitive information about them (DPA, 2010; Tene, 2008)
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
