How can we build trustworthy commerce beyond GDPR alignment?
This is a key question I am working on as leader of the Ethical Commerce Alliance (ECA), an initiative addressing current and future ethical challenges in the digital world. The alliance evolved from Empathy.co’s vision and values to create technology that puts humans and their digital rights at the centre, not the data. Overall, the ECA aims to extend our core principles beyond company boundaries, setting a new tone for a more ethical use of personal data.
I dove into this topic of trustworthy commerce beyond GDPR with academic and industry experts in Berlin, Germany, as part of ECA’s Ethical Commerce Series. Through this event series we hope to explore a brighter, more ethical future for commerce, opening up the conversation to a diverse audience and encouraging positive change. A huge thank you to Empathy.co’s partner, foryouandyourcustomers, for hosting our Berlin event!
On the panel, we welcomed:
- Dr. Daniel Guagnin, head of the research group Network & Society at the Nexus Institute for Cooperation Management and Interdisciplinary Research.
- Katja Rausch, founder of the House of Ethics, a platform to exchange questions around ethics in data, medicine and business.
- Carissa Véliz, Associate Professor in Philosophy at the Institute of AI & Ethics, Fellow at Hertford College at Oxford University and the author of Privacy is Power.
Privacy as a fundamental right
Our discussion began with a keynote from Daniel, who spoke about privacy protection beyond compliance. He examined the definition of privacy and ethics from a sociological point of view through the lens of an insightful analogy: a truck versus a pedestrian. Intrigued? Stay with me and you’ll see in the video at the end!
A deeper exploration with the panel
Privacy violations can have far-reaching consequences across many areas of our lives. When we are shown different results by different sources on the internet, depending also on the devices we use and the locations we access them from, that creates an information asymmetry with intended or unintended consequences. For example, this can lead to different credit ratings, unequal job opportunities and much more.
Minimal compliance means adhering to GDPR regulations, but it does not keep companies from exploiting dark patterns in cookie banners. This means banners are designed to compel people to consent, rather than to clearly present a choice to accept or decline cookies and explain what that entails for the usage of your data.
Our panel discussion extends these ideas and explanations, treating protective legal policies as equally important as the protection of each individual’s right. In other words, it sets the individualistic view of what you can do yourself to protect your privacy as part of your identity online against what the regulatory framework should look like to safeguard people’s data. This also ties into who is responsible and can be held accountable to ensure this security.
The conversation offers some ideas and tips on how to increase your own individual security on the internet. These are small steps that everyone can take, but they can have a huge effect.
From the individualistic view, in order to make sound decisions, we need some kind of autonomy which we can obtain through information. However, that can hardly be found because ‘privacy policies are notoriously vague’, as Carissa Véliz points out. Even if you do read and fully understand them all, you still do not know where your data is stored and for how long, nor who has access to it, let alone to whom it can be sold. So the effects on your life — like applying for a loan, a job, an apartment — remain opaque.
These knowledge asymmetries result in power asymmetries, with power in the hands of companies who hold your data. In consequence, we have to learn more about data and what companies do with it, while at the same time ensuring those companies know less about us by protecting our privacy better.
This we can do, but actually, this is not enough. From a systemic view, and given the way the GDPR was built, individuals should not have to reject cookies all the time. The system should be set up in a way that offers better solutions to protect the individual’s data points. One example is the NOYB lawsuits to enforce GDPR. Another step lies in the hands of companies, whose responsibility it is to enforce privacy protection.
Key takeaways: The future is private
Every data point a company stores about you is actually a liability, a leak that can easily result in a lawsuit. The simple solution would be not to store any personal data in the first place.
We wrapped up our conversation with the shared vision to be more ambitious and optimistic about future endeavours in protecting our data. With the ECA, we are focusing on actions to take from many sides: from laws, companies and individuals. This fundamental shift in the tech industry from privacy violations to privacy protection is key to a more collaborative, respectful society on and offline.
And now, you’re invited to grab your favourite film snack and watch the recordings of the panel and keynote. Click on the images below to see the videos on YouTube. I hope you enjoy them, and the comments are open for your thoughts.