If You don't provide Your Data, can Companies Refuse to Provide Services?



The Issue: 

        South Korea's Personal Information Protection Commission (PIPC), which is in charge of overseeing privacy rights and enforcement in Korea, fined Meta 6.6 million won on Feb 8 for "allegedly disadvantaging its customers refusing to provide personal information". The PIPC found that Meta had refused to provide services if users did not consent to providing behavioural information, such as records of activities on other online sites. The PIPC ruled that this kind of data exceeds the minimum data required to offer Facebook and Instagram services. Europe had similarly ruled under the GDPR, in a $390M euro fine on Meta, that there was no legal basis for Meta requiring behavioural information to customize advertisements, so this appears to be a general trend in privacy regulation.
        Additionally, the inability of users to choose whether they could refuse to provide their personal information was deemed to violate Korea's privacy laws (namely the Personal Information Protection Act - PIPA). Meta had further made it difficult for users to choose even where there was choice, by providing their privacy policy in a very difficult-to-understand form to users who are creating new accounts. Although Meta defended itself by arguing the revenue generated from customized advertisements enabled the provision of free services and also allowed users to discover content or products they are interested in, this did not meet the PIPC's standard of 'minimum required to provide services'. 

        This brings up the question of whether Korea's PIPA is unique in disallowing the 'refusal of services' by a company if the reason is the user's refusal to provide their data. 

Key Takeaways: 

- Europe, Canada, and Korea all have regulations and laws prohibiting companies from refusing goods and services to a user that refuses to give consent to their data being processed, unless the company can prove such data processing is necessary to provide goods and services. 

- The US does not have such regulation at the federal level, but this is due to the lack of federal privacy regulation in general. States with advanced privacy laws, like California, have prohibitions similar to those of the EU, Canada, and Korea.

- The consumer market is trending towards greater privacy awareness and higher expectations on ethics and privacy standards; in such markets, having strong privacy and ethical standards can be an opportunity for companies to secure loyal users who are more willing to provide data.

Comparing to other major privacy laws: 

        One problematic aspect for companies is that regulatory standards differ in each country or region. For instance, the US generally allows corporate surveillance and gives companies the freedom to monitor users and withhold services, while the EU's GDPR strictly prohibits excessive surveillance unless consent is given. However, when looking at global standards, the trend seems to be leaning towards greater privacy and consumer protections, especially as the risks and fallout of privacy breaches become more widespread and understood. 

Europe? 

        Europe's General Data Protection Regulation (GDPR), the leading example of strong privacy regulation, states that companies cannot make the provision of a service conditional on users giving consent to the processing of their data, unless companies can prove that such processing is necessary. Article 7(4) of the GDPR states that:

  • "when assessing whether consent is freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." - Article 7(4) of the GDPR

In other words, Article 7(4) says that if a company makes a service conditional on the user consenting to their data being processed, and this processing is not necessary to provide the service, then that consent is not deemed to be 'freely given'. Recital 43 of the GDPR further states that:

  • "consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." - Recital 43 of the GDPR 

Recital 43 is in essence saying that users should not suffer detrimental consequences for refusing to provide their consent, since otherwise it would not be 'freely given' consent. Since the GDPR emphasizes that 'freely given consent' is a critical requirement for processing data (unless the company can prove it is necessary to provide services), Article 7(4) and Recital 43 together indicate that companies cannot make the provision of a service conditional on consent to processing personal data (processing here can refer to collection, use, or disclosure), nor can they impose negative consequences on users for refusing to provide that consent. The only exception to this is if companies can prove that the required user data is necessary to provide a service, which, as EU data protection officers have indicated in recent years, does not include the collection of behavioural information for targeted advertisements.

United States and Canada? 

        While there is no federal law in the US that specifically prohibits companies from refusing to provide services to users who do not give consent to their data being collected and processed, a few states have passed state laws that do prohibit such behavior. For example, California's Consumer Privacy Act (CCPA) guarantees consumers the right to opt out of the sale of their personal information to third parties, and prohibits companies from discriminating against consumers that do opt out. This discrimination may be denial of goods or services, providing lower quality of goods or services, or charging a different price to these consumers. Virginia's Consumer Data Protection Act (CDPA) has similar provisions protecting consumers that opt out of data collection and sharing. However, in other parts of the US that do not have such state privacy regulation, companies are generally free to choose whether they provide goods or services to users depending on users' consent to providing their data.

        Canada, meanwhile, follows in the footsteps of the GDPR. The Office of the Privacy Commissioner of Canada (OPC) advises that under PIPEDA (Canada's private-sector privacy law), companies cannot refuse to provide services to individuals simply on the basis of their refusal to provide consent to the collection of their personal data. The only exception to this is, similar to the GDPR, when a company can prove that the personal data is necessary to provide said goods and services. Moreover, PIPEDA requires individuals to be informed of the consequences of withdrawing consent, and although not explicitly stated, the prohibition on discriminating against users for withholding consent likely extends to price discrimination or discrimination on the quality of goods and services provided, since that would go against the principle of 'meaningful consent'.


Conclusion: 

        Overall, data privacy regulations generally prohibit companies from withholding the provision of goods and services, or engaging in other discriminatory behaviour, if the main reason for doing so is the user's refusal to consent to the processing of their data. There are exceptions, mainly when the company can prove that said data processing is necessary to provide goods and services, but precedents such as the EU's $390M euro fine on Meta indicate that it is a relatively high standard which will generally exclude the collection of behavioural data for third party targeted advertising purposes. Even in the US, it is the lack of privacy regulation that allows such coercive company behavior rather than the regulations permitting it; California and Virginia's privacy regulations demonstrate that where strong privacy regulations are enacted, they tend to protect consumers against coercive means by companies to gather more user data than is strictly necessary. Therefore, it is likely reasonable to expect these standards of company behaviour in Canada, the EU, and Korea to be adopted globally in the near future as privacy regulations become globally standardized.

        In addition, complying with existing privacy regulations, or adapting data practices in anticipation of such privacy regulations, should not be viewed as merely a loss for companies, but rather as an opportunity to win consumer trust and loyalty. Surveys have shown that consumers are increasingly expecting stronger privacy rights, withholding their user data from companies they do not trust, and expecting ethical behaviour from companies they provide with user data. For instance, a Cisco report found 76% of Europeans would not make a purchase from an organization they do not trust with their data. Where privacy is such a core expectation, companies that market themselves as privacy compliant and ethically responsible with user data can stand out and become favoured by consumers.




