Beyond legal #17: Planting other trees in the forest
Whether you are a business leader trying to decouple from high-risk vendors, or a consumer trying to protect your family's digital footprint, the strategy is the same. We must stop looking only at the shiny leaves of the apps we use and start understanding the roots. Our mindset needs to be switched to "risk reduction."
Tags: Data protection leadership, Governance, GRC
Tim Clements
2/13/2026 · 4 min read


In my previous post, I wrote that the time has come for data protection and GRC leaders to shine. I suggested that total risk avoidance is currently not an option if you wish to take a European-centric technology strategy. And on a personal level, unless you plan to sit at home on a closed network, emailing your family members using a homelab email server, you will continue to be exposed.
So, if avoidance isn't an option, where does that leave us? It leaves us with risk reduction and strategic decoupling, and to navigate this, we need a better map.
The "Platformisation Tree"
This week, as part of a course I'm on, I have been studying the work of Professor José van Dijck, particularly her book "The Platform Society" from 2018 and her more recent paper, "Seeing the forest for the trees: Visualizing platformization and its governance."
She uses the metaphor of the "Platformization Tree" - this obviously inspired the graphic I've used for this post, though mine is quite different from hers - you'll see this if you read her paper linked to above. It is an interesting visualisation for business leaders and consumers alike because it forces us to look beyond the "leaves" - the apps and interfaces we interact with daily - and stare into the tangled "roots" of the infrastructure.
It is in these roots that the complexity of our dependence on non-European tech lies. And it is in these roots that the "legal" view of data protection often fails to capture the full picture.
The consumer perspective
For the consumer, the sheer size and complexity of this tree can be difficult to take in. But I think we are seeing a shift, because initiatives are popping up in Europe to help people begin navigating this forest so they can make choices.
In Denmark, where I live, there is an initiative called "Danmark Skifter" (Denmark Switches). In other countries there are similar projects. I applaud them as a starting point. They raise awareness and offer actionable steps for people to reduce their dependency on bigtech and, thereby, reduce their own risk.
These initiatives have their critics, but I disagree with them. Following a risk reduction strategy is infinitely better than not attempting one at all, especially when risk avoidance is not an option right now.
I think we must stop treating consumers as if they are too naive to understand complexity. In recent years, people have become capable of understanding that "risk" in data protection is not an abstract compliance score - it is about human rights.
Our personal risk profile varies wildly depending on who we are, for example:
Are you more susceptible based on your sexuality, ethnicity or religious beliefs?
Are you involved in union activities or political movements?
Who do you associate with?
Do you, or a family member, have a criminal past?
Are you in the media spotlight? Are you famous, a celebrity or do you live next door to someone who is?
The amount of data you have provided over the years, combined with your frequency of use, creates a unique personal risk profile. Ultimately, it comes down to your personal risk appetite for yourself and your family. The conversations I've had over the past couple of years indicate to me that people can increasingly navigate these complexities and make choices, provided they can see the forest and the trees.
The Controller/Processor reality
When we move from the consumer branch down to the B2B roots, the transparency vanishes, especially in AdTech.
Data protection professionals have been well aware of the controller, processor, and sub-processor chains for many years. While the role of a sub-processor was not regulated under the 1995 EU Data Protection Directive, it came into sharp focus with the GDPR in 2016, specifically regarding the need for a processor to obtain the controller's written authorisation. In theory, the law is clear: the controller is in charge. In practice, the power imbalance in the "Platform Society" is very significant.
When dealing with the bigtech platforms, their Data Processing Agreement (DPA) is often a "take it or leave it" document. The nuance that often catches people out is the requirement for specific authorisation. This means the controller must approve a particular sub-processor for a particular processing operation.
This is where the "Beyond Legal" mindset is critical. You cannot simply read the contract; you've got to understand the technical reality.
Many data protection professionals use tools like Exodus or Webbkoll, among others, to analyse potential data flows. These are good tools. They might flag a tracker or a potential flow to a US-based sub-processor, but remember the phrase above, "particular processing operation."
Just because a tool detects a library or a script, it does not confirm that the processing operation is active in your company's specific context. The flow might be dormant, or it might not be triggered by the specific user journey you have designed.
These tools are signals for deeper investigation, not a final verdict. They are the start of the conversation, not the end. Many of these tools are freely available online so consumers can also make good use of them.
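As an added illustration (not from the post, and not part of Exodus or Webbkoll), here is a small Python reconciliation of the three sources a data protection team actually has: the hosts a static scan flagged, the requests captured while walking the user journey the company designed, and the sub-processors the controller has specifically authorised per processing operation. All hostnames, operation labels and the first-party domain are constructed.

```python
from urllib.parse import urlparse

# Constructed sample: third-party hosts a static scan (Exodus/Webbkoll style) flagged.
DETECTED_HOSTS = {"analytics.example-us.com", "cdn.tagvendor.example", "ads.example-adtech.com"}

# Constructed sample: sub-processors holding the controller's specific authorisation,
# keyed by (host, processing operation) because the authorisation is operation-specific.
AUTHORISED = {("analytics.example-us.com", "web-analytics")}

# Constructed sample: requests captured while walking the designed user journey.
OBSERVED_REQUESTS = [
    {"url": "https://analytics.example-us.com/collect?uid=123", "operation": "web-analytics"},
    {"url": "https://ads.example-adtech.com/pixel", "operation": "retargeting"},
    {"url": "https://www.example-controller.eu/app.js", "operation": "first-party"},
]

FIRST_PARTY = "example-controller.eu"  # assumption: the controller's own domain


def classify_flows(detected, observed, authorised, first_party=FIRST_PARTY):
    """Map each third-party host to one status:
    dormant             - flagged by the scan, never contacted during the journey
    active-authorised   - contacted, and the (host, operation) pair is specifically authorised
    active-unauthorised - contacted for an operation with no specific authorisation
    """
    status = {host: "dormant" for host in detected}
    for req in observed:
        host = urlparse(req["url"]).hostname
        if not host or host == first_party or host.endswith("." + first_party):
            continue  # the controller's own traffic is out of scope here
        if status.get(host) == "active-unauthorised":
            continue  # one unauthorised use is enough to keep the host flagged
        pair = (host, req["operation"])
        status[host] = "active-authorised" if pair in authorised else "active-unauthorised"
    return status


def needs_action(status):
    """Hosts that are actively receiving data without a matching specific authorisation."""
    return sorted(host for host, state in status.items() if state == "active-unauthorised")


if __name__ == "__main__":
    flows = classify_flows(DETECTED_HOSTS, OBSERVED_REQUESTS, AUTHORISED)
    for host, state in sorted(flows.items()):
        print(f"{host:30} {state}")
    print("follow up:", needs_action(flows))
```

A "dormant" result is exactly the case the text describes: the scan was right that the code is present, but the journey you tested never triggered the flow, so it is a question for the engineers rather than a finding.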
New trees in the forest
In my study group this week, there were some great conversations and ideas being thrown about in terms of European alternatives to the GAFAM platforms, but they often ended up down in the complex root system - how can Europe step up, how can it decouple itself? As mentioned earlier, it's not possible, but with the spirit and enthusiasm I sense is building there is plenty of appetite to change this, even if, as one person suggested, it may take as long as a generation. And here is an infographic of the entire lecture - such an interesting topic:


Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations, providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.
We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.
