Beyond legal #17: Planting other trees in the forest

Whether you are a business leader trying to decouple from high-risk vendors, or a consumer trying to protect your family’s digital footprint, the strategy is the same. We must stop looking only at the shiny leaves of the apps we use and start understanding the roots. Our mindset needs to be switched to “risk reduction.”

Seeing the forest for the trees

In my previous post, I wrote that the time has come for data protection and GRC leaders to shine. I suggested that total risk avoidance is currently not an option if you wish to take a European-centric technology strategy. And on a personal level, unless you plan to sit at home on a closed network, emailing your family members using a homelab email server, you will continue to be exposed.

So, if avoidance isn’t an option, where does that leave us? It leaves us with risk reduction and strategic decoupling, and to navigate this, we need a better map.

The “Platformisation Tree”

This week, as part of a course I’m on, I have been studying the work of Professor José van Dijck, particularly her book “The Platform Society” from 2018 and her more recent paper, "Seeing the forest for the trees: Visualizing platformization and its governance."

She uses the metaphor of the “Platformization Tree” - this obviously inspired the graphic I’ve used for this post, though mine is quite different from hers - you’ll see this if you read her paper linked to above. It is an interesting visualisation for business leaders and consumers alike because it forces us to look beyond the “leaves” - the apps and interfaces we interact with daily - and stare into the tangled “roots” of the infrastructure.

It is in these roots that the complexity of our dependence on non-European tech lies. And it is in these roots that the “legal” view of data protection often fails to capture the full picture.

The consumer perspective

For the consumer, the sheer size and complexity of this tree can be difficult to take in. But I think we are seeing a shift, because initiatives are popping up in Europe to help people begin navigating this forest so they can make choices.

In Denmark, where I live, there is an initiative called “Danmark Skifter” (Denmark Switches). In other countries there are similar projects. I applaud them as a starting point. They raise awareness and offer actionable steps for people to reduce their dependency on bigtech and, thereby, reduce their own risk.

These initiatives have their critics, but I disagree with them. Following a risk reduction strategy is infinitely better than not attempting one at all, especially when risk avoidance is not an option right now.

I think we must stop treating consumers as if they are too naive to understand complexity. In recent years, people have become capable of understanding that “risk” in data protection is not an abstract compliance score - it is about human rights.

Our personal risk profile varies wildly depending on who we are. For example:

  • Are you more susceptible based on your sexuality, ethnicity or religious beliefs?

  • Are you involved in union activities or political movements?

  • Who do you associate with?

  • Do you, or a family member, have a criminal past?

  • Are you in the media spotlight? Are you famous, a celebrity or do you live next door to someone who is?

The amount of data you have provided over the years, combined with your frequency of use, creates a unique personal risk profile. Ultimately, it comes down to your personal risk appetite for yourself and your family. The conversations I’ve had this past couple of years indicate to me that people can increasingly navigate these complexities and make choices, provided they can see the forest and the trees.

The Controller/Processor reality

When we move from the consumer branch down to the B2B roots, the transparency vanishes, especially in AdTech.

Data protection professionals have been well aware of the controller, processor, and sub-processor chains for many years. While the role of a sub-processor was not regulated under the 1995 EU Data Protection Directive, it came into sharp focus with the GDPR in 2016, specifically regarding the need for a processor to obtain the controller’s written authorisation. In theory, the law is clear: the controller is in charge. In practice, the power imbalance in the “Platform Society” is very significant.

When dealing with the bigtech platforms, their Data Processing Agreement (DPA) is often a “take it or leave it” document. The nuance that often catches people out is the requirement for specific authorisation. This means the controller must approve a particular sub-processor for a particular processing operation.

This is where the “Beyond Legal” mindset is critical. You cannot simply read the contract, you’ve got to understand the technical reality.

Many data protection professionals use tools like Exodus or Webbkoll, among others, to analyse potential data flows. These are good tools. They might flag a tracker or a potential flow to a US-based sub-processor, but remember the phrase above, “particular processing operation.”

Just because a tool detects a library or a script, it does not confirm that the processing operation is active in your company’s specific context. The flow might be dormant, or it might not be triggered by the specific user journey you have designed.

These tools are signals for deeper investigation, not a final verdict. They are the start of the conversation, not the end. Many of these tools are freely available online so consumers can also make good use of them.

New trees in the forest

In my study group this week, there were some great conversations and ideas being thrown about in terms of European alternatives to the GAFAM platforms, but they often ended up down in the complex root system: how can Europe step up, and how can it decouple itself? As mentioned earlier, that is not possible right now, but with the spirit and enthusiasm I sense building, there is plenty of appetite to change this, even if, as one person suggested, it may take as long as a generation. And here is an infographic of the entire lecture, such an interesting topic:

Platform society

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
