Data stewardships

[Tim-Cowen]

Movement for an Open Web (“MOW”) is an action group founded to advocate for a competitive, open internet. Many members were involved in the Competition and Markets Authority (CMA) Online Platforms and Digital Advertising inquiry in 2020. MOW is the chief complainant in Google’s Privacy Sandbox case, and we initially applied to the CMA for interim measures to prevent Google’s proposed changes to the browser. Whistle-blower protections are recognised in law the world over and play a vital role in helping the authorities gather necessary evidence from key witnesses, whose identity must be protected to reduce the likelihood of retaliation. We note that the CMA’s Privacy Sandbox case team has agreed to protect the identity of our members.

We are submitting the following issue in the W3C forum at the request of the CMA and Google’s recommended procedure for filing issues with their Privacy Sandbox, according to section 12 of Google’s Commitments.

We would like Google to consider incorporating data stewardship concepts as a potential remedy to concerns of interoperability and privacy in its next quarterly update report.

Data stewardships require access to data to work. A “data stewardship” involves one party authorising another party to make decisions about their rights, often over property. [1] This authorised agent becomes a “steward” of that data owner’s property, with a fiduciary duty to make decisions about how an asset can be used on behalf of a group of people.

Such stewardship agreements, whereby a steward is obliged by contract to operate for the benefit of other beneficiaries that each abide by a contractual use which restricts specific data processing:

Such data stewardships both reduce the privacy risks to end users and create a collective system which could also be used among digital marketers and ad tech intermediaries as part of an access and interoperability remedy that is designed to amplify responsible, decentralized competition across the open web. For more infromation see our post: Remedies to Platform Dominance: Decentralised data management in the Open Web - Movement For An Open Web

Google’s Privacy Sandbox proposals aim to block interoperable exchanges of such data. There are not yet any affirmative proposals showing how such interoperation can continue to operate in real-time or at scale.

The CMA’s Decision to accept binding commitments deals with preventing the ways in which the Privacy Sandbox proposals would distort competition by retaining for Google’s Ad Systems access to Personal Data that it restricts from rivals. [2] Google’s Attribution API is one example of matching marketer data to a user’s prior activity across publisher properties, while restricting rivals from gaining access to the same input data. [3]

The CMA’s Privacy Sandbox Decision and Online Markets final report both address the competition issue of monopolisation of end-user data via the browser, namely that due to lack of choice and imbalance of bargaining terms, platforms can exploit the consumer. However, the coordination between Google and Apple over sign-in policies to increase control over data for their mutual benefit is not specifically addressed at any point in any previous investigation. This means that Google and Apple can further undermine access to data needed for interoperability or business-to-business purposes.

Google’s Privacy Sandbox should provide the ability for competing data trusts to interoperate with Chrome and Chromium is required now so that innovators can build their systems. We note that thus far the Privacy Sandbox quarterly reports have not substantively addressed how rival industry solutions to privacy enhancing proposals can compete, such as Data Trusts. An appraisal of this potential remedy in the January Update should be considered.

We welcome responses from @alexnj, @alice, @beverloo, @cwilso, @DCtheTall, @foolip, @fserb, @garykac, @joeyparrish, @johannhof, @junov, @jyasskin, @majido, @mgiuca, @mikewest, @rakina, @RByers, @tguilbert-google, @wacky6, @wolenetz, or any other representative from Google in this forum. We kindly request Google to address this issue in the next quarterly update report.

[1] https://www.cigionline.org/articles/what-data-trust: “Fiduciary data trusts aren’t organizations; they’re contracts that give a trustee, or a group of trustees, authority to make decisions about how an asset — say, data — can be used on behalf of a group of people.”

[2] Google’s Commitments to the CMA (4 February 2022). https://assets.publishing.service.gov.uk/media/62052c6a8fa8f510a204374a/100222_Appendix_1A_Google_s_final_commitments.pdf

[3] attribution-reporting-api/EVENT.md at main · WICG/attribution-reporting-api (github.com)