3. Data-Driven Surveillance

On big data and related transformations in social and economic relationships, see McAfee and Brynjolfsson (2012); Mayer-Schönberger and Cukier (2013); Davenport (2014); Morrison (2015).

McAfee and Brynjolfsson (2012) describe five new management challenges for a company to succeed in big data management. Companies need to have leadership teams that set clear goals and ask the right questions, and they need to employ IT workers with expertise in computer science and data management. Companies need to develop excellent software tools to manage the volume, velocity, and variety of big data, and need to use the knowledge so extracted to maximise cross-functional cooperation between business departments and customer relationships. Also needed, crucially, is a cultural shift in mentality: the right question for managers is no longer “what do we think?” but “what do we know?” This change requires moving away from acting solely on instinct and making use of data to build strategies and decision-making.

In particular, large quantities of data require “big data consumer analytics”, defined as “the extraction of hidden insight about consumer behavior from Big Data and the exploitation of that insight through advantageous interpretation” (Erevelles et al. 2016).

According to Davenport (2018), companies today are transitioning from analytics 3.0—which he describes as data-economy analytics, in which companies in traditional industries also embrace big data and analytics by resorting to machine learning models—to analytics 4.0, where we have the highest degree of sophistication in analytics thanks to AI and cognitive technologies (NLP, speech recognition, computer vision). Analytics 4.0 enhance the previous stages and form a backdrop that merges analytics and automation. On the stages of this transition see, more generally, Davenport and Harris (2017).

Balducci and Marinova (2018) define unstructured data as “information that either does not have a pre-defined data model or is not organised in a pre-defined manner.” This kind of data can be either verbal (spoken and written data) or nonverbal, which in turn can be human (e.g., facial cues) and inanimate (e.g., radio frequency identification, location data).

On the impact of big data on strategy formation, see Constantiou and Kallinikos (2015, p. 52), who look at big data as a new organisational context. While traditional business strategies would respond to the need to collect data intentionally and purposefully to inform specific theoretical models and provide predefined input to decision-making process, big data can be made business-relevant subsequent to its collection, but its relevance may not straightforwardly derive from the original data records. Much of what comes under the heading of big data is not collected intentionally; rather, they say, “it is haphazard, hugely heterogeneous, and, not infrequently, trivial, messy and agnostic, as it happens with much user-generated content and data logs of various kinds”.

Beyond business, this new setting has been summarised in the motto “First data then search for any possible uses of what is already available as data.” The quote is from Anderson (2008), which elaborates on the obsolescence of traditional scientific methods in research.

In providing a framework for different data-collection methods, I am following Clarke (2019).

On “volunteered information,” see Mitchell (2010). Before Web-based commerce, marketing had only had two sets of information to deal with: market-aggregated information, which is primarily qualitative and statistical, and transaction-related data, which are granular and personally identifiable.

According to Yong Jin Park (2013), privacy literacy online consists of the following elements: familiarity with technical aspects of the Internet, an awareness of common institutional practices, and an understanding of current privacy policies. Many empirical studies exist already on the problem of online consumers’ privacy literacy. See, among others, Bartsch and Dienlin (2016) and more recently Prince et al. (2021).

Ridley-Siegert (2015); Walker (2016).

This kind of data acquisition is traditionally referred to as “clickstream data.” See Montgomery et al. (2004).

Sipior et al. (2011).

Christl and Spiekermann (2016), p. 40: “The marketing data industry is arguably the main driving force behind ubiquitous consumer surveillance. It consists of a wide range of different types of companies, including marketing and advertising agencies, list brokers, database management providers, online and mobile advertisers, and firms engaged in direct mail, telephone sales services, and data-driven commerce, as well as companies offering loyalty programs. Marketing data companies, which are often called “data brokers”, mostly offer a smaller or bigger selection of these services.”

Schaub et al. (2016).

Privacy Choice (2010).

For an account of methods of users’ data collection and disclosure, see Lomborg and Bechmann (2014).

H. Schneider et al. (2017).

Forbrukerrådet (2020).

Brynjolfsson et al. (2013). Omni-channel is a strategy based on merging consumers’ physical and online presence to provide a seamless customer journey across e-commerce websites and brick-and-mortar stores.

The term profile derives from the Italian profilo, from profilare, originally “to draw a line,” especially the contour of an object. That is precisely the idea behind profiling through data processing, in which the data that is available about individuals or groups is expanded so as to describe their traits and propensities.

Van Otterlo (2013).

Diaz Ruiz and Kjellberg (2020).

Google Ad Manager Help, Create first-party audience segments, 2020, https://​support.​google.​com/​admanager/​answer/​2423498?​hl=​en. See, more generally, Procter et al. (2015).

Facebook For Business, Audience Targeting Options, 2020 https://​www.​facebook.​com/​business/​help/​633474486707199.

Jenkinson (1994). In the early days of marketing, buyer personas were generally constructed by conducting interviews and surveys with real consumers. Using their expressions and thoughts, and maybe even the photos they took or the activities they did, marketers would “step into the shoes” such real individuals and rely on the imagination and creativity to build profiles that described their hypothetical target consumer.

Burgess and Burgess (2020) explain that a buyer persona “is a semifictional representation of your ideal customer based on market research and real data about your existing customers.” The authors describe this process of creating a buyer persona through data in seven steps: gathering buyers’ data, assembling the team, getting to know the buyer, evaluating pain points, crafting the persona, continuously revisiting and revising the persona, and validating the persona. Based on the validated persona, the marketing team will be able to find a lookalike audience in new incoming data.

Popov and Iakovleva (2018).

On predictive analytics see, generally, Siegel (2013).

This is an example of regression. However, consumer scoring can also be modelled as a classification task. In such a case, consumers would be classed as either “potential buyer” or “non-buyer.”

Barnhard (2020).

Chen (2018).

Camilleri (2020).

In the Foucauldian tradition, Lyon (2007), defines surveillance (from French surveiller, “to watch over”) as “the focused, systematic and routine attention to personal details for purposes of influence, management, protection or direction” (p. 14). The author cautions that, contrary to what is commonly assumed, the term surveillance does not carry any evaluative overtones, but it is merely descriptive. It includes everything from face-to-face encounters to mediated arrangements dependent on a comprehensive and ever-growing range of information technologies.

Together with governmental surveillance, the corporate use of information technologies has been among the recurrent research interests of surveillance scholars. For example, in one of the earliest studies on corporate surveillance, Gandy Jr. (1993, p. 1) relied on Bentham’s idea of the panopticon to describe technology-mediated corporate practices as “a kind of high-tech, cybernetic triage through which individuals and groups of people are being sorted according to their presumed economic value.” Similarly, Clarke (1988) was concerned about the increasing use of information technologies in commercial organisations and coined the term dataveillance to stress how longstanding forms of visual and communication surveillance had been progressively replaced by more economically viable and technically efficient computerised means. Others who have spoken of corporate surveillance and technology, include Lyon (1994, 2010); Haggerty and Ericson (2000); Zwick and Dholakia (2004). For an historical overview of this research strand, see Pridmore and Zwick (2011).

Ball et al. (2016), p. 61: “thus we are forced to ask what the ‘big’ in ‘big data’ refers to. While the etymology of the term encourages a focus on the volume of data, it refers in fact instead more to the ubiquity of data, the completeness of coverage over contemporary lives. It is this ubiquity, the knowledge of a near-complete record of individual lives, which removes the need for a priori decisions on commencing surveillance.”).

Andrejevic and Gates (2014).

Mayer-Schönberger and Cukier (2013).

Hildebrandt (2019), for example, describes machine learning as agnostic in the sense that the algorithms are oblivious to human bias or independent of the design choices that determine its accuracy.

Fisher and Mehozay (2019). See also Krasmann (2020), who argues for a specific epistemological approach to algorithmic systems. Since these systems have no access to the “world of human sense-making,” they reduce reality and paint a “behaviourist picture” of human modes of existence.

Fuchs (2011).

The concept of a prosumer was introduced by Toffler (1980) to welcome the uptake of a new political, economic, and democratic order characterised by “progressive blurring of the line that separates producer from consumers.” However, surveillance scholars have argued that Toffler overlooked that “prosumption” would also affect power relations in decentralised working environments, reconfiguring production and the autonomy of labour. In particular, Fuchs (2011, p. 295) criticises the practice of digital platforms outsourcing work to users and consumers, who now work for free. That is the case, he argues, with social networks, which exploit user-generated content to make a profit through advertising.

Fuchs (2011, p. 299), who on a Marxist approach argues that big data companies exploit prosumers as much as industrial capitalists exploit factory workers.

See Lyon (2010), claiming that there exists a new type of surveillance he calls “mobi-veillance.”

The digitally mediated contextualisation of consumers has been analysed by surveillance scholars under the label “brand-scape,” defined by Wood and Ball (2013) as “a new mode of ordering that seeks to simultaneously construct space and subjectivity, a mode of ordering represented by a new apparatus.”

In making the predictive analytics of machine learning understandable and appealing to marketers, Siegel (2013, p. 20) argues that “[w]e usually don’t know about causation, and we often don’t necessarily care. […] the objective is more to predict than it is to understand the world. […] It just needs to work; prediction trumps explanation.”

Van Dijck (2014, p. 200), who deconstructs the ideological grounds of data-driven culture as rooted in problematic ontological and epistemological claims (so-called dataism). As part of this logic, predictive analytics reveals “a slippery slope between analysis and projection, between deduction and prediction.”

See, Cohen (2016), mocking the rhetoric of participation and openness in today networked data flows (s.c. the “participatory turn”), which hides the design to position surveillance outside from legal and social control.

Zuboff (2019).

Polanyi (1944).

This is only one of eight definitions given to the “surveillance capitalism.” For a flavour of the range of ideas addressed in the book, consider the other seven: (i) “a parasitic economic logic in which the production of goods and services is subordinated to a new global architecture of behavioral modification”; (ii) “a rogue mutation of capitalism marked by concentrations of wealth, knowledge, and power unprecedented in human history”; (iii) “the foundational framework of a surveillance economy”; (iv) “as significant a threat to human nature in the twenty-first century as industrial capitalism was to the natural world in the nineteenth and twentieth”; (v) “the origin of a new instrumentarian power that asserts dominance over society and presents startling challenges to market democracy”; (vi) “a movement that aims to impose a new collective order based on total certainty”; and (vii) “an expropriation of critical human rights that is best understood as a coup from above: an overthrow of the people’s sovereignty.”

See on this also, Sadowski (2019).

Zuboff (2019), p. 199.

Zuboff (2019), p. 38.

Negroponte et al. (1997).

Zwick and Dholakia (2004).

The concept shows a clear link to digital-driven buyer personas as a product of marketing creations.

Haggerty and Ericson (2000, p. 606): “this assemblage operates by abstracting human bodies from their territorial settings and separating them into a series of discrete flows. These flows are then reassembled into distinct ‘data doubles,’ which can be scrutinised and targeted for intervention. In the process, we are witnessing a rhizomatic levelling of the hierarchy of surveillance, such that groups which were previously exempt from routine surveillance are now increasingly being monitored.” Data doubles are often referred to by other labels, such as “dividuals” (Deleuze 1992) and “data shadows” (Simon 2005).

Lanier (2010).

See Boyd and Crawford (2012), who deconstruct the widespread mythology that “large data sets offer a higher form of intelligence and knowledge that can generate insights that were previously impossible, with the aura of truth, objectivity, and accuracy.”

Barocas et al. (2013).

Pridmore and Zwick (2011) argue that the surveillance character of algorithmic assemblage does not manifest with the individualisation of identities. Instead, it is concerned with “the collection of personal information to discriminate individuals into previously categorised consumer lifestyle groups or profiles”.

The method of consumers protection and how big data are valued reflect what Zuboff (2019, p. 535) calls a “formal indifference” of surveillance capitalism to its population of customers and users.

The phrase was already used prior to the Internet boom of the late 90s. For example, one can see nearly that exact phrase (or at least certainly the exact principle) described in Serra and Weyergraf (1980) on TV advertising. The interview references a short film titled Television Delivers People, made by the American video artist in 1973, who claimed that “The Product of Television, Commercial Television, is the Audience.”

Zwick and Dholakia (2013).

Pridmore and Zwick (2011, p. 122) speak of “consumer brands.”

Holvast (2007).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119, pp. 1–88 (GDPR for short).

For example, on the differences between the EU and US approaches to granting individuals rights to personal information, see Paul M. Schwartz (2003).

Warren and Brandeis (1890). The paper is considered the seminal essay in the history of privacy, by American and privacy lawyers alike.

Among the many theories of privacy, Tavani (2008) singles out three. The first is Warren and Brandeis’s traditional notion of privacy, ascribed to the category of “physical privacy,” which is the freedom from physical intrusion. The second and third are “decisional privacy” and “psychological privacy,” concerned with protection from interference in important life decisions and the protection of one’s intimate thoughts.

Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Jan. 28, 1981, ETS. No. 108.

Ibid., Article 1.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, pp. 31–50 (also Data Protection Directive)

Charter of Fundamental Rights of the European Union, OJ C 326, 26.10.2012, pp. 391–407.

Ibid, Article 8.

Rouvroy and Poullet (2009).

This is clearly stated in the preamble of the GDPR, Recital 7 (“Natural persons should have control of their own personal data”) and in Recital 39 (“Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing”).

Article 6 GDPR.

Recital 32 GDPR: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”

Indeed, the simpler the law makes the consent procedure, the less users are likely to understand what they are being asked to consent to. But then the more meaningful you make the consent procedure, by providing sufficient information about your data processing, the more time-consuming and demanding it will be for users to go through all that information in forming an informed judgment about giving their consent to such processing.

Barocas and Nissenbaum (2009).

According to a study carried out in Sherman (2008), a proper understanding of the meaning of privacy documents would require the IQ of an average PhD.

Legally speaking, such practices would run contrary to Article 12 GDPR, which requires the information given in privacy policies be “concise, transparent, intelligible and easily accessible form” and be stated in “clear and plain language.”

Reidenberg et al. (2016).

Koops (2014), p. 251: “often, there is little to choose: if you want to use a service, you have to comply with the conditions—if you do not tick the consent box, access will be denied.”

This social fact could naively be regarded as a privacy paradox. On the one hand, individuals seem to be concerned about their informational privacy and to want to protect it. On the other hand, they voluntarily disclose information online and rarely exercise their data-protection rights. However, an alternative explanation is that people may want privacy and understand its importance, and they are even aware of the rights they have, but in the current data-driven marketplace, using and sharing data has become such an integral part of their life that their “choice” is not a real one. Such an explanation calls into question whether the decisions made by individuals when sharing data are indeed paradoxical or instead simply reflect their needs in a highly “datafied” society.

See Mantelero (2014), who calls for a general acknowledgement of the “transformative approach of Big data.”

On the difficulty of reconciling privacy principles with big data, see also Tal Z. Zarsky (2016). Among other things, big data would be incompatible with the principle of data minimisation, which under Article 5 GDPR, requires that “personal data shall be […] adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Apparent conflicts emerge with the principle of purpose limitation, requiring that “personal data shall be […] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” (Article 5(1)(b) GDPR). On the possibility of reconnecting AI and big-data applications with the principle of EU data protection though extensive interpretation, see Sartor (2020b).

See Baruh and Popescu (2017), who argue that the predominant privacy-protection regimes underplay privacy as a collective good. In particular, they show how the two common individual privacy strategies—i.e., not consenting to privacy policies and completely relying on market-provided privacy protections—may result in fewer privacy options available to society at large. On a similar note, Mantelero (2016) explains that the atomistic approach to data protection no longer holds in mass-predictive data analysis. In such a new context, privacy interests have an additional layer consisting of in “the collective dimension of data protection, which protects groups of persons from the potential harms of discriminatory and invasive forms of data processing.”

The assumption that consent is adequately informed based on acceptance of online service contracts turns out to be “the biggest lie on the Internet.”

Hull (2015) argues that the failure of notice and consent to protect privacy, while at the same time making it easier to exploit personal data, may be the fruit of specific ideological choices. The notice-and-consent model consecrates the belief that, despite the scope of fundamental rights, privacy can only be treated in terms of an individual’s economic choice to disclose information.

Article 4(1) GDPR.

Recital 26 GDPR.

On this point, see Paul M. Schwartz and Solove (2011), who caution that the restricted notion of personal information risks leaving the behavioural data markets untouched, even if they probably rank among the most privacy-invasive spaces.

Andrew and Baker (2019).

On whether behavioural data in targeted advertising can be covered by data-protection legislation, see also Zuiderveen Borgesius (2016).

Article 2(5) GDPR.

Article 6(4)(e): “Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: […]. (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.” This is complemented by Recital 29, providing that “in order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately.”

Andrew and Baker (2019). The authors conclude that “its reach will be limited if law makers fail to understand the broader behavioral data ecosystems they seek to regulate […] the law creates the space for a behavioral data market in which commercial self-interest is likely to flourish. In this way, whether deliberately or otherwise, the GDPR will make it possible for the behavioural data market to continue to function unencumbered.”

Art. 13(2)(f), 14.2(g), and 15(1)(h).

Among others, see Wachter et al. (2017); Malgieri and Comandé (2017); Veale and Edwards (2018); Kaminski and Malgieri (2019).

Hildebrandt and Rouvroy (2011), p. 23.

On the possibility of considering inference as personal data under the GDPR, see extensively Sartor (2020a), p. 40ff.

Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, adopted on 20 June 2007. In particular, the opinion follows that idea that in order for data to count as “related” to an individual, there needs to be a “content,” “purpose,” or “result” element. The first criterion means that information qualifies as personal data when it relates to a person, i.e., it is about that person, as when “the information contained in a company’s folder under the name of a certain client clearly relates to him.” Under the second criterion (“purpose”), an item of information counts as personal insofar as it is used to evaluate, treat in a certain way, or influence the status or behaviour of an individual. Under the “result” criterion, even without a “content” or “purpose” element, data can be considered personal whenever their use is likely to have an impact on a person’s rights and interests.

Article 29 Data Protection Working Party, Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679, adopted on 3 October 2017 as last revised and adopted on 6 February 2018: “In addition to general information about the processing, pursuant to Article 15(3), the controller has a duty to make available the data used as input to create the profile as well as access to information on the profile and details of which segments the data subject has been placed into” (p. 17).

Wachter and Mittelstadt (2019).

Article 29 Working Party, Guidelines on the Right to Data Portability (2016), p. 242.