I want to point to two interesting provisions in Europe's General Data Protection Regulation. We are not sure yet how they are going to be adjudicated and applied in the market.
One of those provisions says the user should have more control over the consent they give to different kinds of information. Right now, when I sign the Facebook privacy agreement, it's all or nothing. I either agree to whatever is in that 80-page document or I don't use the service. The GDPR says you can't do that anymore. You have to give people meaningful choices when it comes to controlling their own data, especially sensitive data such as that which shapes political views.
I think there's a key question about giving consumers more ability to control what data is collected and how it's used. The German antitrust regulator, interestingly, has launched an inquiry into Facebook. It says that the market power a company like Facebook has over a segment of social networking is so strong that effectively their privacy agreement is a coercion—that it's all or nothing. There's no way for the consumer either to know or to have an incentive to know what's in there, because to say “no” is to abandon the service altogether and not get access to something that two billion on the people on the planet are using.
To me, this points to the fundamental problem. Exactly as Professor McKelvey says, you need to know what they're collecting, and not only do you need to know how they're using it, but you need to have a say in how they're using it. That's what I think is consumer control over the application of my data. That's the key piece that I think we're wrestling with in privacy policy, but it has implications in competition policies as well, because market power plays a big role.