The digital world is becoming a one-way mirror: tech companies gain unprecedented knowledge of individuals who remain ignorant of how companies handle their data. Tech giants have been able to discreetly train their artificial intelligence models on vast troves of personal data, raising privacy concerns. This shows that we have yet to fully learn the lessons of the Cambridge Analytica scandal, where the infamous company misused the personal data of millions of people until the misdeeds were revealed by whistleblowers. A largely overlooked aspect of the scandal is that the law failed to enable timely detection of anomalies because data controllers lurked in the shadows. The ultimate lesson is how to achieve more meaningful organizational transparency that helps safeguard consumer privacy. Three major data privacy laws enacted after the scandal—the General Data Protection Regulation of the European Union, the California Privacy Rights Act, and the Personal Information Protection Law of China—all attempt to enhance transparency of data processing, but none have achieved the goal.
This Article builds on the disclosure requirements in securities laws and proposes that ex post transparency, the requirement for data controllers to disclose their actual data processing activities, will deliver more meaningful transparency. Such disclosure must be directly accessible to the public, revealing information based on reviews and audits. It will compel data controllers to take greater precautions because they know their behaviors will be subject to public scrutiny, and will thus provide a feasible way to shatter the one-way mirror.
Ruifeng Song *
* Lecturer, The Chinese University of Hong Kong. The author thanks Anne Cheung for comments on earlier drafts and Catherine Claire Smith, Annual Survey Editor of the University of Richmond Law Review, for meticulous editing.