Doctoral dissertation: Current legislation cannot effectively address data protection abuses by dominant ICT companies


Aleksander Wiatrowski examines in his dissertation the data protection abuses of dominant ICT companies and the potential of legal action to protect people's privacy. Legislation has not kept up with the changes of a technology-dependent society.

In his dissertation, Aleksander Wiatrowski, LL.M., sheds light on data protection abuses by dominant ICT companies and public authorities, as well as global legal action to prevent these abuses. Of the companies, the study focuses specifically on Microsoft, Facebook, and Google. As for state actors, the study looks at the mass surveillance of citizens.

ICT companies in a dominant position are nowadays part of our daily lives. According to Wiatrowski, we live in a network society that is completely dependent on technology.

"We need technology at work and in our leisure time, and there are data of us in a number of systems and services of public and private actors, such as health care databases and social media. On the Internet, we often share our personal information such as phone numbers and home addresses without thinking about it – voluntarily. We do it for example on social media sites and in online stores, or to comply with legal requirements," Wiatrowski notes.

Many current business models rely heavily on data. Large ICT companies collect data from billions of consumers from a variety of sources, much without the consumers' knowledge. They accurately identify consumer preferences, lifestyle choices, and general online behavior. Social media sites have their own means of encouraging people to recklessly share data, for example by offering more personalized services.

"The data gathered by observing our lives has become very valuable to private companies and governments, and this resource will not be easily abandoned," Wiatrowski estimates.

Extensive action is needed to ensure data protection

According to Wiatrowski, the current situation is based on the fact that data-driven business models have been generously funded over the last 15 years without taking into account ethical, social, cultural and political implications. In addition, the lack of privacy regulation in the United States and the weakness of its control and enforcement in Europe have actively hampered other types of digital innovation – practices, technologies and business models that support and preserve autonomy, democracy, social justice and human dignity.

Legislation has had difficulty keeping up with the changes of the current network society.

"The General Data Protection Regulation of the European Union, adopted in 2016 and applied as of 2018, may address some of the EU’s data protection issues. However, it only applies to the private sector and ignores data abuses by states, such as mass surveillance of citizens. Data abuses committed by governments should therefore also be assessed," Wiatrowski says.

For example, the division of dominant ICT companies into smaller parts has been proposed as a solution to the problems. However, Wiatrowski does not believe it alone suffices as a solution to data abuses. Restoring people's privacy requires extensive action and new legal concepts built on an understanding of how these areas of business work. In addition to data protection legislation, the activities of dominant companies can be addressed through the development of legistation on anti-discrimination, consumer protection and competition.

"In addition, data collectors should make their terms and conditions of use more comprehensible so that service users really understand what kind of data they authorize the collectors to extract when they accept the terms and conditions."

The sources of the study have been, among others, legal acts and policy documents of the European Union and the Council of Europe, directives and regulations of the European Union, and the jurisprudence of the European Court of Human Rights, the European Court of Justice and the US Supreme Court.

Information on the public defence

The doctoral dissertation "Abuses of Dominant ICT Companies in the Area of Data Protection" by Aleksander Wiatrowski, LL.M, will be publicly examined by permission of the Faculty of Law of the University of Lapland on Friday 21 May 2021 at 12:00 in lecture hall LS19 (the University of Lapland, main building, A-wing). Doctor of Laws Jari Råman from the Office of the Data Protection Ombudsman will act as the opponent, and Professor Emeritus Ahti Saarenpää from the University of Lapland will act as the custos. The public defence will be held in English.

The public defence can be followed online at:

Information on the candidate

Aleksander Wiatrowski graduated in 2011 from the University of Lodz, Poland, with a Master of Laws, specializing in European Economic Law. He is a member of the Law, Technology and Design Thinking Research Group in Faculty of Law at the University of Lapland. Earlier, he has worked in the NETSO project (Network Society as a Paradigm for Legal and Societal Thinking) at the Institute for Law and Informatics in the Faculty of Law at the University of Lapland and in the FRII project (Future Regulation of Industrial Internet). In addition, he cooperates with the London-based firm Spark Legal Network and Consultancy as an external legal expert in a wide range of EU projects.

His research interests deal with privacy, data protection, digitalisation, new technologies and competition law with the main focus on the European Union legal system.

Further information

Aleksander Wiatrowski
firstname.lastname (at)

Information about the publication

Aleksander Wiatrowski: Abuses of Dominant ICT Companies in the Area of Data Protection. Acta electronica Universitatis Lapponiensis 307, ISBN 978-952-337-259-7, ISSN 1796-6310.

Permanent link to the dissertation: