Seems to me that depends on the kind of regulation. If it's just "trust the regulator to keep ahead of Google" then that's one thing. But we can add other constraints on top of that. E.g., we could require that Google's privacy-relevant code be open source, and that they must give you all data related to you, such that individuals could audit things and prove or disprove that Google's behavior matches their claims.
Especially if we add bounties for catching Google's transgressions, I expect we could do quite well with open-source, personalized regulation.
> E.g., we could require that Google's privacy-relevant code be open source, and that they must give you all data related to you, such that individuals could audit things and prove or disprove that Google's behavior matches their claims.
What happens if they lie? They have the data, they give you the code that does the user-facing thing with the data, then they copy the data to some other system where some unspecified foreign subsidiary uses it for arbitrary nefarious purposes without telling anybody.
And as much as it might help to have a law requiring cloud services to publish all their source code so people can verify that they're doing at least that part of what they say they're doing, do you really expect that to be enacted?
I think the right regulatory fix depends a lot on which particular service we're talking about and what the threats are. But the general goal of mandatory transparency reporting is to minimize the size of the possible lie. And I think that works even better when individuals and civil society groups have the opportunity to verify that. E.g., look at how many companies have been caught hoovering up data thanks to individual investigators looking at app behavior.
I don't think a law requiring all code to be published would get passed. But key code for, say, personalization algorithms? That seems doable. Places like health departments, ag inspectors, and workplace safety agencies get to inspect the physical machinery of production all the time. No reason we can't start extending that into the virtual realm. Companies won't be excited for it, but they might prefer it to some of the more heavy-handed proposals going around now. (E.g., section 230 reform, antitrust concerns.)