We don’t want to sell our data, we want data rights!
Wednesday, February 6, 2019
Dear will.i.am,
We saw your piece in the Economist and were very excited to learn that you care about privacy as much as we do. At PI we expose government and corporate bad behaviours, we disrupt their plans, and identify a hopeful path forward.
That’s why we very much agree with you that people need much more protection, transparency and control over their personal data. Cheers for: “I want to have it clearly explained in plain language who has access to my camera, to my photos, who’s listening to my microphone, and who gets to use this information.” Just like you, we also believe that people urgently need real choice and the ability to restrict how others use and abuse their data.
But we also think that putting a price tag on people’s data is a very bad idea. Monetization and personal data just don’t go well together!
- Data rights offer something that property rights do not: governance.
Data rights give people authority over their data. These rights can be quite powerful: they offer the right to access, to change, to move or to delete data; the right to know who’s collecting it, where it is, where it’s going, who has access to it, for what purposes.
We just used the expression “your data”, but what we really mean is any data that can be linked to a unique individual. That includes the data you knowingly generate, such the photos or posts on your social media account, but also data you indirectly generate and that is automatically collected about you, like your location history, your browsing history. It also includes information about you that has been derived, inferred or predicted from other sources. For example, data rights allowed one of our staff members to get access to all the data that an online tracking company collected from one of the browsers they used. This included data about the websites they have visited, but also the many things that this company predicted about them: their gender, their income, their number of children, as well as all lots of, so-called “consumer segments” that other companies have placed them in: their shopping habits, their interest, and even (wrongly!) how much alcohol they consume at home.
Data rights offer a system of control and protection that is much more comprehensive than ownership, and these rights continue to exist even after you share your data with others. They apply to data that others collect about you with or without your knowledge and they also apply to the insights and conclusions that they make about you.
As an analogy, think about the data that you generate as forming your informational body. As much as you control your own physical body, you want to have control and authority over your informational body. You want autonomy to decide what to do with it. You don’t want to be financially dependent on companies to pay you for your data body. You also don’t want to sell your kidney for money.
- Let’s not get confused about what we want to demand: people don’t believe in “free” services anymore and they want a stop on exploitative data processing systems.
You are right though, many people feel helpless in fighting “the data monarchs”, as you call them. People have lost control over the data they generate, and they often don’t know what others collect about them, how it’s used, and with whom it’s being shared.
That’s why Privacy International filed complaints against data brokers, ad tech and credit scoring companies. This is why we uncovered that mobile apps automatically send data to Facebook without your knowledge, regardless if you have an account.
You’re demanding that data ownership becomes a human right for everyone, but it’s important to note that both privacy, and data protection are already fundamental rights in the European Union. Data rights are at the very core of data protection regimes that already exist around the world, but as is so common in many domains of law and tech, not all of these regimes are strong enough to protect people from new threats. That’s why the EU (and thereby also the UK) has adopted a new data protection law that became effective in May 2018. This new law isn’t perfect. Nonetheless, it’s one of the strongest data protection laws in the world and in many ways, we’re standing at a crucial crossroad: now is the time to make sure that these rules are meaningfully and fiercely enforced so that those who exploit our data actually comply with them.
- A different take on addressing the data monopolies
European privacy rules offer mechanisms for addressing data monopolies. One of them is the right to data portability. If users can pull their data from one company and move it to another in an easy way, they won’t get trapped in the walled data farms of the big corporations, and more innovation and healthy competition can emerge.
Europe is also discussing a legislative proposal (the ePrivacy Regulation) that could boost the GDPR and increase individual protection, provided that big industry’s efforts to weaken it will not prevail. Strong privacy rules together with modern, reformed antitrust framework provide a better foundation for addressing the “data monarchies”.
That’s what we should be aiming for, that’s what we’re working on and that’s why we feel that demands for data ownership and monetization, while well-intended, are driving the conversation away from our preferred solutions. We already have a strong data rights system in place, let’s channel our efforts into making it easy to use and widely adopted before jumping into applying free market rhetoric as a universal panacea.
- We’re sceptical