You are here

Down with the data monarchy: Our devices generate and collect personal data without our knowledge or consent. This has to change.

31 October 2016

This piece originally appeared in Politico.

If you want to understand the power dynamics in our increasingly data-driven economy, look no further than the language being used to describe the participants.

In data protection lingo, an individual is called a “data subject” and the companies that collect, store, analyze and disseminate the individual’s personal data are called “data controllers.” And sadly, it wouldn’t be a stretch — when it comes to massive companies such as Facebook, Apple and Google — to define the relationship between the subjects and the controllers as an absolute monarchy.

These days, there are new, innovative and often downright creepy ways in which our devices generate and collect personal data. This data is then used by companies to predict, monitor and even steer individuals’ future behavior. Much of this data generation and transmission is done without the individual’s knowledge or involvement.

Vast amounts of data are being generated and collected by an increasing array of products that are no longer limited to your computer or your phone, but also include your fridge, car, children’s toys, fitness bands, and more. News about these practices usually reaches consumers only when something goes horribly wrong, such as the massive theft of data from Yahoo servers.

In most cases, how the information is used is beyond the control of the data subject.

And yet, there is reason to hope that we are not completely at the mercy of big corporations. Last week, a data protection authority in Germany prohibited Facebook from collecting and storing the data of WhatsApp users in the country. For good measure, the authority also ordered Facebook to delete all data already forwarded by the app.

It is too early to assess the impact of the decision, but there is a good chance it could have implications beyond Germany. The U.K. information commissioner and other data protection authorities in Europe had previously stated that they intend to investigate the implications of the changes in the way personal data is shared between Facebook and WhatsApp. And if the German authority’s order is upheld and enforced, it might be technologically too burdensome, as well as potentially unlawful, for Facebook to apply different sharing rules to different users depending on where they are located.

This is not an isolated case. There are currently over 100 countries across the world with data protection laws, albeit with varying standards of enforcement. Data protection authorities are increasingly looking at how new technologies that generate and share data affect an individual’s privacy.

This year, some 25 data protection authorities participated in a coordinated review of more than 300 devices connected to the Internet of Things, such as fitness trackers, thermometers, heart rate monitors, smart TVs, smart meters, connected cars and connected toys. Their findings are unsurprisingly worrying, both in terms of poor privacy policies and poor security measures to prevent misuse of data or hacking of the devices.

It is becoming increasingly difficult to ask companies how exactly they use consumer data. When you wear a fitness band, for example, is your weight and your average number of steps per day accessible to the company? Does the company sell that personal health data to insurance companies? Is that legal? The answers are unclear. With the proliferation of smart devices, it is crucial that we ask such questions and that companies be compelled to provide a clear response.

The EU’s General Data Protection Regulation, adopted earlier this year, offers a good data protection framework, but also leaves a lot of room for interpretation about the scope of protection offered to data subjects. Other initiatives, such as the current revision of the EU ePrivacy Directive, could help developing the data protection principles that should underpin a digitized society.

In the end, data protection authorities alone cannot address all the concerns related to the modern use, misuse and exploitation of data. We must develop a coordinated effort between regulators to ensure that digital societies are free from exploitation. Given the complexities of an economy powered by data, we need to protect citizens’ fundamental rights and increase transparency around how data is used.

We cannot let the data subjects face the data monarchs alone. We must continue to ensure that the emerging legal framework empowers individuals to take back control of their personal data. The often hidden exploitation of personal data — and its subjects — cannot be allowed to continue.

Tomaso Falchetta is a legal officer at Privacy International and primarily develops the organization’s advocacy approaches to relevant U.N. and regional human rights bodies.