With concerns over big data and privacy simmering away the Obama administration launched a 90-day federal review of the issues in January, and the first of three major conferences took place at MIT two weeks ago. In the background is a draft bill approved by the White House in February 2012, Consumer Data Privacy in a Networked World, and the European Commission directive, General Data Protection Regulation (GDPR), of January 2012 , which both seek to establish a regulatory framework for privacy in the context of the digital economy.
Legislators from both sides of the Atlantic undeniably have reason for concern. First, scandals generated by Wikileaks and Snowden infiltrations aroused debate in the US Senate and international public opinion on political espionage within US Security. This was done in voluntary collaboration (vaguely permitted by antiterrorism laws) with major Internet companies that possess the personal data of millions and millions of users, i.e. citizens. Representatives of some of these companies (such as Yahoo, Facebook, Google, Microsoft, Apple, Skype, Twitter), who once gave their enthusiastic economic support to the electoral campaigns of Obama, later decided to distance themselves from the White House. Obama himself was obliged to give explicit messages, until now only rhetorical, on the need to review policies regarding citizens’ stored data.
Incidentally, it is surprising that the White House’s interest in the protection of consumer data, rather eloquently expressed in the regulatory framework it adopted two years ago, has not actually been “extended” to citizens. It seems as if consumers and citizens were two distinct categories.
In a perceptive study, Juan Antonio Martínez of the Pontifical University of the Holy Cross (Rome), explains that the concerns that have led to the Consumer Data Privacy in a Networked World were actually commercial (about consumers), not political (about citizens). The issue under question in this text is who owns users’ data: enterprises in Internet services that have obtained them with the consent of the users, or the users themselves? To what extent? How can a free trade be ensured and technological innovation be uninhibited?
Not just about spy and infiltration stories
To talk about the Internet is to talk about data. And to talk about data is ultimately to talk about people. Eric Schmidt, CEO of Google Inc. until 2011, said a few years ago: “There were five exabytes of information created between the dawn of civilization through 2003, but that much information is now created every two days, and the pace is increasing.” The reason for such an exponential increase of stored data is the content generated by users. For Schmidt, the information created by Internet users and the current state of technology easily allow for profiling that predicts personal conduct:
“People are describing enormous amounts of things about themselves through videos and photographs and so forth… [with a cell phone] you can tell us where you are and then you can tell your friends where you are. [We can use technology] to predict where you are going to go. Pretty interesting. We can take a picture, and if you have 14 pictures on the internet we can predict who you are with a 95% confidence interval.”
Schmidt goes on to explain how society is not prepared for questions that will arise as a consequence of content generated by users.
The following figure gives us an idea of the quantity of data registered per minute on the web.
Figure 1: Infograph of the Internet every 60 seconds
Source: Domo Inc.
Scenarios described in movies such as Terminator, Matrix or Minority Report seem to come alive. But in this case, the dark side isn’t incarnate in perverse machines, but rather in what some users can do with the personal data of other users. Any action that would be lost in “analogical” life, remains stored, archived, and in many cases, at the disposal of the public in the online world.
One Challenge: Two Responses
Below are the main conclusions of Martínez’ study on the two legal texts.
The new European Regulation, which will be directly applicable to all of Europe upon approval, allows for greater control over personal information. It establishes, for example, the Right to digital oblivion, which entails the power to demand the application of reasonable means to remove, and solicit the removal from a third party, all information that may be of concern to a person (art. 17)
Another new right that aims at securing the holder’s ability to dispose of their personal information is Data portability (art. 18). A user may request a structured copy of their personal information that may be used by a similar system from the data controller.
One last important novelty of the European regulation is the individual’s Principle of location. The former legal framework applied to the data controller. From now on, the law will apply to the owner of the data. This will require consistency of the norms for companies operating within and outside of the European Union.
The U.S. Consumer Data Privacy in a Networked World is the first standard that systematically addresses the issue of personal data protection. The core of this proposal is the Consumer Privacy Bill of Rights, which applies to the digital context and establishes a set of principles for companies in the online world.
This charter for self-regulation has seven principles: single user control, transparency of information provided to the consumer, respect for context in data processing, security, right to access and correction of personal information, collection of data limited to the service offered by the company, and corporate responsibility in data processing.
According to Martínez, the principle of respect for context in processing personal information leaves companies a wide margin to decide how to use personal data. “The norm affirms the key element inunderstanding the context of data transfer and processing is determined by the goal of the company’s relationship with its consumers. This criterion gives companies the ability to use personal information for ends that are distinct from the purpose for gathering it, as well as the possibility to pass the information to third parties as long as it represents an improvement in service for its customers.”
For its part, the European Regulation falls short of realism. For example, the right to be forgotten is not free from technical difficulties, since it is quite difficult to regain control of personal data as soon as it begins to circulate on the web. Then, the location criterion presupposes a disadvantage regarding innovation for companies based in European territory, and it fails to reach companies with headquarters outside of Europe. We have yet to see the results of the legal proceedings that companies and citizens of five European countries have initiated against Google, the most powerful Internet browser, and whether they will adapt to the legal framework established for the protection of personal data.
Conclusion: a new habeas data
Differences aside, which can be traced back to diverse legal traditions and mentalities, the lawmakers, pushed by technological changes and social consequences, are developing new rights that arise from the need for individuals to have control of their personal information. As Martínez states, “in order for this power to control to be fully guaranteed, the holder needs a series of rights that he may exercise while his data is being processed. Legal doctrine has nominated these guarantees as ARCO: access, rectification, cancellation, and opposition.”
Without any rhetorical exaggeration, we can speak of a habeas data. This new principle responds to the same requirements and criteria of justice that historically led to the habeas corpus at the start of the modern rule of law, and then to a habeas mente when the challenges of a society fueled by information prompted the recognition of a right to privacy, along with other personal rights.
Norberto González Gaitano teaches media studies in Rome. He also runs the Family and Media website which examines how the family is presented in the media and how family associations can communicate effectively.