Before we get into today’s main topic, let’s talk about some context. Throughout history, human beings have valued different resources. In the Agricultural Revolution, land was considered extremely important. In the Industrial Age, it was machinery, coal and then oil. Now, in the 21st century, scholars, journalists, and industry leaders have been saying that data is the new oil. Among the most valuable companies in the world by market cap, many are tech companies, and they all hold an enormous amount of data about global consumers. The usual names are:
- In the East: Alibaba, Tencent, Baidu, Flipkart
- In the West: Google, Microsoft, Amazon, Facebook, IBM, Apple
Another perspective, from the World Economic Forum’s report “Data Policy in the Fourth Industrial Revolution”, is this: “At the World Economic Forum, we prefer to think of data as the oxygen that fuels the fire of the Fourth Industrial Revolution. It is readily available and necessary, but if used improperly it can generate dangerous and unwelcome results.”
Given how important “data” is, I am trying to educate myself on this topic, and this post is the first of a series about data privacy. As I am not an expert on this topic, I will share what I have learned and provide links to the sources.
For today, we will talk about 3 main questions:
- What is personal data?
- Who owns it? – a nuanced answer
- What are your rights?
What is personal data?
So far I have found the definition used by the European Union in their GDPR regulation the most comprehensive.
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
They also provide examples of personal data here:
- email address (email@example.com)
- an Internet Protocol (IP) address
- a cookie ID (often found on your web browser)
- the advertising identifier of your phone
Other examples can be:
- Your private communication: the content of your email/private messages
- Your financial records (bank balance, transactions, tax return)
- Education records (which school you go to, your grades in school)
- Medical records
- Biometric data (fingerprint, your face) etc.
While I include only a few examples here, it’s important to note that there are more than 100 existing data protection laws in different countries/territories.
The Personal Data Protection Commission of Singapore states: “Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA).”
Who owns it?
Well, the most obvious answer to many people is: it’s my data so I own it. The picture is getting more nuanced than that in real life though.
Government & public agency record
In many countries, the government maintains a lot of data about its citizens, such as birth certificates, identity cards (well, the government gives these to its citizens in the first place), biometric data etc.
The Indian government last year implemented one of the largest biometric ID programs with roughly 1 billion people.
What’s interesting is that at Davos this year, during the conversation about “Setting the rules for the AI race”, a representative from the Indian government mentioned that the data belongs to public entities/government. The government can allow entities access to personal data.
When you travel (or apply for a visa to travel), many countries require you to submit biometric data. After you submit your data and sign some paperwork, it is likely that you start to share your biometric data with those foreign governments.
Observed and inferred/predictive data
The World Economic Forum report “Data Policy in the Fourth Industrial Revolution” proposes that we need to consider observed and inferred data in the conversation. The answer to the ownership question for observed data/inferred data is not straightforward.
“Observed data: internet browsing preferences, surveillance video, call detail records etc.
Inferred data: credit scores, consumer profiles, predictive traffic flows, patterns in the spread of infectious diseases, targeted advertisement etc.”
As we go through our everyday life, we use different services and leave a lot of “observed data” behind with different businesses. So do these businesses own this data? These businesses can range from hospitals, airlines and restaurants to your ride-sharing services etc. In circle, businesses often refer to this type of data as 1st party data, which seems to indicate that they can use it. But can they? If you use the European Union GDPR definition of personal data, then as long as the data can be used to identify a person, that person owns the data. If the data is anonymized or has undergone pseudonymisation, then it is a different matter.
One thing to note is that we have been leaving tons of our behavioral and economic data behind for a long time. What has changed over the past decade or so is the advance in big data and machine learning. It is now relatively easier/cheaper for companies to store and process a huge amount of data and make from it. Any recommendation engine (like Amazon) is essentially that.
This is where I really like the clear articulation from the European Union regulation. I am not debating whether they are right or wrong here, at least not yet in this first post. The European GDPR establishes the following rights for consumers:
- Each person owns his/her own personal data
- Transparent with consent: Companies need to explicitly ask for permission to store and process personal data in a transparent and plain English manner
- Security: Personal data should be protected by reasonable security safeguards.
- Right to withdraw: at any time, we can withdraw our consent for our data to be processed or used
- Information and access to personal data
- Right to rectification
- Right to the restriction of processing
- Portability right
Of course, there are many detailed exceptions and exemptions described by GDPR too.
Next, I will look at some of these thornier topics in subsequent posts:
- Is the European Union’s GDPR too prescriptive?
- Should we have a global data privacy law given different legal regimes and economic models globally? If not, what should be our global approach given the interconnected/interdependent nature of our world?
- How do we move forward from here?
- The balance between data privacy and innovation, starting with health care and education?
- How to avoid data monopoly at local, national and global level?