Law in the Internet Society

Tracing Data Privacy and How to Realize It

-- By AndrewTaub - 16 Jan 2018


Data privacy continues to be misunderstood as protecting the individual rather than the data. Defining and understanding this distinction is key to working out how to counteract the rise of private power and to control one’s data privacy. Private power has increasingly pushed public law out of the process of regulating how behavior data is collected and what happens when it is. Specifically, companies generating data and operating closed platforms have amassed such private power by controlling the data and the consent arrangement with their users. Ultimately, should users want to restore the privacy of their data and not be at the mercy of companies’ growing private power, they must operate and control their activity on the internet by owning their data infrastructure, both hardware and software.

Recognizing What Data Privacy Serves to Protect

Where might the misinterpretation that data privacy protects the individual come from? The origin of the word data (the Latin verb “dare”, which means “to give”, and the neuter past participle “datum”, which means “something given”) implies that possession is involved, in terms of who owns the facts or information being collected. Similarly, with privacy, the person who holds those private matters or experiences a state of freedom is entitled to defend against intruders and has authority to protect that state. Given these two words, the center of the term “data privacy” would appear to be, at a singular level, an individual, as one who decides to give information and to protect that personal state. But as a term, data privacy “is the protection of data (typically in a computer-based system) for the sole use of one individual or organization, or by such others as the owner of the data may authorize.” What marries “data” and “privacy” is, as the NSB’s definition suggests, the birth and growth of computer systems at the time, in 1958. Today the term closely, if not entirely, implies that a computerized information system is present and involved in where that data is stored and how it is protected.

Amassing Private Power through Control of Data

In theory, it seems that data privacy should be about the individual, but in reality, it is about the protection of data on computer systems. This distinction is necessary because data protection is operated by whoever ultimately has power: whoever owns the computer system, wherever it and the stored data are located, and, most importantly, whoever collects, controls, and owns the data. As Yochai Benkler states, over the past ten years, there has been a shift to higher level systems (e.g., Facebook, Google, Apple, Amazon) in which there exists no core organizing structure for how to build new systems or integrate existing ones. The shift has been away from building frameworks and software of openness, and there are neither public standards for data portability nor legal requirements for interoperability.

Public Law Ousted

This new model of a few dominant players creates a concentration of power in which their influence increases not through open programs, but through closed platforms. Since data has become the core infrastructure around which control develops, and since the anatomy of these closed platforms is owned and operated by the system providers, the individual lacks any real authority, or even possibility, to control the privacy of his or her data. Instead, privacy is built upon a form of consent between the system operator and the consumer, which the user unseeingly accepts because there is no real choice, “stemming from a conception of the absence of any choice to begin with” (Benkler). And with that, we see public law unable to effectively reach or enact legislation in that closed realm, and instead see more concentrated power, which allows companies to create policies privately to serve their best interest. Other forms of growing and isolated private power exist beyond data privacy and behavior data collection. One example is in real estate. Short-term rental platforms such as Airbnb and HomeAway have been skirting local housing laws. By working directly with the homeowners, these companies were avoiding hotel or tourist taxes in many cities. In this case, regulatory authorities have intervened to enforce tax payments, issue fines, or enact new legislation. Another example is in biotechnology. From 23andMe, which sells personal genome tests directly to consumers, to Theranos, which is developing blood testing machines, both companies leveraged their fast rise, substantial financing, and, importantly, ownership of their infrastructure, development process, and close relationship to customers to outmaneuver components of regulatory approval. In both cases, authorities intervened to enforce the required revisions for compliance, including an investigation for Theranos.

What Next?

How can public law reassert regulatory oversight over system providers that collect behavior data? One example is the EU’s GDPR, one of whose three main elements is to strengthen the conditions of consent between the company and the data subject: companies may not use lengthy, illegible terms and conditions that consist of legalese, the request for consent must be delivered in an easily understandable form with plain language, and consent must be as easy to withdraw as it is to give. This is an attempt to restore the individual’s ability to exercise rights when engaging with a closed platform functioning as a behavior collection system. Ultimately though, to achieve real data privacy, the individual must take control over any activity on the internet to restore greater freedom. One example is to own a piece of the network, to possess the infrastructure itself. While operating this as a self-service is perhaps not as convenient or attractive, applying this resistance restates users’ right and discretion over where, when, and with whom they intend to share their data, an act that can reposition power, and the true sense of data privacy, back to the individual.

Certainly this was a substantial improvement, within the confines of a rather limited rewrite. I'm not sure what the first sentences mean. It seems to me that protecting people rather than data is the goal, and is not what data protection achieves. But maybe I've misunderstood again. I still think the first third of the piece should say what it means as clearly and tersely as possible, avoiding defining words in favor of explaining things.

Perhaps it is sufficient from your point of view to make some gesture in the direction of GDPR. I don't see that quite as you do, perhaps: to name someone else's legal institutions (not yet working) by mere reference doesn't seem quite as helpful as explaining what the functional parts of a system for redistributing power ought to be. Saying "Sherman Act" would hardly be sufficient, either, in such a situation, even with the benefit of 125 years of legal experience.




r4 - 01 Apr 2018 - 16:34:57 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.