Privacy & Data Protection

Jeroen Seynhaeve

Data Protection

Once upon a time, sharing personal information online felt as comfortable as smiling at a stranger on a good day. While everyone was basking in the glory of the technological possibilities, no questions were asked.



It was hard to find websites that would not ask for a comment, subscription or online booking. It was hard to find anyone who wasn’t excited about the possibility of communicating with people or ordering stuff all over the world. How often did we hear “from the comfort of your couch”? If it was easy for users, it was just as easy for website and app developers. Adding an interactive facility to a website was, and is, as simple as adding the default “form” HTML tag. With a bit of home-schooled MySQL and PHP coding, any happily shared data could be logged into a database, forever, and henceforth cross-referenced, analysed, aggregated and sold to willing buyers. Everyone was happy, and all was tremendous …

Only, it wasn’t. While we weren’t looking, websites were collecting information about us that we never intended to share. Websites were tracking our entire online behaviour, looking over our shoulders like peeping Toms at a high school summer camp. Aggregating and analysing our data revealed sensitive patterns about our nature and behaviour. Our personal data, it turned out, was shared for purposes we had never consented to, with anyone from above-board advertisers and political campaigners to underground hackers, spammers, and who knows who else. All of a sudden, big data knew more about us than we knew about ourselves. Surely, that can’t be good. It can’t be good because it opens us up to all kinds of textbook psychological manipulation.

Apart from the anxiety of not knowing when or where the manipulation comes from and what it makes us do, other questions arose. Who owns the personal data we share? If tech companies own it, does this mean they can do whatever the hell they want with it? If we own it, does it mean we have the right to object to our data being used? Do we have the right to lie about our personal preferences, or at least amend what is stored about us? But what if companies make important decisions about our lives, based on this false information? Can we demand that our data is removed? One way to deal with these questions is regulation. I talk more about that below. Another way is technology.

An example of a technological answer to the problem of privacy protection is Solid, a project led by Tim Berners-Lee, the inventor of the World Wide Web. Solid’s aim is to decentralise the personal data we store online. Rather than logging our information with this and that website, Solid creates the option of storing personal data on a decentralised platform, entirely controlled by the owner of the data. Websites, like social media apps, can request access to this data, but only on your, and not their, terms. For example, here’s my profile.

Regulators have been hard at work worldwide over the last couple of years, in an attempt to keep up with the latest technologies and trends. The starting point is privacy. Privacy, and by extension the personal information we or others, knowingly or unknowingly, share online, is a human right, protected by the Constitution in most countries. But privacy, it is said, should not stand in the way of progress, the free flow of information and money. There are of course great benefits for humanity in harvesting personal data of millions of people. Global exchange of ideas and progress in medical science are just two examples.

Recently published regulations sadly ignore the need to decentralise personal information, and have been designed from the (old) perspective that private companies should be allowed to process personal data. Founded on more or less universal principles, the regulation attempts to keep a balance between personal interests on the one hand, and public and commercial interests on the other. The most important principle is transparency. However, with its focus on protection, one could argue that regulation treats the symptoms, but not the cause of the problems.

Personal information is information by which a particular natural or juristic person can be identified, and includes race, sex, gender, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, birth, education, medical, financial, criminal or employment history, e-mail address, physical address, telephone number, location information, biometric information, personal opinions and private correspondence, and of course the name.

The principles are as follows. First, the law tells us who is legally held responsible for the protection of personal data. Now that this is clear, there’s no more passing the buck on that one. Second, processing of personal data relies on consent that has been received directly from the person whose data is being processed. The scope of the processing is determined and limited by that initial consent. Third, the purpose of the processing must be clearly defined. Fourth, before personal information can be further processed, consent must be received for that further processing. Fifth, the information must be up-to-date and accurate. Sixth, transparency! One must be informed when personal data is being processed, and informed of its purpose, its destination and who will have access. Data controllers must at all times be able to provide evidence of administrative measures to safeguard transparency. Seventh, security! Data controllers must do everything in their control to safeguard the information. Should a security breach occur, data subjects affected by the breach must be notified without delay (GDPR states “within 72 hours”). Eighth, data subject participation. Every data subject has the right to access, request a correction or deletion and object to the processing of personal information.

So, while any regulation to protect personal information should be welcomed, it does little to shift the balance of control from tech companies and governments to private individuals, and leaves some fundamental questions, like data ownership, largely unanswered.