It was hard to find websites that would not ask for a comment, subscription or online booking. It was hard to find anyone that wasn’t excited about the possibility of communicating with people or order stuff all over the world. How often did we hear “from the comfort of your couch”? If it was easy for users, it was as easy for website and app developers. Adding an interactive facility to a website was, and is, as simple as adding the default “form” HTML tag. With a bit of home-schooled MYSQL and PHP coding, any happily shared data could be logged into a database, for ever, and henceforth cross-referenced, analysed, aggregated and sold to willing buyers. Everyone was happy, and all was tremendous …
Only, it wasn’t. While we weren’t looking, websites were collecting information about us that we never intended to share. Websites were tracking our entire online behaviour, looking over our shoulders like peeping toms on a high school summer camp. Aggregating and analysing our data revealed sensitive patterns about our nature and behaviour. Our personal data, it turned out, was shared for purposes we had never consented to, with anyone from above-the-board advertisers and political campaigners to underground hackers, spammers, and who knows who else. All of a sudden, big data knew more about us than we ourselves knew about ourselves. Surely, that can’t be good. It can’t be good because it opens us up to all kinds of school book psychological manipulation.
Apart from the anxiety of not knowing when or where the manipulation comes from and what it makes us do, other questions arose. Who owns the personal data we share? If tech companies own it, does this mean they can do whatever the hell they want with it? If we own it, does it mean we have the right to object to our data being used? Do we have the right to lie about our personal preferences, or at least amend what is stored about us? But what if companies make important decisions about our lives, based on this false information? Can we demand that our data is removed? One way to deal with these questions, is regulation. I talk more about that below. Another way, is technology.
Regulators have been hard at work worldwide over the last couple of years, in an attempt to keep up with the latest technologies and trends. The starting point is privacy. Privacy, and by extension the personal information we or others, knowingly or unknowingly, share online, is a human right, protected by the Constitution in most countries. But privacy, it is said, should not stand in the way of progress, the free flow of information and money. There are of course great benefits for humanity in harvesting personal data of millions of people. Global exchange of ideas and progress in medical science are just two examples.
Recently published regulations sadly ignore the need to decentralise personal information, and have been designed from the (old) perspective that private companies should be allowed to process personal data. Founded on more or less universal principles, the regulation attempts to keep a balance between personal interests on the one hand, and public and commercial interests on the other. The most important principle is transparency. However, with its focus on protection, one could argue that regulation treats the symptoms, but not the cause of the problems.
Personal information is information by which a particular natural or juristic person can be identified, and includes race, sex, gender, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, birth, education, medical, financial, criminal or employment history, e-mail address, physical address, telephone number, location information, biometric information, personal opinions and private correspondence, and of course the name.
The principles are as follows. First, the law tells us who is legally held responsible for the protection of personal data. Now that this is clear, there’s no more passing the buck on that one. Secondly, processing of personal data relies on consent that has been received directly from the person whose data is being processed. The scope of the processing is determined and limited by that initial consent. Third, the purpose of the processing must be clearly defined. Four, before personal information can be further processed, consent must be received for that further processing. Five, the information must be up-to-date and accurate. Six, transparency! One must be informed when personal data is being processed, and informed on its purpose, destination and on who will have access. Data controllers must at all times be able to provide evidence of administrative measures to safeguard transparence. Seven, security! Data controllers must do everything in their control to safeguard the information. Should a security breach occur, data subjects affected by the breach must be notified without delay (GDPR states “within 72 hours”) Eight, data subject participation. Every data subject has the right to access, request a correction or deletion and object to the processing of personal information.