Law in the Internet Society

Tracing Data Privacy and How to Realize It

-- By AndrewTaub - 16 Jan 2018


Data privacy continues to be misunderstood as protecting the individual rather than the data. Defining and understanding this distinction is key to working out how to counteract the rise of private power and to control one’s data privacy. Private power has increasingly pushed public law out of the process of regulating how behavior data is collected and what happens when it is collected. Specifically, companies that generate data and operate closed platforms have amassed such private power by controlling the data and the consent arrangement with their users. Ultimately, should users want to restore the privacy of their data and not be at the mercy of companies’ growing private power, they must operate and control their activity on the internet by owning their data infrastructure, both hardware and software.

Recognizing What Data Privacy Serves to Protect

Where could the misinterpretation that data privacy protects the individual stem from? The origin of the word data (the Latin verb “dare”, which means “to give”, and its neuter past participle “datum”, which means “something given”) implies that possession is involved, in terms of who owns the facts or information being collected. Similarly, with privacy, the person who holds those private matters or experiences a state of freedom is entitled to defend against intruders and has the authority to protect that state. Given these two words, the center of the term “data privacy” would appear to be, at a singular level, an individual, as the one who decides to give information and to protect that personal state. But as a term, data privacy “is the protection of data (typically in a computer-based system) for the sole use of one individual or organization, or by such others as the owner of the data may authorize.” What marries “data” and “privacy”, as the NSB’s definition raises, is the birth and growth of computer systems at the time, in 1958. Today the term closely, if not entirely, implies that a computerized information system is present and involved in where that data is stored and how it is protected.

Amassing Private Power through Control of Data

In theory, it seems that data privacy should be about the individual, but in reality, it is about the protection of data on computer systems. This distinction is necessary because data protection is operated by whoever ultimately has power. That power is determined by who owns the computer system, where it and the stored data are located, and, most importantly, who collects, controls, and owns the data. As Yochai Benkler states, over the past ten years, there has been a shift to higher-level systems (e.g., Facebook, Google, Apple, Amazon) in which there exists no core organizing structure for how to build new systems or integrate existing ones. The shift has been away from building frameworks and software of openness, and there are neither public standards for data portability nor legal requirements for interoperability.

Public Law Ousted

This new model of a few dominant players creates a concentration of power in which their influence increases not through open programs, but through closed platforms. Since data has become the core infrastructure around which control develops, and since the anatomy of these closed platforms is owned and operated by the system providers, the individual lacks any real authority, or even the possibility, to control the privacy of his or her data. Instead, privacy is built upon a form of consent between the system operator and the consumer, which the user unseeingly accepts because there is no real choice, “stemming from a conception of the absence of any choice to begin with” (Benkler). And with that, we see public law unable to effectively reach or enact legislation in that closed realm, and instead see more concentrated power, which allows companies to create policies privately to serve their best interest.

Other forms of growing and isolated private power exist beyond data privacy and behavior data collection. One example is in real estate. Short-term rental platforms such as Airbnb and HomeAway have been skirting local housing laws. By working directly with the homeowners, these companies were avoiding hotel or tourist taxes in many cities. In this case, regulatory authorities have intervened to enforce tax payments, issue fines, or enact new legislation.

Another example is in biotechnology. From 23andMe, which sells personal genome tests directly to consumers, to Theranos, which is developing blood testing machines, both companies leveraged their fast rise, substantial financing, and, importantly, their ownership of their infrastructure, development process, and close relationship to customers to outmaneuver components of regulatory approval. In both cases, authorities intervened to enforce the required revisions for compliance, including an investigation for Theranos.

What Next?

How can public law reassert regulatory oversight over system providers that collect behavior data? One example is the EU’s GDPR, one of whose three main elements is to strengthen the conditions of consent between the company and the data subject: companies may not use lengthy, illegible terms and conditions that consist of legalese, the request for consent must be delivered in an easily understandable form with plain language, and consent must be as easy to withdraw as it is to give. This is an attempt to restore the individual’s ability to exercise rights when engaging with a closed platform functioning as a behavior collection system. Ultimately though, to achieve real data privacy, the individual must take control over any activity on the internet to restore greater freedom. One example is to own a piece of the network, so as to possess the infrastructure itself. While operating this as a self-service is perhaps not as convenient or attractive, applying this resistance restates the right and discretion of users over where, when, and with whom they intend to share their data, an act that can reposition power, and the true sense of data privacy, back to the individual.

Learned Hand in a famous epithet from a 1940s tax case warned against "making a fortress of the dictionary." That's happened here. The dictionary definitions and mere verbal analysis take up too much space, and in particular prevent the opening of the essay from launching it. You need to show the reader your idea up front, not a set of Googled-up definitions, in order to secure attention and begin the reader's thinking process to run alongside your own.

Once you have stated your own idea (about which I must admit that the current draft leaves me not entirely certain, even by the time I have finished reading it for a second time), you can then use the central body of the essay to show how you came by it, to answer objections, and to present the most important consequences. So---if we posit for example that your primary point is that private power has ousted public, legal authority from the process of determining what happens to behavior data collected by telecomms and platforms---you can show briskly what Yochai and I have contributed to your thinking out of which you came to that conclusion. You can relate this to other forms of private power (over the physical environment, over the molecules of life and health, over the degree of "restraint of trade" exercised by the dominant competitors in goods and services markets, etc.), and discuss the forms of regulatory intervention that have been used to redress the balance between public and private power in those situations. A well-earned conclusion, then, can restate the primary force of the idea, and leave some implications for the reader to consider under her own steam.

Perhaps I don't have the central idea right; as I say, the existing draft is not particularly focused there. But, mutatis mutandis, the approach I'm suggesting should yield a richer next draft wherever the intellectual emphasis should fall.

