The latest Facebook conflict has resurfaced a decades old debate among the general public. Technology is exciting and the digital winds of change have been upon us for decades now. However, the further we move forward the more the need to start considering the implications of ignoring fundamental questions in our changing society. One of the most important questions that has been surfaced over the years has been regarding ownership of data. Who owns the data we use and the digital shadows we leave on the internet? The answer has surprisingly been divided into three different areas the consumer, the platform, and some even say no one should have a right to own data. Public discourse is often expressed in policy when nations tackle the question head on. In the case of data ownership, the General Data Protection Regulation (GDPR) has revealed Europe’s orientation with the question. What is GDPR? This article will summarize all three perspectives on this and how it relates to your company going forward.
Data Ownership: Exchange, Processing, and Commodification
Common among businesses is the practice of requesting data in exchange for a service or enhanced product. After a consumer shares their data often they have no idea where it goes or how it is used. Companies process the data for whatever purpose they wish. Often times consumer is to either improve marketing efforts, operations, logistics, or to create a data product for a seperate market. The processing of the data makes many companies believe that they own the data they have collected, and the new data they generated from the collected data. Platforms such as Facebook, Twitter, or LinkedIn collect data but also are able to build comprehensive profiles of people that can be very valuable for many different third parties. Everyday interactions easily become commodified and added to one’s profile. The Facebook controversy started because Cambridge Analytica sought access to people’s “likes” on Facebook to determine their political leanings and better target messages towards them.
The current data ecosystem has created an environment of distrust between consumers, platforms, and even governments. Explicit consent sometimes is not even given for data collection and processing. People have no idea what happens behind the scenes with each bit of information. The value of personal data is expected to reach ~1.4 trillion USD by 2020 and is a key part of competitive advantage in today’s economy. Despite this, companies such as IBM have been trying to make it clear what their positions are in regards to data responsibility. Statements such as these are a recent phenomenon and are an evolution in from the carbon copy privacy statements from the last few years.
No matter how many statements come out, the questions could develop a foothold through policy. Over the years many academics and organizations have come forward and stated that there needs to be an individual centric approach towards data ownership, which means the consumer. In 2014, Alex Pentland from MIT suggested that there needs to be a New Deal on Data and made clear he does not believe companies own data. Other academics such as Lothar Determann of Berkeley School of Law has taken the position that no one owns data and it should stay that way. This position of non-ownership of course favors the status quo.
GDPR and Europe’s Orientation
The GDPR has been hailed a step in the right direction among those who believe the individual should be in charge of their data. While some may believe that the GDPR is primarily focused on privacy, this is inaccurate. The GDPR is concerned principally with concerned with protecting personal data and essentially placing control of that data back into the hands of the individual. One quick glance at the list of rights now granted to individuals demonstrates that privacy alone was not the aim of this legislation. Some of those rights include:
- The right to be informed
- The right of access to data
- The right to rectification
- The right to be forgotten (erasure)
- The right to restrict processing
- The right to data portability
- The right to object
- The right to reject automated decisions
These rights place control directly into the hands of individuals. Businesses must now gain explicit consent in order to collect, process, and exchange personal data. This will of course cause serious disruption among many industries and recent business models. For example, some organizations from the advertising industry have made clear that consent is not compatible with automated advertising that exists today.
Europe has made a loud declaration that the individual is the owner of their data. With this policy taking effect on May 25, 2018, it is clear that the business and public sector environments will have to adjust to this new paradigm. Europe has had a long standing policy practice of protecting citizens. The precautionary principle as applied to goods and services in Europe is one example of that where products need to be proven safe to the public before they can be sold in the market. Policy such as the GDPR reflects a long standing tradition of centering the well being of citizens. Such an outcome should have been expected.
The United States Orientation
In the United States, there is no policy that compares to the GDPR. As the U.S can be business-centric, they are always cautious when it comes to imposing restrictions on the private sector. While there are no explicit definitions of who owns data, it is obvious who benefits from data, which are the platforms who collect and process it. For the most part an individual in the US has no control of what happens to their data outside of highly regulated industries such as healthcare or finance. The more recent security incidents that has upset the public such as the Equifax data breach and the Facebook/Cambridge Analytica data sharing have increased public resentment.
Despite the public outrage there is not much happening to shift the policy paradigm in the US, which is centered on privacy and responsible handling of data. Reviewing security policies in the US such as HIPAA, SOX, or PCI DSS and it becomes clear the goal is to mitigate terrible outcomes. Which personal data is mentioned there is nothing that defines who owns the data, the individual or the business who collects and processes the data. This ambiguity can be beneficial as Lothar Determann has argued.
Should Anyone Own Data?
The question of data ownership, according to Determann is one that applies property rights to the content of information that exists outside of intentionally authored works and databases. Their argument against defining ownership in the United States is based on the perspective that such definition and assignment of property rights would do more harm than good in the long run. Their reasoning is that individuals, businesses, and governments all have a varying amount of interests in data ownership and access restrictions; and that existing laws in the U.S are enough to manage those interests. While Determann never really defines how, they claim that defining data ownership would “restrict free speech” and slow down technological progress. If you would like to learn more about this perspective you can view their analysis here. One could argue that the perspective that existing laws are enough, is the dominant US position.
Where to From Here?
The question of data ownership is one that will continue to define the interactions of our institutions and civil society going forward. It is becoming clear where the lines are being drawn in regards to who owns data. This is creating new business models and adding to the complexity of operating in today’s world. Facebook, Google, and many other firms will need to operate and develop strategies from both perspectives where in Europe, the citizens are the owners of data, and in the US no one owns data. Whether this has a negative impact on technological progress and the future of freedom of information will be seen soon. Click below to learn more about Teramind.