Do citizens have a right to control their data on the web?A study on European and American legislative proposals

Juan Antonio Martínez recently presented a study through the Holy Cross’ School of Church Communications in Rome, on what came to be the Consumer Data Privacy in a Networked World ⁽¹⁾, a draft bill approved by the White House in February 2012, and the European Commission directive General Data Protection Regulation (GDPR) ⁽²⁾ of January 2012, which both seek to establish a regulatory framework for privacy in the context of the digital economy.

Legislators from both sides of the Atlantic undeniably have sufficient reason for concern. First, scandals generated by Wikileaks and Snowden infiltrations aroused debate in the US Senate and international public opinion on political espionage within US Security, which was used for voluntarily collaboration (vaguely permitted by antiterrorism laws) with major Internet companies that possess the personal data of millions and millions of users, i.e. citizens. Representatives of some of these companies (Yahoo, Facebook, Google, Microsoft, Apple, Skype, Twitter), who once upon a time gave their enthusiastic economic support of the electoral campaigns of Obama, later decided to distance themselves from the White House. Obama himself was obliged to give explicit messages, until now only rhetorical, on the need to review policies regarding citizen vigilance through data stored everywhere.

Incidentally, it is surprising that the White House’s interest in the protection of consumer data, rather eloquently expressed in the regulatory framework adopted by the White House itself just a few months before, has not actually been “extended” to citizens. It seems as if consumers and citizens were two distinct categories. As Martínez explains in his study, the concerns that have led to the Consumer Data Privacy in a Networked World were actually commercial, not political. The issue under question in this text is who owns users’ data: enterprises in Internet services that have obtained this data with the consent of the users, or the users themselves? To what extent? How can a free trade be ensured and technological innovation be uninhibited?

Not just about spy and infiltration stories

To talk about the Internet is to talk about data. And to talk about data is ultimately to talk about people. Eric Schmidt , CEO of Google Inc. until 2011, a few years ago said, “There were five exabytes of information created between the dawn of civilization through 2003, but that much information is now created every two days, and the pace is increasing.” The reason for such an exponential increase of stored data is the content generated by users. For Google’s advisor, the information created by Internet users and the current state of technology easily allow for profiling that predicts personal conduct. “People are describing enormous amounts of things about themselves through videos and photographs and so forth… [with a cell phone] you can tell us where you are and then you can tell your friends where you are. [We can use technology] to predict where you are going to go. Pretty interesting. We can take a picture, and if you have 14 pictures on the internet with a 95% confidence interval, we can predict who you are.” Schmidt continues to explain how society is not prepared for questions that will arise as a consequence of content generated by users. The following figure gives us an idea of the quantity of data registered per minute on the web.

Scenarios described in movies such as Terminator, Matrix or Minority Report seem to come alive. But in this case, the dark side isn’t incarnate in perverse machines, but rather what some users can do with the personal data of other users. Any action that would be lost in “analogical” life, remains stored, archived, and in many cases, at the disposition of the public in the online world.

One Challenge: Two Responses

Below are the main conclusions of Martínez’ study on the two legal texts.

The new European Regulation, which will be directly applicable to all of Europe upon approval, allows for greater control over personal information. It establishes, for example, the Right to digital oblivion as the power to demand the application of reasonable means to remove, and solicit the removal from a third party, all information that may be of concern to a person (art. 17)

Another new right that aims at securing the holder ability to dispose of their personal information is Data portability (art. 18). A user may request a structured copy of his/her personal information that may be used by a similar system from the data controller.

One last important novelty of the European Regulation is the individual’s Principle of location. The former legal framework granted the applicable legislation to the data controller. From now on, the law will apply to the owner of the data. This will require the equalization of the norms for companies operating within and outside of the European Union.

The U.S. Consumer Data Privacy in a Networked World is the first standard that systematically addresses the issue of personal data protection. The core of this proposal is constituted by the the Consumer Privacy Bill of Rights, a bill of privacy rights for consumers in the digital context. This charter establishes a set of principles that serves companies in the online world as a guide to the establishment of self-regulating mechanisms regarding privacy issues.

There are seven principles that form this charter: single user control, transparency of information provided to the consumer, respect for context in data processing, security, right to access and correction of personal information, collection of data limited to the service offered by the company, and corporate responsibility in data processing.

In conclusion, according to Martínez, the principle for respect for context in processing personal information leaves companies a wide margin to decide the ends for which the personal data is used. “The norm affirms the key element to understanding the context of data transfer and processing is determined by goal of the companies relationship with its consumers. This criterion gives companies the ability to use personal information for ends that are distinct from the purpose for gathering it, as well as the possibility to pass the information to third parties as long as it represents an improvement in service for its customers”.

For its part, the European Regulation falls short of realism. For example, the right to be forgotten is not free from technical difficulties, since it is quite difficult to regain control of personal data as soon as it begins to circulate the web. Then, the location criterion presupposes a disadvantage regarding innovation for companies based in European territory, and it fails to reach companies with headquarters outside of Europe. We have yet to see the results of the legal proceedings that companies and citizens of five European countries currently hold against Google, the most powerful Internet browser, and if they will adapt to the legal framework established for the protection of personal data.

Conclusion: a new habeas data

Differences aside, which can be traced back to diverse legal traditions and mentalities, the law makers, pushed by technological changes and social consequences, are developing new rights that arise from the need for individuals to have controlling power of their personal information. As Martínez states, “in order for this power to control to be fully guaranteed, the holder needs a series of rights that he may exercise while his data is being processed. Doctrine has nominated these guarantees as ARCO: access, rectification, cancellation, and opposition.”

Without any rhetorical claims, we can speak of a new habeas data. This habeas data responds to the same requirements and criteria of justice that historically led to the habeas corpus at the start of the modern rule of law, and then to a habeas mente when the challenges of an society fueled by information prompted the recognition of a right to privacy, along with other personal rights.

⁽¹⁾ The complete title is Consumer Data Privacy in a Networked World: A Framework for Promoting Privacy and Promoting Innovation in the Global Digital Economy . The full text can be found here: http://www.whitehouse.gov/sites/default/files/privacy-final.pdf

⁽²⁾ The complete title is REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

As a European regulation, it is binding to all countries that belong to the European Union, without the need for a national law to be transposed in their respective countries. The text in English can be accessed here at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF.