Pillar 2: Data Privacy

Collected human data should be shared and maintained in a way that protects the privacy of subjects

Just as with our medical, financial, and educational records, our personal data needs to be maintained securely due to its sensitive and personally identifying nature. In the age of the Internet, technology has advanced rapidly, arguably faster than the ability of general audiences to fully understand its implications. Because use of the Web is ubiquitous, many users take for granted, or are simply unaware of, how their personal data is collected and used. For example, cookies are small files that can store personal preferences and data to enhance our online experience. When a user browses websites, third-party cookies can communicate with their home servers to inform them about the user’s visit to a website. This is often how companies like Facebook, YouTube, and Google are able to know about someone’s online shopping habits and thus use targeted advertising on other unrelated websites.

Because of legislation like the General Data Protection Regulation (GDPR) [1], a set of international laws that regulate data privacy and associated human rights, websites have become more transparent about their cookie usage and provide the opportunity for website visitors to opt out of certain cookies. Some websites, however, do not offer these opportunities and may use cookies in an unregulated fashion. The GDPR enforces transparent data processing and limited storage, and it applies to companies and commercial entities that offer goods and services to, and/or monitor the online traffic of, citizens within the European Union (EU), even if they operate outside of the EU. Exceptions to the GDPR include enterprises with fewer than 250 employees or data collection for “purely personal or household activity.” Companies based outside of the EU may geo-block visitors from the EU to circumvent the need to be GDPR compliant. Because of the boundless nature of the Internet, staying in compliance with the GDPR can greatly reduce a company’s legal liability.

Apart from cookies, there are other means by which personal information can be obtained, such as collecting data through third-party services and apps or purchasing data from these services or data brokers. These data can be aggregated with geolocation data, device identifiers, financial transactions, and other data that may not legally be defined as “personally identifying” but can allow for specific targeting of users. Further processing, such as pseudonymization and anonymization, may be done prior to external release of data as a way to de-identify the data and protect personal identities. Pseudonymization is the assignment of pseudonyms to data entries, while anonymization is the complete removal of identifier variables. Pseudonymized data can potentially be used to re-identify individuals if the corresponding metadata is supplied. Once collected and processed, this data is treated as property of the collection company or data broker and can be sold to government agencies and other private companies. This introduces ethical and legal arguments pertaining to data ownership. In order to utilize goods and services, users are usually required by companies to forfeit rights to ownership or allow royalty-free licensing of collected personal data [2,3]. This limits the economic compensation and control of dissemination of personal information for the individuals from whom the data is collected. Additionally, regulation of this would be rather difficult, as various stakeholders may play a role in directly or indirectly contributing to data collection, processing, and maintenance [2].
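
As an added illustration (not part of the original text), the Python sketch below contrasts pseudonymization and anonymization on constructed records and shows why a pseudonymized release stays re-linkable for whoever holds the lookup table. The use of HMAC-SHA256 to derive pseudonyms, the field names, and the key are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample records; names, e-mails and purchases are made up.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "zip": "02139", "purchase": "glucose monitor"},
    {"name": "Bob Sample", "email": "bob@example.org", "zip": "94110", "purchase": "running shoes"},
    {"name": "Alice Example", "email": "alice@example.com", "zip": "02139", "purchase": "test strips"},
]
DIRECT_IDENTIFIERS = ("name", "email")
KEY = b"example-key-held-only-by-the-data-custodian"  # assumption: secret, never released


def pseudonymize(records, key):
    """Swap direct identifiers for a keyed pseudonym.

    Returns (released_rows, lookup). The lookup table is the "corresponding
    metadata": anyone holding it can map pseudonyms back to people.
    """
    released, lookup = [], {}
    for row in records:
        pid = hmac.new(key, row["email"].encode(), hashlib.sha256).hexdigest()[:12]
        lookup[pid] = {field: row[field] for field in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym"] = pid
        released.append(out)
    return released, lookup


def anonymize(records):
    """Remove the identifier variables entirely; no per-person token remains."""
    return [{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS} for row in records]


def reidentify(released, lookup):
    """Re-attach identities to every released row whose pseudonym is in the lookup."""
    return [{**lookup[row["pseudonym"]], **row}
            for row in released if row.get("pseudonym") in lookup]


if __name__ == "__main__":
    released, lookup = pseudonymize(RECORDS, KEY)
    # Rows 0 and 2 share a pseudonym, so one person's records stay linkable.
    print(released)
    # With the lookup table, the pseudonymized release maps back to names.
    print(reidentify(released, lookup))
    # The anonymized release carries no pseudonym, so the lookup matches nothing.
    print(reidentify(anonymize(RECORDS), lookup))
```

Note that removing only the direct identifiers leaves fields such as the postal code in the released rows, which is the aggregation concern raised earlier in this paragraph.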

While the collection and selling of data has grown to be an extremely profitable market, ethical faults have caused personal and collective damages to citizens. Data brokers have come into legal battles over the sale of sensitive personal information, which has raised concerns of safety and exploitation in cases such as the ones involving scams against the elderly [4] and the homicide of Amy Boyer [5,6]. As data continues to be a growing commodity, regulations and ethics will need to develop rapidly to meet the dynamic ecosystem around the selling of personal data, maximizing social and economic benefit while minimizing harm.


[1] European Parliament, Council of the European Union, General Data Protection Regulation (GDPR), 25 May 2018, available at: https://gdpr-info.eu/

[2] Jurcys, Donewald, Globocnik & Lampinen, Note, My Data, My Terms: A Proposal for Personal Data Use Licenses, Harv. J.L. & Tech. Dig. (2020), https://jolt.law.harvard.edu/digest/my-data-my-terms.

[3] Drexl, Josef, et al. “Position Statement of the Max Planck Institute for Innovation and Competition of 26 April 2017 on the European Commission’s ‘Public Consultation on Building the European Data Economy.’” SSRN Electronic Journal, 2017, https://doi.org/10.2139/ssrn.2959924.

[4] UNITED STATES v. MACROMARK, INC. 20-CR-147-AWT, 18 Dec. 2020, https://www.justice.gov/civil/case/file/1326376/download.

[5] An Online Tragedy, https://www.cbsnews.com/news/an-online-tragedy/.

[6] REMSBURG v. DOCUSEARCH, INC. No. 2002-255, 18 Feb. 2003, https://www.nhd.uscourts.gov/sites/default/files/Opinions/02/02NH090.pdf.