![Personal data: a cornerstone of sovereignty? [by Loïs Samain, CEIS]](https://incyber.org//wp-content/uploads/2024/03/adobestock-749446930-1-1920x735.jpeg)
Personal data: a cornerstone of sovereignty? by Loïs Samain, CEIS
Every day, millions of gigabytes of digital data are exchanged, by our mobile phones, web browsing activities, IP cameras, connected fridge or brand new Apple Watch. The boom in connected things will certainly not reverse the trend: according to an IDC[1] survey made for EMC and published in April 2014, the volume of data will face a very strong growth in the coming years, with an expected 10-fold increase between 2014 and 2020 to reach 44 Zettabytes, i.e. 44,000 billion gigabytes, in 2020.
Hence this question: where do these data end, and who owns them?
Sovereignty — i.e. a State’s ability to exercise its authority over a given territory and population — is by no means an immutable concept. It has changed over centuries and according to society and technological progress. Yet, the digital world, which defies physical or legal constraints, has dramatically accelerated a mutation, initiated at the beginning of the 20th century, that has obliged the State to reinvent itself and share its authority with private organisations. Just think about digital identity: to prove our identity in the « real » world, we use our identity document, issued by the State; but in the digital world, we use our Facebook or Google account. The identity of citizens and their personal data is no longer guaranteed by the State, but by companies, often located abroad, that cannot assure citizens they will abide by the legislation and regulations applicable in their own country.
The direct consequence of this is the trust crisis that seems to spread among users.
According to a survey made by ACSEL in 2013[2], less than one third of French people put their faith in administrative websites (29%), in trust labels of merchant sites (28%) and in the privacy policy of social networks (28%). A real data asymmetry has appeared between companies and users, with these latter feeling categorised and watched and thus losing trust in these companies. This situation has led to the development of a new model aiming to replace the standard CRM approach (which is, for the record, based on tools and techniques intended to collect, process and analyse the data related to current and potential customers, in order to make them loyal by offering them the best service): the so-called VRM (Vendor Relationship Management) approach. This concept, developed by Doc Searls[3], is based on a key statement: « a free customer is worth more than a captive one » (the customer-centric paradigm). The principle of VRM is that companies give back to consumers their respective personal data, to make them feel at the heart of the relationship with that company and empowered in their interactions. VRM is like a reversed CRM: it enables the consumer to manage its relationship with the brands it values, just as the brand uses CRM to better interact with its clients. In 2011, the United Kingdom launched a project called midata[4] whereby more than 20 large companies committed to share with their clients the data they possess on them. Such companies included BarclayCard, MasterCard, HSBC, Everything Everywhere (the UK operator of the Orange and T-Mobile brands), Google and several energy or retail companies. The data concerned will be reusable and portable, like the well-known « open data ». This radical change in customer relationship aims at enabling users to regain control of their personal data and decide what they want to share.
Yet, this control is purely theoretical. Indeed, what can customers do if they do not want a company to use their personal data for commercial purposes? The answer is crystal clear: nothing! The issue lies in data ownership. Every stakeholder has its own view: some consider that each individual owns their personal data, irrespectively of where they are located. For instance, Pierre Bellanger said, at the FIC 2015, that we are the « authors of our own personal data »[5]. Others think that the issue is not so simple, like CNNum (the French Digital Council), which published a report[6] in 2014 where they recommend not to establish a private property right on personal data because it would « (…) give individuals the responsibility to manage and protect their data, reinforce individualism and negate the power balance between consumers and companies« . Our Secretary of State for Digital Affairs, Axelle Lemaire, is in favour of a middle way whereby specific data (regarding transport, housing or the like) would have a « general interest » status[7], halfway between the private and public spheres.
Today, when we register on certain websites and accept the dozens of pages of Terms of Use, we accept that the service become the owner of the data we provide, which may vary according to the data usage policy[8]. We also authorise the service to use such data for commercial purposes[9]. As the saying goes: « If the product is free, you are the product »[10]. Without this, a company like Facebook, which mainly offers free services, could not yield a profit of some 2.9 billion dollars[11]. During the 2nd quarter of 2014, each European user enabled the firm to earn $2.84[12] by selling their data to companies wanting to do targeted advertising. But other firms are offering alternatives, such as the company Yes Profile[13]. This latter enables Internet users to charge companies wanting to access their personal data, thus enabling users to control and monetize such data. Unfortunately, experience shows that the idea is good but not profitable, with only few euros collected in one year. This is way below the amounts secured by the internet giants with our personal data.
Though alternative models are being developed, their scope remains quite limited. Therefore, what are the options if you don’t want to give up all the services offered by internet-based companies?
The first option is a users’ alliance. It does indeed happen that users rise up and change the course of things, like with Instagram. This photo-sharing platform, taken over by Facebook in April 2012, announced at the end of 2012 that it would modify its Terms of Use to have the right to commercially use the pictures published on its platform. Unfortunately, users turned massively against the company. Even National Geographic deleted their account to keep control over the rights of its photos. Furthermore, a class action was filed in the US to contest the new Terms of Use. Conclusion: Instagram cancelled the change of its Terms of Use.
The second option is of a legislative and regulatory nature. Since 25 January 2012 (i.e. more than 3 years ago), the European Commission has been working on a European regulation on personal data protection[14]. This regulation aims to update the regulatory framework regarding personal data, which has not changed since the European directive of 1995. Thus, personal data legislation in the various Member States remains highly fragmented. The new draft regulation includes the following flagship measures: notification of a personal data breach; data protection impact assessment for risky processing operations; creation of new rights regarding data portability and the right to be forgotten (with penalties of up to 2% of the breaching company’s annual turnover); and central role of the « data protection officer » (evolution from the current French « Correspondant Informatique et Libertés » position). The first draft was rejected by most Member States, stating that the balance between citizen protection and the economic interests of digital stakeholders was not right. Then, Edward Snowden’s revelations enabled the Commission to put the topic back on the agenda. On 12 March 2014, the Commission approved the new document and sent it to the Council of Europe for approval. Now, since each country has its own interests, the risk is high that the compulsory negotiations between the European Parliament, the Council of Europe, the European Commission and the co-legislators will take a (too) long time. But can we afford to wait any longer?
— Sources —
[1] http://france.emc.com/infographics/digital-universe-2014.htm
[2] http://www.acsel.asso.fr/erosion-de-la-confiance-des-francais-dans-les-services-en-ligne/
[3] http://www.cluetrain.com/manifeste.html
[4] http://www.midatalab.org.uk/video/
[5] http://www.franceculture.fr/emission-place-de-la-toile-plaidoyer-pour-une-souverainete-numerique-2014-04-19
[6] http://www.cnnumerique.fr/plateformes/
[7] http://www.nextinpact.com/news/93124-open-data-axelle-lemaire-veut-donner-statut-aux-donnees-dinteret-general.htm
[8] https://www.facebook.com/about/privacy/
[9] http://www.godzimama.com/si-jaurais-su-jaurais-pas-signe-les-cgu-de-facebook/
[10] https://www.youtube.com/watch?v=8vLSf1i4E7A
[11] http://techcrunch.com/2014/07/23/facebook-q2-2014-earnings/
[12] http://techcrunch.com/2014/07/23/facebook-sets-revenue-per-user-records-around-the-world-in-q2/
[13] http://www.yesprofile.com/
[14] http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2014-0212+0+DOC+XML+V0//FR