The following is an enhanced transcript of my comment’s at the following Closing Plenary of International Institute of Communications Annual Conference, October 13, 2016.
15:15 SESSION 6: DIGITAL CITIZEN / DIGITAL CITIZEN – EVOLVING PRIORITIES, CONSUMPTION PATTERNS AND ATTITUDES TO PRIVACY, SECURITY AND FREEDOM OF EXPRESSION
Digital citizen / digital consumer – evolving priorities, consumption patterns and attitudes to privacy, security and freedom of expression
- What does it mean for policy makers, regulators and industry?
- Priorities of users and the concept of choice
Ann LaFrance, Coordinating Partner, EMEA Communications Law; Co-Chair, Global Data Privacy & Cybersecurity; Squire Patton Boggs (UK) LLP; Director, International Institute of Communications
Cordel Green, Executive Director, Broadcasting Commission of Jamaica
Q1. Are consumer expectations changing, and in which direction, when it comes to digital privacy? Does this vary by country/region? –
A. Yes, a decade ago, people were grateful to platforms for providing free services like search, e-mail, blogging space, e.g., but now they think that platforms are taking people’s data for free. Quite a change in consumer expectations. Right To Be Forgotten shows such change in consumer expectations. Although the New RTBF arose out of a court case Google Spain, its origin was not jurisprudence but consumer expectations and fears about others finding out about themselves. Now, it is interesting that the change varies by country and region. RTBF is going strong in Europe but not so in Asia, Africa, North and South America, the former colonies of Europe. There is a historical reason for that: Histories of oppression and injustice in the colonial pasts have not been adequately addressed, and people don’t want to blind themselves from one anothers’ wrongs, they want truths and whole truths, and it is a historic mission. Yes, data protection laws giving ownership-like control to data subjects over data about themselves are spreading in those continents but the laws are being interpreted in quite a different manner.
Q2. How does the transactional/situational context affect the assessment of privacy (data used by business, telcos, online providers, government authorities, etc.)? – Yes, rightly so, actually data protection law is exact;y such a contextual device. It is a device to equalize the bargaining powers of powerless individuals entering into data transactions with powerful governments and companies by turning data over in exchange for receiving services. The idea was that, if we treat ourselves like the “owners” of data about ourselves, then governments and companies taking our data will have to respect our wishes much more carefully than before. Yes, one clear way is to limit the purposes for which data is to be used and the 3rd parties with which the data is to be shared but powerless individuals will not have resources to negotiate those conditions, let alone enforce them. Now, if these powerless individuals are the owners, governments and companies will now have burden of proof before using them for unconsented-to purposes or or disclosing them to unconsented-to 3rd parties. Data protection law is a great contextualizer of privacy.
Q3. How to reflect these variables in evolving regulatory paradigms around the world? – Since data protection law is contextual, a context must be taken into account. Let’s take data that “K.S. Park is a professor”. Since I “own” that data, should I require everyone telling others that I am a professor, to obtain my consent before doing so? Should I require Google to suppress searching for data like “K.S. Park publicly admitted to plagiarism 12 years ago” since I own the data? No, data protection law came out of a context of people turning over private data over to companies and governments. That I am a professor, or that I publicly admitted plagiarism, are not private data. There is no data transaction where bargaining powers need be equalized here. Data protection law should not apply to publicly available data. That is where Google Spain decision needs be rightly criticized. Data that he sold the house upon judicial sale was public data, and URL or IP location of where that data was also public data. ECJ, not understanding that data protection law is a metaphor responding to a certain context, applied data protection law to publicly available data. You know what is going to happen now. The Internet has given a gift to humanity, that is, powerless individuals are given the same information power as powerful companies and governments, and that comes from search functions. If all people manipulate search results like this, Internet will no longer play that equalizing role. With search results manipulated, a poor person who wants to find out about the lawyer Costeja cannot find out about Costeja’s past financial history while a rich person can hire people to go through manually the websites of local newspapers in the areas where he lived.
Having said that, we need strong data protection law. As to private data, I have no problem applying the law, or treating the data subjects like the owners. For instance, Google scans email contents to attach contexual advertisements. If I write to my friend “Let’s go have wine”, the email that my friend receive will have ads of wineshops. Now, email content is, yes, private, and the authors of emails should be considered the owners. So, of course, Google should obtain consent before using the email content for advertising revenues. Now, there is data protection law in the U.S. so Google did not have to obtain consent but it was ethical for Google to obtain it by including in Terms and Conditions that email content will be used for advertising purposes. Many companies forget to do that. So, to answer the question of how companies should work with the variables, stay before the curve and do what Google did for email scanning.
Q4. The tension between privacy and freedom of expression: Implications of anonymity; balancing competing rights, including the Right to be Forgotten.
A: As far as RTBF and data protection law underlying it are used for the original purpose for it was designed, I.e., applied only to private data and not to publicly available data, I see no conflict. Just remember “data ownership” is not a statement of law, it is only a metaphor responding to certain limited contexts.
Now, some people may come up to me and ask “What do you mean it is only a metaphor? Data about me comes from me. Of course, I own it.” Well, number one, data cannot be owned like a car can be owned. Data is non-rivalous commodity so the putative owner cannot nicely transfer its exclusive domain over to another person. Also, data does not come from a data subject. Consider data that “K.S. Park is a professor.” How does my status as K.S. Pak come about or how is it confirmed? If I lecture in an empty classrom, that does not make me a professor. The fact that there are people sitting down in front of me to learn from me is what makes me a professor. These data are created socially, in a relationship with other people. I am not saying that all data are. For instance, your health data comes originally from you and is usually held privately, and there is no problem in applying the metaphor of data ownership to health records for these reasons. Still, it is only a metaphor. Think about your health data is expressed in certain languages, for instance, blood pressure, temperature, and these units and specifications are work of other people. You cannot own data.
Let’s say I had lunch with you at a restaurant owned by a third person. Who owns that data? Do I? Do you? How about the restaurant owner? That data came from participation from all of us. It is impossible to give control over that data to any one person. One may say, “ok, so that data is owned by three of us only.” Well, it does not work like that. How about the owner of the landlord? Everywhere, land register is open to the public, so the land owner is identifiable from a statement that I had lunch with you at a restaurant sitting on the land owned by him or her. Should he not also own that data? So, it goes on.
(The questions below could not be answered because of lack of time but these were prepared answers.
Q5. How to deal with international data interoperability concerns in the new trade environment? –
A: Different regional trade regimes are emerging. There is TPP, there is RCEP, and there is GDPR. Data will be prepared in formats unique to the interoperability requirements of each trade regime. So, there is a question whether these pro-trade movements will actually help interoperability. Ironically, these trade regimes may be hampering trade. What shall we do? Well, look at how Christianity is spreading. They fall back on the same messages: the Bible. We have to go back to our fundamental value – privacy. We need to understand that data ownership is just a metaphor. We need to understand that what we want really at the end of the ay is privacy. Make sure that GDPR is interpreted according to the values of free speech and privacy, and so are TPP and GDPR. That is the best we can do.