Facebook whistleblower Frances Haugen has set off the latest wave in an endless string of revelations about how companies and governments mine and market our personal data. In an effort to put consumers back in the driving seat, recent updates to data protection regulations such as the EU General Data Protection Regulation and the California Consumer Privacy Protection Act have made transparency and control the cornerstones of privacy protection. In the words of the European Commission: “It’s your data – take control!”
Empowering consumers by giving them a say is a noble goal that certainly has a lot of appeal. However, in today’s data ecosystem, control is not so much a right as it is a responsibility – a responsibility most of us are not qualified to take on. Even if our brains were to magically catch up to the rapidly changing technological landscape, protecting and managing one’s personal data would still be a full-time job.
Think of it this way: Being in charge of your own sailing boat is pretty cool if you’re drifting along the Mediterranean coast on a nice day. You can decide which of the many cute little towns to head towards, and there are really no wrong choices. Now let’s imagine being in charge of the same sailboat in the midst of a raging thunderstorm. You have no idea which direction to go, and none of your options look particularly promising. Having the “right” to control your ship under these circumstances may not be very attractive, and could easily end in disaster.
However, that’s exactly what we’re doing: Current regulations drop people into the raging sea of technology and give them the right to control their personal data. Instead of forcing the tech industry to make systemic changes that would create a more secure and adaptable ecosystem, we are placing the burden of protecting personal data on consumers. Taking this step protects the creators of the storm more than the sailors.
For users to be able to successfully control their personal data, regulators first need to create the right environment that ensures basic protection, in the same way that the Securities and Exchange Commission regulates the investment world and protects individuals from making bad decisions. Under the right conditions, individuals can choose from a series of desirable outcomes, rather than from a set of undesirable ones. In other words, we first need to tame the sea before giving individuals more control over their boats. There are some steps that regulators can take immediately to calm the waters.
First, we need to make the collection and use of personal data costly for businesses by taxing the data they collect. If they have to pay for every piece of data they collect, they’ll think twice about whether they really need it.
Regulators also need to require that default settings provide an adequate level of protection. Users’ data must be protected unless they choose otherwise, a concept called “privacy by design”. Nobody has time to make privacy protection their full-time job. Protecting information should be easy. Privacy by design reduces friction on the road to privacy, and automatically ensures fundamental rights are protected.