LONDON — Privacy has never been more under threat. But strangely, it has also never been more alive.
From increasingly connected and personalized spaces to the looming threat of ubiquitous facial recognition, we are faced with unprecedented threats from governments and companies, who can know more about us than was ever previously possible.
Yet, at the same time, we are seeing the richest and most informed debate on privacy that we have ever had. And it’s being carried out across the world. Just last August, the Indian Supreme Court ruled that privacy is a fundamental right for the country’s 1.34 billion citizens.
What’s so fascinating about this renewed interest in privacy is that the narrative has evolved. Privacy was once misconstrued as being about hiding and secrecy. Now it’s understood to be something much more pressing: power dynamics between the individual, the state and the market.
As recent scandals have illustrated so vividly, privacy is also about the autonomy, dignity, and self-determination of people — and it’s a necessary precondition for democracy.
Companies aren’t updating their privacy policies because they feel like it’s a good idea — but because the EU’s General Data Protection Regulation forces them to do so.
In an underregulated data ecosystem, people’s most sensitive information is up for grabs. It merely takes five clicks on ExactData.com to download data on 1,845,071 Muslims in the United States, according to an investigation by Amnesty International. For 7.5 cents per person (or $138,380 in total) the data broker offers a file containing individual names, addresses and ZIP codes.
The website also offers more fine-grained lists such as the addresses, phone numbers, email and social media accounts of “Unassimilated Hispanic Americans” or “Americans with Bosnian Muslim Surnames.” And it’s not just a problem in the U.S. In Kenya, for example, biometric data gathered for the country’s voter registry may have been used by third parties to micro-target voters with WhatsApp messages.
Precisely because so much is at stake, it is crucial to recognize that regulation is one of the reasons why privacy is more alive than ever. Companies aren’t updating their privacy policies because they feel like it’s a good idea — but because the EU’s new General Data Protection Regulation forces them to do so.
We now see one-page ads from large companies, not just embracing, but also celebrating GDPR, but it is often these very companies that have fought — and continue to fight — privacy regulation across the world. This is why GDPR is such a remarkable achievement. Across the world people are looking at the rights enshrined by Europe’s data protection law and are asking why they don’t get them too.
There’s the persistent misconception that data protection is a European concept. To the contrary, 126 countries around the world have national data protection frameworks. These are diverse, but they are all designed to protect individuals’ data and reflect a judgment that such protections are an important aspect of the right to privacy.
Still, the defense of privacy requires more than a strong data protection law. New technologies continue to challenge (and thereby undermine) existing legal protections. We see a troubling pattern in how police adapt new technologies. Every time there’s a new technology — from surveillance devices targeting mobile phones to facial recognition to mobile phone extraction — there is a tendency for these technologies to be used without the necessary safeguards.
Emerging privacy threats don’t necessarily involve personal data and sometimes the harm is done not to individuals, but groups or entire segments of society. Data protection organized around the individual is not always able to effectively protect us all from these more collective harms. One example is emotion detection technologies that are employed in public spaces. They clearly pose a threat to privacy (among other rights), but don’t necessarily fall under data protection.
Ultimately, it’s important remember that data protection is about power.
Anyone who has ever tried to access their data quickly recognizes the profound informational asymmetries that characterizes today’s data economies. From third-party trackers in apps that we cannot see to companies we have never knowingly engaged with brokering our information — the ad-tech industry has created an ever more complex ecosystem of thousands of companies that are in the business of tracking and profiling peoples’ every move.
If there’s one positive outcome of the election targeting and interferences scandals of the past months, it’s this: They may have served as a reminder to companies and governments around the world that data protection has to be about more than simply protecting data.
It must seek to mitigate the inherent power imbalances between people — and those that collect, process and profit off their data.
Frederike Kaltheuner leads Privacy International’s data exploitation program.