Having control of your data is, quite rightly, a hot topic. The advent of the electronic age has really made data both an attractive sight for advertisers, companies, governments, and anyone with even the vaguest connection to people and their habits, thoughts, desires, cravings, or lives.
But being able to stay in control of your data, or even being able to stay off the electronic grid should you want to, is increasingly hard in this ever-connected world. It’s depressing to realise that we – or, at least, the electronic version of ourselves – are bought and sold in ever-increasing details to ever-increasing numbers of people and organisations. Our data are big business for big business, and help predict voting patterns, shopping habits, hobbies, and everything about your sex life, friendships, and political persuasions.
But what if you don’t want your life to be sold on and shared with anyone or someone in particular? How can you claim it back from the oppressive corporations who don’t have any procedures for that kind of request – no, demand – and who view the control and influence of data as their inalienable right?
Just how much data is there about you online? Before you answer that, think about the raft of social media networks, retailers, insurance providers, fitness tracking services, and other digital services you’ve used in your lifetime. Whatever age you are, there will be some record of you somewhere; even if you’ve deliberately tried to keep yourself offline as much as possible, a “digital footprint” will exist. Whether you rent or buy a home, or are registered with a doctor, a dentist, and an optician, at least basic details will exist on a database, and those details will exist somewhere.
I’ve not actively tried to manage my digital activities, and I’m currently in my mid-thirties, so grew up as the internet launched into the mainsteam with the development of the world wide web. It didn’t really come into the public consciousness until I was in my teens, and even then, there wasn’t a huge amount to it; dial-up internet was considered huge, Ask Jeeves was the biggest search engine of the day, and forums and chat rooms were early precursors to Facebook and Twitter.
I’ve been dabbling on the internet for the past twenty years or so, and have properly appreciated its benefits and diversity for about the last five. I don’t intend to be an expert in the field and am an average user. Yet when I google my name, loads of entries come up. A few aren’t me, surprisingly, as I always thought my name was fairly unique – another dent in my ego; thankfully, it can take a battering – so I can discount them. But I appear significantly because of my blog, my Facebook page, interviews I’ve conducted with reviewers and book sites to promote my books, the odd contribution I’ve made to a forum, and so on; all retrievable and targeted by advertisers and anyone else who is interested.
That information sharing is particularly telling on places like Google and Facebook, where they are clearly analysing your movements to target the advertising we see on their pages. Companies study the tracks we leave as we browse the internet, then sell the data to targeted marketing firms and customers; hence why we see so many ads that seem spookily focused on the web pages we’ve just been looking at. A few times I’ve even found myself staring at ads on subjects I looked up on a different computer where I thought I wasn’t logged into an account at all, and that’s worried me the most; how transferable the data is. The digital data marketing industry, including companies generating revenue from online ads and selling user data, was worth $62 billion in 2012. No wonder it’s such a lucrative market, and no wonder that – despite regular expressions of concern and despite peoples’ desires for a more private digital existence – we are often ignored.
It may seem obvious that you shouldn’t post risque photos of yourself online, or share pictures of part of your anatomy with people that you may or may not know that well, as anything like that just may be used against you in the future by university admissions departments or potential employers; I’ve certainly checked up on people online when I’ve been due to interview them for a job, and extrapolated information about them from what I can find online. In an interview this year, for work not even remotely connected to my writing career (and after the submission of a CV that focused on particular skills), I found myself discussing this very blog that the interviewers had found online. I still got the work, however, as there’s nothing on this that I’m ashamed about.
Everyone should have the right to opt-out of their personal data being collected and distributed, and they shouldn’t be penalised by losing privileged services or paying higher rates or extra fees as a result. If a media company or an ISP wants to collect and sell your data, it should only do so with your explicit permission; which you’re perfectly entitled to give, of course … for a price. Why shouldn’t individuals share in the profits associated with data sharing? The new European Global Data Protection Regulations (GDPR) are giving people explicit opportunities to control what data is being held about them; if organisations can’t prove that they have got the subject’s outright consent to hold their data, then they can be sued. Britain has already agreed to implement the legislation when it comes in – it doesn’t have a choice, as we’ll still be in the EU then – but will also be carrying it through to post-Brexit, as there’s a lot of benefits to having far more rigorous regulations about all of this.
Let’s look at this another way; is this as bad as it sounds? In itself, no; at least, not yet. Really, the question needs to be reframed; is privacy a right or a privilege? I ask this question not to give an answer, but merely to pose the point of view. It’s the same question no matter what you ask; is healthcare a right or a privilege? What about education? Or access to clean energy and enough jobs. Privacy deserves to be treated with that same level of respect.
That said, is the digital world that different from any other part of our lives? Do we have absolute privacy? No, it’s simple to say that we don’t; even in the most privileged and private areas of our lives — our homes, our sex lives, our bodies — we do not enjoy an unlimited level of freedom from government intrusion. Everyone is susceptible to government invasion of privacy when it is warranted. How you justify “warranted” is another matter entirely.
Consider also how much of our sensitive personal information has no guarantee of privacy at all. None of us can make our electoral registration, home ownership records, tax records, or court records totally private, unless under exceptional circumstances. The rubbish we generate at home is publicly accessible when you put the dustbin out by the road. Even our personal health records are not as private as many think they are. Twenty years ago, everyone still used landline phones; widespread mobile phone ownership was something the average person in the street could only dream about. If you relied solely on a landline, did you believe that you have absolute, total privacy? We might have kidded ourselves that we had it, but we also knew that the high courts could, if they so chose, issue a legal directive that would allow the security and intelligence services to tap our phones and listen in. The fact that it didn’t happen to most of us didn’t mean that it couldn’t happen.
Here in the UK, the GDPR legislation is the biggest shake-up in digital privacy and data protection in 25 years. Now on the statute books, many of the key components aren’t being made legally binding until May 2018 – but with bigger penalties for anyone who fails to comply than the current laws when it come into place.
People have already got a new right to force social media companies and online traders to delete their personal data; the infamous “right to be forgotten”. That phrasing is a worrying one, as where do we draw the line between data that is publicly available and data which is privately ours? If we could differentiate between those two criteria, I for one would be a lot happier. However, that said, companies will no longer be able to get limitless use of people’s data simply through default “tick boxes” online.
Plans to give people the right to request a deletion of social media posts from their childhood were floated by Theresa May during the Conservatives’ 2017 election campaign, and legislation was promised in the Queen’s speech. Surprisingly, the measures appear to have been toughened since then, as the legislation will give people the right to have all their personal data deleted by companies, not just social media content relating to the time before they turned 18.
The legislation will also give the Information Commissioner’s Office powers to issue tougher fines of up to £17m, or 4% of global turnover, for breaches of data law. But one of the main aims of the bill is to replace the data protection act and make sure that the UK’s laws are compliant with the EU’s general data protection regulation, so that data can continue to flow freely across borders after Brexit. This is a smart move, as the EU have already stated they will not collaborate with countries outside its borders that do not have similar levels of information security, and quite right too; if my data was legitimately being shared with another country, I’d want a guarantee that it was being protected no matter where the data was being sent and held.
There was, briefly, some good news in April 2014 when the European Court of Justice struck down the EU Data Retention Directive – which, in the UK, allowed the Home Secretary to force service providers (such as BT, Sky, and Virgin) to retain data for 12 months – specifically, communications data; emails, Skype calls, Facebook chats, and so on. However, in response to this ruling, the Government forced through ‘emergency’ legislation (the Data Retention and Investigatory Powers Act) with no chance for public debate or scrutiny. DRIPA not only ignored the Court’s judgement by re-legislating for blanket retention of communications data, it also granted the Government astonishing new surveillance powers.
By sweeping up everyone’s data, rather than just those who are suspected of criminal activity, the security services are turning us all into suspects. You might think this is perfectly fine because you don’t do anything untoward online – nothing to hide, nothing to fear. Think of it this way: if you are suspected of a crime, police officers will need a warrant to search your home. When searching your home, those officers can only look for items specifically listed in the warrant. But with DRIPA, you don’t have to be suspected of a crime for your online personal data to be gathered. There tends to be a lot more information about us online than we keep in our homes – and a lot of revealing information is potentially up for grabs. They don’t need a warrant and you will not even know they are doing it. I find that incredibly chilling, and I hope you do as well.
There’s no such thing as absolute privacy or, for that matter, absolute security. However, basic principles of legality, proportionality, and judicial and parliamentary accountability should – and must – govern the use of intrusive surveillance. Privacy matters, and we must fight to keep it; trust me, until it’s gone, you won’t know what you’ve lost.