No, You Do Not Own Your Personal Data
A larger complaint about the data ownership model and why it doesn't scale. Plus, an update to my insurance saga!
We’ve got a 2-for-1 special today on the Constantly Curious blog. The first piece is a brief update to my earlier piece, ‘When Bad Data Happens to Good People’, and the second is a longer version of a few comments I made to my colleague Jeff Jockisch’s post on LinkedIn discussing data protection ownership, and why this philosophy is deeply problematic.
An Update to ‘When Bad Data Happens to Good People’
A TL;DR of the Situation: Chill Insurance (the broker of my homeowner’s insurance) and Liberty Insurance (the underwriter of said insurance) both separately bolloxed my personal data due to a combination of poor data governance practices and human error, which led me to lose coverage of my homeowner’s insurance for a period of 3 months. I spent the month of November trying to fix this, and wrote a piece discussing all the various failures, data protection violations, and the harmful impact such sloppiness has on actual humans.
Here’s what’s happened since.
Both Chill and Liberty (separately) admitted to various errors related to how they handled my insurance policy and personal data. Both have attempted to make me whole — by reinstating and backdating the insurance policy to the original renewal date. Liberty has also provided a modest ‘goodwill’ payment, likely to stave off a complaint to the Financial Services & Pension Ombudsman here in Ireland after they sat on their hands and refused to respond to Chill (or myself) for 2 weeks. A reminder for others in a similar position: it never hurts to gently remind an intransigent controller that you have other options — like lodging a complaint with regulators. The key is to _remind_, not necessarily threaten.
I filed a complaint with the DPC and Chill, notifying both of the fact that the various errors I discovered constituted, based on my reading of the law, three distinct data breaches (loss of integrity/accuracy (x2), which led to a loss of availability — coverage for my house). To my knowledge, Chill still has not notified the DPC of any such breach, so there are violations not only of the data protection principles regarding accuracy and security (Article 5(d) and 5(f) GDPR), but also of the notification obligations under Articles 33 and 34 GDPR.
I sent a separate access request for my personal data to Chill’s DPO. The DPO and his team seem quite competent, and although they waited until the VERY LAST DAY to respond, they at least provided what I asked for. I still need to follow up with the DPO on the data breach issue, and we’ve been playing a game of phone tag for the last day or so.
The Irish Data Protection Commissioner has been … frustrating in terms of handling my complaint. They appear not to have read the substance of my complaint, and instead sent out a boilerplate explainer on filing a data subject access request (which was not a concern I raised). They also put the onus on me to notify Chill that they should have reported their data breach(es), which seemed very … odd. I don’t remember any aspects of the GDPR that touch on my obligation as a data subject to do the controller’s job for them, or to tell them to do their job.
As a lol-riffic aside, Liberty Insurance sent me a letter admitting to fault and providing a goodwill payment. It was addressed to Mrs. Carey Lening. Seeing as I never changed my name when I got married, and my husband never took my last name, this is yet another very minor, but very stupid data quality failure.
So that’s where we are with this. I would say I’m 95% of the way to a completely successful outcome. I do hope that the breach aspects are taken seriously though.
The Data Ownership Model is (Still) Wrong
On LinkedIn, my brother-in-data-protection-arms, Jeff Jockisch, shared some musings on a subject that brings dread to my heart: do we ‘own’ our personal data? Jeff is of the camp that generally thinks we do, though he’s thankfully not as militant as others, and really thinks hard about this question! The point of this post isn’t to pick on Jeff, who is great, but to dig in a bit more into the deeply frustrating ‘ownership maximalist’ model that I see floating around in the ether.
I honestly hate the ‘ownership’ model of privacy/personal data because it’s reductionist and completely goes off the rails once you get into thornier areas of personal data. It’s also steeped in a very US-based perspective that I’ve learned really doesn’t translate outside of the United States.
Now, it’s easy to see the appeal perhaps of the personal-data-as-property-right (aka, I own my data) model for cut-and-dry processing — e.g., user-provided data, or even some forms of biometric data shared by an individual. After all, we make the choice (i.e., we consent) to share that data with companies, so it intuitively makes sense that we should own that data. But I think Jeff is gradually starting to come around to the idea that personal data isn’t always user data, and the collection, use, storage, and processing of data can go far beyond anything an ownership model could reasonably cover.
In his post, he shared a ‘Taxonomy Analyzing Personal Data Ownership’, which quite clearly demonstrated how wickedly hard it is to answer the ownership question when it comes to certain types of data — for example, inferred data or observed data. Here’s how his taxonomy classifies “Observed and Collected Data” for example:
Data Protection Is Not A Property Right
There are many cases where you, as an individual, simply can’t own your data, despite what the property rights maximalists might claim. That’s because an ownership model isn’t just a sexy libertarian-sounding synonym for ‘control’ — it means something legally. For example, the Legal Information Institute’s Wex dictionary defines ownership as
I’ve bolded ‘use, possess, and give away’ here. Depending on the context, you might not be able to do all or any of those things when it comes to personal data that someone else is processing about you. You can’t, for example, ‘give away’ personal data that’s indirectly being collected about you, like your facial features and gait when you’re passing by someone’s Ring doorbell. You don’t really meaningfully have the ability to use or possess your criminal records (and certainly can’t compel the authorities to stop using that information!). You don’t own this data, even if it’s squarely about you.
And things get even more murky (as Jeff admitted) if you try to reconcile an ownership model with shared, mixed, or group data. I might share an opinion about you or somebody else over an email (‘Suzie has a great personality and would make for a strong hire’, or ‘I think Paul is an incompetent DPO and shouldn’t be working for XY Corp.’), or I might have information about you as an employee that’s part of a larger dataset of employee data. Under most legal regimes, this is personal data about you, but in no universe would anyone reasonably argue that you own or have control over that data.
Finally, what about data that affects groups of people? The 23andMe leak continues to remind us all that personal data extends beyond the individual to the group — and that harms to one can manifestly create harm on a systematic scale to others. Under a ‘data ownership’ model, who ‘owns’ that data? How would you even apply an ownership model in that case? If you’re the parent of a child who signed up for and provided DNA to 23andMe, at least some of your DNA is also there online. You have no control over how that data is used by 23andMe, or sadly, what happens if that data is compromised.
Human Rights, Not Property Rights
My thoughts to Jeff (and the reason I decided to make this a longer blog post) are generally that while Europe drives me a bit mad with all the laws they keep passing, they really do get a lot right when it comes to data protection and privacy.
When I came to Europe in 2017, it took me some time to realize that, and I largely (still) let these distinctions slide in polite company. After all, nobody likes pedants at parties. But this is my blog, damnit, and on here, I have a right to be at least a little pedantic. So let’s get into a few areas that I wish Americans (and other property/ownership maximalists) would agree to.
1. Privacy is not the same thing as data protection: We recently celebrated Data Protection Day on 28th January, which commemorates the day that the Council of Europe began accepting signatures to Convention 108, which protects personal data. Non-EU folks often refer to it as ‘Data Privacy Day’, and most people (even some in the EU) use the term data protection and privacy interchangeably. But these terms are not the same. Data protection and privacy are connected, and sometimes they overlap, but they are very different beasts.
Privacy is a right that is fundamentally grounded in dignity, autonomy, and the right to be let alone (amongst other things). Data protection covers obligations around protecting information related to identified or identifiable people. There are often privacy aspects to it, but that protection also covers things like obligations around collecting, storing, and securing data, and the right to be informed, to have access, and in some cases, to control how that data is used.
For my US friends, it’s like the distinctions made between intellectual property rights. Copyright, trademarks, and patents all share common elements. They protect tangible and intangible assets, impose some duties or formalities on the creators (registration, policing), and confer certain rights to those creators to make use of their creations. But there are also substantial differences:
copyright protects original works of authorship that exist in a tangible medium;
patents protect new, unique and useful inventions; while
trademarks protect words, phrases, designs or a combination thereof which are used to identify goods or services in commerce.
Sometimes, some of those protections and rights overlap (e.g., what Disney is doing to keep Mickey Mouse from going into the public domain by leveraging trademark law), but most people probably know they aren’t the same, even if they don’t know precisely how or why. The same holds true for privacy and data protection.
2. Data protection and privacy are fundamental human rights. The US has unfortunately drafted its laws in a way that grounds privacy and data protection in consumer protection and/or property rights. This is, as I’ve said, a very limited and limiting, reductionist perspective. Firstly, laws protecting consumer or property rights tend to limit the scope of individuals covered (only ‘consumers’, or ‘patients’, or someone with an economic interest). Second, it absolves entities of responsibility. If a law only applies once you meet an arbitrary threshold number of affected individuals, that leaves a lot of opportunity for everyone below that threshold to do whatever the hell they want.
To give a concrete example: Imagine that there’s a law that says that any utility company providing water to individuals only needs to ensure it’s safe and potable if they have at least 300,000 customers. Otherwise, they can ship whatever quality of water they can get away with. Nobody would stand for such a thing. This is not the same as saying that any entity processing data needs to meet the same thresholds and ‘compliance obligations’ that a big giant like Google does — only that certain baseline standards should be established, regardless of size.
Finally, all the carve-outs and exceptions make compliance even harder for everyone. Entire cottage industries have developed with the singular purpose of helping companies find loopholes in consumer protection and other property-based laws, precisely because so many loopholes exist. That really isn’t as common in the EU because at least with regard to fundamental rights there are far fewer exceptions in the first place. It’s a much more level playing field.
3. There’s more to life than consent. Everyone, everywhere would be better off if legal systems stopped assuming that consent was the only valid legal reason / purpose / basis for doing stuff with data. I wrote about the myth of consent here. I believe that once that myth dies, the majority of boosterism behind the ownership model will also go with it, because at its core, the ownership or control model is premised heavily on consent. If there are cases where you can’t make a choice about how your data is used (like the 23andMe example I mentioned earlier), you quickly come to the understanding that consent does not, and cannot, work in all cases, for all purposes. Plus, consent tends to be poorly executed. As I mentioned in the “Data Protection Myths” piece:
Consent is a double-edged sword in many respects. It does give data subjects a lot of control over their data if done correctly by a controller, but it’s also one of the lawful bases that is most likely to be applied incorrectly.
In short, I hope that this might cause a little reflection, and perhaps even a shift in thought on the subject. I am thankful that Jeff kicked things off on the subject though, even if the data ownership question really does make my head hurt. As always, I would love to hear what others have to say.