The evidence given by Facebook whistleblower Frances Haugen has sparked the latest flare-up in a never-ending series of revelations about how companies and governments mine and commercialize our personal data. In an effort to put consumers back in the driver’s seat, recent updates to data protection regulations, such as the European Union’s GDPR and California’s CCPA, have made transparency and control mandatory as an important pillar of privacy protection. In the words of the European Commission: “This is your data – take control!”
Empowering consumers in this way is a great goal that of course has a lot of appeal. Yet, in the current data ecosystem, control is far less a right than a responsibility – one that most of us are not equipped to take on. Even if our brains could magically keep up with the rapidly changing technology landscape, protecting and managing one’s personal data would be a full-time job.
Think of it this way: if you were sailing along the Mediterranean coast on a beautiful day, it would be wonderful to be in charge of your own boat. You could decide which of the many beautiful small towns to visit, and there really would be no wrong choice. Now imagine being in charge of the same boat in the middle of a thunderstorm. You have no idea which way to go, and none of your options seems particularly promising. Having the “right” to control your own ship in this situation may not be very attractive and could very easily end in disaster.
And yet, that’s exactly what we do: the current regulations throw people into the middle of a raging technological sea and bless them with the right to control their personal data. Instead of forcing the technology industry to make systemic changes that would create a safer and more efficient ecosystem, we place the burden of protecting personal data on consumers. This move protects those who create the storm more than it protects the sailors.
For users to be able to control their personal data successfully, regulators must first create an environment that guarantees basic security, much as the Securities and Exchange Commission regulates the investment world and protects individuals from making bad decisions. Under the right circumstances, individuals can choose among a set of desirable outcomes rather than a mix of undesirable ones. In other words, we must first control the ocean before we can give people more control over their boat. Regulators can take immediate action to calm the waters.
First, we have to make it costly for companies to collect and use personal data by levying taxes on the data they collect. If they have to pay for every piece of data they collect, they will think twice about whether they really need it.
Regulators should also make it mandatory that defaults are set to adequate security levels. Users’ data should be protected unless they choose otherwise, an idea called “privacy by design”. No one has the time to make protecting their privacy a full-time job. Securing information needs to be easy. Privacy by design reduces the friction that stands in the way of privacy and ensures that fundamental rights are automatically protected.