Today at DDW19 I came across some stickers with warnings about personal data, like the warnings on cigarette packages.
They were made by Candle which does smart home devices without storing data in the cloud.
Elizabeth Renieris and Dazza Greenwood give different words to my previously expressed concerns about the narrative frame of personal ownership of data and selling it as a tool to counteract the data krakens like Facebook. The key difference is in tying it to different regulatory frameworks, and when each of those comes into play. Property law versus human rights law.
I feel the human rights angle also will serve us better in coming to terms with the geopolitical character of data (and one that the EU is baking into its geopolitical proposition concerning data). In the final paragraph they point to the ‘basic social compact’ that needs explicit support. That I connect to my notion of how so much personal data is also more like communal data, not immediately created or left by me as an individual, but the traces I leave acting in public. At Techfestival Aza Raskin pointed to fiduciary roles for those holding data on those publicly left personal data traces, and Martin von Haller mentioned how those personal data traces also can serve communal purposes and create communal value, placing it in yet another legal setting (that of weighing privacy versus public interest)
….viewing this data as property that is capable of being bought, sold, and owned by others is in large part how we ended up with a broken internet funded by advertising — or the “ad tech model” of the Internet. A property law-based, ownership model of our data risks extending this broken ad tech model of the Internet to all other facets of our digital identity and digital lives expressed through data. While new technology solutions are emerging to address the use of our data online, the threat is not solved with technology alone. Rather, it is time for our attitudes and legal frameworks to catch up. The basic social compact should be explicitly supported and reflected by our business models, legal frameworks and technology architectures, not silently eroded and replaced by them.
This from Wendy Grossman hits the nail quite precisely on its head.
“The problem isn’t privacy,” the cryptography pioneer Whitfield Diffie said recently. “It’s corporate malfeasance.”
This is obviously right. Viewed that way, when data profiteers claim that “privacy is no longer a social norm”, as Facebook CEO Mark Zuckerberg did in 2010, the correct response is not to argue about privacy settings or plead with users to think again, but to find out if they’ve broken the law.
I think I need to make this into a slide for my stock slide deck. It’s also I think why the GDPR focuses on data protection and the basis for data usage, not on privacy as such.
(Do add Wendy Grossman’s blog net.wars to your feedreader.)
After California, now the Washington State senate has adopted a data protection and privacy act that takes the EU General Data Protection Regulation (GDPR) as an example to emulate.
This is definitely a hoped for effect of the GDPR when it was launched. European environmental and food safety standards have had similar global norm setting impact. This as for businesses it generally is more expensive to comply with multiple standards, than it is to only comply with the strictest one. We saw it earlier in companies taking GDPR demands and applying them to themselves generally. That the GDPR might have this impact, is an intentional part of how the EC is developing a third proposition in data geopolitics, between the surveillance capitalism of the US data lakes, and the data driven authoritarianism of China.
To me the GDPR is a quality assurance instrument, with its demands increasing over time. So it is encouraging to see other government entities outside the EU taking a cue from the GDPR. California and Washington State now have adopted similar laws. Five other States in the USA have introduced similar laws for debate in the past 2 months: Hawaii, Massachusetts, New Mexico, Rhode Island, and Maryland.
Service announcement: I regularly lie to data gathering platforms like FB. So any message from FB telling you it’s my birthday today can be safely ignored. It’s not. They wanted to check my age when I created the account. They don’t need a day and month for that, and for that matter any year before 2000 will do. I lied to FB. You should too.
For those of you sending birthday wishes: thank you, I appreciate hearing from you. It’s good to know you
This is a very interesting article to read. A small French adtech company Vectaury has been ordered to stop using and delete the personal data of tens of millions of Europeans, as it cannot show proper consent as required under the GDPR. Of interest here is that Vectaury tried to show consent using a branche wide template by IAB. A French judge has ruled this is not enough. This is an early sign that as Doc Searls says GDPR is able to, though at the speed of legal proceedings, put a stake through the heart of ad-tech. Provided enforcement goes forward.
A month after the verdict, Vectaury’s website still proudly claims that they’re GDPR compliant because they use the concept of a ‘consent management provider’. Yet that is exactly what has now been ruled as not enough to show actual consent.
This Twitter thread by NYT’s Robin Berjon about the case is also interesting.