What personal data law exists in today’s world?

Do you own a smartphone or a social media account? Have you ever used the wearable devices? Do you use your face to pay the groceries?

If you answered yes to any of these questions, you have been sharing your personal information. Sharing our information do bring life convenience, we have more tailored web pages, better predictions of traffic or weather, fast and easy payment. And as a fact we have to hand over our information to do daily tasks and engage with other people in today’s society.

However, it is full of risks. Your personal data reveals a lot about you, your shopping tendency, your thoughts, your sexual orientation and maybe your whole life. These data can easily be exploited to harm you, such as privacy issue, defraud, even life security. According to a data breaches report released by Risk Based Security, compared to the same period in 2018, the number of data breaches and the amount of data leaked in the first half of 2019 increased by more than 50%. Of the 4.1 billion data leaked, 3.2 billion were leaked due to eight data breaches. This is happening more frequently across the globe, and governments are trying to protect individuals’ information, but facing big challenges since the ever-changing technologies.

Biggest concerns

Technological breakthroughs in the field of computer and Internet have led to an exponential growth in the value of data. Data has become an important resource in today’s society. Data mining is widely used in business, scientific research, government governance and other aspects. It is a procedure by which large databases, Big Data, are mined by means of algorithms for patterns of correlations between data.

Mining the data from a variety of people allows categorising them into different types of groups, generating high rates of predictability concerning the behaviour of categories of people, and its group profiling. At the same time, there is personalised profiling that mines the data of one individuated subject. For instance, profiling the keystroke behaviour of one particular person may enable a service provider to “recognise” this person is online, because his/her behavioural “signature” allows the service provider to check his/her online behaviour and thus to build up a very personal profile, that can be used to offer specific goods and provide access to certain services. The profile can also be stored and sold to other interested parties, or be requested by the criminal justice or immigration authorities. Service provider could be company like Google, Facebook or any e-commerce platforms.

The most successful commercial use of profiling maybe is targeted advertising – a practice of service provider’s using highly specific characteristics, search engine habits, cookies, and a variety of statistics to tailor a promotion to a specific consumer. Thus, the main sources of data used to develop tailored ads are clickstream data, search record and purchase data etc. With all these data, service provider can create a picture of the potential customer’s interests, attitudes, and hobbies. Consequently, building ads that are targeted exactly to the consumer’s specific wants. This explains why web pages can be personalised to each of us, even the price may be based on our salary or needs.

Role of algorithms

Algorithms plays a major role in profiling, not only in determining our search results and the ads we see online, algorithms can also predict what we will pay, if we get a loan or a job, if we have been defrauded, and most recently, if we are paroled and how we are sentenced, yeah, algorithms have been brought into criminal justice system too. The algorithms are either designed by developers or trained by data, both ways could be influenced by people’s bias, even though developers argue that their algorithms are neutral, but they cannot avoid the fallible contexts of biased data and improper use by society. Profiling is an activity where subjectivity matters.

Algorithms are difficult to identify let alone understand, therefore exclude users’ understanding to the ethical implications in use. As a citizen, consumer or employee we may find ourselves in the position of being profiled, but unable to understand how algorithms is used to deal with us, either to fight against with seemingly unfair results.

Why personal data law?

Big data is playing a pivotal role in many companies’ strategic decision-making. More and more companies are adopting data-driven business models and strategies to obtain and sustain a competitive “data-advantage” over rivals. Advertising is no longer just a matter for advertising companies, but something that every Internet company must care about. Judging from the results of ad revenue, online advertising has actually become the most important engine of the Internet. Given the appealing value of personal data, the way of collecting, using, transferring personal data could be notorious just like before mentioned shocking numbers of data breaches.

Raising questions include whether it is possible to empower individuals the right to control their personal information, and to what extent they can control, whether developers have a responsibility for their algorithms in use, what those firms are responsible for and the normative grounding for that responsibility. Furthermore, as the data-driven mergers are increasing, so are the risks of abuses of dominant tech firms. Data-driven exclusionary practices and mergers raise significant implications for privacy, consumer protection and competition.

The value of personal information is multiple. The personal right is inherent in personal information, such as right of personality, privacy rights, and personality freedom. But individuals also have to surrender personal information in social activities, share data dividends with enterprises, and jointly promote social development, not only the increase of corporate interests, but also the growth of public interests. In addition, individuals have to compromise some or all of their own rights in personal information for the realisation of the public interest under certain conditions, for instance the public safety and social governance. Therefore, when deciding the basis for processing personal data by an enterprise, it should be clearly recognised that the protection of personal information must be balanced against the realisation of multiple benefits. Yes, it’s a super complicated problem and we have to straighten it out.

Current situation

Globally, there is an increasing growth in data protection laws since policy makers and regulators have recognised the lack of protection in personal data, and also it has become an issue in national security and sovereignty.

In the European Union, the General Data Protection Regulation (GDPR) is the new framework for protecting personal information. People as data subjects should be able to decide whether or not you want to share their information, who has access to it, for how long, for what reason, and be able to modify if the data is not correct, and more. Several multimillion-euro fines have already been issued, such as a €50 million (about $56 million) fine against Google in France for processing personal data without legal grounds and infringement of transparency and information duties, and in Germany, a €14.5 million fine against a real estate company for operation of a non-compliant archiving system.

At the same time, a growing number of the concentrations that are notified to the European Commission involve online companies’ mergers active in the collection and processing of Big Data.

The emerging consensus is that privacy protection is a parameter of non-price quality competition. Thus, the competition agency would likely reject the deal if the merging parties would lower the price at the expense of privacy protection.

Enforcement action

In US, the California Consumer Privacy Act (CCPA) went into effect on Jan 1, businesses that are not fully compliant with the CCPA’s restrictions on the handling of consumers’ personal information can face severe financial penalties.

In July, 2019, the US Federal Trade Commission (FTC) slapped a $5 billion fine on Facebook in the wake of the Cambridge Analytica scandal and its other data leaks. The FTC has also ordered the social network to make privacy-related changes to avoid data breaches in the future.

It is significantly important to enhance compliance controls in large, multinational corporations with the goal of reducing the risk of an enforcement action on foreign soil. These internal compliance controls include conducting privacy impact assessments, risk analysis in cross-border data transfers, and cultivating awareness surrounding privacy.

Well, to solve all the problems, we cannot just count on law though. Laws, norms, the market, and architectures, these four modalities regulate and interact to build our society either real or not.

Arlene Zhang works at the Data Law Research Center in Shanghai, China