Imagine taking your car to a mechanic and signing their terms of service. But in the fine print, it says that, while they hold the vehicle, they may use your car for a number of other purposes: they could use it as a demonstrator, a banner carrier, or even rent it out — all without any further consent from you. Worse, they wouldn’t tell you who had used the car or for what purpose. And you wouldn’t be paid for that usage!
No sane person would agree to such terms, and there would be widespread outrage in the community if the law were blind to such practices.
The Facebook and Cambridge Analytica data breach fiasco, however, showed that in the digital world that is exactly how our data is treated. The scandal did trigger somewhat of a backlash: people were outraged they had lost control of their personal data.
But many months later, the law still turns a blind eye to abuses of private data. Virtual assets are still not given the same importance as physical assets, even though the damage from losing your data could far outweigh loss of physical assets.
Governments have failed to act as forcefully as they should have.
The existing privacy regulations across the world, including European regulations (GDPR), do not go far enough when it comes to safeguarding an individual’s virtual assets. Most organisations can relatively easily fulfil their regulatory obligations and hide under the cloak of their privacy policies.
Governments must move to give virtual assets like our personal data the same status under the law as physical assets like our home and car if they are to stop privacy breaches and unscrupulous exploitation.
My data, My property
The first step towards ensuring appropriate safeguards is for the law to recognise that my data is my property.
I may give my data to another legal person for specific purposes. But I will retain ownership of the data and anyone using it without my consent is committing a crime against my property. Once this basic principle is affirmed in the law, it will be easier to enforce our rights to our individual virtual property.
Clarity on custody of data
Organisations should also be forced to disclose who will have custody of our data, and who will protect it, before they collect it from us.
With the increase in cloud-based software, the cloud software provider has custody of our data, not the organisation that collected it from us. That organisation doesn’t have any control over how the cloud software provider uses or safeguards the data.
The recent data breach at PageUp, a cloud-based recruitment software provider, brought this issue to light. Job applicants thought they were providing their personal details to companies like Australia Post, RBA and Telstra, but it was in fact PageUp that was collecting, had custody of, and subsequently seemed to have lost, job applicants’ data.
Express consent every time
Organisations should also be forced to seek consent every additional time they use or share our data.
Under new privacy laws, unless I provide express consent for every instance, organisations that have my data should not be allowed to share it or use it for purposes other than the original purpose.
With current regulations, in most, if not all, privacy policies, organisations get a blanket consent from us around usage and sharing of our personal data. Once the blanket consent is given, we don’t know who they send our data to and how it is used.
Organisations that share data tend to have a slack attitude towards tracking the status of the shared data. They are much less likely to notify us when a third party who they sent our data to suffers a breach.
If organisations must get consent for every instance of additional usage or sharing, and are not allowed to hide behind blanket consent, they are much more likely to handle personal data with extra care.
Compensate me for using or losing my data
Finally, under new regulations, organisations should have to reveal to us that our data is being monetised and compensate us for that. We should also be compensated for data breaches.
When someone uses or loses my physical assets, I have the right to be compensated; similarly, I should have the right to get compensated when someone uses or loses my personal data.
Data monetisation today is a multi-billion-dollar industry and is expected to grow significantly in the coming years. Most data that could be monetised is an individual’s, including our personal and behavioural data. While organisations that monetise our data make large profits, we ourselves may not even know our data is being monetised, let alone be compensated.
Most privacy regulations impose penalties on organisations for breach of data and the penalties are collected by regulatory bodies. However, the affected individuals are not compensated by default and must take action through arduous and expensive litigation to seek compensation.
An essential change
The number of personal data breaches in the last 10-15 years has steadily increased, driven largely by the increase in value of data and more sophisticated methods of breaching data. That is set to continue to increase. Artificial intelligence systems capable of rapidly processing large-scale data are evolving, and breaches and misuse of data can now occur in the blink of an eye.
Yet organisations that hold our data lack sufficient safeguards to protect our data. If this trend continues, almost every single individual in this world could end up having their data breached to some level.
Government must regulate to ensure organisations that collect, use, share and monetise our data safeguard that data and respect everyone’s right to it. While these changes will marginally increase the cost of doing business, the benefits organisations receive through smart use of data will far outweigh these additional costs.