Joe McNamee, is the executive director of European Digital Rights (EDRi), an NGO that campaigns for civil rights in the digital environment.
“What legal framework should be implemented when companies and governments increasingly know more about individuals than they know about themselves? This is the stark – and vastly underestimated – question that is facing European policy-makers in the reform of the data protection framework.
Cambridge University carried out a study on a comparatively small number (58,000) of volunteers and looked at a narrow range of online activity (clicks on Facebook “like” buttons). They discovered that it was possible to build reasonably accurate profiles, guessing the gender, sexual orientation, political orientation, substance abuse and, remarkably, the relationship status of the individual's parents.
It seems safe to assume that the individuals in question did not know that they were clicking on particular “like” buttons because they were left- or right-wing or because their parents had divorced when they were young. The profilers knew what the individuals did not know – despite the low numbers and narrow range of activities tracked – they knew the deeper reasons why they were “liking” particular articles. Scale this up to a billion Facebook users, scale this up by adding data from groups that individuals are signed up to, the range and location of their network of friends, the online games they play, their mobile phone location data, relationship status, ... add to this the perfect “memory” of the technologies used and you suddenly realise that not only does Facebook know more about you than you know about yourself, you realise that it is impossible to imagine what is possible today and even less what will be possible tomorrow. And Facebook is far from unique – similarly comprehensive data is collected by Google, by Yahoo, by the all-pervasive and invisible Acxiom2 and others.
Can we guess to what uses this information is going to be put? Yahoo had an interesting idea – you might not realise that you are disproportionately influential in your social networks, but their profiling can identify such influence. So, wouldn't it be great if they could sell their knowledge of your influence to advertisers? They have even patented the idea. Amazingly, not only have they claimed a level of ownership of your influence that would enable them to sell it, they have claimed ownership of the idea of claiming ownership of your influence. “In this manner,” their patent explains “an advertiser may be billed a higher amount for advertisements provided to users having a higher social authority score than for advertisements provided to users having a lower social authority score.”
And then we come to the issue of governments. There are two iron rules regarding governments and personal data in the 21st century – they have an insatiable hunger for databases and their appetite is strongest for private databases that they do not have to pay to create. Every large international database – airline passenger records, bank transfer records, telecommunications records have been re-purposed for surveillance purposes. It would be absurd that the treasure trove of movements, thoughts, beliefs, friendships, loves, hates, relationships, activism, etc, would not ultimately be used by governments in the same way as every other similar database. In the context of recently revealed lawless, abusive antidemocratic use of our personal data by both domestic and foreign governments, should we be concerned about this?
Most of the online companies are from the US. Some of the government access to such data is regulated under the PATRIOT Act. That legislation is being abusively (mis-)interpreted by the executive branch of the US government in a way that has been described as “a bunch of bunk” by the Act's sponsor in Congress. Access to data under the FISA Act is overseen by the FISA Court, whose privacy controls have been “so frequently and systematically violated” that they “never functioned effectively” according to one of the judges on the court. Supervision by the US Congress has been undermined by misinformation including, on separate occasions, from the Director of National Intelligence and the Deputy US Attorney General.
Faced with these – and many more – huge threats to the fundamental right to privacy and data protection (and the free speech, freedom of association and democratic rights which rely on this right) that is supposed to be protected by the primary law of the European Union, what are our political leaders doing? The European Commission produced a limited but promising draft Regulation and Directive... and then it went to our democratically elected representatives.
In the European Parliament, the vast majority of the approximately 4,000 amendments tabled by our representatives seek to add complexity, decrease predictability and undermine privacy rights. All the core elements of individuals' control of their own data are being attacked. Our representatives in the Internal Market and Consumer Protection Committee have weakened provisions on the definition of personal data, weakened obligations on notification of data breaches to individuals, weakened guidelines on sanctions to be imposed by courts, expanded the right to consent-free data processing under the “legitimate interest” exception and gutted virtually all meaning from the protections proposed by the European Commission on profiling.
The MEPs with responsibility for consumer protection proposed limiting the right of the individual to object to profiling to situations where this would already be illegal (if it were “unfair or discriminatory"), they proposed limiting the right of the individual to give or withdraw consent, they proposed limiting the right of the individual to receive information about the profiling or the envisaged effects of the profiling.
The challenges posed by “big data” - challenges for the role of the state and its interaction with the citizen, challenges for the free speech of citizens, challenges for trust in the data-driven economy are being underestimated, misunderstood and misrepresented – squashed under a steamroller of short-term corporate interests, an out-of-control lobby machine and a security infrastructure that appears to have declared independence from the people whose security it is meant to protect.
There is still time to save the process. With recent revelations, elections next year and the current legislative package, we will never have a better opportunity to comprehensively address these questions.
Edward Snowden has given us a wake-up call. Will we wake up on time?”