​Data privacy: You may call it personal data but who actually owns it?

While politicians, lawyers and business leaders continue to argue about access to personal data, it's still not clear where the boundaries of ownership and privacy lie.
Written by Toby Wolpe, Contributor

As a major report emerges today on surveillance and individual privacy, experts continue to argue over the rights of states and businesses to access personal data - and who actually owns it.

In the commercial sphere, one argument says the investment by businesses in gathering and exploiting information about individuals gives them a degree of ownership over the data.

"You say it's yours but I the company - Amazon or Netflix or whoever - am making the investment to collect that data. I built the software, I did the data storage, so it's also mine," Stephen Brobst, Teradata CTO and former member of Barack Obama's President's Innovation and Technology Advisory Committee, told a round-table debate organised by the data and analytics firm this week in London.

That investment should also have a bearing on what happens to the data once the relationship between the consumer and the business ends or the individual want to move that information elsewhere.

"Let's say I'm Netflix and I collect lots of data about the kind of movies you want to watch and I provide you with a service by delivering a recommendation engine that gives you good viewing choices and all that kind of stuff, if I collect that data to provide a service to you, it shouldn't be that my competitor should benefit from all this investment that I've made," Brobst said.

"That's my asset and [other businesses] shouldn't be able to see the data that I've collected about the viewing habits of people who are my customers."

Chief executive at campaigning body Privacy International Dr Gus Hosein said at least in a Netflix-type arrangement the individual has made an initial choice and established a contractual arrangement with the entity collecting the data - unlike the situation with internet-of-things technology.

"The current ambitions of those with money and those with aspirations to spend our money are that they want sensors everywhere. They want unlimited data collection and controls merely on use," he said.

"The only way we're all going to be able to stem collection and stem deployment is by the compulsion that it has to be open and the implication of it being open is you don't want just anybody being able to place an entire city under surveillance."

That principle of transparency is going to be increasingly important for privacy, particularly with the impending introduction of new European data-protection laws, according to partner at Irwin Mitchell and expert in data privacy law Joanne Bone.

"Very broad privacy policies are going to become a thing of the past because one of the big things from the new data-protection regulation - if it ever happens - is transparency. A big part of it is the emphasis on transparency," she said.

"One of the parts of it is you can't put really long privacy policies that mean nothing to anybody. It's meant to be clear, it's meant to be transparent."

Head of privacy and trust at innovation centre Digital Catapult Michele Nati said along with transparency, context is key to understanding privacy.

"The context should be defined by the user and also the policy needs to be applied by the consumer because privacy is always a trade-off between what I give and what I get," he said.

Privacy International's Dr Gus Hosein said what the individual gets out of any data-sharing arrangement is at the heart of the ethical debate over privacy.

"Shall you be able to disclose all your information in exchange for a service or a good - and once that information is collected you lose governance over that? That's the fundamental challenge," he said.

"We'll have to make some illiberal decisions in the future to say, 'No, you cannot be compelled to hand over your entire DNA. No, you cannot be compelled to give your entire life history to an employer.

"But if we're accepting that we're having to make some of those decisions, we're accepting that it is no longer a free-for-all when it comes to your personal information and that there should be some rules."

However, the trouble is that regulation tends to work to the detriment of the individual, according to Teradata's Stephen Brobst.

"If I look at places where there has been significant regulation on surveillance, in many cases it has done a disservice to the consumer," he said.

"There are countries that do not allow enterprises to keep data more than x number of months. Even if the consumer would allow it, it wouldn't be permitted. That means they can't do good pricing and they can't do good recommendations. Those companies are at a huge disadvantage and it's a disservice to the consumer. You get more junk mail, you get worse products, you get worse pricing. It doesn't work."

However, the absence of legislation in the US on data privacy is not working in the interests of the consumer either, Privacy International's Dr Gus Hosein said.

"You can't move 50 yards in the US without running into a lawyer - and there's a reason why. There's a lot of red tape where they want red tape to be but there's a lack of red tape where they don't want it to be, and data is one of those areas," he said.

"It's partly self-serving. It is, 'Yes, we want the innovation to occur but we also want to have the data in the jurisdiction so that we can do what the NSA does and get access to it all'."

Hosein said regulation may not always work but the market is also highly ineffective and inefficient.

"The existence of privacy policies - they shouldn't be called privacy policies, they should be called surveillance policies because it's an explanation of everything that's done to you and your data when it's handed over to a company. The existence [of privacy policies] shouldn't matter because underneath is still a law and there are obligations on the organisation that's collecting the data," he said.

"In the US it's a bit of a Wild West and that has to be fixed. Every serious actor in the US knows it has to be fixed. They just don't know what the solution is. But I don't think we should revel in it and think we're so much happier with innovation instead of fair rules.

"The standards are no longer going to be set in the US. They're going to be set in India and they're going to be set in China. At that point all we're going to have is the law to fight back."

More on data privacy

Editorial standards