DATA FOR 100 NAIRA: LEVELING THE SYSTEM TO BRIDGE THE DATA SUBJECTS VS DATA CONTROLLERS DIVIDE

 
Written by Ekoja Okewu

Introduction

“Data is the new oil” is a popular phrase that was coined by British mathematician and data science entrepreneur Clive Humby. The phrase often describes how data is a valuable resource that can be processed and refined to create insights that drive innovation and competitive advantage. What then is the rationale behind the power tussle for data?

About 2.5 quintillion bytes of data are produced every day globally. This data is generated by simple tasks such as sending an email, searching the internet, or posting pictures to your socials.

Just like the oil wells that have made the Middle East rich, whoever controls the new oil, “data”, will also control the wealth of the near future.

Given the undue advantage data controllers enjoy at the expense of data subjects, who actually own the data, this essay will try to contribute to this ongoing debate by defining some terms, examining a case study, proffering some solutions that will empower individuals to regain control over their data, and highlighting some cautions that need to be taken.

Definition of Terms

Asymmetry refers to the lack of equality or equivalence between parts or aspects of something.

The data subject is the identified or identifiable natural person to whom personal data relates.

The data controller is the entity that “alone or jointly with others, determines the purposes and means of the processing of personal data”.

Case study

In a startling discovery, Paradigm Initiative, an organization that connects under-served young Africans with digital opportunities and ensures the protection of their rights, has uncovered that multiple unauthorized websites are asserting ownership of, and providing access to, sensitive personal and financial information of Nigerian citizens for as little as 100 Naira ($0.06). This disturbing situation constitutes a significant violation of the essential right to privacy, infringes on data privacy rights, and poses considerable threats to individuals and the national economy.

On March 16, 2024, Fij.ng, an online news platform, released an article titled, “ALERT: XpressVerify, a Private Website, Has Access to Registered Nigerians’ Data and is profiting from it.” In that piece, the media outlet shared an investigative report about a site with the URL, www.XpressVerify.com.ng, which had access to the personal information of Nigerian citizens and exploited this data for financial gain. Although the site was swiftly removed, Paradigm Initiative is actively pursuing legal action for Nigerians.

In the wake of the XpressVerify incident, additional investigations were conducted, revealing that another entity known as AnyVerify.com.ng has been operating within Nigeria's digital landscape since November 2023. The investigation indicates that AnyVerify.com.ng is a website engaged in commercializing Nigerians' personal and confidential information. On its homepage, a dropdown menu displays a variety of data services offered by the website. These include personal information such as the National Identity Number (NIN), Bank Verification Number (BVN), virtual NIN, Driving License, International Passport, Company details, Tax Identification Number (TIN), Permanent Voter’s Card (PVC), and Phone Numbers. This website sells all this data to interested parties for the price of N100.00 (One Hundred Naira Only) for each data request. The site received five hundred and sixty-seven thousand, nine hundred and ninety visits in February 2024 and one hundred and eighty-eight thousand, three hundred and sixty visits in April 2024.


Legal measures to address the imbalance

Often, inaccuracies in one’s data may prevent people from accessing important services. Since things like the educational, marital, or location status of a data subject are likely to change, modern data protection laws must ensure all systems collecting our data are equipped to register changes in a person’s data and that they do so electronically and with relative ease.

Policymakers need to grant individuals the right to access their data from a data collector and receive it in an easy-to-read format. With many data subjects prevented by time limits and other elements of the current system, laws that will stimulate unlimited access to personal data and mandate organizations to inform individuals about who has requested their credit report in the past year are necessary. When more data subjects begin to have access to their data, it will make them more aware of what data are being collected and processed.

In several institutions like banks, updating one's record is a difficult nut to crack because of inflexible laws. This has led many data subjects to continue parading incorrect data on these databases. Since data can influence decision-making negatively, data controllers need to make record updating more flexible.

From experience, I have noticed that when one stops using a service, his data is not erased from the database. Although this may be for security reasons, organizations prey on this to share these data with third parties. When customers no longer wish for their data to reside with an organization they have opted out of, their request should be granted.

Due to the strained relationship that exists between data controllers and data subjects when the latter decide to move on to a competitor, duplication of data across platforms has become a norm. Laws are needed that will give data subjects the right to mandate controllers to transfer data in usable forms to competitors. This will encourage inclusion and bridge the divide.

With the democratization of technology, the rapid rise in the use of AI, and the prevalence of cyberattacks, data protection laws will need to keep up to safeguard customer privacy, including the right to receive an explanation of nonhuman-based processing of data.

Organizational measures to address the imbalance

Results from previous decades have shown that not empowering people to shape and participate in the systems of collecting, sharing and using data creates mistrust. Organizations need to deliberately organize periodic meetings that will encourage data subjects to be actively involved from the point of data collection to storage and processing.

On many platforms, data subjects don’t have access to the terms and conditions of a service until they are ready to sign up. A Deloitte survey of 2,000 consumers in the U.S. found that 91% of people consent to legal terms and service conditions without reading them. For younger people, ages 18-34, the rate is even higher, with 97% agreeing to conditions before reading. Data controllers need to make terms and conditions available and accessible even before one decides to opt in for a service, to give data subjects greater control.

Recent research reveals that 79% of consumers who shared complaints about poor customer experience online had their complaints ignored. And after one negative experience, customers will never do business with that company again. Organizations need to empower their customer care unit to maintain a 24/7 presence to ease access to data and bridge the divide.

Data generated using AI platforms is only one source of data for foundational AI. With this data limited, organizations are making efforts to get diversified data from online communities because it is highly curated and as such of better quality than most Internet content. While communities like Reddit are already closing platforms like subreddits for selling their data to AI firms without consent from data subjects, StackOverflow is blocking users who deleted their artistic contributions in protest over the sale of their data to OpenAI. Instead of being greedy, organizations should learn to seek consent and share proceeds gotten from the sale of data with data subjects to create a sense of belonging.

Technological measures to address the imbalance

Advanced encryption like homomorphic encryption can allow data to be processed while remaining encrypted. Since this measure ensures there is data privacy without sacrificing usability, industries like financial and healthcare services handling sensitive data can promote data subjects’ control of data.

Through blockchain technology, information can be stored securely without unauthorized usage. This helps in making sure data subjects' details are used in compliance with owners’ preferences.

The predictive capacity of AI can help data subjects monitor and identify data breaches before they occur. Using them will empower data subjects to withdraw their data before a breach.

Innovations in the Internet of Things (IoT) are already creating bottom-to-top approaches that secure data. This measure tries to isolate and separate data streams from potential breaches.

The phrase “Artificial Integrity”, which was coined by Hamilton Mann, is already promoting “Privacy by Design” in the development phase of technology. With this not being an afterthought, trust is being built among data subjects concerning their data.

In an attempt to be steps ahead, software developers are creating apps that allow data subjects to see who has access to their data and how it has been used. This enhances transparency and makes data subjects more powerful.

Need for caution while striking a balance

Recent case law of the European Court of Justice has substantially widened the notion of “data controller” in unclear and potentially onerous ways for a range of actors involved in personal data processing.

On paper and according to regulatory laws, data controllers and data subjects seem to be different actors, but recent technical and legal developments have made the dividing line between both sets of actors less clear-cut.

This has made users find themselves acting as joint controllers with service providers, or even as sole controllers. This qualification matters, because effectively it places the principal, onerous duties in the data protection regime on the users themselves, which may be inappropriate for legal and technical reasons, as well as prejudicing the rights of (other) data subjects.

After a period of brouhaha regarding the handling of the need for balance between data subjects and data controllers, let's quickly examine the judgment delivered by the European Court of Justice (ECJ) in the Fashion ID case:

Judgment of the Court (Second Chamber) of 29 July 2019

Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV

What happened: The case involved Fashion ID, a German online clothing retailer, which had embedded the Facebook "Like" button on its website. As a result, when users browsed the Fashion ID site, their IP addresses and certain other basic data were collected and shared with Facebook automatically (regardless of whether they had a Facebook account).

In embedding the "Like" button, the court decided that Fashion ID was exerting a "decisive influence over the plugin" because the transfer to Facebook could not have occurred without Fashion ID's input. Both parties were pursuing a common purpose of commercial gain by agreeing to embed the social plugin on the Fashion ID site. Fashion ID did not itself have access to the data shared with Facebook but this did not dissuade the court from making a finding of joint controllership. This perhaps indicates that common purpose and objectives are more important in a finding of joint controllership than access and use of the data by both entities. It is this point that has been most alarming to website operators as it has the potential to greatly expand their risk exposure.

The court found that Fashion ID would have been responsible for both having a lawful basis for sharing data and informing website visitors about the disclosure of their information.

As this was a CJEU decision, the court was not concerned with whether a legal basis was actually obtained, or whether individuals were correctly informed, because these are matters for the German national courts to decide.

The court did moderate its finding of joint controllership by making it clear that Fashion ID was only a joint controller concerning the collection and transmission of personal data, and it was not seen as a controller for Facebook's further use of the data. This will help to ease fears over the extent of the judgment.

Lessons for data controllers

Data controllers need to examine their privacy statements to confirm they offer sufficient information regarding the data shared through the plug-in, the identity of the third party, and the existence of a joint controller agreement.

Firms need to verify that they possess a legitimate legal foundation for processing personal data in this manner.

They also need to assess the actions suggested by the third party in response to this ruling for a GDPR-compliant joint controller agreement (Article 26 of the GDPR requires controllers qualifying as joint controllers to establish an arrangement concerning their relationship and to communicate the main aspects of this arrangement to the relevant data subjects).

Implications of creating a balance and how to navigate them

In light of the above judgment, there is concern over the apparent increase in responsibility placed on data subjects for the processing of their data. This trend may hinder the development and adoption of much-needed privacy-protective technologies, as well as decentralized data ecosystems.

The trend towards expanding responsibility through joint controllership could pose significant risks for consumers or home users who are looking for increased control over their data via new privacy-protecting frameworks known as personal data stores. Instead of having data stored and processed centrally in the cloud, private individuals retain it in a decentralized fashion. Privacy-preserving computations can then be employed to derive insights from this data, enabling users to access services like price comparisons or searches without their information ever being exposed to outside platforms. This situation presents several significant challenges for data protection frameworks.

Data stores, akin to distributed ledger technologies, may place data controllers in a conflicting position as entities that orchestrate or coordinate processing without actually accessing the data. To address this, policies that will ensure that decentralized systems incorporate inherent safeguards should be adopted.

Individuals using personal data stores (PDSs), particularly in contexts such as “smart homes”, are likely to be classified as joint controllers, yet they may not benefit from the so-called “household exemption”, which was intended to shield domestic users, like those managing club mailing lists, from the full extent of controllership obligations. This exemption has been interpreted restrictively, as seen in the Lindqvist case, but two additional judicial criteria (namely, that data must not be shared with an indefinite number of individuals and that processing must not be “directed outward from the private domain of the data processor”) indicate that the household exemption is unlikely to protect smart home users who seek external services or inadvertently process the data of their home visitors. To this end, clauses accommodating such unique scenarios shouldn’t be neglected when balancing data subjects and controllers.

The global law body needs to enact frameworks that will implement how joint controller responsibilities should be allocated in law and the processing stages involved. Although this may deprive data subjects of effective protection and keep them ignorant about the illegal activities of joint data controllers, it is a safer way to strike a balance as we advance.

Conclusion

Despite calls for data subjects to take absolute control of their data because of the thriving power imbalance, adopting the legal, technological, and organizational solutions discussed in this essay is key, but caution should be applied during implementation.

References:

https://policyreview.info/articles/news/data-subjects-data-controllers-fashionable-concept/1400

https://www.cgap.org/blog/6-data-protection-rights-for-empowering-people-in-digital-world

https://www.truendo.com/blog/embracing-the-future-technological-advances-and-innovative-practices-in-data-privacy

 

 

 

Copyright © TravelDailyLife.com

Author: Ekoja Okewu
I am Ekoja Solomon from Nigeria. I love engaging in writeups that spur humanity into action
