Testimony by Facebook whistleblower Frances Haugen sparked the latest in a never-ending series of revelations about how companies and governments mine our personal data and commercialize it. To put consumers back in the driver’s seat, recently updated data protection regulations (such as the EU’s GDPR and California’s CCPA) have made transparency and control key pillars of privacy protection. In the words of the European Commission: “This is your data-control!”
Empowering consumers by giving them a voice is a lofty goal, and of course a very attractive one. However, in the current data ecosystem, control is far from a right; it is a responsibility, and one that most of us are not able to bear. Even if our brains could magically catch up with the rapidly changing technological environment, protecting and managing personal data would still be a full-time job.
Think of it this way: If you are sailing along the Mediterranean coast on a good day, it is absolutely wonderful to be in charge of your sailboat. You can decide which of the many lovely towns to visit, and there really is no wrong choice. Now imagine being in charge of the same sailboat in a storm. You don’t know which direction to go, and none of your choices seem particularly promising. Having the “right” to control your own ship in this situation may not be very attractive, and it can easily end in disaster.
However, this is exactly what we do: Current regulations place people in a turbulent ocean of technology and give them the right to control their personal data. Instead of forcing the technology industry to make systematic changes that create a safer and more compliant ecosystem, we have shifted the responsibility for protecting personal data to consumers. This step does more to protect the creator of the storm than the sailor.
For users to successfully control their personal data, regulators first need to create the right environment, one that guarantees basic protection, just as the US Securities and Exchange Commission regulates the investment world and protects individuals from making wrong decisions. Under the right conditions, individuals can choose from a set of desirable outcomes, rather than from a mix that includes undesirable ones. In other words, we need to tame the sea first, and then give individuals more control over their ships. Regulators can take some immediate measures to calm the waters.
First, we need to tax the data that companies collect, so that collecting and using personal data becomes costly for them. If they have to pay for every piece of data they collect, they will think twice about whether they really need it.
Regulators also need to require that default settings provide an adequate level of protection. Unless the user chooses otherwise, the user’s data should be protected. This concept is called “privacy by design.” No one has time to make protecting their privacy a full-time job. Protecting information needs to be easy. Privacy by design reduces the friction on the path to privacy and ensures that basic rights are protected automatically.