The reality of data protection

Most nations have data privacy and protection laws in some form or another, like the General Data Protection Regulation (GDPR) 2016 of the EU, the US Privacy Act of 1974, the California Consumer Privacy Act of 2018, and India’s Digital Personal Data Protection Act 2023. But are these laws effective at all? Is it possible to protect personal data, or is personal data protection a utopian concept? Let us first explore what personal digital data is. Who generates it? Who owns it? Who stores it? Who controls it? Who regulates it? And finally, who profits from it?

Let’s focus on just one type of data that is generated by you and is definitively yours and personal: your photograph. Imagine you take a selfie with your iPhone and send it via e-mail to your partner, who, along with her photo, posts it on her social network page using her phone. By uploading them willfully, you knowingly give consent to global online websites to store and process them.

So, let us examine who has access to your data in this scenario. For instance, Apple is the maker of your iPhone. Google transmits the attached image and downloads the mail to your partner’s Lenovo laptop, which stores your image on its hard drive and potentially in the Lenovo or Alibaba cloud used by your partner. She might also use the Canva or Photoshop apps to create a scenic garden view with your pictures. Finally, Instagram is the social media site where your friend uploads the edited image and tags many others.

But there is more—a couple of telephone companies that provide networking services to you and your partner and store your personal data. They often grant their commercial partners access to your mobile number, address, and demographic profile. No wonder you get dozens of spam calls from banks, insurance companies, and real estate agents every day.

Uploading and sharing photos is a normal, everyday act for users (the data principal). Governments worldwide are attempting to make technology companies (data fiduciaries) responsible for the use, storage, processing, privacy protection, and safekeeping of this data. They create data protection boards and appoint data protection officers to supervise data flow. However, with a humongous data upload of 3 billion images per day and an internet traffic data flow of nearly 80 gigabytes per second, this seems impossible and utopian. But let us not negate knowledgeable global lawmakers by citing numbers alone. Let us explain how the industry works
and the nitty-gritty of the process that makes regulation impossible.

The internet started in the 1990s but lacked funding for the technology. The early pioneers needed huge amounts of capital that no government or private investor was willing to bear. The only people who were willing to pump in money were advertisers, who wanted to sell products through celebrity endorsement. With the arrival of social media a decade later, people were wilfully sharing their private life stories, becoming influencers, and earning money from the internet. Netizens wanted convenience over privacy. Book an Uber, send a gift, buy a dress, and mingle with friends instantly without permission at every stage. So privacy was thrown to the wind as netizens chose self-promotion over discretion and privacy. The citizens were happy, and the technology companies were happy.

Data protection is important only because it has to be made available to the user 24x7. Hence, cloud campuses started springing up globally, storing data and backing it up at two remote locations. So the image clicked by you has actually been stored by Apple, Google, Lenovo, Samsung, Alibaba, Facebook, and the mobile companies and their back-end remote servers for redundancy, which makes it over a dozen locations per image. That means having to monitor 36 billion images a day and a hundred thousand data fiduciaries. We will not talk about other data that is more granular and more complex to understand. Besides, most of these backup remote servers are located in nations where energy is plentiful and costs are low. They are funded by discreet investor money from tax havens. Provinces in North China are popular locations for backing up data. Data today is too widely spread and too enmeshed with our lifestyle to be protected. No amount of fines for technology companies will achieve it. Like it or not, no single entity owns or controls our personal data, and there is no international agreement that can protect it.

(The writer is a journalist and author of four books on the economy, banking, and technology.)