Why we need to ask who owns our data

The delay in the passage of the Data Protection bill can be seen as an opportunity to widen the conversation on data ownership.

With the monsoon session of the Parliament drawing to a close, it is safe to say that the much-awaited Data Protection bill will not see the light of day until, at least, the winter session in December/January. By then it will be nearly 18 months since the Sri Krishna commission submitted its draft bill. This delay, while not optimal, gives us as citizens, an opportunity to consider some questions about the ownership of data as we get swept into the tsunami that is the information economy. Though the conversation is still unfolding as we uncover both the positives and negatives, it is not as simple as we would have wanted.

We are well aware that all our interactions online generate data which is sent off for processing for companies to glean insights from. And, as data generation increasingly eats the offline world through connected cars, Internet of Things (IoT) devices, location tracking, facial recognition etc., all these interactions too are processed. Ostensibly, this is being done to provide us with better targeted, more personalised services. There seems to be little we can do to escape. We can choose to stop using certain services, like say, Facebook. But it is well-documented that Facebook maintains shadow-profiles on Internet users irrespective of whether they use it or not. We can try going completely off-the-grid, but this will come at great personal cost. Even then, there is no guarantee of success as we could still be picked up through interactions with others still on-the-grid or by the countless CCTV cameras/IoT devices proliferating everywhere.

What’s in it for me?

When some of the world’s most valuable and profitable companies use our data to generate millions of dollars per month in revenues, is it that outlandish for users to demand more control or something in return for their data? The #My31 app/movement seeks to give users that control. Essentially, such approaches hold that a user owns his/her data and should be able to exchange it for services only when they consent. A more extreme version of this approach is that we attempt to exercise full control of our data, and only use services that guarantee privacy/non-use of data. This would probably cost a premium, and we won’t know for sure that our data is not being used. The Data Transfer Project, another initiative that seeks to give users more control by improving portability and interoperability, was recently given a fillip by Apple coming on board to join the likes of Google, Facebook, Twitter and Microsoft. But the data ownership concept has not really played out in legislation yet, with EU’s General Data Protection Regulation (GDPR) and the draft Indian Data Protection Bill focusing on informed consent rather than full-ownership.

An alternative idea that is being explored in California is the concept of a ‘data dividend’. While the specifics are yet to be worked out, we can think of it as a universal basic allowance in exchange for the use of our data. Other efforts are pushing big technology firms to determine the actual value of an individual’s data. A significant challenge to such an exercise is that once separated from privacy, data is significantly valuable only in large volumes. My personal search, browsing, viewing, location and shopping history – will reveal a lot about me, but by itself will not have much monetary value for the likes of Facebook and Google.

India’s approach

In the context of accumulation and bulk processing of data, it has been referred to as the ‘new oil’, a commodity, or even as capital itself. The 2019 Economic Survey presents the viewpoint that data should be treated as a public good since it is non-rivalrous and private investment will not naturally gravitate towards uses that will drive social/societal welfare without accompanying profits. It contends that operating in conjunction with privacy laws, treatment of data as a public good by the state has many advantages while, rather optimistically, downplaying any negative outcomes. Much of the data localisation debate has centered around its use as a national resource. So, it is clear, that as a country, we view data processing as a collective concept rather than it being a consideration at the individual level. Expectedly, privacy advocates are at odds with this.

Back to basics?

Another, and perhaps, more fundamental question we can ask is should this data even exist? Given that, as a country, we’re just beginning to unlock the value of data, it seems easy to dismiss this. But it does need some consideration. The oft-heard analogy is that if a service is free, then its users are the product. However, through the book, Surveillance Capitalism, Shoshana Zuboff makes the case that users are merely free raw material. She also refers to the business models of data-driven companies as those trading in our future actions and behaviours (essentially, manipulation). Indeed, the Netflix documentary The Great Hack which is centered on the Cambridge Analytica-Facebook scandal features a whistleblower referring to their methods to influence voters being targeted as being equivalent to military psychological operations or psy-ops (influencing an adversary’s state of mind by non-combative means).

This has profound implications as we seek to combat misinformation campaigns that threaten public order. Even if we do choose to set this aside, it is important to understand the potential harms of the model. The history of policy-making can be considered to be a chronology of unintended and unanticipated consequences of good intentions. Therefore, the Personal Data Protection bill should not be the end but the beginning of a long conversation about our digital rights.

(Prateek Waghre is a student of the Technology and Policy Programme at Takshashila Institution)

The views expressed above are the author’s own. They do not necessarily reflect the views of DH.