Spotify plans to gather more data on its users (location, music taste, Facebook activities) and put it to commercial use. Spotify is hardly unique in this. Most free services are creating ever richer user profiles in order to better target advertisements. The deal is as follows: users get to use an online service for free, and in exchange they accept that their behaviour is observed so the service can target them with ads effectively. A user thus ‘pays’ for a service with his interests, location, pictures and in some cases, his friends.
The debate about online privacy is increasingly framed in terms of this transaction. Prominent scholars such as Tufekci and Wu have recently written opinions on the price of selling our personal data. But the question is whether the concept of privacy as a commodity that you can sell is accurate. In this blog I will explore whether personal data is actually ‘owned’ by the individual (the data subject) and whether it can be ‘bought’ by a third party (the data controller).
The idea of paying with your data is part of a broader notion in society that you ‘own’ your personal data. This idea probably stems from the fact that the right to privacy has its origins in that of private property. John Locke, for instance, argued through his theory of private property that every person has a property in his own person, and that therefore we all have inalienable, fundamental human rights. As such, a right to privacy can be derived from the right to personal property. But while the right to privacy definitely has a strong link to private property, it is at the same time more and less than property.
Warren and Brandeis, who were the first to conceptualise privacy as a legal right in their seminal 1890 Harvard Law Review article, convincingly argue that the privacy principle which protects us is not the principle of private property, but rather that of an ‘inviolate personality’. Reducing privacy and personal data protection to something that you can ‘sell’ diminishes the protection provided by the right to privacy. It also raises the spectre that those who cannot afford privacy are not entitled to it.
So, privacy is more than personal property.
But at the same time it is also less.
Personal data is created in the relationship between the data subject and the data controller. Unlike intellectual property, personal data is generally not created by the data subject. More often than not, personal data is created by a data controller. This alone makes the argument that the data subject owns his personal data shaky. But the argument goes beyond merely the question of who created the data. Reducing privacy and personal data protection to an issue of ownership undervalues the fact that in a personal data transaction there are always two parties: the data controller and the data subject. The data controller also has legitimate interests in keeping and using the data he created or helped create. In a sense, personal data is the opinion a data controller holds about a person.
The fact that both parties have legitimate interests in personal data often leads to friction. A good example of this is the discussion about the right to be forgotten: data subjects have a right to be forgotten, but society at large has a right to form and record an opinion about a person. If personal data is treated as private property, the right to be forgotten always wins out. What this example shows is that the legitimacy of personal data processing depends not so much on who owns the data as on what is fair and reasonable in the interaction between two (or more) parties.
Reducing the discussion about privacy and personal data to one about ownership oversimplifies the issue of privacy in the information society and may lead to sub-optimal results when it comes to regulating the use of personal data.