Having covered the rules that protect your access to the data of others in our previous article, the natural follow up is to discuss how your personal data is protected. Data privacy has become an increasingly prominent issue, especially where it involves the commercial use of personal information gathered by ISPs and companies like Google and Amazon. In our interconnected world, such personal information can impact an individual’s ability to apply for loans, secure employment, or their personal reputation. Therefore, there does need to be a standard for minimum protections of personal information to ensure both its accuracy and proper use.
Before the internet became the global commercial enterprise it is today, it was a product of the United States military and university researchers. Both groups saw the need for the protection of an individual’s personal information even in those early days They convened the Special Advisory Committee on Automated Personal Data Systems was established to determine a set of guidelines for the protection of personal data for both government and commercial purposes. In 1973, the committee returned the following principles to guide policymakers in creating data privacy regulations:
- For all data collected, there should be a stated purpose.
- Information collected from an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual.
- Records kept on an individual should be accurate and up to date.
- There should be mechanisms for individuals to review data about them, to ensure accuracy. This may include periodic reporting.
- Data should be deleted when it is no longer needed for the stated purpose.
- Transmission of personal information to locations where “equivalent” personal data protection cannot be assured is prohibited.
- Some data is too sensitive to be collected, unless there are extreme circumstances (e.g., sexual orientation, religion).
These principles focus on limiting the scope of data collection and sharing, as well as ensuring that individuals can check the accuracy and location of their information. However, the country that developed them has subsequently failed to implement them. The United States’ policies on data privacy have been exceptionally narrow, only focusing on medical records, credit ratings and financial transactions, and intercepted electronic communication. Outside of these areas, there are very few regulations at the US federal level that govern the collection and sharing of user data. In essence, whoever collects the data has the right to store and share it, even without the individual’s knowledge or consent.
However, some US states are starting to fill the void. California enacted a new law in 2020, the California Consumer Privacy Act, allowing its residents to request access to data collected on them and to prohibit the sale of that data, with the final regulations still being drafted and implemented. This is the most notable expansion of data privacy rights in the US, but it can hardly be considered comprehensive. It only applies within the California, and only to data directly collected by any private or public organization. Information purchased from a third party would not be covered under this legislation and therefore would be outside the control of the individual it relates to. These loopholes and a broader disregard for data privacy in the US has created a vast market for the sale of personal information without the knowledge or consent of the user. The state of data protection in the US is representative of the majority of countries, with very little protection or regulation available to allow individuals to control their information online.
On the other hand, the European Union’s General Data Protection Regulation (GDPR) has become a model for data privacy regulation. The European Convention on Human Rights that came into force in 1953 guarantees that “Everyone has the right to respect for his private and family life, his home and his correspondence”. The GDPR works to ensure that both public and private sector organizations utilize data in cases where the collector has the consent of the user, is fulfilling a legal obligation, or working in an official capacity for the public good. These protections apply to both data collected directly by organizations and data purchased from third parties, making it one of the most expansive data protection policies globally. These protections also apply beyond the borders of the EU. Per Chapter 5 of the GDPR, organizations are prohibited from transferring EU internet user data to countries with weaker data protection laws for subsequent use or sale. This more globalized protection provides a model for more universal protections for global citizens across the emerging cyber commons.
Disparities between different regional and national protections for users in cyberspace necessitate the establishment of a new global convention on data privacy, similar to the United Nations Convention on the Law of the Sea or the Outer Space Treaty. These agreements provide an internationally agreed upon framework to ensure the rights of all global citizens to common resources. Cyberspace is a similarly universal resource, and therefore deserves the same degree of attention. By developing fair and equitable standards for protecting global citizens in cyberspace, we can foster a space where individuals can explore the wealth of information provided by the internet without the fear of their every click and keystroke being recorded and sold.