What Exactly is Data Protection Legislation Protecting?

The past five years have witnessed a tightening of data protection legislation around the world. From Europe’s emblematic General Data Protection Regulation (GDPR) to California’s Consumer Privacy Act (CCPA) or Brazil’s General Data Protection Law, jurisdictions are imposing stricter responsibilities on entities that collect, use, store, and communicate personal information. As Canada looks to update its Personal Information Protection and Electronic Document Act (PIPEDA), is might be time to step back and ask: 1. what exactly are we protecting? 2. is our legislation in fact protecting it? and 3. could we do better?

What are we protecting? And why?

Regardless of the approach, data protection regimes protect personal information:  information about a natural person that either directly or indirectly identifies that person. For example, both an individual’s DNA or passport number that directly identify them qualify as personal information but so do consumption habit and app configuration date as these constitute indirect identifiers.

The reason data protection regimes protect personal information is because it is supposed to be inherently linked to an individual’s right to privacy. Personal information is defined broadly so that organisations collecting, using, storing or communicating a broad range of personal information must comply with a variety of data protection regulations. But do these regulations really protect the individual? Or are they not in some instances a smoke screen preventing the individual from capitalising on the value of their information?

What are data regimes protecting?

Arguably, the effect of most data protection regimes is to enable entities collecting, using, storing or communicating personal information to derive financial value from it without compensating the individual. Most laws in this field impose extensive disclosure obligations on organisations and provide the individual with an illusion of control in the form of consent. But they in no way address the real issue: the value of the information and who should benefit from it.  At best California’s famous “do not sell my information button” prevents a company from selling personal information. But most privacy policies are statements of how an organisation will use, including profit, from the information that individuals provide to it free of charge.

Could we do better?

A possible approach that would at the same time protect privacy and facilitate the monetisation of data would be to narrow the definition of personal information to include only information that is so intimately linked to an individual’s biographical core that is should not be sold. Less intimate personal information would be included from a definition of personal information and consequently could be sold. Arguably the GDPR hints at this approach – sort of – by listing special categories of information that cannot be processed unless the processing falls into an exception. It falls short however or recognising personal information as a form of property in exchange for which an individual could receive financial compensation. This failure, a failure shared by most if not all data protection regimes, is non-sensical in the face of current market practices of “monetising” data and the willingness of most individuals to provide what they clearly do not believe to be highly valuable information in exchange for a good or service.

Conclusion

As Canada undertakes a major overhaul of PIPEDA would it not make sense to better focus our law on protecting the information that is truly private and allowing individuals to share in the value of the information that is not? Currently, individuals have no real ability to share in the monetisation of their information while the protection of their truly private information is compromised by an overly expansive definition of personal information that is increasingly the subject of “work arounds” as the market continues its quest to monetise, for a variety of laudable and less laudable reasons, the information that defines us.