Who Owns Our Data?

You know what’s pretty weird? Somewhere out there, your personal info is sitting in some company’s database.

First name, last name, email address(es), phone number(s), gender, age, marital status, home address. Where you’ve shopped. Where you work. Maybe even more sensitive data fields, like political affiliation or socioeconomic status.

Truthfully, we have very little idea about which companies have access to our personal data. We also have very little idea of the scope of this problem. Do a hundred companies have our data, or is it more like a thousand? 10,000?

You may be looking at your phone or laptop, thinking to yourself, “Hold on. There’s no way 10,000 companies have data on me. How would that be possible?”

I invite you to think about how many times you’ve done one of the following:

• typed your personal info into a contact form on a website
• filled out one of those sweepstakes forms, either online or in person
• signed up for some software or product
• allowed third-party access through a platform like Google or Facebook

Where did all that data go? Did one company sell it to another company? Did the company that bought your data sell it to a third company? Was that company acquired by even another company? Did your data end up on a data marketplace, where it is available for purchase by anyone, for any reason, at any time? There are many well-documented cases of all the above happening in recent times.

On top of all this, we still have not considered how our data is being used. It can be safely assumed that our data is being used to sell us products and services. But, is it possible our data is being used for more secretive, nefarious purposes? Likely not, but it’s a possibility, and there have been notable instances in the past.

2019 is the year of data. The general public is aware that personal data is being collected and used for profit. Now that we are aware, we can have important conversations about how we feel data should be treated.

One of the most important questions of the next decade(and the focus of this piece) is:

“Who owns my data?”

It’s a powerful question, because it is so simple.

If I buy a pair of shoes, I own them. If I lend them to my friend, I still own them. If I sell them to my friend, she now owns them. If I rent my shoes to my friend, I own them, and she is able to use them so long as we continue the rental arrangement.

How does this apply to our personal data? How has it applied in the past, and how should it apply in the future?

Data processing has been largely unregulated up until GDPR in 2018. To use the shoe example, it’s like if we gave our friend (a company) our shoes without agreeing on the arrangement. We just gave them our shoes, without agreeing whether they were borrowing, renting, or buying.

Now, in a post-GDPR world, there are rules about companies processing data for EU citizens. I am not gonna get into GDPR here (I’ve written about this topic before, though). I want to draw on one important fact:

GDPR establishes that personal data is fundamentally the property of the person.

In the shoe example, that means anyone can rent, borrow, or buy our shoes, but we ALWAYS reserve the right to take them back — no questions asked. That may not seem fair (to the buyer), since that’s not how ‘buying’ generally works. But, our data is fundamentally “ours” in a way that shoes, or physical objects, could never be. It is an inalienable right.

GDPR establishes (for EU citizens) that WE own our data. But unless we enact on that right, we do not *effectively* own it anymore that we did before GDPR. If we are given rights and do not exercise them, what’s the point?

Given the two facts I have argued in this article:

1. An unknown number of companies have our personal data; and

2. Our personal data is irrevocably ours, no matter what, no exceptions.

I propose a three-part action plan:

1. Figure out who the hell has our data

2. Figure out what data they have, and what they are doing with it

3. Decide, for ourselves, whether they should continue to have (and process) our data.

The first point is tough, because it is difficult to retroactively figure out who has our data. We have filled out a lot of forms in our lifetimes. The second point is not as difficult, because once we know who has our data, we can ask them what they are doing with it. It might be difficult to get a response, but eventually, conceivably, we can get one.

The third point is the most important, because it is where we exercise our rights. Without being an EU citizen, you technically do not have GDPR rights. But, many companies have become GDPR compliant proactively.

Value Exchange

If we allow companies to process our data (which is irrevocably ours), what value do we receive in return?

If the value we are receiving does not fit with the value we are giving, something is out of whack. If the value we receive is equal to or greater than the value we give, it is a good arrangement. If the value we receive is lower than the value we give, it is a bad arrangement. The goal is to end the bad arrangements and continue the good ones.

There are many businesses processing our data without providing value in return. Why should we allow this?

Who owns my data? I do. I have the right to lend, rent, or sell my data to anyone, and I have the right to take it back at anytime.

Whether I decide to lend my data depends on the value exchange.

If the value I receive in exchange for the data I provide to you is high enough, you may continue to use my data. If it is not, you may not.

Footnote: My company, Vumonic Datalabs, is hiring for all roles in Bangalore. ping me: gabriel(at)vumonic(dot)com