Are you the "data subject"?

In the digital realm, the term "data subject" identifies an individual whose personal data is harvested yet paradoxically remains thwarted from subsequent data management actions. This detachment spans the full spectrum of the data lifecycle, from its initial collection to its eventual application or distribution. Often, data subjects are unaware of the initial acquisition of their data, oblivious to its storage location, the security measures in place to protect it, or the processes governing its transfer. Their data's path, particularly how it reaches third parties or which entities might access or hold copies, is typically shrouded in mystery. This lack of transparency is exacerbated by end-user license agreements (EULAs), which, although designed to outline the terms of data collection and usage, are frequently (and purposefully) so convoluted or extensive that they leave the data subject uninformed about the specifics of the data collected, how it is gathered, and its eventual destiny.? EULAs are designed to safeguard the rights of the data creator, often at the expense of the data subject, by establishing terms that prioritize the creator's interests over the transparency and control of the individual whose data is being collected.

The "data subjects" often find themselves uninformed and uninvolved in the management and security protocols concerning their data at the time of creation and once it lands in the hands of data users or consumers. In the event of security breaches or unauthorized access to their data or personally identifiable information (PII), data subjects are usually the last to be notified, often long after the incident, and without sufficient detail to take protective action or proactive measures against future events. This exclusion from the data management process underscores a significant gap in ensuring that their information receives the requisite security and confidentiality attention from its handlers. This condition underlines the passive stance data subjects are relegated to within the digital ecosystem, spotlighting a profound power imbalance regarding their rights, privacy, and autonomy over their personal data. It calls for a transformative approach that repositions the data subject at the heart of data management practices, emphasizing transparency, security, and respect for their autonomy.

Further complicating this landscape is the relationship between the data subject and other entities in the data ecosystem. Data Creators, such as large technology companies, banks, healthcare providers, or social media platforms, generate data under the guise of providing a service, often binding the data subject through EULAs that obscure the full extent of data collection and data handling practices. While these entities initiate the data's journey, some ownership (maybe), but at least agency—and consequently, the authority over the lifecycle, use, and management of the data—rightfully belongs to the data subjects themselves. The opaque nature of data transactions and insufficient communication often leave data subjects without a thorough understanding of how their data is managed throughout its lifecycle. This includes details on how third parties store, transmit, and access their data. The absence of clarity significantly restricts data subjects' ability to manage their data's lifecycle effectively, including its secure deletion or the assertion of rights akin to those encapsulated in the California Consumer Privacy Act (CCPA). While the CCPA does not directly refer to the "Right to be Forgotten," it enshrines related concepts by enabling California residents to demand the erasure of their personal information held by businesses. This regulation seeks to bolster Californians' privacy and consumer protection, affording them greater authority over their data. Although businesses governed by the California Consumer Privacy Act (CCPA) must adhere to consumer requests for data deletion, with some exceptions, to respect consumer privacy preferences and avoid retaining information indefinitely without consent, data subjects are not afforded the means to oversee the deletion process directly. Consequently, they lack the ability to obtain technical or legal verification that their data has been effectively erased in compliance with their request.

Within the digital data ecosystem, Data Users or Consumers refer to organizations that apply collected data across various applications, from financial institutions conducting macroeconomic analyses to marketers crafting targeted advertising campaigns. Frequently, this harvested data from data subjects is used to customize advertisements specifically targeted at these individuals, often without their consent or acknowledgment that such targeted content may be uncomfortable or unwelcome by the data subject. Data users and consumers also include the unique elements of data brokers who act as intermediaries by collecting, curating, and selling data subject content, along with AI companies, typically accessing data either directly from data creators or indirectly from data brokers. This practice adds another layer of complexity to the data governance landscape, intertwining various entities in the supply chain of data and the management and utilization of data subject information. For ethical data management and utilization practices to be genuinely implemented, these data users should be required to gain explicit permission from the data owners—the data subjects themselves—ensuring that any data activity is transparent, consensual, reported, accessible, and aligned with the data subjects' expectations and rights.

Tackling data subjects' issues requires a fundamental transformation of existing data management protocols, advocating for a transition to frameworks that intrinsically value and ensure data subjects' rights and active involvement from the outset. This involvement must be established before the inception of data creation, as the current paradigm significantly marginalizes data subjects, denying them any form of control or management over their data once it has been created, compiled, stored, or transmitted. The status quo effectively disengages data subjects from the decision-making processes concerning their personal information, rendering them mere bystanders in the lifecycle of their own data. To rectify this, there's a critical need to embed mechanisms of consent and transparency that empower data subjects, granting them a foundational role in how their data is handled right from the beginning. This proactive engagement ensures that data subjects are aware and have a say in the governance, security, and eventual utilization of their information, marking a shift towards a more equitable and respectful digital ecosystem. Adopting this new paradigm requires breaking down the intricate and often convoluted structures of End-User License Agreements (EULAs), ensuring they become more transparent, understandable, and possibly negotiable with data subjects. It necessitates introducing transparent and effective control systems that enable individuals to restrict cookies and other AI-enhanced tracking mechanisms that surveil online behavior. This approach aims to transform data subjects from passive data sources into informed, active, and consenting participants within the data ecosystem by simplifying and clarifying the nature of data transactions. This means making the terms of data use and sharing clear and providing data subjects with straightforward, accessible tools to exercise control over their data and personal information.

Through these measures, data subjects can fully understand how their data is collected, used, and shared and possess the means to influence these processes actively. This shift towards a more transparent and participatory data management model represents a significant step forward in respecting and safeguarding the autonomy and rights of individuals and other entities in the digital age. A more equitable, transparent, and secure digital environment can emerge by redefining the roles and responsibilities within this ecosystem—ensuring data creators respect ownership rights and data users operate under explicit consent. This would empower data subjects with control over their personal information and foster a culture of accountability and ethical data handling that benefits all stakeholders in the future digital economy.