The Chain of Data Acquisition (Part 1)

in #security, 8 years ago

How effective are my rights of personal data ownership? In other words, what are the limitations on what data someone can take from me without my permission? Or, how can I reasonably expect to be protected from invasions of privacy?

Here's a proposition for what I'll call The Chain of Data Acquisition, which is a way to break down the practicalities of a situation of potential data theft:

In order for your data to be protected...

  1. A technological method of capture and data storage must be possible and available
  2. Capture protection, and data storage protection must be practically and technologically possible and available
  3. If possible and available, some kind of regulation must be in place to restrict what is possible
  4. If regulation is in place, infringements must be reportable, verifiable and / or discoverable
  5. If so, the consequences must be actionable and the will exist to action them

To summarise, systems of protection for data must be practical and any regulation must be enforceable. And each element of the regulation must be well defined and make sense.

Please note that by regulation, I don't only mean laws. I also include ways in which computer operating systems regulate the programs which they support, and indeed the self-regulation of those programs. It is also intended to cover other, non-hierarchical regulation, aka community decision making. But I'll go into that in detail later.

Let's look at each point, and survey the available material on the arising issues:

A technological method to capture and store data must be possible and available

The imperative of protecting your personally stored data is clearly evident, but I want to first argue that data protection begins with data capture. For example, if I take a photo of you, that is data capture. You may not want me to take a photo of you and so might argue with me on the grounds that you are the subject of the photo; the photo is about you. So data protection can extend not only to data you own as a kind of property, but to the prevention of creation of data about which you are the subject.

What I'm referring to is termed personality rights, and exists both as a privacy right and a property right, specifically:

[...] the right of an individual to control the commercial use of his or her name, image, likeness, or other unequivocal aspects of one's identity

I would like to see these rights strengthened and extended to the capture of information about our behaviour. This is commonly referred to as analytics or simply as tracking. Arguments against this usually focus on the privacy of the individual and not on their property rights. Where existent, we should be further protected from the widespread abuse of our trust in internet platforms which routinely demand the handing over of these rights.

Here is a real example. It is against the law to take or publish photos of any person for any reason in Brazil, Spain and Switzerland, and with exceptions (usually if the person is not identifiable) in the Czech Republic, France, Hungary, Japan, Macau, and Slovakia. In most countries there are no real restrictions though. [1]

This article seems to contradict the Wikipedia article I used as a reference above, but it does say that

It is legal in Brazil to take photographs of “private persons”, with the premise that they are in a public space and that the image does not hurt its privacy rights. [...] The problem, though, is that this is a really subjective matter, and could trigger long arguments and even legal processes. [...] if the photo is not produced for commercial purposes, the photographer does not need an authorization, although this might be recommended to avoid arguments. It is important to remember that, taking pictures of somebody inside a private space, like their apartment for example, is illegal, unless an authorization is given by the photographed.

As the Wikipedia article on Photography and the law puts it, for the UK:

The right to privacy is protected by Article 8 of the convention [the European Convention on Human Rights]. In the context of photography, it stands at odds to the Article 10 right of freedom of expression. As such, courts will consider the public interest in balancing the rights through the legal test of proportionality.

So like most rights, in practice a right cannot always be invoked and must be weighed against the rights of others. Some rights always apply (inalienable rights), but these are necessarily few. Therefore my right to enjoy the utility of my property and my freedom of expression must be balanced with your right to privacy, and thus data protection.

Today, no matter where you are, you actually can walk around taking photos of every person you encounter whether legal or not. This is because digital cameras are cheap enough to be accessible to most, and digital storage is even cheaper. But remember that not so long ago this kind of capability would have been beyond the average person. So maybe 50 years ago this may have been technologically possible, but too expensive for most. And 100 years ago, not technologically practical. So there are many people alive today who have seen this become a possibility where it was not always so.

Is there a difference between capture and storage? Certainly capture is a kind of storage, at least into computer memory, so storage actually means transferable storage. This is physical or digital media which can be used by a system other than the capturing device.

End of part 1

I will continue detailing the links in the chain in the next article. I hope you enjoyed it so far 😌 🙂

References
