Every day, millions of gigabytes of digital data are exchanged by our mobile phones, web browsing activities, IP cameras, connected fridges or brand new Apple Watches. The boom in connected things will certainly not reverse the trend: according to an IDC survey conducted for EMC and published in April 2014, the volume of data will grow very strongly in the coming years, with an expected 10-fold increase between 2014 and 2020 to reach 44 Zettabytes, i.e. 44,000 billion gigabytes, in 2020.
Hence this question: where do these data end up, and who owns them?
Sovereignty — i.e. a State’s ability to exercise its authority over a given territory and population — is by no means an immutable concept. It has changed over the centuries, along with society and technological progress. Yet the digital world, which defies physical and legal constraints, has dramatically accelerated a mutation, initiated at the beginning of the 20th century, that has obliged the State to reinvent itself and share its authority with private organisations. Just think about digital identity: to prove our identity in the “real” world, we use our identity document, issued by the State; but in the digital world, we use our Facebook or Google account. The identity of citizens and their personal data are no longer guaranteed by the State, but by companies, often located abroad, that cannot assure citizens they will abide by the legislation and regulations applicable in their own country.
The direct consequence of this is the trust crisis that seems to be spreading among users.
Yet, this control is purely theoretical. Indeed, what can customers do if they do not want a company to use their personal data for commercial purposes? The answer is crystal clear: nothing! The issue lies in data ownership. Every stakeholder has its own view: some consider that each individual owns their personal data, irrespective of where they are located. For instance, Pierre Bellanger said, at the FIC 2015, that we are the “authors of our own personal data”. Others think that the issue is not so simple, like CNNum (the French Digital Council), which published a report in 2014 recommending not to establish a private property right on personal data because it would “(…) give individuals the responsibility to manage and protect their data, reinforce individualism and negate the power balance between consumers and companies”. Our Secretary of State for Digital Affairs, Axelle Lemaire, is in favour of a middle way whereby specific data (regarding transport, housing or the like) would have a “general interest” status, halfway between the private and public spheres.
Though alternative models are being developed, their scope remains quite limited. Therefore, what are the options if you don’t want to give up all the services offered by internet-based companies?
The second option is of a legislative and regulatory nature. Since 25 January 2012 (i.e. more than 3 years ago), the European Commission has been working on a European regulation on personal data protection. This regulation aims to update the regulatory framework regarding personal data, which has not changed since the European directive of 1995. As a result, personal data legislation in the various Member States remains highly fragmented. The new draft regulation includes the following flagship measures: notification of a personal data breach; data protection impact assessment for risky processing operations; creation of new rights regarding data portability and the right to be forgotten (with penalties of up to 2% of the breaching company’s annual turnover); and a central role for the “data protection officer” (an evolution of the current French “Correspondant Informatique et Libertés” position). The first draft was rejected by most Member States, which stated that the balance between citizen protection and the economic interests of digital stakeholders was not right. Then, Edward Snowden’s revelations enabled the Commission to put the topic back on the agenda. On 12 March 2014, the Commission approved the new document and sent it to the Council of Europe for approval. Now, since each country has its own interests, the risk is high that the compulsory negotiations between the European Parliament, the Council of Europe, the European Commission and the co-legislators will take (too) long. But can we afford to wait any longer?