Who owns your personal data?
The amount of digital data worldwide in 2020 is estimated to amount to 44 zettabytes or 44 trillion gigabytes. This number is expected to grow up to 175 ZB by 2025.¹
Meanwhile, at least 1200 petabytes, or 1.2 million gigabytes, of people’s personal data are located on Google, Facebook, Microsoft, and Amazon. The value of such data is clear to businesses: this is what brings you a competitive advantage today. For quite a long time, it wasn’t that obvious to the majority of internet users.
But the times have changed. Consumers are getting more aware of their data’s value and less willing to give it to companies for free. And it seems quite fair: if companies benefit from personal data, its owners shall get their piece of the pie. But do we own our personal data to sell it?
The ambiguity of data ownership
Data ownership is the first issue to address when speaking about the data economy.² However, the concept of data ownership is ambiguous and doesn’t fit smoothly into the current understanding of data management.
Unlike other goods, data is non-rivalrous. If you sell a car, you don’t have it anymore. When you sell data, you may still have it, just as the one you’ve sold it to. It may be an advantage: you could share it as many times as you want and not depreciate its value. But what if your data has been stolen? You still have it, but someone else too. What is your loss then? Also, keep in mind that most legal systems do not define data as an asset.³
The definition of personal data is also quite broad. Data is usually a record of some interactions. Your birth certificate says almost as much about you as it says about your parents. The value of your Facebook profile is strongly connected with who your friends are. Your Telegram chat with a friend has two equal data subjects: the friend and you. Who shall be an owner of this data? When does your personal data become personal data of someone else?
When it comes to aggregated data, some may argue that the one who collected it should also own it. In contrast, others believe that its owners are primary data subjects.
All this makes data incompatible with notions of ownership.⁴ An interesting example is how the data ownership issue has evolved in the EU within the last five years. While it was defined as a major challenge in the beginning, it has been completely dropped recently.⁵ The General Data Protection Regulation (GDPR) does not utilize this concept as well.
It’s all about control
The mere fact that the concept of ownership is hardly applied to data doesn’t mean that you, as a data subject, do not have any rights to your data. It just requires a different approach.
For example, instead of ownership rights, GDPR entitles data subjects to a set of rights over data about them. It includes:
- – Right of access,
- – Right to rectification (possibility to fix inaccurate data about them),
- – Right to erasure (also known as “right to be forgotten”),
- – Right to restriction of processing,
- – Right to be notified about rectification or erasure of personal data.
This set of rules allows people to have control over their personal data. It differs from how we control our tangible property and is based on a current vision of fairness and balance in terms of using data.
The distributed ledger technology community shares a similar view on data ownership as a set of rights: the right to access, to control, and to distribute data.⁶ People shall access data about them anytime, control how their data is used (which also includes “right to be forgotten”), and decide with whom to share it.
Why self-sovereign digital identity is important
No matter how good are ideas contained in the GDPR, their proper implementation requires specific managing tools. Otherwise, it’s extremely difficult to utilize some of the rights you are entitled to. How could you ask someone to erase your personal data if you don’t remember sharing it with them?
OAuth-based social logins (Google, Facebook, Twitter) partly solve this problem. But the main downside is that you give up control over your data when using it. Yes, you can choose who you are sharing your Facebook profile with and stop sharing whenever you want. Still, your profile is fully controlled and dependant on the service provider. As a result, it may end up being compromised and sold, as it happened to 267 million Facebook profiles in April 2020.⁷
Self-sovereign digital identity addresses this issue, making you the only one who controls your data. There is no additional authority above you, so you are fully responsible for what is happening to your profile. You have full access to it anytime, choose whom to show it, and, most importantly, no one could distribute or utilize it except yourself.
This is what we want the new Monetha application to become—a self-sovereign reusable digital identity powered and secured by cryptography. You control all your data in the closest way to the conventional understanding of ownership. What’s more important, you shall be the one who benefits from your data’s value, not Google, Facebook, Twitter, or any other company, including Monetha.
- “Data ownership, rights and controls: Reaching a common understanding”, Discussions at a British Academy, Royal Society and techUK seminar on 3 October 2018
- Select Committee on Artificial Intelligence, House of Lords, October 2017 http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/artificial-intelligence-committee/artificial-intelligence/oral/73547.html
- “EU Drops Data Ownership”, Artem Taranowski, February 2020 https://medium.com/data-legally/eu-drops-data-ownership-807ca597fd62
- Trust:: Data, A New Framework for Identity and Data, Thomas Hardjono, David Shrier, and Alex Pentland, 2016