My stance on privacy

Making decisions is an important part of life. Good decisions can improve life; bad decisions can ruin it. Historically, people have used their intuition to make decisions.

With the improvement of computing and data processing, people have gradually started to use data to measure decision quality and to improve it. In a business setting, this is known as business intelligence. Some people are also using it to make decisions about their personal lives.

With the rise of Big Data and AI, data is not only fed to humans to assist them in making good decisions; AI systems, trained according to goals set by humans, have also started to make decisions on their own, either without or with some very limited human involvement.

All of this has changed the role of data and increased its value. Suddenly, we have to consider how our own data is collected and processed. While nobody would have minded sharing the fact that they smoke with the whole world only 100 years ago, people today would object to it, because they worry their health insurance company would use this data to make a decision and increase the insurance fee.

If we want to influence data-based decisions made about us, we have three ways:
1) not sharing relevant data about ourselves,
2) having laws that prevent the use of our data to make specific decisions, or
3) using our own data and making our own counter-decisions

In the example above, we either
1) stop sharing the fact that we smoke with the world, or
2) vote for lawmakers who will pass a law prohibiting health insurance companies from varying their fees from person to person, or
3) use the data about the insurance company to find out that the surplus of extra fees gathered from smokers was spent to pay bigger bonuses to the management, and leave this company for a competitor. This option would require laws forcing companies and governments to be reasonably transparent about their data, as well as the availability of competition on the market.

Now, it is important to understand that data-based decisions don’t always need to be bad for us. As a non-smoker, I like the idea of charging smokers more than average for health insurance, and as an overweight person I’m ready to pay more than average myself. And I like that people with low incomes pay much less in taxes. And it would be nice if the fine on my parking ticket took into account the fact that in 99.9% of cases I pay for parking my car. And I have stopped watching TV because I can’t stand this annoying, un-personalized and sometimes insulting advertising – I really like the advertisements Facebook and Google are showing me.

So, to benefit from this kind of decision making, I need to share my data. Therefore I find it a pity that current European law-making in this area is mainly focused on making the sharing of data harder and more complicated.

If nobody shared data, nobody would get hurt by a data-based decision. But nobody would benefit from it either. So our level of digitalization will remain blatantly low and our decisions will still be made by gut feeling, like in the Stone Age.

I don’t think it is reasonable to try to stop data sharing. They say that when the first cars hit the roads of the cities and the first car accident deaths happened, lawmakers issued a law requiring a person with a red flag and drums to march in front of the car to warn people and horses. I can imagine this could prevent deaths efficiently, but it undermined the whole idea of driving cars.

Today, we as a society have accepted many thousands of car accident deaths and injuries per year, because the benefits cars provide to people and to the economy have far outweighed the risks. I think the same process will happen with our data.

We will be sharing our data in the future much more than we do now, willingly or unwillingly, and we will have to learn how to deal with it. Our law today prevents collection and storage of the data. The future law will concentrate instead on regulating the decisions that are being made based on the data, making it illegal to make unfair decisions, and making the data of the decision-making entities reasonably transparent to the public.

Another issue I want to point out in the current EU legislation is the definition of so-called personal data. As we all know, it is data that identifies or can identify a person. Let’s say, an email address. If a website stores email addresses entered by its users, this information is considered to be personal data and is thoroughly regulated. But what is the risk of storing an email address in a database? If nothing else is stored there, the worst thing that could happen is that somebody would send spam to this email address, or try to phish the corresponding password.

But let’s now say, for instance, that besides the email address we also store the person’s income. Income is not personal data per se, so no additional regulations would apply in this case. But the risk of abusing or leaking this information is much greater!

Another example: let’s now replace the email with the IP address, so now we have a table of IP addresses and their salaries. According to the German regulators (this is not in the GDPR itself), IP addresses are personal data. But leaking this information would lead to virtually no risk. Neither bad website owners nor hackers have enough capacity to map IP addresses to real persons, at least not in a scalable way for massive amounts of data. Still, according to the law, this data will be protected in the same way as data containing email addresses.

My suggestion is to drop the “personal” from future regulations. There are just data owners, who share their data with somebody else, and this somebody else will have to comply with some set of rules (for example, must disclose all the data used to make a specific decision), no matter what kind of data has been stored and processed.

