Earlier this month, I blogged about personal data being valuable and hence worth protecting like any asset. But what about commercial exploitation such as selling it to third parties? Is that OK too?
Some companies find it perfectly acceptable to Hoover-up all the personal information they can to use or sell to third parties, whereas others take a more conservative and (to my mind) ethical position, limiting personal data collection, using it for necessary internal business activities and refusing to sell or disclose it further (not even to the authorities in the case of Apple).
The EU position on this is clear: personal information belongs to the people, not the corporations. Since privacy is a fundamental human right, people must retain control over their personal information, including the ability to limit its collection, accuracy, use and disclosure.
The US position is ambiguous, at best. Efforts to tighten-up US laws around privacy and surveillance have been lackluster so far, often being stalled or knocked back by those same tech companies that are busy profiting from personal information, or by the spooks.
With the battle lines drawn up, once GDPR comes into effect next May the charge is on. Privacy and unrestricted commercial exploitation of personal information are essentially incompatible, so something has to give. We've already witnessed the failure of a half-baked attempt at self-regulation (Safe Harbor) and it seems Privacy Shield is also faltering. What next?
One possibility is a commercial response, where organizations increasingly decline doing business with US corporations that openly exploit and fail to protect personal information. That, coupled with the massive fines under GDPR, might finally drive home the message where it hurts them most: the bottom line.
As Rana Foroohar from the Financial Times puts it "Privacy is a competitive advantage. Technology companies may have to say whether they are data peddlers or data stewards." Personally, I don't see it as a quite such a black-and-white issue, with plenty of room between those extremes.
A key issue, for me, is that matter of personal choice: we deliberately choose to give up some elements of our privacy under some circumstances, and that's fine provided we are fully informed and voluntarily accept the implications - two of the requirements under GDPR. What's unacceptable, to me anyway, is when my personal information is obtained sneakily and/or exploited or disclosed to third parties, without my knowledge and consent. I resent that. How about you? Perhaps it's another one of those cultural things.