Media outlets such as Motherboard and the NY Times are currently reporting cases in which private individuals in the USA have been able to buy mobility data from so-called data brokers, making it possible to determine the location of any telephone number or person. The advance of data-driven business models is unstoppable – do we simply have to get used to the fact that our privacy is no longer what it used to be?
As early as 2013, “Unique in the Crowd: The privacy bounds of human mobility” showed that traces of human mobility are unique and can therefore easily be traced back to individuals. If a stranger can use a telephone number and $300 to find out where someone works, sleeps or spends his leisure time on weekends, the consequences are unimaginable.
It is therefore possible to seriously interfere with the privacy of individuals. But the actual scandal is a different one: In the USA this kind of data trade is completely legal. In the last 5 years, a new multi-billion dollar industry has developed in which personal data is used for market research purposes. Of course, market research is not new. What is new, however, is that it is now possible to address individuals and thus personalise messages directly. This data-driven industry has grown at such a speed and within such a “regulatory vacuum” that the behaviour of individuals can now be tracked seamlessly across multiple devices (“cross-device tracking”), i.e. across smartphones, tablets, TV or smartwatches. There is almost no moment left when data is not being collected.
Companies have far more precise and comprehensive insights into the purchasing behaviour of customers than they had just a few years ago. At the same time, hardly any private individual knows how their data is used for segmentation or even who ends up in possession of this data.
“Never before has it been possible to know so much about so many of us. But where in the past information about consumers and their behaviour was analysed to develop new products and increase sales, today consumer information has become a product itself in an ever more inscrutable data market” – DatenGerechtigkeit, Frederike Kaltheuner, Nele Obermüller
The general public has a basic but unfounded trust that their data won’t be misused. This trust has been called into question by recent serious cases such as the Facebook / Cambridge Analytica scandal which have shaken society’s confidence.
(If you are interested in further information around that question the German netzpolitik.org podcast “Zukunft des Datenschutzes” (Future of data protection), discusses the discrepancy between public perception and the actual handling of data by companies. Read more about this in our translated transcript: The Future of Privacy – A netzpolitik.org Podcast.
These cases clearly show that not only companies but also society needs to rethink privacy. In addition, the term “anonymisation” must be treated more cautiously. This also shows the different legal definitions of anonymisation between the USA and Europe: according to European standards, such data is merely pseudonymised and not anonymised. (Learn more about the difference between pseudonymised and anonymised data sets in our blog article Data Anonymisation Software – Differences Between Static and Interactive Anonymisation.)
“They are all processing personal data, there is absolutely no doubt about that,” says Mathias Moulin, director for the protection of rights and sanctions at the French data protection watchdog, CNIL. “They all try to say that it’s anonymous to lower the pressure from the public, but that’s not true. They know that and we know that.” – FinancialTimes, Data brokers: regulators try to rein in the ‘privacy deathstars’
Although the global research and advisory firm Gartner has defined “Privacy and Ethics” as one of the top strategic trends for 2019 for companies, it still sees a lot of hurdles along the way to responsible data processing and handling: “Although GDPR guidelines have been in effect since 25 May 2018, organizations are at different levels of compliance. The pressure to fully comply is increasing, driving organizations in or doing business with the EU to further evaluate their data collection processes. However, most are struggling with integration costs and technologies that can help speed up compliance.”
Modern regulatory frameworks such as GDPR and privacy-enhancing technologies such as Aircloak Insights, which can help you implement the necessary measures to comply with GDPR, will both play an increasingly important role in companies in the coming months or years and contribute to the responsible use of data.
We leave you with this thought: It’s only a matter of time before the next concrete data misuse in the style and scope of Cambridge Analytica. Probably only then will the market concentrate sufficiently on data protection.