One of the key issues facing societies in the 2020s is data privacy, and more importantly whose needs will data privacy regulations explicitly focus on. Even in countries without such regulations, their cultures and societal norms will implicitly shape data privacy considerations. In this blog I examine the three primary stakeholders of data privacy strategies: Individuals, corporations/businesses, and states/nations.
The following figure summarizes the needs of these three different stakeholders. Notice how they are both interrelated and potentially at odds with one another. The implication is that trade-offs need to be made. Furthermore, each society will make a unique set of trade-offs that that makes sense for them, and will likely evolve those trade-offs over time as their situation evolves. Let’s examine the needs of each stakeholder group one at a time.
Corporate-Dominated Data Privacy
Let’s start by examining the scenario where the needs of businesses are prioritized over those of individuals or nations. This occurs in societies where capitalism and the belief that the marketplace will find the best solutions tends to prevail. Notice that the needs of individuals and the state are still taken into consideration, but that they are dominated by business/corporate needs.
As the figure above suggests, there are several potential challenges that we need to consider when the needs of corporations dominate data privacy trade-offs:
- Competitiveness. Do the dominant players in a market segment exist because of their technological advantages, rather than the quality of their offerings? In other words, there is the potential for organizations to use the horde of data about their customers to their advantage and often to the disadvantage of their competitors.
- Targeting. The more data that an organization has about their customers, or potential customers, the easier it becomes for them to target offerings to individuals. This can be both good and bad, good in that people’s time isn’t wasted with irrelevant pitches and bad in that people may have become motivated to buy things they don’t need or to miss out on things that they do need but weren’t put in front of them.
- National security. There is the potential for national security to be undermine by bad actor organizations that put their own needs first, or through profit seeking put national interests second to their own.
- Societal well being. Not all societal needs may be met via profit-seeking businesses, either through limiting services to those who can afford them or not providing non-profitable offerings at all.
- Individual well being. In their quest for profits, corporations may choose to capture and then use data to their own benefit over that of the individuals involved.
State-Dominated Data Privacy
Now let’s examine the scenario where the needs of the state are prioritized over those of individuals or corporations. This occurs in societies where either the ruling class has wrested too much power over their citizenry or where there is a clear existential threat. Examples of the former include Russia and China and of the latter Israel.
As the figure above suggests, there are several potential challenges that we need to consider when the needs of the state dominate data privacy trade-offs:
- National security. A common refrain for state-dominated strategies is the need to support national security. But when it comes to individual data privacy rights in some situations, have the citizens become the enemy?
- Governance. There is certainly significant opportunity to improve a nation’s governance strategy through comprehensive data access, as Latvia has certainly shown (while remaining protecting individuals rights via GDPR compliance). However, it is possible for governance to be detrimental to individual right as we’re seeing in China with their heavy-handed application of personal data (more on this below).
- Societal well being. Is the state using their comprehensive data for the good of their people, or against the people?
- State corporations. Are corporations controlled, and even owned, by the state? Is the data captured by these corporations fed to the state to support monitoring and control of the citizenry?
- Individual well being. Does the state provide better services to its citizens as the result of the comprehensive data that it collects? Or is the data used to promote the perpetuation of the current ruling class?
Individual-Dominated Data Privacy
Finally, let’s examine the scenario where the needs of individuals are prioritized over those of states or corporations. This occurs in open societies where the equality and well being of individuals are important aspects of the culture.
As the figure above suggests, there are several potential challenges that we need to consider when the needs of individuals dominate data privacy trade-offs:
- Individual safety. Are mechanisms in place to ensure that individuals can control access to their personal data?
- Individual well-being. Is it still possible for the state, and perhaps corporations, to provide effectively tailored offerings to people?
- Competitiveness. Are businesses being hampered in their ability to compete against foreign rivals, while still respecting individual privacy?
- National security. Is data appropriately accessible to ensure national security without it being used inappropriately against the citizenry?
- Good governance. Is the state still able to govern effectively? Can it provide tailored services to people while maintaining individual privacy?
- Societal well-being. Are people being protected from digital abuse by state and corporate entities, yet still being positively served by them?
Making Trade-Offs in Practice
Luckily, and I use that word loosely, we can see these trade-offs being made today in different societies:
- Corporate-dominated data privacy. Currently the best example of this is the United States (US). Granted, the American reality isn’t as extreme as what is depicted in the corporate dominated figure earlier but the lack of data privacy regulations tends to favour businesses in that country. This has arguably enabled US technology firms to thrive in the US, thereby building a foundation from which to compete globally. However, this is quickly changing with regulatory initiatives in California and at the federal level, indicating the potential for a greater focus on protecting individual data privacy.
- State-dominated data privacy. China provides a fascinating, and horrifying, glimpse at a state-dominated strategy. People are tracked by the government via their mobile phones, their online activities reported by Chinese technology firms, and benefits and sometimes punishments levied by the government based on the data gathered via these strategies. This enables the Chinese government to control the populace and arguably develop economic and societal infrastructure for the people, albeit at a cost of reduced individual freedom for those outside the ruling class.
- Individual-dominated data privacy. The best example of this is the European Union (EU) given its General Data Protection Regulation (GDPR) strategy (and yes, Canada is currently working on something very similar that will hopefully be released in 2023).
My hope is that societies will choose to favour an individual-dominated approach to data privacy. I recognize that not all societies will make this decision, however, and as a result I hope that those societies don’t stray too far from protecting the data privacy of their people.