Jump to content

Data Subjects of the World, Unite!


Recommended Posts


Lucadp/iStoc, via Getty Images Plus

The European Union’s new digital privacy law, the General Data Protection Regulation, doesn’t just protect European residents or citizens. The law covers “data subjects.”

You are a data subject. If you got an email in the last few days from an online shopping website advising you of new privacy policies that are compliant with the rule, you are likely a data subject of Europe, even if you’ve never been to Europe and don’t even have a passport.

A data subject is defined as “a natural person” inside or outside the European Union whose personal data is used by “a controller or processor”; in a curious inversion, it is individuals who are the subjects of data, not the data that is secondary to the individual.

The term started appearing in privacy regulations in the early 1980s. But it is mainly because of the internet that our digital lives have actually become de-territorialized. Our bodies can only be in one place at a time, but data can be in multiple locations at once. Digital information is split up, fragmented, multiplied and dispersed. We don’t always know where our files, emails and photos are stored; who ends up mining them for information; or how those mining them put the insights they gather to use.

What matters to regulators is whether the company collecting and processing your data is in the European Union, and, if it’s outside the union, whether it offers these services to or monitors people who are in Europe. The privacy law essentially compels companies operating globally to play by stricter European Union rules if they want to keep doing business there. It entitles us “data subjects” to move our information from one platform to another; to know how and by whom it is being used; and to contest a decision made by an algorithm, among other things. By reaching extraterritorially, regulators make it harder for companies to shop around for friendly jurisdictions to avoid these rules.

In broader terms, the regulation is an attempt to make sense of newly complex and decentralized relationships among individuals, their data, the state and the private sector that have emerged under globalization.

These are relationships we negotiate and renegotiate every day.

The artist James Bridle explores this process in Citizen Ex, a browser extension that uses the domains of the websites visited by people using the browser to determine where they appear to be “from.” Online, individuals “pass through time, space and law”; reduced to their browsing activities, they appear as “a collection of data extending across many nations, with a different citizenship and different rights in every place.” The tool can yield surprising results. I consider myself a citizen of the world, but lately, my browsing habits have been embarrassingly provincial: Although I’m not a United States citizen, I appear overwhelmingly American, with a smattering of Singapore, Ireland, France and Germany.

Mr. Bridle’s term for this form of belonging is “algorithmic citizenship”: a decentralized and fragmented status. It can be split “into an infinite number of sub-citizenships,” and it can “produce combinations of affiliations to different states.”

The digital privacy law’s “data subject” gets at the same idea, by tethering what’s done with our data to places on earth. The law doesn’t draw borders around the data itself, or indeed around us; it acknowledges that on the internet, individuals and their data travel all over. Under the new law, you can be a citizen of the United States, a resident of Japan and a European “data subject” at the same time.

And this time, the borders are being drawn around corporations. The law’s extraterritorial reach ensures that corporations can’t weasel their way out. Like so many laws, this one is meant to provide some protections to vulnerable populations from those who wield a lot of power. In the digital world, the power rests with a small handful of multinational leviathans; all of us are vulnerable, and we can be exploited without even knowing it. The new privacy law acknowledges the dangerous power of these companies while attempting to return some personal sovereignty to their clients, the people.

We should all start thinking of ourselves not just as clients of a company, residents of a state or citizens of a country, but also as data subjects of the world. Data is currency; creating and holding it is power. This power has gone to Google, Facebook, Amazon and the other neo-feudal masters that use it to their advantage, not ours.

If it takes a European Union bureaucrat’s definition of “data subject” to help us wrest back some of that power, I’m O.K. with that, because what’s done to us should be a matter of fundamental rights, whether online or in real life. Technological innovations should be for the good of the world, not just the market. To cite one of the law’s more touching lines: “The processing of personal data should be designed to serve mankind.”

< Here >

Link to comment
Share on other sites

  • Replies 0
  • Views 220
  • Created
  • Last Reply


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...