1
Origins and Concepts of Data Privacy

Privacy is not something that I'm merely entitled to, it's an absolute prerequisite.

- Marlon Brando

We generate enormous amounts of personal data and give it away without caring about our privacy.

Before the wake-up alarm rings on our smartphone, our heartbeats and sleeping patterns were being recorded through the night on the embedded app on our wrist watch. We turn on our customized morning playlist on Spotify, read the headlines tailored for our interests on Apple or Google news, retweet on Twitter, upvote on Quora, register likes on WhatsApp, post a snapshot of the snow outside our window, and look up on what our friends are up to on Facebook. We then check the weather forecast and ask Alexa to order cereal from Amazon. We are ready to go to work.

Unimaginable convenience for us commoners without a royal butler feels splendid. The invisible cost is that we are under constant surveillance whenever we use these services. All our choices, actions, and activities are being recorded and stored by the seemingly free technology-driven conveniences.

When we take an Uber or Lyft to work, our location and destination are known to them from previous trips. Today's journey is also recorded, including the name of the driver and how we behaved - spilling coffee may show up on our passenger rating if the driver notices it. A smile and thank-you wave to the driver are worth five rating stars. Our choice of coffee at Starbucks may already be programmed and ready based on our past preferences. Each swipe of our credit card is imprinted into our purchase habits.

As we exit the car, a scarcely visible street camera is recording our movements and storing those records for the local city police. The recording of our actions continue as we turn on our computer at work. We read and respond to e-mails, order lunch online, attend video conference calls, and check on family and friends again. Before noon, we have generated innumerable data on our laptops, tablets, phones, and wearables - with or without our conscious cognition or permission.

Everything that we touch through the make-believe cocoon of our computer, tablet, or smartphone leaves a digital trail. Records of our actions are used as revenue sources by data-gobbling observers in the guise of learning and constant improvement. In a different era, this level of voluntary access into our daily lives would have thrilled secret service organizations.

Numerous questions are raised in this fast-evolving paradigm of convenience at no cost: Whose data is it? Who has the rights to sell it? What is the value of the information that we are generating? Can it be shared by the Data Collectors, and, if so, under what circumstances? Could it be used for surveillance, revenue generation, hacking into our accounts, or merely for eavesdropping on our conversations? And, most importantly, can it be used to influence our thinking, decisions, and buying behavior?

Concerns regarding the privacy of our data are growing with advances in technology, social networking frameworks, and societal norms. This book provides a discourse on questions surrounding individual rights and privacy of personal data. It is intended to contribute to the debate on the importance of privacy and protection of individuals' information from commercialization, theft, public disclosure, and, most importantly, its subliminal and undue influence on our decisions.

This book is organized across three areas: we first introduce the concept of data privacy, situating its underlying assumptions and challenges within a historical context; we then describe the framework and a systematic guide for the General Data Protection Regulations (GDPR) for individual businesses and organizations, including a practical guide for practitioners and unresolved questions; the third area focuses on Facebook, its abuses of personal data, corrective actions, and compliance with GDPR.

1.1 Questions and Challenges of Data Privacy

We illustrate the questions and challenges surrounding individual rights and privacy of personal data by exploring online dating and relationship-seeking apps such as match.com, eHarmony, and OK Cupid. To search for compatible relationships through these apps, users create their profiles by voluntarily providing personal information, including their name, age, gender, and location, as well as other character traits such as religious beliefs, sexual orientation, etc. These apps deploy sophisticated algorithms to run individuals' profiles to search for suitable matches for dating and compatible relationships.

Online dating apps and platforms are now a global industry with over $2 billion in revenue and an estimated 8,000 sites worldwide. These include 25 apps for mainstream users, while others cater to unique profiles, special interests, and geographic locations. The general acceptance of dating sites is significant - approximately 40% of the applicable US population use dating sites, and it is estimated that half of British singles do not ask someone for a date in person. The industry continues to evolve and grow, with around 1,000 apps and websites being launched every year in the US alone.

Most dating sites and apps do not charge a fee for creating user profiles, uploading photos, and searching for matches. The convenience of these apps to users is manifold. They can search through the universe of other relationship-seekers across numerous criteria without incurring the costs and time for the initial exchange of information through in-person meetings. More importantly, dating apps lower the probability of aspirational disappointment if there was disinterest from their dates.

1.1.1 But Cupid Turned Out to Be Not OK

In May 2016, several Danish researchers caused an outrage by publishing data on 70,000 users of the matchmaking/dating site OK Cupid. Clearly, the researchers had violated OK Cupid's terms of use. The researchers' perspective was that this information was not private to begin with. Their justification for not anonymizing the data was that users had provided it voluntarily by answering numerous questions about themselves. By registering on the dating service, the users' motivation was to be "discovered" as individuals through a selection process by application of the matching algorithm. The information was available to all other OK Cupid members. The researchers argued that it should have been apparent to the users that other relationship-seekers and thus the general public could access their information - with some effort, anyone could have guessed their identities from the OK Cupid database.

This case raises the following legal and ethical questions:

1. Were the researchers and OK Cupid within their rights to conduct research on data that would be considered as private by the users?
2. Did the researchers have the obligation to seek the consent of OK Cupid users for the use of their personal information?
3. Was it the obligation of OK Cupid to prevent the release of data for purposes other than dating?
4. If a legal judgment were to be made in favor of the users, how could the monetary damages be estimated?
5. What should a legal construct look like to prevent the use of personal data for purposes different from that which is provided by the users?
6. If users' information in the possession of and stored by OK Cupid was illegally obtained and sold or otherwise made public, who is liable?

1.2 The Conundrum of Voluntary Information

As humans, we have an innate desire to share information. At the same time, we also want to be left alone - or at least have the autonomy and control to choose when and with whom we want to share information. We may disrobe in front of medical professionals, but it would be unthinkable in any other professional situation. Similarly, we share our tax returns with our financial advisors but otherwise guard them with our lives. We share our private information personally and professionally in specific contexts and with a level of trust.

This phenomenon is not new but takes on a different dimension when our lives are inextricably intertwined with the internet, mobile phone connectivity, and social networks. With the ease of information dissemination through the internet, anyone with a computer or a mobile phone has become a virtual publisher - identifiable or anonymous. The internet provides near-complete autonomy of individual expression and effortless interactions with commercial services to bring tremendous convenience to our daily lives. At the same time, our expectations of control over our privacy have become increasingly overwhelmed by the power of commercial interests to collect our personal data, track our activities, and, most alarming, to subliminally influence our thoughts and actions. The growing power of commercial and other nefarious interests to impact our lives would have been considered dystopian not too long ago.

We generally understand that once we voluntarily share information with someone else, we lose control over how it can be used. However, two questions remain unanswered: Do we truly realize the extent to which our personal data is being monitored? What level of control and rights do we have over our personal information that is generated through our activities and involuntarily disclosed by us? As an example, mapping our driving routes to avoid traffic jams or ordering a taxicab to our location through an app on our mobile phones has become indispensable. This...