It is not difficult to find some dominant positions in the current discussions related to privacy regulation (just to mention a few examples: prior authorization of the owner to collect and circulate its own data; the limited scope to obtain and use private data; and the right to obtain your own information recorded in third-party databases). It is absolutely understandable that each one of us defends the existence of privacy of personal data and the definition of clear criteria and rules for its use. But what is not much subject to discussion is how insufficient and ineffective these rules are.
We all know it is impossible to control the flow of personal data circulating on the Internet. The famous statement from Scott McNealy – “You have zero privacy anyway. Get over it” – said in 1999, increasingly reveals the only certainty we have about what happens to the information generated on a network, or by third parties who observe our behavior. The problem is not the fact itself, but on how we are unable to deal with it. We have the illusion that the laws and the courts can organize the behavior of collection and use of information, imagining an “acceptable” level of legal certainty.
Under civil law, this alleged right to control personal data arises from the belief that they are understood and regulated by the right of personality, the one which protects the right to a name, the body, honor, silence, among many others, and which is recognized in many countries for a long time, even before the existence of computers or the Internet. I have nothing against the protection of personal data under the right of personality and I believe it is fair and right that each of us controls what refers to our own personality. The problem is that it simply does not provide the legal certainty necessary to deal with this issue, not only for the people who provide, but also for third parties that use data and information lawfully obtained.
The focal point of this insecurity is located mainly on concerns that the data will be “improperly” used to sell products or services. After all, you are not the only one surprised to find a banner of that airline you just saw in a webpage, offering deals that fit exactly in your search. But the use of personal information circulating on the network has not and will not have just this purpose. The generation of data is exponentially increased from the sharp connection of devices that interact with other machines and humans: the so-called Internet of Things.
It is estimated that in 2020 we will have more than 50 billion connected devices interacting with each other through the Internet. With this incredible generation of data, it will be possible to find more appropriate and efficient solutions for the operation of machinery and equipment. The space in this column is not enough to say what it means, but we can mention some examples: increased safety and reduced time in air travels; efficient use of energy tied to specific demands; precision on surgeries, less invasive and with a higher success rate, among others that show the emergence of a new and unknown world. To make this possible, more and more data will be collected and used. And, not unlike the current situation, the previous control of this flow of information will be absolutely impossible.
What makes sense in this discussion is what types of data should remain under the right of personality and what types of data should be considered as common use or access, or public utility. By this I mean that we cannot treat equally the protection of the name, gender, religious option and address (personal data that reveal much about myself and my personality) of those data collected when someone enters the emergency room of a hospital, such as the type of illness, how long the bed was used, what medicines were chosen, among others. Once the anonymity of such information is observed, such data analysis and use is important for a better hospital service. But it is so hard to disagree with these statements as accepting that we should not restrict the use of the data generated to contribute to a better world that can reverse positively to our own wellbeing.
This is not to trivialize the discussion as if the summary of the arguments would be the choice of the famous systems “op-in” or “opt-out”. But I believe it is the more efficient to regulate the collection and use of personal data with a less pronounced focus on prior authorization and a stronger focus on the responsibilities and applicable penalties in the event of a personal or a collective damage. It is better to work in regulatory frameworks that indicate clearly the responsibilities of each one in this process (individuals, businesses and government) and the consequences of misuse, than to continue to work for a false security in the previous control of personal data, as if the simple right to own a data is sufficient to ensure the best regulation on this issue. After all, in the real world, this control does not exist (you should try to overcome it…).