Between the Cambridge Analytica scandal and the entry into force of the General Data Protection Regulation on 25 May, it hardly seems necessary to have a reminder of the importance of privacy. Yet this week is Choose Privacy Week, an initiative run by the American Library Association. It’s great opportunity to go beyond scare stories and (complex) legislation, and look at practical steps that individuals can take to keep their private lives private.
25 May will bring a particular new way of doing this, at least theoretically. The GDPR creates the concept of ‘Data Ownership’ – that data about you is your property, and so you should be able to decide what to do with it.
Conceptually, the idea is attractive. If Facebook has gathered information about your preferences and habits, you should be able to see it, ask Facebook to delete it, and take it to other social networks if you want. The goal – give the individual the power to decide who does what with their data, and ensure that they are getting the best deal for it.
This is already what is proposed in some places with data about electricity or water consumption. Meanwhile, some of the biggest companies have already moved to give people the possibility to look at the data collected about them, without necessarily allowing them to delete or move it (the company retains ownership). This at least allows for stronger awareness of why they are seeing what they do online.
The idea is contested.
Extending property rights to data does represent a very liberal approach, and assumes that there is both a choice (i.e. opting out of social networks), and that people are aware, skilled, and motivated to use it. More on this below.
Others have suggested that personal data should be protected along the same lines as work, given that employees may well find themselves in a position of weakness compared to an employer. It is clear that, even with the idea of data ownership, the activities of those making use of personal data will need to be policed, at least in a proportionate manner.
So how will this play out for libraries?
The Library Angle
The concept of data ownership can affect libraries in terms of the data they hold about users, personal data in the works in their collections, personal data on the wider Internet, and their broader role in helping users navigate the information environment.
- Library User Data: libraries hold data about their users, primarily in the form of lending/use records and any information associated with their library card or profile. Much of this can be personal – for example the case of a reader from a minority who borrows books on subjects of particular interest to them.
At least for those libraries with EU citizens as users, there will be the obligation to deal with requests to share or delete data. Many libraries limit risks here by deleting information after a short period of time. This is also the case in the US, where minimising data retention makes it easier to resist requests from security agencies. In those libraries that keep data for longer – for example because the works handled are rare or of a high value – there may be a case for keeping information for practical purposes.
- In the Stacks: many works in library collections – not least biographies – by their nature contain what is now classed as sensitive personal data. Libraries are, of course, not in the business of destroying reputations or violating privacy thoughtlessly – codes of ethics and good sense play an important role in whether access is given. However, there would be concern when decisions about acquisitions and collections cannot be made freely.
Fortunately, there is an exception for archiving in the European text (i.e. a library has a defence when someone objects to a book about them being added to a collection, or requests to delete information). However, this is not mandatory for all EU Member States, and there is a risk that in some places, data ownership will mean libraries have less control over the works in their own collections.
- A Right to Remember?: there is of course already one way that people can ‘take control’ of their data, even if in a limited way – the ‘right to be forgotten’. This allows people to ask for certain web-pages and articles to be removed from the results of searches for their name. IFLA itself has underlined that there are circumstances where such a provision can make sense, in particular if the information found in this way is unfair, untrue, or irrelevant.
The challenge, as already seen in a number of cases, is when this is used to cover up relevant facts (for example, the crimes of someone bidding to be a company director), or to limit the shelf-life of news and restrict the freedom of journalists to report. In its statement, IFLA underlined that decisions on delisting should be taken carefully, on a case-by-case basis, and with due regard to the importance of access to information.
- Many Careful Owners: finally, libraries have an expertise in information management, and so arguably a responsibility to help others develop this themselves. Clearly it isn’t reasonable to expect all librarians to understand in depth how data analytics work and what they can mean. But there are great resources available (such as those produced by the Data Privacy Project in the US) while go some way towards doing this.
Libraries are also already looking to deal with the issue, highlighted above, of ensuring that people are aware of the choices they have, and are motivated to use them. Knowing about the existence of encrypted messaging services, greater care in choosing privacy settings, and simply better data hygiene can all help. And there are great tools such as the Data Detox Kit already available.
Of course data ‘ownership’ takes this to the next level. Given libraries’ existing engagement, there is a logical role for them in helping people exercise their new rights. Doubtless, in the coming years, it will be possible to share some great ideas.
Nonetheless, ‘data ownership’ in itself should not be seen as an excuse to leave all of the responsibility to individuals and those that serve them. The right privacy legislation – set and implemented nationally, regionally and globally – still has an essential role to play.