In 2017 Vodafone presented the Municipality of Florence with a data analytics study based on mobile phone data, revealing several interesting (and occasionally startling) facts about population flows through the city’s centre: how many people commuted there daily and from where, who stayed overnight, where the tourists came from.
No issue about privacy here, we were told, because they were only using aggregated and hence anonymous data. Let us set aside the substantial debate as to whether complete anonymization is in fact possible and consider the following question: are aggregate data harmless?
Why do we believe that being placed under 24-hour surveillance, unbeknownst to us, and studied as a group exposes us to less risk as individuals than being studied singly?
Let us consider this scenario: there is a major political demonstration in the centre of our city. The following day, a local telecoms operator publishes the areas from which participants in the protest came. Are you feeling a little more uncomfortable now? And did you really agree to this use of your data when you bought your SIM card?
Data protection in Europe has too narrow a definition of personal data and has been structured in such a way as to bury companies in bureaucracy without giving real power to citizens to make informed decisions about data release. In many contexts, it is not clear to most people how their data can be used and how they are actually used.
What is the point of receiving periodic alerts from the major social media platforms that their terms have changed and that you need to agree to them to carry on using the service, if you don’t understand what those terms really say?
Most critics concentrate on the length of the documents. I contend that we do not understand their contents. GDPR requires anyone who wants to handle your data to provide a concise, intelligible explanation, in plain language, of what they will do with it. But we are way beyond protection against the unauthorised disclosure of your telephone number to an advertiser or call centre. Techniques and uses of data are complex, technical, highly sophisticated and extremely boring to read when translated into procedural gibberish.
Yesterday, residents in Lombardy received a text message on their mobile phones from the regional authorities inviting them to download AllertaLOM, an app presented as a Covid contagion-mapping exercise. Its data information sheet may be clear and concise, but it still leaves the reader none the wiser as to what exactly will be done with the data, which, we are told, “will not be subject to an entirely automated decision making process”. Do you understand what this means? We may have the truth and nothing but the truth here, but we do not have the whole truth. If we did, there would have been no reason to drag Mark Zuckerberg to Washington in the fallout from the Cambridge Analytica scandal. We do not understand and, as such, cannot make an informed decision.
Covid has not just killed thousands of people; it has also killed most of the critical voices on the boundless use of big data, mass surveillance and their impact on personal liberty. Immuni, the contact-tracing app chosen by the Italian government, goes a very long way towards limiting data collection and protecting anonymity. But this did not stop the very same government from using the data Facebook volunteered to map its citizens’ movements. I had not realised I had subscribed to this.
I am not advocating that we renounce the use of technology or advances in data science. We need to rethink the structure of our data protection and find better ways to increase transparency on data usage. A two-minute video on how a supermarket beacon works is a much more straightforward way of explaining to a customer what is happening to their data than the technical description required by GDPR.
Transparency is key, but it still leaves open the second problem posed by aggregate data: their very premise. To get mass data you must have mass surveillance. Size matters. The data Facebook sent the Italian government allowed it to map the movements of a large enough proportion of the entire country’s population to draw policy conclusions.
Just before the pandemic hit us, antitrust authorities were taking a fresh look at the data giants. Let the emergency and its pressures not stop this process, and let it be clear that no regulation on the use of data can be complete if it does not consider the amounts of data involved. Why the local corner shop is subject to the same rules on the use of personal data as Facebook remains a mystery to me.
Data collection, data use, transparency and the individual’s right to choose what happens to their data, whether anonymous, pseudonymous or otherwise, need urgent review. We are told that when the pandemic is over we will need to build a new world. Whatever happens, data will remain central to the future that comes. Let us take this opportunity of reshaping Europe’s future as the occasion for a profound rethinking of our data regulations.
This article by Marianna Vintiadis was first published in Italy in Gli Stati Generali.