The protection of personal information has increasingly become a global topic of discussion and many states are in the process of revolutionising their data protection laws which regulate the manner in which private and public organisations process personal information.

25 May 2018 marked the first day of implementation of the General Data Protection Regulation (“GDPR”) in all 28 European Union (“EU”) member states, and the GDPR has unquestionably been the pace-setter for states around the globe. Although the GDPR is applicable in the EU, the regulation has gained international recognition since it applies to organisations located outside the EU if those organisations offer goods or services to, or monitor the behaviour of, EU citizens.

The need for the implementation of the privacy compliance framework provided for in the GDPR was emphasised by the discovery of the corrupt data privacy practices which came to light in the Cambridge Analytica saga. Cambridge Analytica, a data mining firm, conducted a digital personality test to develop a powerful software program which harvested millions of US voters’ Facebook profiles without their consent or awareness, and processed the information to create a psychological warfare weapon targeting those voters with personalised political propaganda. The Cambridge Analytica whistle-blower described this process as a “grossly unethical experiment” on the basis that “the psychology of an entire country, in the context of the democratic process”, was controlled by scientifically designed algorithms.

Following the scandal, the United States Senate Commerce and Judiciary Committees held a joint hearing in which Mark Zuckerberg, the founder and CEO of Facebook, testified that Facebook, allegedly mistakenly, did not take a broad enough view on its social media privacy practices and its commitment to protecting users’ information. Despite Facebook’s remorse for failing to safeguard its users’ data, the United Kingdom Information Commissioner’s Office (“ICO”) slapped Facebook with a record fine for the violation of the UK’s data protection laws. The ICO’s record fine was not purely a “warning shot” to all organisations processing personal information, but also emphasised the value of personal information and the importance of its protection.

The Cambridge Analytica saga highlights the value of Facebook users’ personal information, as demonstrated by the fact that the company spent one million dollars on harvesting the information. Does the company’s expenditure on harvesting the personal information indicate that personal data has become a digital commodity? It would appear so.

The mining of personal information is common in the data brokerage industry as data brokers remain in the shadows while they buy and sell personal information. The Dark Web remains a marketplace in which hackers trade personal information without the consent of the owners of that information. Recent articles suggest that new companies are emerging to provide platforms on which data subjects may sell their personal information for various forms of benefits. Although personal data has not been universally acknowledged as a digital commodity, there are clear signs that it is regarded as tradeable.

The GDPR and other privacy laws have provided a regulatory framework by which data subjects can recover ownership and control of their personal information, and the implementation of the reformed privacy laws has brought to an end the unprincipled manner in which tech Goliaths gather, process and disseminate personal information.

Stacey Middleton