European Policy, Privacy & Data

Rethinking Privacy Self-Management and Data Sovereignty in the Age of Big Data

This paper advances the idea that the rise of large data collection and processing, also known as big data, has challenged the validity of data-protection regimes founded on ideals of individual control. With a focus on data sovereignty, it investigates concepts able to meet the requirements of big-data technologies, while also offering guidance for future policy regimes.

We begin by looking closely at the political philosophies and legal theories grounded in the rights of individuals that have shaped data-protection frameworks in the United States, the European Union and Germany. Each of these systems approaches data protection differently, yet each is premised on the concept of an individual having some control over his or her personal information. The basis for this analysis is the American perspective. The U.S. regulates data by type and sector. The focus here lies on individual consent, which many U.S. companies apply in a “take it or leave it” approach. In Germany, the processing of personal data also needs individual consent in theory, as it interferes with the right of informational self-determination. However, individual consent is only seldom obtained in practice. Instead, numerous regulations give organizations the right to engage in personal-data processing even without the explicit agreement of the individual. Nevertheless, the principle of informational self-determination grants individuals various constitutionally protected rights (for example, the right to examine, correct or delete stored personal data) which enable them to exercise control over their data. The European Union’s legal framework also bases its data-protection mechanisms on the concept of individual control, thus assigning responsibility for data management to the individual. Accordingly, principles such as transparency, purpose specification and data minimization have shaped existing legislation on both sides of the Atlantic.

More generally, big data has fundamentally upended the role of individuals in managing their personal information. Data-protection regimes have struggled to keep pace. In addition to looking at specific national or supranational philosophies, we explore big data’s impact on traditional notions of privacy management and long-standing data-protection laws. Because public trust is a crucial component in any successful data-protection regime, we consider public opinion in the United States, the European Union and Germany on the issues of big data, individual control and privacy, highlighting commonalities that exist despite historical and cultural differences. People on both sides of the Atlantic have reported a similar sense of powerlessness with regard to the control of their personal information, though there is generally less agreement on the appropriate role of regulation and regulators in the protection of such data. Americans tend to be resigned to the commercialization of their personal information, while Europeans generally react more negatively to such uses of data.

Finally, we examine possible new ways to achieve individual control in this big-data world. We investigate three complementary notions of privacy self-management that may offer a way forward in constructing modern privacy regulations, with data sovereignty playing the central role. The first concept, dealing with education and data portability, would give more responsibility to individuals, empowering as well as burdening them. However, since the empowerment of individuals alone cannot address all the challenges presented by big data, a second approach would make companies responsible for data protection in the form of voluntary industry self-regulation. This would relieve individuals of a portion of the data-management burden; however, self-regulation often fails to fully meet the standards of accountability and transparency. To account for this potential shortfall, a third concept is introduced, in which third parties would perform state-mandated impact assessments of data-management practices, advocating for users’ interests and creating greater transparency. However, while these third-party assessments could help users, there is a risk of treating users in a patronizing manner. To prevent this, users would need to engage in the education addressed in the first concept, thus enabling them to use the assessments in a self-determined manner. These collective approaches can address the challenges posed by big data. The basis for their implementation remains governmental regulation, which assigns rights to individuals, creates a dependable framework and balances power asymmetries. As regulatory systems have been stretched to their limits by the challenges of digitization, a multipronged approach of the kind advocated by this report is necessary to overcome the weaknesses inevitable in any single concept.