What if I tell you that your personal data is worth as much as gold? What if I tell you that
Droit du Numérique/Université
Paris 1 Panthéon Sorbonne
your personal data is the new oil? Did you ever question yourself on why services proposed by Google, Facebook, YouTube, Instagram or Snapchat are free? Because they are kind-hearted? Surely not. As any private firm, they are huge money-making machines. In exchange of what they call ‘free services’, they collect your personal data to sell it afterwards to other businesses after processing it.
As explained by Tim Berners Lee “The current business model for many websites offers free content in exchange for personal data. Many of us agree to this – albeit often by accepting long and confusing terms and conditions documents – but fundamentally we do not mind some information being collected in exchange for free services. But, we’re missing a trick. As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise if we had direct control over this data, and chose when and with whom to share it.” (1)
According to the Boston Consulting Group, the value created through personal data can be massive: “€1 trillion in Europe by 2020, or roughly 8 percent of the combined GDP of the EU-27. For European businesses and governments, the use of personal data will deliver an annual benefit of €330 billion by 2020—bringing growth to an otherwise stagnant economy” (2).
But what is personal data?
To be succinct, it may be defined as any information relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data, an online identifier or to one or more factors specific to the physical, physiological or social identity of that person. Most importantly, your personal data is often classified as « une composante de la vie privée ».
Why should you care for your personal data?
As many Mauritian citizens you are on Facebook. You may even be reading this article via Facebook. As everyone else, you post things on your personal life, share music or food videos and like all sort of kind of pages depending on your sexual preference, religious belief or political opinion. These simple actions may seem trivial to you but these little actions have changed the essence of your right to privacy, freedom of expression and freedom of movement. By posting, sharing and liking you are opening up and sharing highly sensible and private data like your sexual orientation, location, political and religious philosophies or even your state of health to firms like Facebook. Hence, every step you take, every move you make is analysed, stored and then sold to other firms.
To exemplify how your personal data is useful to firms and why it is very important have a better control, let’s say that Mr. X is currently using 3 simple mobile applications: (i) a sleeping app so as to help him to perfectly monitor his sleeping hours, (ii) a food app to have a proper balanced diet and (iii) a running app so as to track distance, speed and fitness goals. If for Mr. X these applications just help him to remain in good shape, the data generated by these mobile apps is worth gold to Insurance Companies. By processing the data generated by these 3 applications they would be able to know the exact number of hours that Mr. X has slept last month, the kind of food eaten and the average number of kilometres run by him to know if Mr. X is healthy or not. Hence, such data will be of vital importance to Insurance Companies as they will be able to adapt and develop tailor-made insurance premiums to such an extent that should Mr. X be unhealthy, poor eating habits, no sports and very few hours of sleep, he may see his premium increase.
Data Protection in Mauritius
In Mauritius, your personal data is “lightly” protected by the Data Protection Act of 2004. During the last budget speech, the Government proposed to amend the above-mentioned Act by taking as precedent the EU General Data Protection Regulation entering into force on the 25th May 2018. Consequently, a Data Protection Bill was proposed to the Parliament on the 5th of December 2017. (3)[Ref: Budget speech 2017-2018, Rising to the challenge of our ambitions].
Like the EU Data Protection Regulation, the new Data Protection Bill purports to “strengthen the control and personal autonomy of data subjects over their personal data, thereby contributing to respect for their human rights and fundamental freedoms, in particular their right to privacy”. Hence, one should understand that the ratio legis or raison d’être of this bill is to enhance people’s self-determination right on their data. (4) [Ref: Data Protection Bill, Explanatory Memorandum and Hansard No. 29 of 2017- 8 December 2017].
To enhance people’s rights, the new Data Protection Act recognises the following rights (i) a right of access, that is, the right to ask for instance to Google what type of personal data is being processed, (ii) Right of information, that is, the right to know why your data is being processed or to whom these data have been communicated, (iii) a right to object, that is the right to request to your supermarket to stop the processing of your personal data and (iv) a right to request the rectification, the deletion, and the restriction of processing, when you change for instance your residential address and moving out elsewhere to such an extent that your personal data is no more relevant. (5) [Ref: Articles 37,39,40 of the Data Protection Bill].
If for long years Mauritian citizens have been deprived from basic rights when talking about Data Protection, this bill deserves some credit for aligning our legislation on this particular matter with the European model where data protection is considered as a fundamental right. However, we should not stop there.
With the Smart City project, the civil data project and the digitalisation of Mauritius in general, more and more personal data will be generated, collected, processed and stored. Naturally, many businesses will make huge amounts of profits from these personal data. By taking into account the particular stand of the Supreme Court in Madhewoo M. v The State of Mauritius and Anor 2015 SCJ 177 regarding the right to privacy in Mauritius and the “datafication” of the Island which shall be viewed as a new revolution, it is of utmost importance that the right to data protection is recognised in our Constitution later on.
As rightly said by Mrs. Christiane Féral-Schul and Mr. Christian Paul «toute révolution industrielle appelle un nouvel âge démocratique » (6). Everyone should have the chance to be part of this technological revolution but most importantly, it must not be forgotten that technology must serve human first and in an equal manner. The core essence of our right to privacy is at stake here. So, let there be hope.
…..
References
1) Tim Berners-Lee: I invented the web. Here are three things we need to change to save it, available on https://www.theguardian.com/technology/2017/mar/11/tim-berners-lee-web-inventor-save-internet
2) Boston Consulting Group, The Value of our Digital Identity, available on: https://www.bcgperspectives.com/content/articles/digital_economy_consumer_insight_value_of_our_digital_identity/
3) [Ref: Budget speech 2017-2018, Rising to the challenge of our ambitions]
(4) [Ref: Data Protection Bill, Explanatory Memorandum and Hansard No. 29 of 2017- 8 December 2017].
(5) [Ref: Articles 37,39,40 of the Data Protection Bill].
6) Commission de réflexion et de propositions sur le droit et les libertés à l’âge numérique, Le droit et les libertés à l’âge du numérique, available on http://www.assemblee-nationale.fr/14/rapports/r3119.asp