From Data Subjects to Data Sovereigns: Addressing the Limits of Data Privacy in the Digital Era

Abstract

Self-sovereignty is a curious, but crucial, concept. Sovereignty alone often signifies the assertion of control and jurisdiction by the state. The sovereign is the one who decides, holding the power of the captain of the ship in Plato’s metaphor. Compounded with data, the conception of data sovereignty opens up the digital information frontier for conquer. The fight is still about who has and who can exercise control. Nation states remains to be the prime player, asserting long-arm jurisdiction over cross-border data flows. Meanwhile, there is growing awareness for individuals to retain meaningful control over their personal data, leading to a turn to the concept of self-sovereignty in the digital age.

The self is supposed to be at the center-stage endeavoring to exercise control over one’s personal data against surveillance not only by the state, but also against exploitation by commercial giants. For a long while, the self is used to be protected under the orthodox personal data protection framework. Consent should be sought so that individuals can authorize and exercise control over the collection, use, and processing of their personal data, including access, correction and deletion of data. However, facing a deluge of data armed with big data and artificial intelligence (AI) technologies, the ability of individuals to rule over their data has almost vanished. Individuals have diminished into powerless objects when identities can be easily discovered even through anonymized data, inferences about them can be drawn by AI technologies, and profile can be built from their online and offline daily lives. In light of such, issues of consent and control of individuals fade away in the legal debate in the use of data driven technologies.

This article asks why the traditional data privacy protection framework is inadequate in the modern age. It points out, first of all, that the current protection which depends on the concept of personal data is unable to guard against the erosion of data privacy in the digital age. Second, protection based on the need to obtain consent under the terms of services gives only a false sense of control and security to the data subjects. Third, individuals can hardly exercise meaningful control over their own data in the fast evolving data ecosystem. Instead, the author argues that data self-sovereignty, understood as the empowerment of the self to have effective and meaningful control over one’s data, should complement the current framework of data privacy protection. The COVID-19 pandemic, which has hit the world since 2020, has accelerated the reflection on the need and strengthened the call for self-sovereignty. Through expanding the scope and means of control, we reclaim sovereignty over our data, and more importantly, our personal beings.