Data brokers – companies that trade in our personal data – are not something many people know much about and the very notion tends to arouse some sinister fantasies in our minds. However, in this ubiquitous digital era, it is important to grasp the economic, social and human implications of this flourishing business.

Data brokers: it’s time to lay down some effective rules

Cyberspace is now the second dimension of the public space, where every day millions of units of data are left behind by online channel users, and has therefore become a major political and business issue. Cyberspace has brought about a renewal of individual liberty, by enabling people to break out of traditional frameworks, but it is also the focus of widespread surveillance. The growing digitisation of individual identities, objects, and also social and commercial relations is creating a world where everyone leaves traces online, providing masses of data which, when shared on the networks, act as the beating heart of our 2.0 society. The data is the trace, the information footprint left on the Internet and on your smartphone by an array of technologies, which capture, transform, store and transmit them. Nowadays these vast quantities of data are driving a great deal of economic activity. Big Data and Analytics and Smart City services are now sectors in their own right. User data can be described as the raw material for Industrial Revolution 3.0 which is now expanding and taking shape and there is a battle on to obtain a greater share of it. Consequently, the personal data market has really taken off.

In the online era, the real world is distilled into digital data, providing a mine of information that is exchanged over increasingly complex networks. When people talk about ‘the personal data economy’, what they really have in mind is a business model for monetising resources that are intrinsically free, within an entirely new ecosystem. This new economy, based on the Internet and communication networks in cyberspace, is all about turning the role of information intermediary into a thriving business. The Internet giants, notably Google and Facebook, were of course the first to carve their slice of the Big Data economy by playing this intermediary role, positioning themselves as online service providers so as to capture the personal data left behind during a free exchange between two parties. Whenever you share a ‘like’ on a brand’s Facebook page, you are providing straight-from-the-horse’s-mouth information on your own shopping preferences. The same goes for your searches on Google.

For some time however, in parallel and in partnership with these tech giants, a new form of specialist intermediary company has been on the rise, whose business consists of gathering or buying up as much personal data as possible and re-selling it for profit. Such speculation with basic raw material has become rather lucrative. The latest report from American market research, analysis and advisory firm, International Data Corporation (IDC) forecasts that worldwide turnover from Big Data business will amount to over $187 billion by 2019, i.e. an increase of over 50% on 2015, when turnover totalled $122 billion. Meanwhile Wikibon – a community of practitioners and consultants on technology and business systems that uses open source sharing of free advisory knowledge – talks about an annual growth rate of close to 14.4% for the Big Data sector.

With the exponential growth of this new business, new players are appearing – some still in the shadows, others coming into the spotlight – with a determination to benefit from these juicy opportunities. So, should we be wary of data brokers? Are they entitled to use all our personal data? And what new businesses and opportunities are developing as a result of their activities?

Notre-identite-numerique-laisse-des-traces

Who are the data brokers?

Data brokers usually work in the shadows, hardly ever appear in the media, and so arouse all kinds of fantasies. As far as the general public is concerned, they are the sharks in the Big Data ocean, silent phantoms sliding through the darkness to hoover up our personal data in huge quantities. These people are thought to be hackers working for large, non-transparent companies: two good reasons for the general public to distrust them. While this picture might not be so far from reality, it is certainly high time for some light to be shed on their status and their business so that everyone can grasp just who these data hunters really are.

Like the Gold Rush miners of old and the more recent oil explorers, the data hunters are in search of the valuable resource that such information represents today. They include the large intermediation platforms plus also new firms – known as data brokers – that capture data left behind by Internet users, cross-reference, analyse and resell it to all kinds of companies, organisations and even individuals, who make use of it to target their customers with products and services highly suited to their needs, wants or habits.

This constitutes a third level in data capture.  It is widely known that if a Facebook user declares a fondness for natural yoghurt on his/her Fb page, the platform will capture this data and may then send the user an ad for a product likely to appeal. However, Facebook may also sell the information onto a data broker such as Denver, Colorado-based Datalogix, which also tracks such flows as bank transactions transiting through online shopping sites or at bricks-and-mortar stores. The data thus gathered and packaged is then sold to commercial firms. Moreover, intermediaries such as Facebook and Google may also purchase such data to help them target advertising. The data ecosystem therefore encompasses intermediation platforms, data brokers and other private or public sector clients.

However, unlike the intermediation platforms, data brokers do not provide any direct service to site users. Whereas Facebook provides a social network service, from which it subsequently extracts data, most of the brokers are data marketing specialists who simply extract raw data from sites without offering any service in return. And they do not only trade in data; they also sell commercial firms comprehensive analyses obtained by cross-referencing data that they have gathered upstream. Analysis products appear in the form of reports and rankings, geolocation benchmarks and targeted graphics which point up the quantitative trends in different markets.

Of course, there are plenty of business consultancy companies that collect quantitative data and draw up detailed reports on trends or consumer views. Like data brokers they work upstream on data processing, aiming to advise their clients on current market status and market trends. But there are two basic aspects that distinguish the two types of company. Firstly, expertise. Consulting firms base their work on surveys; they carry out comprehensive polls to sound out public opinion and try to spot the latest trends from different strata of society by combining on-the-ground investigation with thorough quantitative and qualitative analysis. By contrast data brokers are more akin to merchants, suppliers. They buy and gather data, often selling it on to their clients just as it is. The second major difference is all about consent. Whereas respondents canvassed by traditional survey specialists have to agree to provide answers, the data brokers’ approach is somewhat murkier: website and platform users are very rarely asked to give their consent for the use of their data. Data brokers mostly work hand-in-hand with platforms, such as – to give a fairly recent striking example – Facebook, in order to gather data in an indirect way that most often escapes the user’s notice. You have to actually read the site’s General Terms and Conditions of Use – which most people find too off-putting to bother with – to discover that you are deemed to have given your consent for such uses of your personal details.

Unsurprisingly, the first data brokers were established in the United States. One of the most influential is Acxiom, a Little Rock, Arkansas-based firm that provides data and statistics to marketing and fraud detection firms. According to the US Federal Trade Commission, Acxiom possesses around 700 million units of data on consumers worldwide, enabling the firm to turn over business worth close to $850 million in 2016. The company also works outside the United States; its subsidiary Acxiom Europe works right across the Old Continent. For instance, the CEO says that Acxiom Europe “has collected up to 600 pieces of data per household from 6 million French homes.”Les différences de traitement des données

From Big Data to ‘smart data’: monetising information

So how can the data be monetised? It may seem far from obvious how to extract value from something that is insubstantial and appears to be freely available at no cost. However, it is all a question of how the data is used to feed the algorithms created by marketing tech specialists. Today the usefulness of such data lies mainly in the precise behavioural information it can provide and/or how it can be used to influence people’s decisions. Its value comes from deep analysis and cross-referencing of the information to point up strategic opportunities for retailers, brands and other commercial companies.

So we are seeing the broad concept of Big Data giving way to the more precise notion of ‘smart data’ – shifting from gathering huge amounts of user data to feed into large scale quantitative analyses towards focusing hard on data that is useful to the client in targeting consumers. Both concepts are based on data mining, but the methodology differs. The exponential growth in the market for Big Data has led to difficulties with overabundance of data. Refocusing on a ‘smart data’ approach can do away with the need to gather such huge masses of data. And the more pertinent the data, the greater its value. Quite simply, not all data has the same value, a realisation which might eventually undermine the current data-broker business.

Data brokers do not always process the data themselves; they generally sell it ‘by weight’ to clients who arrange for their own processing. However, they still have a firm hold on the data market and it remains a huge source of profit. In their book entitled ‘Datanomics, les nouveaux business models des données’ (Datanomics, the new data business models), Louis-David Benyayer and Simon Chignard explain the three different categories of value arising from basic, unprocessed data. First there is the ‘trade value’ – i.e. the value of data in relation to supply and demand; secondly, the ‘leverage value’, which arises from aggregating the data in a manner which increases its value; and thirdly the ‘strategic asset value’ which has to do with the expertise required to extract useful data. This book seems to firmly quash any ideas that such data is freely available and has no value and also to refute the argument that, with the emergence of smart data, the data brokerage business is likely to shrink considerably. The future is therefore far from clear, but data brokers will have to re-think their market and see where their growth prospects lie. What confers value on an isolated piece of data is basically the networks and the business environment linked to it. In short, data is nothing without a particular market. Hence data broking specialists help to perpetuate and boost the value of all our data by ensuring that the data market has depth and breadth. The trade in data still seems to have a bright future, as it helps to meet the demands of our insatiable society, as data – from connected objects to the Smart City – becomes an indispensable factor for growth and prosperity.

L'identité numérique, le sacré coeur de notre moi virtuel

Control of our personal data: a human rights question

We should not however forget that the user of the device, site or platform is central to this business as s/he is the main source of the data in question. So the fundamental issue of its value should not be studied only through the lens of business. Such data basically carries a highly personal value which is actually priceless because all data left behind by the user, assembled into a whole, forms what we may call his/her digital identity. This ‘substitute persona’ only applies in cyberspace, identifying the user and enabling the system to create a more or less informed profile of his/her personality and preferences – which is of course exactly what data brokers are looking for. And looking at it this way, what these companies are in fact doing – in addition to broking and trading raw data – is trying to capture, categorise and sell our digital identities. This is precisely why we need to ask whether such information should be seen as private or public, personal or shared, with a view to perhaps setting up effective data protection systems. If you are your data, then protection of this data is clearly part of your human rights.

So what is it that makes a piece of data private? And even if it is your personal data, does that mean it actually belongs to you? In an article entitled Economie des données personnelles et de la vie privée, (‘The Personal and Private Data Economy’) Fabrice Rochelandet, a Professor at the University of Paris Sorbonne Nouvelle, offers a classification of data posted on the web which is based on an overall distinction between ‘objective’ data and ‘subjective’ data. This classification helps us to understand what it is that makes data ‘personal’ – in the most fundamental sense of the word. Objective data covers all identification and contact details, information for reporting purposes, plus socio-demographic, legal and financial data. The term ‘subjective data’ on the other hand is used to cover a person’s preferences and interests, religious or political affiliation, plus behavioural data and geographical and relationship data. Any data becomes ‘personal’ when it enables a person to be identified within a given social grouping. This is clearly the case with objective data but is also the case with subjective data that serves to establish an excessively personal profile or cross-references with objective data in such a way that a single individual can be clearly identified.  At that point, the data will come under privacy rules and be entitled to the relevant protection.

This is the position of the France’s National Commission on Informatics and Liberty (CNIL), taking a strict interpretation of Article 2 of the French law on ‘Internet and Liberty’, which states [L’Atelier translation]: ’Personal data means all information about a physical person who is identified, or who can be identified, directly or indirectly, by reference to an identification number or to one or several pieces of information that are proper to him/her. In order to determine whether a person is identifiable, all the means enabling him/her to be identified which the person responsible for processing the data or any other person has at their disposal, or to which they can obtain access, must be taken into account’.

This means that the law requires compliance with the five basic principles pertaining to personal data, i.e. the user must agree to the gathering and processing of the data; the purpose of such gathering and processing must be in line with the rights and freedoms of persons; and these procedures must be a) necessary, b) proportional and c) secure. In drawing up its recommendations on this subject, the CNIL is thus paying due regard to individual freedoms and privacy rights. Nevertheless, given the burgeoning market for data, its growth potential and possible repercussions on users, it now seems absolutely necessary to regulate the data market and ensure adequate governance models.

Voices are now being raised along these lines. In Europe, various public bodies have been keeping a close eye on compliance with rights and freedoms in this field and in 2016 the European Union legislative institutions passed a General Data Protection Regulation, whose provisions are due to come into force in 2018.

There is as yet no similar legislation in the United States, where the most powerful data brokerage firms are based. However, NGOs such as Electronic Frontier FoundationAmnesty InternationalColor of Change and the Center for Democracy and Technology have joined forces in calling data brokers to task on the privacy and data ownership issue, arguing that data governance needs to be transparent and above all to comply with human rights. At a time when the Trump Administration has been trying to ban Muslims from entering the United States, these NGOs have called on data brokers to take a stand against government surveillance and make the following formal pledge: “We will not allow our data, or services, to be purchased or otherwise used in ways that could lead to violations of the human rights of Muslims or immigrants in the United States. If we cannot guarantee that our data, or services, will not ultimately be used for such purposes, we will refuse to provide them.”

This uncompromising appeal is directed in the first instance against President Trump’s discriminatory policies. However, it clearly highlights the very real risks arising from the data processing business and underlines the primordial responsibility of the data brokers in this regard. This is why it is now vital to regulate the data market, to specify companies’ responsibilities, and to reverse the tendency towards data misuse. We should be enabling people to draw benefit from the data rather than ‘selling people’ for profit. Protecting our data basically means ensuring due respect for our digital selves.

By Théo Roux
Journaliste