What You Should Know about the Data Supply Chain
Privacy Plus+
Privacy, Technology and Perspective
What you should know about the data supply chain. This week, we turn from current events to focus on the data supply chain. Unlike ordinary supply chains, which focus on transferring a product or service from supplier to customer, the data supply chain runs in the opposite direction. Personal information is transferred from citizen consumers to companies far-far away. There are five points to appreciate here:
1. Once online, our personal information slips out of our control.
When we enter our personal information online, we hand it over to others in exchange for some kind of value—a useful transaction, the pleasure of sharing something with friends, “free” services, and so on. Perhaps the companies to which we entrust it will hold it responsibly and use it only as we wish and expect. Most people, we think, realize that services cannot be provided for “free” and that they may expect to be “advertised to” in the course of enjoying something that is ostensibly free. We seriously doubt most people realize that that is only a fraction – often a very small fraction – of how their data will be used, spread, and monetized.
2. Data flows from consumers to companies to subcontractors and on down.
When a consumer shares her personal information with a company online, that company (whether Big Tech or otherwise) generally subcontracts their data processing activities. Let’s take Facebook as an example. Take a look at Paragraph 2 of Facebook’s Data Processing Terms, a link to which follows: https://www.facebook.com/legal/terms/dataprocessing . In its relevant part, it authorizes Facebook to subcontract its services to other “Facebook Companies.” Now, compare Amazon Web Services, which maintain an extensive list of specific subprocessors, which is available at this link: https://aws.amazon.com/compliance/sub-processors/.
Yet even a descriptive list of subcontractors provides an incomplete picture because subcontractors themselves hire subcontractors, who also have subcontractors. And data flows down and down...
3. Within the data supply chain, privacy is illusory.
Transfer of personal information to third-parties is baked into the online ecosystem. As a result, when online, you have no meaningful choice about where your data is stored or who has access to it. You may be provided notice. You may even read it. (Be honest. Do you really have time for that?) Perhaps you understand it. (Good! Does your mother, who is not a privacy professional?) You may even consent. (After all, you do want the product or service.) But when you have no effective choice – “Here’s our policy. Take it or leave it” -- is that consent really effective? It’s certainly not meaningful. As result, privacy is illusory online.
Under both the EU’s General Data Protection Regulation (GDPR) and California’s soon-to-be-effective Consumer Privacy Act of 2018, service providers who exist as subcontractors in data supply chains must be parties to written contracts which guarantee that your data is processed in a manner consistent with the business purpose for its collection. Citizen consumers, however, are not parties to those contracts, nor is control of the data in any way tied back to the consumer. Instead, the “data controller,” which is the GDPR’s word for the entity that determines how the data will be processed, is recognized as having control, and the “data processor”—the subcontractor—is responsible for following the controller’s written orders. That is how the data supply chain is supposed to work.
4. The “data supply chain” is really a complex data supply web that compromises the security of your personal information.
The concept of a data supply chain isn’t adequate to describe the complexity of the information ecosystems associated with the internet. To many people, the word “chain” is linear, like an anchor chain that goes up or down in a line. “Chain mail” – an expansive web of links that are interconnected and overlap – is more like it. Data supply chains are more like webs because subprocessors often rely on other subprocessors, who in turn, rely on others, to process your personal information on behalf of a controller. Contracts may work well for a supply chain with a limited number of parties, but tiered and multi-party data supply webs aren’t readily secured by linear contractual commitments.
More than that, service-providers are often at high risk for data breaches. Thus, the succession of control of consumers’ personal information to a data controller creates more opportunities for that data to be compromised.
5. Right now, efforts are underway to re-envision control of data flows to third-parties.
There is a strong argument that to restore personal privacy online control of personal information needs to be reassigned to citizens—meaning you control your own personal information. Sir Tim Berners-Lee, who is credited as being the inventor of the World Wide Web, has launched a new platform called Solid, which allows users to control their data by managing and securing a data “POD.” Companies that wish to have access to the data in the PODs must design applications that run on the Solid platform. Users of the platform can then decide to grant or to revoke access to their POD to a certain company, but the data itself remains in the POD controlled by the user. You can read more about Solid by following this link: https://inrupt.com/solid .
For more about the data supply chain, you can also check out this article we wrote earlier this year: Privacy Risk in Outsourcing, Texas Lawyer (January 2019).
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.