When a journalist approached me to help her get a copy of her personal data from Tinder, I knew this would be a good story. Judith Duportail had read my work researching the use of psychometrics during the US elections and the Brexit referendum. Duportail knew that Tinder computes a “desirability score” for their users: Tinder’s CEO had told another journalist their score, emphasising how complex and advanced its algorithm supposedly was. Curiosity piqued, Duportail wondered whether Tinder would tell her, or any other user who asked, their score, and how it was computed.
Any European company has in theory the obligation to disclose the personal data it holds about any individual who asks them Companies even have to disclose the “logic of the processing” of that data.
These rights can be very powerful tools for the democratic and distributed oversight of the data economy, but they have unfortunately fallen into misuse. That’s partly by design: who has the illusion they still have some power in a relationship, when they are reduced to clicking a box at the bottom of dozens of pages of a “privacy policy”?
Even though those rights do exist, due to many different national laws and lots of gaps in the regulatory framework, enforcement is very difficult. Despite complaining to two data protection authorities, enrolling the help of a human rights lawyer, my sourcing of information with Norwegian consumer advocates, and many conversations with Tinder, Duportail never got her desirability score. The Dallas-based company is, at least for now, untouchable from a legal standpoint: in most cases, a European citizen simply has no meaningful access to scores computed about them in the US.
Instead Duportail eventually got some of the rest of her data, but only on a voluntary basis, and only after she identified herself as a journalist. Her non-journalist friends who followed suit never got responses to similar requests.
Finally armed with the 800 pages she had clawed back from Tinder, Duportail wrote a story reflecting on her own relationship with her data, and the myopic view Tinder had of her love life. I feel her story helps bridge the chasm between those with information stored in the database and the architects behind it, providing much needed neutral common ground to democratically discuss power distributions in the digital economy.
Given the popularity of her story, and my overflowing inbox, I would say many agree. And indeed, you should expect more similar stories to be unearthed in the future because of the upcoming General Data Protection Regulation (GDPR). From May 2018, the new European-level regulation will come into force, claiming wider applicability – including on US-based companies, such as Tinder, processing the personal data of Europeans – and harmonising data protection and enforcement by “levelling up” protections for all European residents.
Journalists, but also educators, NGOs and the rest of civil society, will have more powerful regulators to turn to if they are prevented from informing the general public about pressing issues in the data economy.
But beyond the much older right of access, the true revolution of GDPR will come in the form of a new right for all European citizens: the right to portability.
This right will transform consumers into real actors in the data economy. Companies will have a legal obligation to move the data you provided from one company to another, if you so wish. In a world where personal data is an asset increasingly used to concentrate power, and then to abuse that position in the market, this new right will provide a much needed balancing mechanism on the incumbents. One can hope.
- Paul-Olivier Dehaye is the co-founder of PersonalData.IO, a Swiss startup helping individuals regain control over their personal data
