The plan: a first goal, transparency

In this post, I want to detail the first milestone of PersonalData.IO’s plan to change the personal data landscape. As @juli rightfully points out, this might not be the only way to do things. So I join her in encouraging you to post your ideas here.

Our plan fits into a larger strategy, described in the funding proposal.

At this stage, we make transparency a goal in itself, as we feel that the opacity of personal data processing is what generates a lot of the downstream problem in this field (from apathy of the individual to pure malice on corporate side).

In order to achieve this transparency, we use a right called the Right to Access. This right exists in the European Data Protection Regulation, but also the laws of many other countries. Its use is depicted in the movie The Great Hack.

After having selected a company to target, or even an entire ecosystem, we make requests for our personal data from the targets.

  • If we succeed in getting our data, we have obtained a new asset that we can then use in many different ways. For instance we can inform friends, family, journalists, and often even experts and regulators. It can also be helpful to businesses who want to build more respectful systems. Often in those cases the biggest success is to get a journalist to explain a company’s practices “from the outside” through the hard facts the request has brought forward. Even better if the journalist is able to explain why these substance and process questions are important. Often this will lead to more people knowing their rights, and a snowball effect. Even better if the journalist refers to PersonalData.IO.
  • If we fail, the failure in itself becomes interesting. Not answering such requests, as long as they are reasonable (but who judges?), is inherently suspicious. Does the entity holding your data know their legal obligations? Does it have something to hide? Again, this becomes of interest to journalist and regulators. In some circumstances, the failure to answer an access request can become a criminal matter.

Overall, this process brings new and unquestionable facts to personal data disputes. Sometimes they concern the substance itself of the processing of personal data. Sometimes they concern the duty of making these personal data processing operations transparent enough.

I will talk in a separate post of how to operationalize this plan most effectively.


Hi, I am very interested in this topic, wonder if the discussion continued somewhere else?