Principle 5: Public Data
Just because data about people are publicly available, it does not always mean that a company may collect or use these data. Publicity is not a carte blanche. At the same time, there is certain data that ought not to be completely private, such as data about people’s contagious diseases like the swine flu or COVID-19.
In the Principle of Data Ownership (Principle 1), we saw that people often lose their control rights over their data, when they make these data publicly available. When Smith walks down the street, and Jones can see Smith’s physical appearance, Smith has waived his control right over data about his physical appearance. All else equal, Jones may now tell his friend Peter about Smith’s physical appearance.
There are many cases where it is straightforward to determine whether someone has waived control rights over data. Let’s consider a few examples.
Imagine that Smith is keeping a diary. Unbeknownst to Smith, Jones opens the diary and takes pictures of the pages and uploads them on a social media platform. Much personal information about Smith is now publicly available.
Does that mean that anyone may now use this data as they wish? Clearly not. If for example Peter sees the pictures, and he knows that Smith did not want them to be published, then Peter should not distribute them further. And, Peter should not store the pictures for future use.
Similarly, if people’s security numbers – or other personal information about people – are leaked for public display, due to an accident or a cyber attack, then other companies should not access this information or store them for future use in their databases.
What these examples show is that data is not always published voluntarily by the data subject. In those cases, the data subject has not waived the rights over this data, so others should abstain from accessing, storing, using or further distributing this data.
Most people will probably find the Principle of Data Use fairly uncontroversial. It seems intuitive enough that if people publish personal information voluntarily, then they lose their right to control the information. And if people’s personal information is published involuntarily, then they have not lost this right.
But in some cases, it is not so straightforward to determine exactly what the limit is between being private and being publicly available.
Imagine that Smith is sitting on a bench in a public park with his friend Carl. A few people are walking by, but no one seems to be paying attention to Smith and Carl’s conversation. Smith tells Carl all sorts of personal information about his sex life. Unbeknownst to Smith and Carl, Jones is eavesdropping on their conversation.
Smith has decided to talk about personal information in a public space, but does that mean that Jones can eavesdrop on the conversation, use and distribute the information further as he wishes? People may have different moral intuitions about this case.
In order to be on the safe side, and in order to avoid breaking the Principle of Trust (Principle 4), it is a good idea to only collect publicly available data if these data are clearly published voluntarily by the data subject itself. In addition, it’s a good idea to inform the data subject that the data is being collected. In a time where personal information is flowing more or less freely online, it is important to remember: It’s Not Always Right to Use Data Just Because It’s Public.
It’s Not Always Right to Use Data Just Because It’s Public.