The disparity between data controllers’ and data subjects’ rights and duties

With the advent of digitalisation, humanity has entered the era of big data. The value of data is gaining prominence and is even considered the “new oil of the future” (Janegar, 2022). However, data leaks and misuse are common, highlighting the imbalance of rights and obligations between personal data controllers and data subjects as well as the absence of individual data rights. The Australian healthcare and insurance business Medibank Private has disclosed that the information of 9.7 million current and prospective customers, including 1.8 million overseas customers, was accessed without authorisation in 2022. The data contains secret and personally identifiable information on medical procedures, including diagnostic codes and procedure-related codes. On 9 November 2022, when Medibank continued to refuse to pay the ransom, the hackers leaked “good-list” and “naughty-list” customer data files. As data controllers, businesses play a crucial role in data mining, data breaches, and data misuse, and their actions span the whole big data industry. Trying to strike a balance between the rights and responsibilities of data controllers and data subjects has become a matter of widespread interest. This blog is to examine the boundary between the right to rational data usage and the duty to preserve data security, as well as the road to achieving a balance between the expansion of the big data sector and data security.

Personal data
Data in the era of big data can be classified into two categories:personal data and non-personal data (Chen, 2018). The “identifiability” of data is the primary distinction between personal and non-personal data (Qi, 2009, p. 85). The author classifies personal data as data that can directly or indirectly identify a specific natural person by combining the definitions of personal data in several countries. Portrait, name, ID card number, work card number, and social security number are examples of directly identifiable data. Indirectly identifiable data must be combined with other data, such as cookie information, which primarily indicates which range of URLs are valid, and the search keyword records collected by internet companies via cookie technology, which reflect the internet activity trajectory and internet preference of internet users. When paired with a specific Internet account or IP address, these data can identify a particular natural person and become personal information (Li, 2017).

Personal data subjects
According to the preceding definition, personal data are generated by the network activities and other behaviours of specific natural persons, and specific natural persons are both producers and consumers of personal data; therefore, the author defines specific natural persons as the subjects of personal data. The connection between personal data and the subject is such that the subject can be identified based on a particular characteristic. Personal data intersects with personal privacy, which is likewise contained in personal data and has a personality (Zhang, 2021). Conventional privacy legislation safeguards the right to privacy as a personal right. But, data controllers can also examine the data produced by data subjects to determine its inherent worth. With the advancement of technologies such as cloud computing, artificial intelligence, the Internet of Things, and the Internet, data that records people’s activity trajectories, consumption records, and other information will become an enormous source of wealth, and data has become a new type of resource. According to some researchers, personal information is the new money in online e-commerce and the lifeblood of the internet economy (Sholtz, 2000). In this way,personal information is likewise analogous to property (Xiang, 2018). Personal data therefore conveys the personality and property interests of the data subject, and the right to personal data includes both personality and property rights.

Data controller
The original description of a data controller comes from the applicable EU law, the General Data Protection Regulation, which defines a data controller as “a natural person, legal person, public body, administrative authority, or other unincorporated organisation that can decide, individually or jointly, on the purposes and means of processing personal data. ” Therefore, the key to becoming a data controller is the right to decide on the purpose and manner of processing personal data. In Article 4 of Chapter 3 of the Specification on Personal Information Security of Information Security Technology published on 29 December 2017, the Chinese National Standardization Administration Committee (NSCA) introduced the concept of an information controller: “An organisation or individual with the authority to determine the purpose, manner, etc. of personal information processing.” This definition is similar to the definition of a data controller in EU law. Some academics believe that a data controller is “an organisation or individual that has lawful access to and actual control over data, can determine the purposes, conditions, and means of data processing, enjoys complete or partial property rights over data in accordance with the law or contractual agreement, and undertakes corresponding obligations” (Wang, 2016). Consequently, the author defines a data processor as “an organisation or individual that has lawful access to and actual control over data, can determine the purposes, conditions, and means of data processing.

Data use and data protection conflicts
In the era of big data, resolving the conflict between the protection of the rights and interests of data subjects and the freedom of data activities of data controllers is one of the key clashing issues in personal data protection (Chen, 2018a). On the one hand, subjects of personal data seek adequate protection of their personal data, but data controllers must unavoidably exploit personal data to realise the value of personal data, resulting in a violation of the privacy of personal data. On the other hand, disagreements concerning the value of data controllers’ actions based on the property character of personal data are on the rise.

As the limitations of the right to privacy have shifted in the era of Big Data, so too have its meanings diverged significantly from those of the old right to private. The right to privacy has developed from a passive, individual right to be free from intrusion into one’s private life to an active, individual right to control one’s own personal data, with both personal and property aspects. The right to data privacy is the right of citizens to be protected against unlawful invasion, knowledge, collection, copying, disclosure, and use of their private life and private information on the Internet, as well as the right to know, select, safeguard, control, and claim personal data (Yuan, 2014). Whether it is the right to data privacy or the traditional right to privacy, the heart of the right is the freedom to disclose information andthe protection of private life. Yet, data privacy protection is in a difficult position. In the case of the Medibank customer data breach, for instance, when Medibank refused to pay the ransom demanded by the hackers, on 10 November 2022, the hackers posted on the dark web hacking forum “Breach Forums” a file labelled “abortion” that contained information on procedures claimed by the insured, such as miscarriages, terminations, and ectopic pregnancies. This information, which is accessible to all Internet users, contains details about abortions, pregnancy terminations, and ectopic pregnancies. This data is accessible to all internet users. This demonstrates the grave threat to personal data privacy posed by data controllers’ inaction in the case of data breaches.

On the other hand, the majority of privacy violations are the result of user ignorance or reluctance to consent. Although the majority of data trading platforms have explicit regulations for transactions, they are typically hidden in user agreements, terms of service, or merchant guides, making them difficult for users to locate. To make greater use of the Internet and information services, the vast majority of users typically overlook their privacy protection. Moreover, many consumers are unaware of how to assert their legal rights in the event of a data breach. Yet according to controllers, few individuals can take prompt corrective action in the event of a breach of personal privacy (Wang & Zhang, 2018).

The aforementioned conflicts indicate that the balance of big data interests is tipped in favour of organisations with control over personal data, that the development of the data industry has come at the expense of personal data rights, and that the protection of personal data has become an urgent issue for the development of the big data industry (Bundesamt für Justiz, 2017). The author argues that the rights and restrictions of data controllers, as the foundation of the entire data business, are crucial to the growth of the data industry and data protection. In addition to reaffirming the rights of data controllers, it is vital to limit their rights. Regardless of the rights basis on which the data controller gets control of the data, it is unavoidable that it will be required to assume commensurate responsibilities and obligations.

What should the data controller’s pattern of conduct be? Exists a legal foundation for the gathering and use of data? Where are the limits and restrictions of their rights?

The rights of data administrators
The data controller is permitted by law to collect and store all categories of data in line with applicable laws. This is a fundamental data controller right. Data controllers handle the collection of raw data in the online world for a variety of purposes, transform it into a variety of data products, and rely on it to deliver a variety of services to their clients. The persistent gathering and storage of data by data controllers pave the way for the onset of the era of Big Data. Their conduct should be sanctioned and legitimised within the bounds of the law (Huang & Jiang, 2019). This is fundamental to data controllers’ rights.

Data controllers collect and store data for the aim of analysing the data to identify its regular information content. To fulfil their goals, data controllers must therefore analyse and process the data under their control, i.e. utilise the data, as is their prerogative.

Boundaries of the rights of data controllers
Observance of the right to data privacy
The General Data Protection Regulation guarantees the autonomy of individuals to control, comprehend, and keep their own data, while restricting the rights of data controllers. In the case of the Medibank data breach and many other data breach incidents, individuals may not realise that their personal information has been improperly utilised until their property and privacy have been compromised. As ordinary individuals, it will be difficult for these companies acting as data controllers to exercise their right to control data once it has been gathered and retained. Hence, as data controllers, they should specify the limits of their actions when acquiring and utilising user data and respect the users’ right to data autonomy.

Cooperating with data subjects in the exercise of their right to be forgotten
The right to be forgotten, also known as the “right to erasure,” refers to the data subject’s right to request the data controller to permanently delete the data subject’s personal data and to be forgotten by the Internet, unless there is a legitimate cause for the preservation of the data (Wu, 2013). The Medibank data breach was caused by hackers attempting to “bargain with the corporation about the alleged deletion of client data,” but Medibank publicly refused to comply with the hackers’ requests. This demonstrates Medibank’s inability to comply with its obligation and responsibility to assist users in exercising their right to be forgotten. In truth, the publication of personal data as a result of human flesh searches and online violence also violates the right to privacy. In such instances, the right to be forgotten is a right that can only be exercised with the cooperation of the data controller, and its objective can only be fulfilled if the data controller’s rights are curtailed. The right to be forgotten is the final obstacle to the preservation of private information. The right to be forgotten, which is implemented through erasure, is the most extreme and effective “right to restrict and delete access to knowledge” (Garside, 2014, p. 6).

In the era of big data, technological advancements have made data a distinct “resource,” and the proliferation of internet technologies, exemplified by big data technologies, has increased the value of data utilisation and sales. However, the negative impact of privacy invasion resulting from the leaking of personal data during the process of utilising and sharing data reveals the imbalance between data controllers’ and data subjects’ rights and obligations. To address this issue, it is necessary to first define the scope and limits of data controllers’ rights, regulate their rights and constraints, and strike a careful balance between maximising the value of data and preserving the rights of all data subjects.

Bundesamt für Justiz. (2017). Gesetze im internet.

Chen, X. (2018a). On personal data rights in the era of big data. China Social Science, 3, 102–122.

Chen, X. (2018b). On the right to personal data in the era of big data. Chinese Social Sciences, 3, 201–208.

Garside, J. (2014). RighttoBeForgottenIsaFalseRight,SpanishEditorTellsGooglePanel (p. 6). TheGuardia.

Huang, Z., & Jiang, S. (2019). The rights and limitations of data controllers. Journal of Shaanxi Normal University ( Philosophy and Social Sciences Edition), 48(6), 34–44.

Janegar, R. (2022). DATA IS THE NEW OIL – the commerce society. Shri Ram College of Commerce.

Li, Q. (2017). Personality, privacy and data: Commercial practice and its limits: A review of the first chinese cookie privacy dispute. China Law Review, 2.

Mariusz Krzysztofek. (2018). GDPR : General data protection regulation (EU) 2016/679 : Post-reform personal data protection in the european union. Kluwer Law International.

National Information Security Standardization Technical Commettee. (2017). Information security technology personal information security specification.

Powell, O. (2022, November 10). A full timeline of the medibank data leak. Cyber Security Hub.

Qi, A. (2009). Saving personality in the information society (p. 85). Peking University Press.

Sholtz, P. (2000). Economics of personal information exchange. First Monday, 5(9).

Wang, W., & Zhang, M. (2018). Research and analysis of big data trading platforms at home and abroad. Intelligence Journal, 11, 1–7.

Wang, Yu. (2016). Research on the property rights and restrictions of big data controllers from the perspective of information service risk avoidance. Library and Intelligence Knowledge, 5.

Wu, Y. (2013). On the “right to be forgotten” in the age of online information – A perspective on the EU personal data protection reform. Library Theory and Practice, 11.

Xiang, D. (2018). On the independence of personal information property rights. Journal of Chongqing University ( Social Science Edition), 24(6), 169–180.

Yuan, X. (2014). Privacy protection in the era of big data. Journal of Shandong Agricultural Engineering College, 3, 99.

Zhang, J. (2021). The configuration of rights of personal data in the era of big data. Journal of South China University of Technology, 23(5), 69–77.

Be the first to comment

Leave a Reply