have the option to control. Online, we make hundreds of choices every day that speak about who we are. The data behind these choices is transparent to the platforms we interact on but remains invisible to us. The commercial system set in place by the Internet’s key players has benefited abundantly from this loophole, while we have had no knowledge about how our personal information was collected, interpreted, or repurposed. Connecting online personal information to offline real individuals has become the founding principle of a new economic system: the identity economy, allowing for the commodification of identity at a scale never encountered before. The mass harvesting of personal information online was possible through a methodical erosion of our informational privacy. Not only have the Cambridge Analytica and similar reveals altered our collective experience of privacy (we now, for example, expect constant surveillance online), but they have also pointed out that an erosion of informational privacy can be perceived as a direct attack on our self-identity, as our online identities are unquestionably constituted by our information.
While we benefited from legal frameworks protecting our identities in the real world, the territory of our online identities represented, until recently, a vast and unchartered gray area. The need to create effective regulation to safeguard our identities in the online environment became increasingly pressing once mass claims to our online identities made by various entities were undeniably exposed. In 2012, the European Union (EU) Commission was assembling a think tank and research group called the “Onlife Initiative.” Its members, reputed thinkers of our time, had the mission to advise the EU in the formulation of its digital strategy, assessing the impact of information and communication technologies on individuals and society and setting the ground for future policy. The product of this collective effort, synthesized in a document titled “Onlife Manifesto” (Floridi 2014b), pointed to our irreversible digital transformation. The word “onlife” itself, a term coined by Luciano Floridi (2011), is revealing of the way information and communication technologies have altered the fabric of our living environment and through it, the nature of our very existence. In a hyperconnected world, we are never totally on nor completely off. Consequently, our identities are inevitably constructed and performed within this merged informational environment that has unnoticeably become our natural habitat. The “Onlife Manifesto” had signaled the need to adjust our conceptual framework to a new reality, before any legal framework could be imagined and implemented.
This was 2012. Only two years later, the actions of one single individual set in motion a chain reaction that accelerated the adoption of legislation aimed at protecting the identity of individuals in the online environment. Following the complaint of a Spanish citizen, directed at Google Spain, Google Inc, and a local newspaper, about outdated and unjustly incriminating personal data appearing in searches, the EU Court of Justice ruled in favor of “the right to be forgotten,” taking a first step in the legal protection of personal information online (European Court of Justice 2014). Citizens of the European Union now had the power to request search engines like Google to remove search results based on a person’s name, if the information included in these results was inaccurate, inadequate, irrelevant, or excessive. From June 2014 to April 2019, Google had received 801,659 queries in connection with the “right to be forgotten,” requesting the removal of 3,124,642 URLs, according to Google Transparency Policy (2019). What is more useful to note is that the number of requests has grown annually and that almost 90% of these requests were originated by private individuals. Not all requests find their resolution. Google makes it clear that they are evaluated on a case-by-case basis, taking into account criteria such as the importance of personal information to the general public or the position and history of the person requesting the removal. The rights to privacy and data protection are therefore analyzed against other values, rights, or interests, for example freedom of speech or freedom of access to information. Moreover, this being EU legislation, it applies to EU citizens only (URLs that appear in European search results are delisted; also, with the use of geolocation signals, access to a certain URL from the country of the requester is restricted). Yet it affects any company outside of the EU targeting EU citizens. By defending the right of European individuals to personal data protection online, the “right to be forgotten” was the first breakthrough in founding a global legislative system able to protect the identities of individuals in the online environment.
What followed is by now notorious. The GDPR (General Data Protection Regulation), a historic change in personal data protection legislation, was adopted by the European Parliament (2016) and has been enforced since 2018 in all EU countries. European Union citizens benefit from a common legal framework that limits their exposure as data subjects and allows them to question the collection, storage, and use of any personal information online. Looking at the definition of “personal data” provided by the European Commission (n.d., online), we can understand how, by stipulating how their personal data can be handled, the premise of regulation is to protect the identities of individuals:
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
The GDPR, still in its infancy and still to prove its long-term efficiency, succeeded in setting a global regulatory standard that pressured consistent followership from other countries around the world. In the US, where Silicon Valley exercises a major economic influence and acts as an important consultative pillar for this type of legislative decision, a federal law with a scope similar to that of the GDPR is yet to be designed and enforced. In the meantime, there have been various signals that such a regulatory initiative is long overdue. Facebook has received a fine of US$5 billion, the largest penalty ever imposed on a company for breaches of consumer privacy, and 20 times greater than any similar penalty ever imposed worldwide (Federal Trade Commission 2019). In a May 2019 op-ed in The New York Times, Chris Hughes – one of Facebook’s initial five co-founders – openly advocated for the breakup of Facebook and sustained regulatory reform:
For too long, lawmakers have marveled at Facebook’s explosive growth and overlooked their responsibility to ensure that Americans are protected and markets are competitive.
(Hughes 2019)
Hughes refers to Facebook’s successive moves towards insulating itself from competition: in 2012, it acquired Instagram and, in 2014, WhatsApp. Hughes’s argument is based on the claim that the resulting colossus is both too powerful and too dangerous. Breaking it up would ensure healthy competition, while regulating it would prevent further abuses of power. What is noteworthy to mention is that Facebook’s response to Hughes’s plea, although expectedly not in favor of dismantling the company, acknowledges the long overdue need for tight regulation:
We are in the unusual position of asking for more regulation, not less. … Anyone worried about the challenges we face in an online world should look at getting the rules of the internet right.
(Clegg 2019)
It is difficult to predict what a comprehensive legal framework covering all aspects of the online environment – personal, social, and commercial – would look like, or the effects of implementing unifying regulation at a global scale to companies and individuals. From a broader perspective, there is no precedent validated by history to guide lawmakers in approaching such a gargantuan task. The turmoil surrounding the repetitive offences of Facebook and those of other platforms points to the deficiency of existing laws and, at the same time, reveals a system that has been operating in retrospect. For too long, the online environment had been regulating itself. Only when flagrant consequences transpired did boundaries begin to be erected one by one. Yet, continuing to design and enforce legislation for the online environment is not a straightforward task. Going back to the goal of the “Onlife Initiative,” we must be ready to update our conceptual framework in order to be able to understand and address the never-ending challenges related to our digitization as a global society.
