Who owns our data when a company dies?
Another week, another wave of revelations about the use and abuse of personal data. This week Facebook is the one under fire.
On Tuesday, the Prosyscom Tech News revealed the social networking site gave Spotify and Microsoft access to data about its users in recent years.
Then, on Wednesday Facebook was sued by the District of Columbia’s attorney general over earlier revelations about the controversial UK data group Cambridge Analytica. CA had been given access to information harvested by Cambridge university professor Aleksandr Kogan from about 70m users via a quiz app in 2014. The company went into administration over the summer after its use of Facebook data became public.
As that scandal continues to reverberate, there is another important question which deserves debate: what happens to all this data harvested from Facebook or anywhere else when a company goes bust? That issue has received scant public attention because there have been relatively few recent big tech insolvencies. Indeed, the guidelines that exist, from bodies such as the Institute of Chartered Accountants of England and Wales, tend to assume that personal data would simply be frozen.
But a court case due to start in the London suburb of Hendon next month will thrust this issue into the spotlight. David Carroll, a New York-based professor, is suing CA’s administrators with the support of the UK’s Information Commissioner’s Office. They say CA failed to comply with European privacy laws and with an order from the ICO that required it to reveal to Prof Carroll the data it had collected about him. He is asking for up to £20,000 in compensation.
The ICO order was actually issued before the data firm went bust and the bankruptcy has complicated the matter because the ICO has seized the servers and theoretically could give Prof Carroll the data if it wanted to. Lawyers for CA’s administrators also contend that the firm has already given Prof Carroll lots of information.
But the proceedings are being closely watched nonetheless because the case could set precedents about user data rights and corporate responsibilities, for companies living and dead. And, as such, it raises fascinating legal and philosophical issues.
Normally, when a company goes bust, the administrators are obliged to sell its assets at the best possible price in order to compensate the group’s creditors. But what happens when those assets include user information that is protected by privacy laws?
Prof Carroll argues that the data originally held by Cambridge Analytica actually belongs to the users and should be returned to them, despite the insolvency. “I am a data creditor just like the financial creditors,” he says. “There are outstanding obligations to me.”
It remains to be seen if the courts will accept the idea of a “data creditor”. But if they do, there would be wide ramifications. That is because the same questions around information ownership will come up for any other entrepreneur who has jumped into the big data field in recent years and gone bust. So too with the non-tech companies who have been amassing treasure troves of information in recent years be they hedge funds, banks, retailers or anyone else.
The Carroll case also highlights how the cross-border nature of data flows will complicate the fight over data rights. The lawyers for CA’s administrators have questioned the UK ICO’s involvement, since Prof Carroll is an American rather than British citizen. Facebook has relied on similar arguments as it seeks to appeal a £500,000 fine previously imposed by the ICO over the same scandal.
But the lawyers acting for the ICO and Prof Carroll counter that legal jurisdiction should be determined by the location of the company designated to handle the data and cite recent case law from a Google case in Spain to support this.
Such arguments are likely to proliferate in the coming years, particularly if insolvencies increase as the global credit cycle turns.
After all, canny entrepreneurs have been hopping across national borders for years as they seek to exploit differences in local legal regimes, and data is migrating into a disembodied “cloud”, held on servers that may sometimes be in other countries.
Is there any solution? In the long run, probably the only effective answer would be to borrow a leaf from the financial sector another sphere where entrepreneurs are adept at conducting legal arbitrage across borders.
There, the solution has been to create global frameworks and rules.
The digital world would benefit from a cyber version of the Basel Committee on Banking Supervision, which sets out minimum standards for capital and liquidity that national governments then adopt. Better still, we could create the digital version of a Financial Stability Board to oversee a global regulatory architecture.
But don’t bet on that happening soon. Right now Europe and the US are embracing different data regulatory regimes and show no sign of wanting to harmonise them.
The best short-term hope for investors (and corporate boards) who want more clarity is to look to the courts to lay out clear precedents on data ownership and responsibilities.
All eyes, then, on the DC attorney-general’s lawsuit against Facebook and the coming court case in Hendon.