Seemingly everyone, from scholars, industry, and privacy advocates to lawmakers, regulators, and judges, has settled on the idea that the key to privacy is control over personal information. But in practice, there is only so much a person can do. Control is far too precious and finite a concept to meaningfully scale. It will never work for personal data mediated by technology.
Now we have an entire empire of data protection built around the crumbling edifice of control. The idealisation of control in modern data protection regimes like the GDPR and the ePrivacy Directive creates a pursuit that is actually adversarial to safe and sustainable data practices. It deludes us about the efficacy of rules and dooms future regulatory proposals to walk down the same, misguided path. We should dislodge and minimise the concept of control as a goal of data protection.
In mediated environments, the control we users get is illusory, overwhelming, and myopic. Defending control measures on privacy grounds requires so much justification and tying ourselves in knots that control feels like a mere proxy for some other protection goal that’s just out of reach. Lawmakers and companies should pursue more direct values like trust, obscurity, and autonomy. They should embrace more direct strategies like mandatory deletion, collection and purpose limitations, and non-waivable duties of care, loyalty, and discretion. People's trust in companies should be protected regardless of the control they are given.
The Case Against Idealising Control
European Data Protection Law Review
Available at: https://scholarship.law.bu.edu/faculty_scholarship/3069