Sitra’s recent survey probes the secret life of data collected about us

Every second, hundreds of organisations and companies are trading data collected about individuals. The network formed by those trading in the data is so complex that understanding the flow of data between services is practically impossible.
Image: Topias Dean / Sitra

Writer

Mira Nupponen

Specialist, Communication and Public Affairs, Sitra

Published

With the aid of six test subjects, Sitra’s Digitrail survey monitored the flow of individual data when using digital services and studied how well users are able to understand the data economy’s operating environment.

The first results from the survey showed that, despite exercising their rights under the General Data Protection Regulation (GDPR), users of digital services do not always understand how their data is used and have limited opportunities to influence how it is collected and used.

“I thought that my data was only disclosed to the service provider when using an online newspaper, for example. I found out that data about me is disclosed to various other organisations around the world and there is absolutely no control over the network that uses the data,” one of the test subjects revealed.

What happens to our data in digital services?

The data generated by the activities of individuals using digital services is a valuable asset and commodity. Its management is mainly in the hands of global technology and data companies. User profiles created based on individual data are used to target advertising, for example.

The survey confirms the notion that the network for trading in individual data is a complex entity of various bodies, that its operations are hidden from the consumer and it follows its own set of rules. The practices for sharing individual data are described in long and opaque terms of use written with only businesses in mind. Accepting the terms of use often means that consumer data can be shared with third parties.

“Reading the privacy policy of a single service does not provide a complete picture of where and with whom the data will be shared,” warns Tiina Härkönen, Leading Specialist at Sitra. “When an individual visits one commercial service, dozens or even hundreds of other bodies may be collecting data in the background. And it will all be over in a fraction of a second.”

A big question mark over the GDPR’s effectiveness

The survey showed that the GDPR offers only a limited view of the flow of data in digital services. The operating environment is multi-layered and elusive. Using their right to access their data – a subject access request – as provided for by the GDPR, is the consumer’s only way to find out what data has been accumulated about them. However, an individual cannot possibly know all the third parties with whom their individual data is being shared.

“Our survey shows that is it very difficult for an individual to obtain an overall picture of the generation, consolidation and use of their personal data. Alternative data economy business models are needed to ensure a fairer future,” says Riitta Vänskä, Specialist at Sitra.

Who is responsible for children’s rights?

The data accumulated through digital service use enables very detailed user profiling. UNICEF has contributed to studying the online behaviour of children and their rights as data subjects, and is participating in the Where’s my data? – Citizen’s digital trail event organised by Sitra on the international Data Protection Day (watch Steven Vosloo’s video greeting at the event).

“The internet was made for adults. Children cannot be expected to understand the terms of use that even adults have difficulty understanding. Enormous amounts of data about children are collected and sold, and children are profiled just as much as adults,” Vänskä points out.

“Children must be recognised as a special user group, and services must be offered to them as well,” says Jussi Kivipuro, Development Director at UNICEF Finland. “A child has the right of access to their personal data. A business must ask permission to access a child’s data in a way that he or she understands. This means that the child must also be able to understand the consequences of giving such permission.”

Read more about the Digitrail survey and Sitra’s IHAN project

Sitra’s Digitrail survey was launched in November 2019. The analysis of the results will continue in January and February 2020. The first results were published at the end of January 2020 in connection with Sitra’s Where’s my data? – Citizen’s digital trail event. Six test subjects were used at the initial stage of the survey to study the ways of accumulating data and the amounts of data accumulated when using digital services, how the data is used, and how effective the GDPR is in giving an individual the opportunity to access information on the collection and use of data about them.

The test subjects were a 16-year-old schoolboy, a young university student (female), a middle-aged journalist (female), a middle-aged politician (female), a middle-aged executive manager (male) and a pensioner (female).

The survey was implemented as part of Sitra’s IHAN project. The Fair data economy project is building the foundations for a fair data economy, which is aimed at restoring confidence in digital services. Further information on the results can be found in Sitra’s article. More survey results will be available later this spring.

Sitra’s Digiprofile test

Take the Digiprofile test and get tips about responsible online behaviour.

Article edited on 28 April 2020: Link to Steven Vosloo’s video greeting added.

PROJECT

Digitrail

The use of digital services leaves a digital trail, data. The Digiprofile test allows you to test your own behavior online and gives you hints on how to manage your privacy better.

Writer

Mira Nupponen

Specialist, Communication and Public Affairs, Sitra

Published

Latest

What's this about?