No matter if we choose to believe or disbelieve Zuckerberg’s announcement regarding the intention to redefine his company around the value of privacy, we cannot ignore the historical significance of the moment. Facebook’s leader was publicly cornered into an unprecedented move; his was the only possible response to appease (even if temporarily) the snowball effect of recent revelations. In many ways, affirming the new objective of Facebook legitimized a cultural tension that had been building up around the idea of privacy in the age of hyperconnectivity, to the point of transforming privacy into a societal turning point. Two explanations seem necessary here. On the one hand, it should be clarified that we are referring to informational privacy – the “freedom from informational interference or intrusion, achieved thanks to a restriction on facts … that are unknown or unknowable” about someone (Floridi 2014a, p. 103). On the other hand, we should not forget that privacy is a social construct, like freedom, justice, or power. As such, it can be understood differently by different people, in different circumstances. In a post-Internet society, it is logical to assume that ideas and expectations of informational privacy have changed from those we held before our collective datafication. Digital technologies of connectivity can be deployed to both decrease and increase informational friction, making personal information more available or less so (depending on knowledge and intent), and therefore both eroding and enhancing informational privacy (2014a). The cultural tension mentioned earlier is the result of our failure to project the consequences of this dual role. Our frontstage experience with being empowered to exert certain levels of control over our personal information online has prevented us from observing the systematic informational intrusion that unfolded backstage.
Since the emergence of social media, users have chosen to share information about themselves in an environment that they knew little about. It was not unreasonable to assume their personal data belonged to them, or at least that it was treated with care since, through their structural organization, platforms gave the impression of a controlled type of sharing. Users did not spend too much of their time questioning this assumption. The reality we have been confronted with in recent years is that we could not have been more wrong. Once released online, our personal information is no longer ours. What is more, our data does not consist solely of the information we have historically uploaded and, theoretically, have the option to control. Online, we make hundreds of choices every day that speak about who we are. The data behind these choices is transparent to the platforms we interact on but remains invisible to us. The commercial system set in place by the Internet’s key players has benefited abundantly from this loophole, while we have had no knowledge about how our personal information was collected, interpreted, or repurposed. Connecting online personal information to offline real individuals has become the founding principle of a new economic system: the identity economy, allowing for the commodification of identity at a scale never encountered before. The mass harvesting of personal information online was possible through a methodical erosion of our informational privacy. Not only have the Cambridge Analytica and similar reveals altered our collective experience of privacy (we now, for example, expect constant surveillance online), but they have also pointed out that an erosion of informational privacy can be perceived as a direct attack on our self-identity, as our online identities are unquestionably constituted by our information.
While we benefited from legal frameworks protecting our identities in the real world, the territory of our online identities represented, until recently, a vast and unchartered gray area. The need to create effective regulation to safeguard our identities in the online environment became increasingly pressing once mass claims to our online identities made by various entities were undeniably exposed. In 2012, the European Union (EU) Commission was assembling a think tank and research group called the “Onlife Initiative.” Its members, reputed thinkers of our time, had the mission to advise the EU in the formulation of its digital strategy, assessing the impact of information and communication technologies on individuals and society and setting the ground for future policy. The product of this collective effort, synthesized in a document titled “Onlife Manifesto” (Floridi 2014b), pointed to our irreversible digital transformation. The word “onlife” itself, a term coined by Luciano Floridi (2011), is revealing of the way information and communication technologies have altered the fabric of our living environment and through it, the nature of our very existence. In a hyperconnected world, we are never totally on nor completely off. Consequently, our identities are inevitably constructed and performed within this merged informational environment that has unnoticeably become our natural habitat. The “Onlife Manifesto” had signaled the need to adjust our conceptual framework to a new reality, before any legal framework could be imagined and implemented.
This was 2012. Only two years later, the actions of one single individual set in motion a chain reaction that accelerated the adoption of legislation aimed at protecting the identity of individuals in the online environment. Following the complaint of a Spanish citizen, directed at Google Spain, Google Inc, and a local newspaper, about outdated and unjustly incriminating personal data appearing in searches, the EU Court of Justice ruled in favor of “the right to be forgotten,” taking a first step in the legal protection of personal information online (European Court of Justice 2014). Citizens of the European Union now had the power to request search engines like Google to remove search results based on a person’s name, if the information included in these results was inaccurate, inadequate, irrelevant, or excessive. From June 2014 to April 2019, Google had received 801,659 queries in connection with the “right to be forgotten,” requesting the removal of 3,124,642 URLs, according to Google Transparency Policy (2019). What is more useful to note is that the number of requests has grown annually and that almost 90% of these requests were originated by private individuals. Not all requests find their resolution. Google makes it clear that they are evaluated on a case-by-case basis, taking into account criteria such as the importance of personal information to the general public or the position and history of the person requesting the removal. The rights to privacy and data protection are therefore analyzed against other values, rights, or interests, for example freedom of speech or freedom of access to information. Moreover, this being EU legislation, it applies to EU citizens only (URLs that appear in European search results are delisted; also, with the use of geolocation signals, access to a certain URL from the country of the requester is restricted). Yet it affects any company outside of the EU targeting EU citizens. By defending the right of European individuals to personal data protection online, the “right to be forgotten” was the first breakthrough in founding a global legislative system able to protect the identities of individuals in the online environment.
What followed is by now notorious. The GDPR (General Data Protection Regulation), a historic change in personal data protection legislation, was adopted by the European Parliament (2016) and has been enforced since 2018 in all EU countries. European Union citizens benefit from a common legal framework that limits their exposure as data subjects and allows them to question the collection, storage, and use of any personal information online. Looking at the definition of “personal data” provided by the European Commission (n.d., online), we can understand how, by stipulating how their personal data can be handled, the premise of regulation is to protect the identities of individuals:
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also