Personal data ownership & control

What are the key issues around personal data ownership & control?

Here are some of my thoughts, which are a bit rough or ready; but I would be interested to know if you have other points that I haven’t included, or if any of the ones I have listed aren’t really key issues.

Ownership or possession of myself & its property, material & intellectual
Ownership of inferred data
Sole ownership
Shared ownership
Are the lines of ownership ambiguous or clear
Have ownership expectations been violated

Do people have control over the information about themselves
Control flow of their own data?
Is control in the hands of the state; a corporate entity?
Is there any type or level of control that the data subject can exercise on their personal data?
Do they have control over the lifecycle of their data (generation, access, recording, usage)
Level of control (full, partial, none)
Is it direct control, or indirect control?
Vulnerable to having behaviour controlled by others? (social control)
Control over one’s own informational image?
Interpersonal boundary control
Genuine control over the dissemination of our personal information?
Control the disclosure of personal data to third parties
Control personal data flow
How is control achieved
– notice and choice (The control illusion)
Do they have ex post control in terms of the ability to check whether people are actually keeping to their obligations & promises
Use of personal data stores or data vaults
Ability to manage digital footprint
Ability to negotiate boundaries (cf Sandra Petronio’s communications privacy theory)

The control illusion: Profiling, discrimination, and other inferential harms happen so remotely from the source as to remove any doubt that the “choice” offered to users who disclose personal in the modern world is usually an illusion (Richards, Hartzog 2015)

The control paradox: There is a limit to how much control is helpful to consumers. In fact, too many privacy options may lead to users making poorer choices about their privacy by confusing them. For example, letting users define that only their self-designated “friends” can see blog posts can be helpful for ensuring privacy, but giving users multiple definitions of friends (ex: work friends, Tennessee friends, college friends) who all access the same profile, can actually lead to users to make more information about themselves available than if they were offered fewer, but easier-to-understand, choices (Flatow 2008)

FLATOW, I., 2008. Web privacy concerns prompt Facebook changes. Science Friday, .
RICHARDS, N.M. and HARTZOG, W., 2015. Taking Trust Seriously in Privacy Law.