This article is for all the 13 people (thanks, guys) who voted for me to share my recent experience with reclaiming autonomy over my own data.
Before I get to that, let me lay the foundation with reasons why this is an important case study to document.
Data autonomy and ownership is an emerging issue with regard to the fundamental human right to privacy. Privacy here, simply put, is the freedom to live and make choices without interference from third parties, whoever or whatever they may be.
How does data then relate to Privacy? Because with enough data, your behaviour can be manipulated to produce certain outcomes. If I know exactly how you think and which emotional buttons to push, I can create the conditions that make you behave the way I want you to behave, obviously to my benefit (why else would I do it?), of course.
The “bad guy” here is not the data or the tech. With or without digital technology, data has always been collected and stored. Before data processing software (e.g. Microsoft Excel) existed, people collected data on paper and did the analysis manually in analog form. Technology is only a means to access data. Today’s technology merely makes it a lot easier, faster, and more ubiquitous.
Technological advancement has made it possible to access vast amounts of data with just the click of a button. Data, information, knowledge – used interchangeably to mean the same thing in the digital world – information that can be collected, analysed and processed to produce accurate predictions of future behaviour.
The ‘prediction imperative’, as used by Shoshana Zuboff in her latest book The Age of Surveillance Capitalism, is often the end goal of technology builders in the current paradigm of the digital political-economy.
When I say this is the “current paradigm”, it is because I do not believe that it is the only paradigm. As I have explained, data collection or technology itself is not a bad thing. What makes it potentially bad is why and how data is collected and used.
Privacy advocates (also known as privacy pros) are people who defend your right to privacy as a fundamental aspect of being human. They are the ones thinking about how to better protect your Privacy, with or without a data-centric approach. There are indeed many ways to slice a cake.
But because the exposure of data is closely linked to breach of privacy, it makes sense to protect your privacy by protecting your data.
Now that we’ve got that covered, we get back to the purpose for which this article is written – to tell you the story of how I asked for my data to be deleted.
Like millions of others, I am connected to the digital world via Internet-based platforms. Most of the platforms I use are mobile applications, only because I am heavily dependent on my mobile devices.
Recently, I downloaded a new app on my phone. I don’t need to tell you why I needed their service or what the mobile app is; suffice it to say that this is a Malaysian mobile application for a particular type of service that I need (so you know this is not a Super App; you may cross out Grab from your list of guesses).
Like any other app, you must provide the data needed for the services to be rendered. In this case, I had to give the following data:
- Personal data (name, IC number, phone number, email address)
- A selfie (so that they know my face)
- A photo of my IC and driver’s license (so now they know my complete home address and religion)
As it turns out, the app was not functioning properly and the photos required of me to approve my membership did not go through. After many tries, I got frustrated and decided I no longer wish to use the app.
Because my membership to the app was never approved, I never got to even use the app. By then, I was even more frustrated because I had given up valuable data to the company for nothing. So I did what any privacy-conscious human being would do: I requested termination of the account AND the deletion of all my data.
I emailed tech support (my favourite hobby nowadays) and I asked for them to process my request above immediately.
“Hi, I would like to delete my account. Please also delete all my data. Email me the confirmation when it’s done. Thank you.”
As I waited for a reply, I checked my notes on Malaysia’s Personal Data Protection Act just in case. This is not the first time that I have made such a request, so I know how reluctant tech companies can be when you wish for your data to be removed from their database.
I received a reply 20 minutes later requesting a confirmation. The company has the following policy when people want to “withdraw” from the App (a softer language used to lower the degree of responsibility that comes with “deletion”):
- I am only allowed to re-register for the App’s account after 3 months from the date of withdrawal
- Withdrawal process may be delayed if there are unsettled payments
- All App’s points and promo codes applied will be forfeited and will not be refunded
I replied and said yes, go ahead. It’s not like I’ve used the App anyway, and I don’t have any intention to use the App in the near future.
They replied 20 minutes later that they had acknowledged my confirmation and would proceed to process my “withdrawal”. But I had a gut feeling that they did not fully comply with my request, so I asked, for the second time, for a written confirmation that all of my data had been deleted.
This was their reply:
Hi Maryam Lee,
Kindly be informed that your record is still in the system after deletion. We still can see the record of your registration for future reference.
The only data we can delete is your phone number.
Hope this answers.
I have to admit, that reply did anger me a little bit. In my line of work, I know for a fact that the claim that “the only data we can delete is your phone number” is not true. Data removal or deletion is not at all impossible from a technical point of view, and by law [Section 10 (2) of the PDPA states that “it shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required…”] they have to honour my request fully.
A small part of me did want to just blow them off in my next email, especially given how I was already frustrated with the fact that I gave them my data for nothing. But I reminded myself that I am a professional, so I will pursue this matter accordingly.
I had no choice but to reply with a stronger message.
“No,” I said. “Please delete everything.”
Please delete the following data from your systems:
1. Any personally identifiable information
2. The photos of my selfie, IC, and driver’s license that I sent through the app to get my membership approved (but did not happen)
3. My location data
I then quoted the above-mentioned section of the PDPA with regard to data retention, and clarified that:
- I have never used the App
- I no longer have the intention to ever use the App
They waited until the next day to give me a phone call (so much for deleting my phone number) regarding my request.
In that phone call, they said that the deletion of my data means I would not be allowed to register with the App anymore. They were calling me to inform me of this (something they did not mention before), and to ask for my verbal confirmation that I want to proceed after knowing it.
By this time, I just wanted my data off their platform, so I said yes to that condition. As upset as I was that I was left with no choice, and not given any prior information regarding blocking me as a possible future user, I was determined to send the message that tech companies must not hold on to people’s data, especially personally identifiable ones, when there is no need for it.
After all this, the company sent me an email confirming that my account has been deleted and all data has been removed from their system.
Bear in mind that even with this written confirmation, I have no technical assurance that the deletion did, in fact, happen. This experience has made me lose trust in the platform as a user, which, in turn, affects my inclination to use their services.
This is only one of many examples of why tech companies need to start looking into the meaningful protection of Privacy if they do not want to lose business.
I made the decision not to name the company here because my aim is to educate the public on the importance of data protection to privacy, not to defame the reputation of any company.
Personally, and professionally speaking, I have not lost faith in tech companies to do the right thing by their customers. There are many technologies being developed today that would protect people’s privacy by design, and would not affect the business’ ability to make money.
The future is limitless, we just need to be brave enough to ask how.
Disclaimer: This article is written on the personal blog of Maryam Lee and therefore not representative of any other persons or organisations.