The ability for iPhone users to control tracking will have a $10-billion impact on Facebook’s future revenue says Meta.  This impact demonstrates the power of individual control, is a clear example of where individual control works, and why individual control will always be part of data governance.  However, the simple “yes” or “no” used in phone apps cannot govern all the responsible and answerable uses of data pertaining to individuals.  Instead, the fair processing of data pertaining to individuals is dependent on the duty of care that comes with data stewardship.  And data stewardship is dependent on decisioning criteria that comes from democratic institutions. 

Individual control dates back to 1967’s “Privacy and Freedom” by Alan Westin.  It has been nurtured by the OECD Guidelines and is the preferred approach of the GDPR, as the impediments to legitimate interests demonstrate.  Individual control is the approach taken in state privacy laws enacted over the past few years and the ones that will be enacted by state legislatures this year.  It is also the key instrument of the new “data dignity” movement championed by the Ethical Tech Project.  But data use is complicated. What is appropriate is contextual, and the individual is not the only concerned stakeholder. 

So, in the end, fair processing of data pertaining to individuals is dependent on the duty of care that created the basis for data stewardship.  That duty of care must come from legislation that has clear criteria so that data services individuals and so that potential adverse consequences are understood, mitigated, and managed.  Those criteria are part of the IAF FAIR AND OPEN USE ACT and may be found in the Act’s definition of “Adverse Processing Impacts.”  If you don’t have time to read the model legislation, just read the definition which can be found here.