In 2018, as I was writing this book, two major events convulsed the world of personal data politics. The first was the Cambridge Analytica/Facebook scandal in March 2018. News outlets were consumed for weeks with the unfolding story of how over 50 million Facebook users’ personal information had allegedly been employed by the data profiling company Cambridge Analytica to manipulate voting behaviour in the presidential election and the British Brexit referendum, both held in 2016. Christopher Wylie, the whistle-blower who had been employed by Cambridge Analytica, claimed that the data analytics company was able to access and use Facebook users’ content to provide insights into their deepest thoughts, beliefs, hopes and fears. Many news stories, blog posts and commentaries written about this scandal described the ways in which Facebook and other major internet companies like Google, Amazon and Microsoft collect and use personal information from online interactions and apps, as well as discussing the practices of personal data mining, brokering and profiling companies. These reports commonly used language suggesting that there was a crisis in personal data privacy and security. For example, the British Daily Mirror (22 March 2018) published a story with the headline ‘Massive Facebook data breach sees “50 million users exposed” in Cambridge Analytica scandal – are your personal details safe?’, while the Guardian’s coverage featured headlines such as ‘“Utterly horrifying”: ex-Facebook insider says covert data harvesting was routine’ (20 March 2018).

The second major event was the European Union’s General Data Protection Regulation (GPDR) legislation, which came into force in May 2018. This legislation was intended to harmonize existing privacy laws across the European Union and replace national data protection rules. It was particularly directed at regulating the ways in which data industries and their clients store and process digitized personal information and rendering the processes more transparent to digital media users (European Commission 2018). The introduction of the GDPR is an important indicator of the strength of concern among governmental bodies, in some countries at least, about the ways in which their citizens’ personal data may be exploited and misused by third parties. Internet companies, including the ‘Big Five’ – Facebook, Apple, Amazon, Microsoft and Google – were forced to make changes to comply with the GDPR. These changes included providing more explicit information to users about how the companies use personal data, and opportunities for users to withhold their consent to their data use and to find their data, rectify inaccuracies and delete their data if they wish. The GDPR only applies to the European Union (EU), but as many internet companies have or seek users in the EU as well as other parts of the world, most have made changes that apply globally.

These events are responses to the intensification of what has been termed the ‘datafication’ of everyday lives (van Dijck 2014). Datafication enrols an expanding array of digital technologies that are directed at recording aspects of human lives and bodies and rendering them into digitized information. These details are the personal data that are the subject of this book. People’s interactions online; their use of mobile and wearable devices, mobile apps and other ‘smart’ objects; and their movements in sensor-embedded spaces all generate multiple and continual flows of personal data. These data record details about intensely personal actions, habits and preferences, social and intimate relationships, and bodily functions and movements. They can include such attributes as a person’s age, gender, date of birth, telephone number, family members, friends and other contacts, email address, home address, educational qualifications, place of work, sexual identity and preferences, ethnicity or race, physical appearance, geolocation, purchasing habits, holiday locations, health status and many more. Internet browsing and search histories using tools such as Google Search document histories of users’ interests and preoccupations. Social media sites, including Facebook, Instagram, Twitter and Snapchat, encourage people to continually upload status updates that may include details of their recent activities and social encounters, photographs and videos of themselves and their family members and friends, and information about their hobbies and pastimes, political interests and work life.

The smartphones people carry with them as they move through their days emit constant updates of their physical location using geolocational sensors. The apps that have been uploaded to the phones generate further personal details that are collected by the app developers, often including users’ contacts and geolocation. Work-related platforms such as LinkedIn register and display members’ educational qualifications and work histories. Content curation and sharing sites, including YouTube and Pinterest, and streaming services such as Netflix and Spotify, record viewing and listening preferences. Messaging apps contain many details about people’s relationships and lives as they communicate with others. Electronic health records archive details of visits to doctors, medical tests, medications and therapies. Digitized transport and border security systems record people’s travel. Surveillance cameras, facial recognition software and sensors embedded in public spaces document their appearance and movements.

Meanwhile, the use of dating apps and platforms generates details about people’s private relationships and sexual preferences. Online customer loyalty reward programs and shopping websites track their purchasing habits. A multitude of apps, software platforms and wearable devices have been designed that encourage people to engage in self-monitoring of their bodies and lives by generating data about themselves, including their heart rate, physical activity, moods, reproductive cycles and sleep patterns. Children can be datafied before they are even born, using digitized foetal ultrasound images and other information about them that can be shared online by their expectant parents. As they enter the school environment, details of children’s bodies and activities become further documented through the use of educational and learning analytics software.

The digitized information generated by these entanglements of people with digital devices, apps, sensors and online platforms may be characterized as ‘personal data’. Popular representations of these personal data and their futures often lean towards polar extremes. Novel technologies that generate and process personal data are frequently portrayed in news coverage and industry promotional material as almost magical in the possibilities they offer human existence. Many of the positive imaginaries of digital technologies rest on the ideal of surpassing and extending the capabilities and capacities of the fleshly body. It is contended that these devices offer people opportunities to record far greater reams of information about themselves, ready to store and access, than they could using time-honoured analogue technologies (such as pen and paper) or the sensory and memory capabilities of their bodies. Claims are made by digital developers and entrepreneurs that digital devices and software can generate and process information about people that can be used for better self-knowledge and optimization of various aspects of their lives – their health status, longevity, freedom from disability, improved physical fitness, mental wellbeing, greater productivity and so on – in short, to create ‘better’ humans.

In contrast to these positive and optimistic portrayals, however, a multitude of techno-dystopian visions about the risks and harms of datafication have also received public dissemination in news and other popular cultural forums and by data privacy activists and civil society organizations. As was evident in news coverage of the Cambridge Analytica/Facebook scandal, public claims are frequently made that personal data offer unprecedented access to people’s innermost secrets by unscrupulous and sometimes criminal third parties seeking to uncover and exploit these intimate insights. In many cases, people have little opportunity to discern who is accessing their personal details and how their data are being viewed and used by others. Personal data can be accessed and used without people’s knowledge or consent: including illegally by hackers and cybercriminals and via non-malicious data breaches or leakages due to human error.

The Cambridge Analytica/Facebook scandal is only one of a series of highly publicized events that have occurred since 2013 relating to the ways in which digitized information about people was being commodified and exploited by a range of agencies, both legally and illicitly. In 2013, the whistle-blower Edward Snowden released documents demonstrating how the governments of the United States, Canada, the UK, New Zealand and Australia were spying on their citizens as part of the Five Eyes Alliance global mass dataveillance program. Five Eyes intelligence agencies were revealed to be accessing citizens’ private emails, phone call data, online searches and other personal data as part of their surveillance activities, and sharing these data with each other. Since then, various other controversial uses of people’s personal data by commercial and government organizations as well as data leaking and hacking scandals have occurred: for example, Facebook’s and OKCupid’s manipulation of information provided to users of their platforms, and massive data breaches and hacks related to personal data held by dating sites; large companies such as Uber, Yahoo, Target, Equifax, the JP Morgan Chase bank and Ebay; and government and healthcare and health insurance organizations. Some of these data breaches or leaks have involved hundreds of millions and even billions of users. These details can be used for identify theft, reputational damage and blackmail. For example, stolen personal data related to dating and sexual relationships have been used for extortion attempts, as in the case of the adultery website Ashley Madison data hack in 2015.

The tension between the contrasting and multiple uses of digitized details about people and the implications for their lives requires sustained examination. In this book, I seek to explore these complexities and identify their sociocultural underpinnings. In my previous book The Quantified Self: A Sociology of Self-Tracking (2016b), I discussed the ways in which the emergence of novel modes of generating digital data about humans and their activities and movements has facilitated new understandings about how people learn about and conceptualize their bodies and selves. I developed the concept of ‘lively data’ in the attempt to characterize and explain the vitality of human–data assemblages (see also Lupton 2017b; 2018b). The first element of the liveliness of personal digital data relates to the ways in which they are generated and what happens thereafter. The intimate information that is continually generated about people as they go about their lives contributes to human–data assemblages that are heterogeneous and dynamic, their character changing as more data points are added and others removed. Digital data may therefore be described as having their own social lives as they circulate in the digital data economy and are purposed and repurposed. These data can continue to be lively even once the human to whom they refer is dead. Second, digital data constitute forms of knowledge about human (and nonhuman) life itself: the attributes of being alive. Third, personal digital data have impacts on people’s lives, shaping the decisions and actions that people make for themselves, and those that others make on their behalf. Finally, personal digital data are forms of human livelihoods, contributing to the commodification of information as part of the digital data economy.

Data Selves offers a complementary discussion to The Quantified Self of how personal digitized information – derived not only from self-tracking activities but also from a wide variety of humans’ engagements with digital technologies – are conceptualized, used and interpreted as part of subjectivity, embodiment and social relations. Working and thinking particularly with perspectives from scholarship in feminist new materialism, I acknowledge the importance of paying attention to practices, affects and sensory and other embodied experiences, as well as discourses, imaginaries and ideas, in identifying the ways in which people make and enact data, and data make and enact people. In so doing, I seek to explore the onto-ethico-epistemiological (Barad 2014) dimensions of living with and through our lively data, generating our ‘data selves’. This approach recognizes that understandings, knowledges and ethical positions are always entangled and mutually generative.

Much of the digitized information about humans that is currently collected and processed can be used for dataveillance (Raley 2013; van Dijck 2014), or the watching and monitoring of people using their personal data. Dataveillance can be employed for a wide variety of purposes. It is undertaken at the personal or interpersonal level, involving voluntary self-surveillance or the consensual surveillance of others. In some cases, people have been informed about how their personal data may be used and have agreed to terms and conditions and privacy policies concerning third-party use. They may choose to actively collect digitized information about themselves using devices and software specifically designed for this purpose. They can take the opportunity to view their personal information, reflect on its meaning and use it to improve their lives, contribute to their memories or achieve self-knowledge. They can choose to connect with other people online, consensually sharing and responding to personal details as part of social networks and friendships. People can also sometimes review data about themselves collected by other actors, such as social media metrics, employee dashboards, educational outcomes, medical records and so on.

However, people’s digitized details can also be used by third parties to betray, discipline, marginalize or even punish them, and to deny them rights and opportunities. Dataveillance can operate at the organizational level, conducted by actors such as commercial enterprises, government intelligence, security and policing agencies, social security agencies, transport organizations, workplaces, educational institutions and many more. Researchers have identified ‘function creep’, or the ways in which datafication technologies and personal datasets have become dispersed into and used in different domains well beyond their original purpose (Timmermans et al. 2010; Kitchin 2014; Lupton 2016a; 2016b). As I outlined in The Quantified Self, there are many ways in which people may be pushed or even coerced into generating and sharing digitized information about themselves. Some businesses now offer reward schemes that provide financial or other compensation to people who share their personal data with them. Retailers’ customer loyalty schemes collect information about people’s purchasing habits, and some companies encourage people to upload their physical activity data generated by wearable devices. Employers now often encourage their employees to take up self-tracking as part of workplace wellness programmes, staff competitions and challenges or productivity campaigns, or compel workers to use software and sensors to monitor their movements and engagements online. Schools may require their students to sign up to apps or platforms in which their learning is tracked, or to use physical activity monitoring equipment in physical education lessons. Health and life insurance companies have begun to encourage their customers to engage in health- and fitness-related self-tracking using apps or wearable devices, and to share their data with the companies, so that individualized premiums can be calculated based on this information. Car insurers offer similar schemes for clients, in exchange for digital data on their driving habits. Social security and law enforcement agencies may demand that the people in their remit share personal data such as their income and physical location with them.

Underpinning these initiatives is the notion that personal digitized information is valuable. In the contemporary information economy – or what Zuboff (2015) calls ‘surveillance capitalism’ – personal data, like human tissue, blood or cells, have become commercial commodities, attracting a form of biovalue that can be exploited for profit by a diverse range of actors (Ebeling 2016; Lupton 2016b). These ‘small data’ on individuals accumulate into larger datasets and become ‘big data’ (Kitchin 2014; Zuboff 2015). Surveillance capitalism is built on an emergent logic of accumulation that depends on the continual collection of data and their extraction and analysis to generate revenue (Fuchs 2014; Zuboff 2015; Sadowski 2019). Personal data can be used by an app, device or platform developer to be sold to third parties such as advertisers and data-broking and -profiling companies, or to better market their product to targeted audiences. The vast profits of internet empires Google and Facebook depend on the monetization of personal data. A secondary industry of data miners, harvesters and brokers has sprung up, in which data about people are traded and brought together to create profiles or to use in algorithm decision-making processes. People’s digitized information is used to optimize systems, model probabilities and train artificial intelligence software (Andrejevic 2013; O’Neil 2016; Sadowski 2019). Government agencies or researchers may use some of these data for managerial or research purposes. There is even an industry that seeks to preserve and exploit the ‘digital assets’ of dead people (Arnold et al. 2017; Öhman and Floridi 2018).

Personal data can be further used in digitized systems that reproduce or set social norms of behaviour and discipline and regulate ...