Feminist data protection

Introduction: distinguishing privacy and data protection

‘Feminist data protection’ is not an established term or field of study: data protection discourse is dominated by doctrinal legal and economic positions, and feminist perspectives are few and far between. The marginalisation of feminist voices within mainstream discourse, in and of itself, is common enough to not be surprising (see Charlesworth, 2011, p. 17). Nonetheless, the relative lack of feminist engagement with data protection strikes as somewhat curious in light of the manifold feminist debates surrounding a closely related concept: privacy.

The notion of privacy has been subject to extensive feminist critique and exploration, especially insofar as it concerns the gendered division between private and public spheres and its deconstruction (Allen, 1988; MacKinnon, 1989; Hurtado, 1989; Bhattacharjee, 1996; Scott and Keates, 2004; DeCew, 2015; Weinberg, 2017). Many writers have noted, in particular, the instrumentalisation of privacy to protect the perpetrators of domestic violence (Kelly, 2003). The feminist critique of privacy is, at this point, well-known enough to have entered mainstream debates: it was evoked, for instance, in the 2017 landmark judgment of the Indian Supreme Court, which recognised the existence of a constitutionally protected right to privacy in India.1 The judgment noted in this sense that ‘[m]any writers on feminism express concern over the use of privacy as a veneer for patriarchal domination and abuse of women’, but stressed that, nonetheless, ‘women have an inviolable interest in privacy’, privacy being ‘the ultimate guarantee against violations caused by programmes not unknown to history, such as state imposed sterilization programmes or mandatory state imposed drug testing for women’ (§ 140 (d)).

This duality of privacy has also been highlighted by many feminist authors (e.g. Allen, 1988, 2011; Squires, 2018; Wischermann, 2003; Klaus and Drüeke, 2008).2 It is reflected in several recent developments which indicate an incipient, albeit oftentimes timid, awareness of the need to look at privacy (and data protection) differently. In this context one might mention the work on gender-based violations of privacy carried out by the United Nations Special Rapporteur on the Right to Privacy (2020), or work by NGOs such as Privacy International (2018), among others (e.g. Chair, 2020). Historians of privacy have been exploring past connections between feminism, liberation and privacy (Igo, 2018), and American scholars keep active exploring privacy’s potential to counter the oppression of women, queer folks, and racial and religious minorities (Skinner-Thompson, 2020).

Privacy and data protection are often viewed in tandem (Solove, 2002, pp. 1109-1115; Whitman, 2004, pp. 1189-1195; ECJ, Schecke, and Eifert, 2010). Perhaps this relation accounts, in part, for the relative lack of feminist engagement with data protection: a feminist critique of data protection could perhaps be viewed as unnecessary because privacy has already been dealt with at length from such perspective, and the two concepts are too entwined for data protection to be considered worthy of separate debates. However, for all their areas of overlap, privacy and data protection should not be conflated (Bieker, forthcoming; Cohen, 2019, p. 23; González Fuster, 2014a). They have separate genealogies (González Fuster, 2014b) that have generated differing approaches, connotations and debates in various contexts. Data protection may serve interests other than privacy,3 and it may be better or less well suited at responding to different kinds of potential harms based on how it has been conceptualised thus far, or could be conceptualised in the future. Against this backdrop, we ask: what potential does feminism hold for data protection, and what potential does data protection hold for feminism?

We note at the outset that we approach these questions based on a broad understanding of feminism. Questions of gender are, of course, central to feminist analysis, but gender itself is ‘embedded in a range of social, political, cultural, and ideological formations’, as Angela Davis has put it. Feminism, therefore, ‘involves so much more than gender’ (2016, chapter 8; see also Butler 2007, pp. 4-5 and, in the context of data feminisms, D’Ignazio and Klein, 2020, p. 14). It is impossible, in other words, to tackle questions of gender, sexism and patriarchy without simultaneously accounting for other forms of oppression such as racism, (neo-)colonialism, capitalism, etc.4 To disregard these in favour of an ostensibly universal notion of womanhood or sisterhood (see critically Mohanty, 2006) is to disregard how various oppressive structures interact and, collectively, impact differently upon different women and gender non-conforming people (Combahee River Collective, 1977; hooks, 1981; Davis, 1983; Collins, 1990; Lorde, 2007; Crenshaw, 1989, 1991; Collins and Bilge, 2020).

How might we place feminism, thus understood, in relation to data protection? We begin by summarising a number of recent interventions in the broader fields of data sciences and surveillance studies which, although they do not usually refer explicitly to the notion of data protection, can teach us about the kind of themes and questions that are important from a feminist perspective. We then turn back to data protection itself and consider how it might be understood, critiqued and possibly reimagined in feminist terms. Finally, we return to the term ‘feminist data protection’ and the different directions in which it might be further developed—as a feminist approach to data protection, as the protection of feminist data, and as a feminist way of protecting data—and we provide an overview of the papers included in the present special issue on feminist data protection.

Feminist surveillance studies and data feminisms

The feminist writings on themes of privacy, surveillance and data processing already constitute a veritable feminist archive.5 It is impossible to do justice to their depth, breadth, and variety here—all the more so since feminism employs a broad range of perspectives and methods (Abu-Laban, 2015, p. 45; see generally Vergès, 2021, pp. 19-20), often emphasising embodied, situated and contextual knowledge (Koskela, 2012, p. 50; Costanza-Chock, 2018; D’Ignazio and Klein 2020, p. 83). It is also difficult and delicate to trace a firm line between writings about surveillance, privacy and data protection and works on the rights of women online, including on online harassment and gender-based violence, which have a direct connection with privacy (Citron, 2014; Goldberg, 2019)—and which would equally deserve detailed discussion. Here, we merely hope to sketch some broad lines and distil some common themes to provide an impression of the kind of work that could inspire (or form part of) feminist data protection.

Doing critical research and explicitly taking a feminist stance almost inevitably means questioning the status quo—things as they currently stand—and thus also questioning the objectivity in which the status quo commonly dresses itself: it is about ‘wishing, hoping, aiming at everything that has been deemed impossible’ (Olufemi, 2020, p. 1). This involves challenging the objectivity of certain modes of governance, the alleged objectivity of technology, and the techno-determinism and lack of accountability which come with it (Benjamin, 2019, pp. 40-41, 53; see also Magnet, 2011; Nkonde, 2019-2020, p. 32). Connections can be drawn, for example, to big data myths that ‘bigger data are considered somehow more true’—which has ‘close ties with the spectre of objectivity so well-known to feminist critics of knowledge production’ (Shephard, 2016, p. 4; see also boyd and Crawford, 2012).

Rather than being seen as objective, the various forms of technology, surveillance and data processing must be regarded in light of their social origins and contexts (Corones and Hardy, 2009, p. 388; Haggerty and Ericson, 2000; Zuboff, 2015, p. 75). Technology is embedded in social relations (see e.g. Bijker and Law, 1992), in a relationship that can be understood as co-constitutive (e.g. Latour, 2005). Accordingly, it should come as no surprise that technology, surveillance and data processing reproduce, entrench and deepen various forms of discrimination, marginalisation and oppression already present in society (see for instance Gilliom, 2001). A particular form of discrimination and marginalisation is sometimes captured as ‘bias’ within data systems. ‘Bias’ can be a useful framing to draw attention to discriminatory effects, but it can also be a reductive term, since it may signal the possibility of an easy fix by diversifying the underlying data set or the team behind it—which in many cases falls short of a just or even, for some, a liveable solution. For example, while diversification of fields such as machine learning is sorely needed (World Economic Forum, 2018), diversity will not realistically, by itself, achieve the upheaval of these fields’ structures of marginalisation and exclusion. Behind a pleasant rhetoric of diversity there often lurks the tokenisation and gaslighting of those from marginalised groups, especially women of colour (Birhane and Guest, 2021, pp. 65-68; Benjamin, 2019, pp. 19-20, pp. 61-62; Hassan, 2018; see generally Ahmed, 2012).

The discriminating impact of data processing is not exclusively connected to biased input and training data; social sorting and discrimination are its inherent effects (Gandy, 2010; Lyon, 2003). Computer-assisted decision-making might be less prone to individual biases, yet it ‘may also normalize the far more massive impacts of system-level biases’ and ignorance with respect to structural disadvantages (Gandy, 2010, p. 33). Guzik (2009, p. 12) claims that ‘predictive data mining discriminates by design’ since its main aim is to distinguish groups and to sort individuals into them (see also Taylor, 2017, p. 15). These groups are the foundation for decisions, e.g. about which users get to see which advertisement, which group will be subject to further security checks and more. Data from one individual might lead to conclusions that affect all members of an artificially created group. The effect of individuals being sorted following their individual data into groups, leading to group categorisations that become the basis of how individuals are treated, might be called statistical discrimination (Guzik, 2009). Since the group and collective aspect of personal data processing becomes more important in big data and machine learning environments, scholars began to increasingly focus on group and collective aspects of data protection beyond the individual (e.g., Matzner, 2014; Mantelero, 2016; Taylor, Floridi, and van der Sloot, 2017).

The idea that data bias can be countered by the diversification of underlying data sets, while apposite in some contexts, can also distract from the fact that certain technologies should, from a feminist standpoint, be opposed entirely rather than merely being made more inclusive and accurate (Powles and Nissenbaum, 2018). The field of facial recognition and its various offspring and connected practices, such as automated gender recognition, is one such case. Feminist scholars have long since exposed the inaccuracies (or, more precisely, the variable degree of accuracy) of facial detection and facial recognition along the lines of race, gender and their intersections (Buolamwini and Gebru, 2018) as well as the binary and cisnormative assumptions of gender it employs (Keyes, 2019; see also Costanza-Chock, 2018). In light of the way these technologies are used by the carceral state for the surveillance and oppression of marginalised groups, however, fighting for inclusion may prove harmful rather than emancipatory (Kalluri, 2020; Keyes, 2019; Hassein, 2017).

Inequality, in brief, should often not be seen as a minor deviation within data processing practices and machine learning, but rather as constitutive of the field and hence not amenable to a technical fix (Fourcade and Johns, 2020, p. 827): ‘sexism is a feature, not a bug’ (Hicks, 2021). Surveillance and data processing have historically been used as tools of patriarchy, slavery and colonialism as well as for the regulation and oppression of queer people (Browne, 2015; Foucault, 1977; see also e.g., Khan, 2017; Mason and Magnet, 2012, p. 106; Shephard, 2016, p. 3 and pp. 6-8; Conrad, 2009, p. 384). They should thus be viewed as rooted in these historical practices rather than focussing on some shadows of a specific shiny, new technology which is supposed to otherwise magically fix societal problems. A decolonial feminist lens helps to bring these issues to the fore with particular clarity, highlighting for example the continuing logics of data extraction from the Global South while creating additional dependencies on corporations from the Global North (Milan and Trere, 2019, pp. 326-327; Couldry and Mejias, 2019, p. 6; Birhane, 2020; Cohen, 2018, p. 221), and the pernicious narratives of data for development or surveillance humanitarianism (see Pendergrast, 2019).

A further issue of particular interest from a feminist perspective is the normativity and normalising tendency of categorisation within data processes (Ball et al., 2009, p. 354; D’Ignazio and Klein, 2020, p. 100). We can ask not only which subjects are included in certain data processes or technologies and on which terms, but also how gendered and racialised subjecthood is constituted and essentialised in these contexts in the first place (Browne, 2015, p. 114; Hicks, 2019, pp. 26 and 29; Keyes, 2019; Beauchamp, 2019, p. 15). And again, this is not only true for the modern iterations of classifications such as the gender ‘options’ on Facebook (Bivens, 2017), but also for other data practices (see Hicks, 2019) such as the development of driver’s licenses not just as means of identification but as a way of ‘consolidating racial, gender and ability categories into population-level typologies and hierarchies’ (Adair, 2019, p. 585).

To focus on subjecthood also raises the question of who is seen as subject and who is objectified—within surveillance and data processing practices, who collects data and whose data is collected, who is acting and who is acted upon, who is watching and who is being watched (Koskela, 2012, p. 51; Andrejevic, 2014; Abu-Laban, 2015, p. 46; Gurumurthy and Chami, 2016)? Women and other marginalised groups have long been familiar with the ‘male gaze’ which may not only lead to self-regulation and behavioural modification by virtue of the constant feeling of being watched (Khan, 2017), but can also be understood as ‘visually dismembering and reconstituting women’s bodies’ (Mason and Magnet, 2012, p. 107). The ‘white gaze’ similarly involves the ‘imposition of race on the body’ (Browne, 2015, p. 7).6

Not only the likelihood, but also the consequences of being watched can differ greatly. The narrative that ‘those who have nothing to hide have nothing to fear’ disregards the way in which surveillance erodes democratic structures in general, but also fails to account for the uneven distribution of how much can safely be revealed along lines of gender, race, class, residency status, occupation and other factors (Shephard, 2016, p. 13). We might think, for example, of data processing leading to the possibility of stalking and sexual harassment of women (Mason and Magnet, 2012), to tracking of pregnancy and abortion or to being outed as queer or as a sex worker (Kovacs, 2020). Furthermore, under neoliberal capitalism practices of self-tracking are becoming more common—and the example of menstrual apps clearly demonstrates the extent to which this can involve the unwaged labour of women and others who menstruate (McEwen, 2018).

In sum, feminist interventions in the fields of surveillance, data processing and machine learning invite us to ask different questions than those that otherwise dominate research agendas. In particular, they invite us to ask uncomfortable questions about power structures and the ways in which they are gendered, raced and classed (Kalluri, 2020; D’Ignazio and Klein, 2020, ch. 1)—and to investigate how they have been and can continue to be opposed and dismantled (Costanza-Chock, 2018). Whatever the dangers involved, where there is surveillance, there is subversion and parody to undermine it, and where there is a white, male gaze, there is also an oppositional gaze (Browne, 2015, pp. 10 and 58, building on hooks, 1992).

Data processing, data protection and feminist critique

While feminist interventions have analysed the dynamics of data processing and the dangerous outcomes such processing can produce, they have rarely engaged explicitly with data protection (but see e.g., Peña and Varon, 2019; Suárez-Gonzalo, 2019). A preliminary issue is how data protection should itself be understood: reference is often made to the European legal context and particularly to the General Data Protection Regulation (GDPR; see Daly, 2021, p. 67), but even so data protection has been construed in many different and sometimes contradictory ways (Bieker, forthcoming; Hustinx, 2017; Tzanou, 2017; Lynskey, 2015; Docksey, 2015; Kokott and Sobotta, 2014; Kranenborg, 2014; Purtova, 2012; Rouvroy and Poullet, 2009; De Hert and Gutwirth, 2006).

One way of approaching the notion of data protection is to go back to its origins. The discourse on data protection in Europe started in the 1960s with the introduction of data processing in the public service—already then with a marked international dimension, building on parallel reflections on the other side of the Atlantic regarding what the United States would eventually conceptualise as ‘informational privacy’. When the German state Hesse set out to employ large databases for public information systems, it also enacted the first legislation to use the term ‘data protection’ (González Fuster, 2014a, p. 56), the Datenschutzgesetz of 1970. A report prepared for the German Ministry of the Interior concerning the foundations of data protection and its future development shines some light on how data protection was understood at the time: it was viewed as a necessary companion of data processing due to the inherent power asymmetry between those who process and control the data and those whose data are processed (Steinmüller et al., 1972, p. 40ff). The report recognised that data processing may have adverse effects both on individuals and on society as a whole, and was therefore viewed as encompassing both individual and structural dimensions (Steinmüller et al., 1972, pp. 34 and 44; see Bieker, forthcoming). It is also noteworthy that even at this early stage of discussion, data protection was considered a necessary safeguard to protect minorities in particular, as they could easily be discriminated against with the use of data processing technology (Steinmüller et al., 1972, p. 40).

Elements of these early conceptualisations continue to play a role in current debates on data protection—in particular, data protection is still conceptualised by some authors as a response to the power imbalance that lies at the heart of data processing (Bieker, forthcoming; Lynskey, 2015, p. 105; Malgieri and Niklas, 2020, p. 2; Rouvroy and Poullet, 2009, p. 68 and pp. 73-74). While there is no agreement on how to remedy, mitigate or transform this power imbalance, the notion of ‘data protection as a critique of power’ (Bergemann, 2018, p. 126) makes it a potential ally of the various feminist perspectives discussed above. In this sense, data feminism, according to the principles formulated by Catherine D’Ignazio and Lauren Klein, ‘begins by analyzing how power operates in the world’ and ‘commits to challenging unequal power structures and working toward justice’ (2020, p. 17).

If understood as a critique of power, then, there is clearly some measure of affinity between data feminisms and data protection. However, as noted above, understandings of data protection are not uniform or consistent. As so often, dominant understandings—particularly those prevalent within legal discourse—tend to shift the focus away from challenging power structures and instead offer merely individualistic, liberal frameworks which largely serve to preserve and legitimise the status quo (Padden and Öjehag-Pettersson, 2021, p. 13; Bergemann, 2018, p. 127). The conventions of legal discourse also bring assumptions of objectivity and rationality with them which, as feminist and other critical approaches to law have long since pointed out (MacKinnon, 1983; Charlesworth, Chinkin, and Wright, 1991; Kennedy, 1997; Theilen, 2021), serve to mask the gendered power structures of which law forms part—in a very similar way to the alleged objectivity of technology mentioned above. Against this backdrop, it becomes important to offer a feminist critique of data protection by centring categories such as gender, race and class, but also more generally by applying feminist insights on the analysis of unequal power structures to those involved in data processing (Peña and Varon, 2019; Suárez-Gonzalo, 2019, p. 184).

We might ask, for example, who the subject behind data protection is (Malgieri and González Fuster, 2021). In legal terms, the ‘data subject’ is defined simply as an ‘identified or identifiable natural person’ (Article 4(1) GDPR). It is thus assumed to exist as a pre-constituted subject, thereby side-lining the above-mentioned questions of how subjecthood is constituted in the first place and the conditions and gendered power structures which shape it (see critically, Cohen, 2019), for example the way in which self-tracking may involve digital reproductive labour which produces both data and subjectivities (McEwen, 2018, p. 246). By positing a data subject ostensibly ‘unmarked’ by notions such as gender, race, and class (see generally Frankenburg, 1993), it also becomes difficult to respond appropriately to the way in which surveillance and data processing specifically target women and other marginalised groups, as described above. It would therefore be necessary, at a minimum, to ‘emphasise existing inequalities between different data subjects and specify in a more systematic and consolidated way that the exercise of data rights is conditioned by many factors such as health, age, gender or social status’ (Malgieri and Niklas, 2020, p. 2).

One area in which these questions of subjecthood become particularly tangible is the question of consent. Feminist theory and praxis has a complicated relation to the notion of consent, both highlighting its importance (‘no means no’) and offering trenchant critiques of its limitations. In that vein, for example, it has been argued that commonplace understandings of consent unrealistically presuppose a free, liberal subject capable of making a meaningful choice (see Hirschmann, 1992; Drakopoulou, 2007) and that foregrounding consent therefore fails to account for—and hence legitimates—gendered power structures which shape the situation in which consent can be given (Lacey, 1998; MacKinnon, 1989; Pateman, 1988; Loick, 2019).

The same argumentative structure can be transferred to critiques of data protection: when focussing on consent to data processing, we easily lose sight of the way in which the situation of consent-giving is itself shaped by the more general power imbalance between data subject and controller (see generally Peña and Varon, 2019, pp. 13-14; Suárez-Gonzalo, 2019, p. 184; Cifor et al., 2019; Bietti, 2020, p. 339; Padden and Öjehag-Pettersson, 2021, pp. 12-13; de Hingh 2018, pp. 1279-1281; Bergemann, 2018, p. 113). As necessary a safeguard as consent may be in certain situations, then, it also constitutes another way in which data protection is diverted away from truly challenging the unequal power structures inherent in data processing. This goes both for the capitalist logics of data extraction underlying large-scale data processing (Andrejevic, 2014, p. 1675) and for the gendered and racialised foundations of surveillance.

These dynamics are not necessarily specific to the notion of consent, however—a fact which is important to note since, at least from a European legal perspective, consent constitutes only one possible legal base for data processing (see Art. 6 GDPR) and thus plays a less central role within data protection than is sometimes assumed. Other bases for data processing, too, can be questioned from a feminist perspective: for example, in light of the insights from data feminisms canvassed above, it seems immediately clear that interpretations of the ‘public interest’ will involve preconceptions about which persons or groups should be subject to regulation and surveillance.

Within the current legal data protection framework, it can be regarded as difficult to effectively challenge not only individual acts of data processing but rather the discrimination against groups and collectives, as well as certain technologies, business models or mass surveillance practices altogether (see Daly, 2021, p. 88; Rule, 2012, pp. 67-68). Take the example of artificial intelligence (AI). Early conceptualisations of data protection included a prohibition of hyper-complex processing operations: if they were so expansive or complicated that a controller could not describe their necessity comprehensively, they would not be allowed (Podlech, 1982, p. 456). Today, hyper-complex processing operations could still be understood as violating various rules and principles of data protection law (Bieker, forthcoming); however, the express formulation of a prohibition did not find its way into written law, and the GDPR is not commonly read as containing such a prohibition. Instead, the legislator takes a sectoral approach to certain technologies. Even the current proposal for an EU regulation on AI (EU Commission, 2021), which includes a prohibition of certain AI practices, only rules out a very limited number of applications and includes, tellingly, exceptions for law enforcement.

As mentioned above, there is a risk that notions like transparency, fairness or accuracy, which play a prominent role in liberal data protection discourse (Maxwell, 2015), may function merely as a distraction from more foundational feminist concerns about the way technologies such as automated gender recognition both entrench cisnormative views of gender as ‘readable’, normalise mass surveillance along gendered and racialised lines, and expand the reach of the carceral state at the expense of already oppressed groups. At least in the legal conceptualisation of data protection, such practices will largely continue to be legitimated by reference to the public security interest (Bigo, 2012, p. 277; see e.g. ECJ, Digital Rights Ireland, 2014, paras. 41-42; ECJ, La Quadrature du Net and others, 2020)—which in turn is based on perceptions of risk that are strongly shaped by notions such as gender, race and class (see Stachowitsch and Sachseder, 2019; Beauchamp, 2019; Costanza-Chock, 2018; Currah and Mulqueen, 2011).

Since data protection, as it is commonly understood, is so strongly tied up with the European legal order, aspects of this integration process place limitations on it in several ways. The project of European integration is not as simple as often portrayed and many scholars offered understandings and conceptualisations of this process beyond the discourse of liberalism, human rights and peace (see e.g. Bigo et al., 2021; Wiener et al., 2018). One aspect is that the preservation of colonial power structures played a considerable role in European integration (Garavini, 2012; Hansen and Jonsson, 2015). This stands in contrast to decolonial feminism, which would aim to direct the critical potential of data protection towards challenging data extraction from the Global South, rather than re-consolidating European values as universal (see Arora, 2019, p. 718). Given that one of the main aims of the European Union is to establish a free market, and the EU is thus wedded to (neo)liberalism and capitalism (O’Connell, 2019), why would we expect it to move beyond a capitalist (Daly, 2021, pp. 88 and 92), individualised approach to data protection and instead centre projects of collective resistance (Suárez-Gonzalo, 2019, p. 184; Hull, 2015, p. 98; Arora, 2019) or communal, non-commodifying data practices, as feminist voices would demand?7 Of course, data protection could be (re-)imagined in many different ways, some of them with more emancipatory force than others. In reckoning with its dominant conceptualisations, however, we need to be aware that they are developed ‘within a context that includes systematic constraints and pressures’ (Marks, 2009, p. 2)—and that these constraints limit the feminist potential of data protection as a critique of power.

Outlook: where could we take ‘feminist data protection’?

We noted at the outset that ‘feminist data protection’ is not an established term or field of study—not yet. The picture sketched above perhaps points towards a further reason for the relative lack of feminist engagement with data protection: as a term strongly associated with European legal doctrine and thus also linked to neoliberal, capitalist logics it might seem to hold little interest for feminist endeavours of social transformation.8 Indeed, although data protection has been and can be conceptualised as a response to the asymmetric power structures inherent in data processing, its radical potential is limited by the way those very power structures fade into the background within individualistic, law-based approaches which dominate mainstream debates. Against this backdrop, we would like to suggest three complementary ways of understanding ‘feminist data protection’, each of which points towards different forms of analysis and offers different possibilities and prospects.

The first understanding is the one we have been foregrounding thus far: feminist data protection can be understood as a feminist critique of data protection, or as doing and thinking data protection from a feminist perspective. With this understanding, ‘feminist’ is an attribute of ‘data protection’.

This approach brings certain questions, topics and interests into the established field of data protection, and challenges its mainstream methods by looking at structural inequalities and power imbalances, questioning presuppositions of order, fixed categories, normality and objectivity, and examining the possibilities of re-establishing data protection as a field for social transformation. We have noted some ways in which the historical origins of data protection as well as some current debates hold potential in that regard, but also identified some limitations. To acknowledge the latter does not imply that we should disengage from data protection entirely, or position ourselves as unproblematically ‘against’ it. To do so would be to cede even more space to those whose power is, however imperfectly, constrained by current regulations: this becomes clear, for example, in the resistance by certain states to the EU’s stance on both data protection issues and gender equality.9 It does mean, however, that we should be wary of where we place our hopes for social transformation, and that we should not let established liberal discourses on data protection delimit our transformative horizons.

A concrete example of this type of potentially transformative feminist theory and practice ‘of data protection’ is the interrogation of online gender construction via data protection law, and notably through the exercise of data subject rights.10 This implies, in particular, investigating data protection transparency obligations and data subject rights to see how they can be further used to apprehend, and eventually contest and play with, the ways in which gender is attributed online—on the understanding that not only gender but many other categorisations would benefit from this unmasking and interrogation.

The two further understandings of ‘feminist data protection’ we propose, approach the task of thinking beyond established discourses on data protection by building bridges to the various data feminisms canvassed above, which do not necessarily make use of the concept of data protection, or at least aim to radically rethink its connotations. The second understanding of feminist data protection positions ‘feminist’ as an attribute of ‘data’, rather than ‘data protection’: it is thus concerned with the protection of feminist data.

Of course, if one thinks of data simply as ‘given’ (literally, the ‘datum’), then there might not be feminist data. However, this understanding of data is simplistic: there is no ‘raw data’ (Gitelman, 2013; Pendergrast, 2019). We must reflect critically on which information needs to become data before it can be trusted, and whose experiences need to become data before they can be considered as ‘fact’ and acted upon (see Williams, 1995, p. 47; Collins, 2019, chapter 4), which involves tackling the structural marginalisation of women, especially women of colour, beyond mere references to ‘diversity’. Data sciences are increasingly becoming subject to feminist critique along these lines (D’Ignazio and Klein, 2020), and scholars and activists are aiming to develop feminist data sets including art work, literature, interviews, narratives, political writing and much more.11 The protection of feminist data would involve the presence, recognition and the just and democratic handling of these data in common knowledge and consciousness, in politics and activism, in sciences, and in tools like statistical modelling, data visualisation, and crowd-sourcing. It is particularly crucial in contexts in which data concerning feminist resistance places individuals and groups at risk, but in which notions like privacy do not seem useful since visibility is inextricably tied up with resistance to patriarchal structures (see Arora, 2019).

The third understanding of ‘feminist data protection’, finally, takes ‘feminist’ to be an attribute of ‘protection’: it refers, in other words, to a feminist way of protecting data, which involves questioning what it means to ‘protect data’ in the first place.

A first question might be whether ‘protecting data’ is actually about protecting something, as the phrasing of ‘data protection’ would have it, or about protecting someone: debates about the potentially conflicting aims of European data protection law (enabling inter-state data flows and protecting data subjects) point in this direction (see Padden and Öjehag-Pettersson, 2021; Daly, 2021, pp. 87-88). But this would only be a starting point: if protecting data is about protecting some-body, then whose body is it and what are the relations between these individuals, their data, their bodies and society at large? What would it mean to centre the body in our analyses of data processes (see Conrad, 2009; van der Ploeg, 2012; Cifor et al., 2019; Kovacs, 2020), taking into account its constitution through the white, male gaze as described above? Questions such as these point beyond a stable data subject and towards the analysis of how subjecthood is constituted within data practices and what this might mean from a feminist perspective.

Questioning the notion of ‘protection’ would be another key element of this understanding of feminist data protection. Philosophical, historical, psychological and ethical research has shown that the act of protecting someone is often situated in asymmetrical, often patriarchal relationships of power. At the same time, concepts of ‘care’ structure feminist discourses regarding private as well as public contexts and their entanglements (Graham, 1991; Larrabee, 1993; Engster, 2005; in the context of surveillance see Abu-Laban, 2015). Especially theories and practices of health care and other care work, but also economic and environmental studies have approached different notions of care. However, there remains a gap in reflecting data protection as ‘care work’. A feminist approach to ‘protection’ needs to leave behind the object of protection as ‘object’, instead working towards dialogical intersubjective forms of encounter involving respect, empowerment and care (see Cifor et al., 2019).

All three ways of understanding ‘feminist data protection’ are important, and while they do not exhaust the field of possibilities offered by various data feminisms more broadly, we believe that they offer significant critical potential for challenging the power structures involved in data processing. It is in that spirit that the articles contained in the special issue which this paper introduces deal with a broad range of topics—and from a wide range of disciplines including but not limited to international relations, law, sociology and ethics—under the umbrella of feminist data protection(s).

Aisha Paulina Lami Kadiri approaches the task of re-imagining data protection by offering a trenchant critique of the data subject. Instead of individualised, liberal notions, she proposes to centre an Afrofuturist data subject that is radically subjective, collective and contextual.

Garfield Benjamin analyses and critiques ‘data collection’ using data feminism and a performative theory of privacy. The contribution discusses the (negative) implications of the term ‘data collection’ under three main narratives: data as resource, data as discovery and data as assumption. Benjamin concludes by exploring several alternative concepts and suggests using the term ‘data compilation’ in order to allow for awareness and critique of power relations.

Jenni Hakkarainen argues that algorithmic discrimination is a collective issue and requires collective redress, which the current rules of legal procedure and access to justice do not offer. She finds that ex ante oversight mechanisms that allow for action on the collective level can remedy these structural issues, as they allow for an intervention before any violations occur.

Laura Carter focusses on the welfare benefits system in the UK and how it utilises both gender stereotyping and surveillance in ways that harm both individuals and society as a whole. She argues that particular data-based surveillance and gender stereotyping act to reinforce each other, creating a vicious cycle in which the surveilled are incentivised to conform, and the non-conforming are increasingly surveilled.

Joana Varon and Paz Peña offer a feminist and anti-colonial analysis of automated decision-making in social welfare programmes. In particular, they draw parallels between feminist critiques of consent and the role consent plays in digital welfare states in the Global South, arguing that we need a collective approach to consent in order to challenge the systems of oppression at play.

Paola Lopez analyses various examples of structural inequalities and defines three types of bias: technical bias, socio-technical bias and societal bias. She shows the benefit of clearly distinguishing between these different types of bias for scrutinising data-based algorithmic systems.

The contribution of Renee Shelby, Jenna Harb, Kathryn Henne examines digital technologies designed to support survivors of sexual and gender-based violence through an intersectional lens, and shows how these technologies reaffirm normative whiteness. Their message is powerful: feminist conceptualisations of data protection must confront and dismantle the ways in which whiteness operates as the normative lens for personal data processing.

Anastasia Siapka and Elisabetta Biasin bring the insights of feminist theories of labour and political economy to bear on data sharing in the context of fertility and menstruation tracking apps. They argue that data protection and consumer protection laws are insufficient to alleviate the power balances involved and explore the potential of a demand for wages for digital labour.

Lucy Hall and William Clapton explore how the deployment of technologies programmed to attempt to detect lies and deceit at the borders of the EU will negatively impact those who are already marginalised. In doing so, they illustrate applications of AI that are inherently (cis)gendered, sexualised and racialised.

Finally, Isabelle Bartram, Tino Plümecke and Andrea zur Nieden examine extended DNA analysis, a technology pushed by security policymakers ostensibly to protect white German women from male migrants, invoking racist imaginaries of a “dangerous other”. The authors conclude that the initiative does not deliver on the promises of a “DNA composite sketch” and will increase unacknowledged institutional bias against minorities due to unquestioned trust in this technology.

In sum, all the contributions will open, we hope, new perspectives for feminist data protection(s), and for data protection generally.