
Privacy

The political struggle over personal data and who controls it through APIs

Privacy is one of the most consequential political battlegrounds in the API world, because APIs are the mechanism through which personal data flows, gets accessed, gets exploited, and — sometimes — gets protected. Every API that touches personal data is making a privacy decision: who can access this data, under what terms, with what consent, for what purposes. The politics of privacy is the politics of who controls personal data and on whose terms, and APIs sit at the center of it because they’re the technical interface through which data moves between parties. I’ve watched APIs be both the instrument of privacy violation at massive scale and the mechanism for delivering privacy rights, and the difference comes down to how they’re designed, governed, and regulated. Privacy is not a side concern in the API economy; it’s a central political question about power over the most personal information people have.

The data-rights framing is where I’ve grounded privacy politically, and it starts with a simple, frustrating observation. I wrote in 2012 asking why I don’t have easy access to all my own online personal data — because the data that platforms hold about us is ours in any meaningful moral sense, yet we typically can’t access it, move it, or control it. APIs’ role in data security and privacy, which I wrote about in 2015, is fundamentally about this: APIs can be the mechanism that gives people access to and control over their own data, or the mechanism that locks that data away in platforms that exploit it. The privacy question is, at its core, a question of data rights — whether individuals have genuine rights over the personal data that’s collected about them, and whether those rights are real and enforceable or merely nominal. APIs are how those rights either get delivered or denied.

Cambridge Analytica was the moment privacy-through-APIs became a front-page political crisis, and it crystallized everything. I wrote in 2018 about Facebook, Cambridge Analytica, and the fundamental question of knowing what API consumers are doing with our data — because the scandal was, at its core, a privacy failure enabled by an API. Facebook’s API gave away the personal data of tens of millions of people, and the data of their friends who never consented to anything, with essentially no oversight of how it was used. This was privacy violation at population scale, delivered through an API, and it exposed the structural reality that ungoverned API access to personal data is a privacy catastrophe waiting to happen. The privacy politics of Cambridge Analytica were stark: the people whose data was harvested had no meaningful control over it, no real consent, and no recourse, while the platform that enabled the harvesting faced limited consequences. It was the clearest demonstration that API privacy is a matter of power, and that the power was overwhelmingly with the platforms, not the people.

GDPR was the regulatory response that made privacy a concrete operational reality, and it changed the politics significantly. I wrote in 2018 about GDPR forcing us to ask questions about our data — because the regulation forced organizations to confront questions they’d been avoiding: where is our data, who can access it, what’s our basis for collecting it, how do we honor a deletion request. GDPR established, in law, that individuals have rights over their personal data — the right to access it, to move it, to have it deleted — and that organizations have obligations to protect it. This is privacy as a legal right rather than a platform’s discretionary courtesy, and it shifted real power toward individuals. Privacy-by-design and data minimization, which I wrote about in 2016 under the German concept of Datensparsamkeit, are the operational principles that flow from this: collect only what you need, protect what you collect, and design privacy into systems from the start rather than bolting it on. GDPR turned these from nice ideas into legal requirements, and APIs are how organizations actually implement them.

The transparency dimension is where privacy connects to the broader politics of visibility and power. I wrote in 2017 about transparency around every company that has access to our social data via an API — because privacy isn’t just about whether your data is protected, it’s about whether you can even know who has access to it. The opacity of API data access is itself a privacy harm: when you can’t see which third parties have access to your data through a platform’s API, you can’t meaningfully consent to or contest that access. My 2017 thinking about the privacy and security of public data extends this — even public data carries privacy implications, and the API management layer is where access to data can be made transparent and controllable or left opaque and exploitable. Transparency about who accesses what data, through which APIs, is a precondition for any meaningful privacy, and the platforms that resist that transparency are protecting their power to exploit data without scrutiny.

The hopeful frontier of privacy politics is consent and individual control, and I’ve championed it. I wrote in 2025 about consent APIs — the architectural idea of building explicit, user-held consent into how data access works, so that individuals genuinely control who can access their data and for what. This is the constructive vision: APIs designed from the ground up around consent and individual control, rather than around platform exploitation. The deepest political truth about privacy is that it’s a question of power over personal data, and the current default — where platforms hold and exploit personal data while individuals have little real control — is a choice, not an inevitability. APIs can be designed and governed to give individuals genuine control over their data: consent-forward architectures, transparent access, real data rights, privacy by design. Or they can be designed to extract and exploit personal data while giving individuals only the appearance of control. The privacy battle is over which of these futures we build, and it’s one of the most important political struggles in the entire digital economy, because personal data is the most intimate thing we have, and the API is the mechanism through which control over it is either honored or usurped. I’ve insisted on treating privacy as a political question — not a technical compliance checkbox but a genuine struggle over power, consent, and rights — because the stakes are nothing less than whether people retain any meaningful control over the data that increasingly defines their lives. The API is where that control is won or lost.
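The mechanisms this paragraph and the two before it describe (rights-based, minimized data access under GDPR; transparency about who has access to your data; user-held consent gating third-party reads) can be shown together in one small module. This is an added example, not API Evangelist’s code or any real platform’s API: ConsentRegistry, PURPOSE_FIELDS, the client ids and the sample user records are hypothetical, and in-memory dicts stand in for a platform’s user store and consent database.

```python
"""Consent-gated, minimized and transparent access to personal data.

Added example; all names are hypothetical and the stores are in-memory.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample records. "friends" is present on purpose: a user's consent
# must never release other people's data, which is what Cambridge Analytica exploited.
USERS: Dict[str, Dict[str, str]] = {
    "u-1001": {"name": "Ada", "email": "ada@example.com", "birthdate": "1990-01-02",
               "phone": "+1-555-0100", "friends": "u-1002"},
    "u-1002": {"name": "Ben", "email": "ben@example.com", "birthdate": "1985-06-07",
               "phone": "+1-555-0101", "friends": "u-1001"},
}

# Data minimization (Datensparsamkeit): each purpose has a fixed field allowlist.
# A client may ask for anything; nothing outside the purpose's allowlist is released.
PURPOSE_FIELDS: Dict[str, FrozenSet[str]] = {
    "login": frozenset({"name"}),
    "birthday_reminders": frozenset({"name", "birthdate"}),
    "contact_sync": frozenset({"name", "email", "phone"}),
}


@dataclass(frozen=True)
class Consent:
    user_id: str
    client_id: str
    purpose: str
    fields: FrozenSet[str]  # the subset of the purpose's allowlist the user granted


@dataclass
class AccessEvent:
    when: datetime
    user_id: str
    client_id: str
    purpose: str
    released: Tuple[str, ...]
    allowed: bool
    note: str


class ConsentRegistry:
    """User-held consents gate every read of personal data; every attempt is logged."""

    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str, str], Consent] = {}
        self.log: List[AccessEvent] = []

    def grant(self, user_id: str, client_id: str, purpose: str, fields: Iterable[str]) -> Consent:
        allowed = PURPOSE_FIELDS.get(purpose)
        if allowed is None:
            raise ValueError(f"unknown purpose {purpose!r}")
        granted = frozenset(fields)
        if not granted <= allowed:  # a consent cannot widen the purpose's allowlist
            raise ValueError(f"{sorted(granted - allowed)} not permitted for purpose {purpose!r}")
        consent = Consent(user_id, client_id, purpose, granted)
        self._consents[(user_id, client_id, purpose)] = consent
        return consent

    def revoke(self, user_id: str, client_id: str, purpose: str) -> bool:
        return self._consents.pop((user_id, client_id, purpose), None) is not None

    def access(self, user_id: str, client_id: str, purpose: str,
               requested: Iterable[str]) -> Optional[Dict[str, str]]:
        """Release only consented fields; refuse entirely when no consent is on file."""
        requested = tuple(requested)
        consent = self._consents.get((user_id, client_id, purpose))
        record = USERS.get(user_id)
        if consent is None or record is None:
            self._record(user_id, client_id, purpose, (), False,
                         "no consent on file" if record is not None else "unknown user")
            return None
        released = {f: record[f] for f in requested if f in consent.fields and f in record}
        withheld = sorted(set(requested) - set(released))
        self._record(user_id, client_id, purpose, tuple(sorted(released)), True,
                     f"withheld {withheld}" if withheld else "all requested fields consented")
        return released

    def who_has_access(self, user_id: str) -> List[Dict[str, object]]:
        """Transparency: the active grants a user can review and revoke."""
        return [{"client_id": c.client_id, "purpose": c.purpose, "fields": sorted(c.fields)}
                for c in self._consents.values() if c.user_id == user_id]

    def who_accessed(self, user_id: str) -> List[AccessEvent]:
        """Transparency: every attempted read of this user's data, allowed or refused."""
        return [e for e in self.log if e.user_id == user_id]

    def erase(self, user_id: str) -> Dict[str, int]:
        """Right to erasure: drop the record and all consents; pseudonymize log entries."""
        existed = USERS.pop(user_id, None) is not None
        keys = [k for k in self._consents if k[0] == user_id]
        for k in keys:
            del self._consents[k]
        touched = 0
        for e in self.log:
            if e.user_id == user_id:
                e.user_id = "<erased>"  # keeps the audit trail without the identity
                touched += 1
        return {"record_deleted": int(existed), "consents_withdrawn": len(keys),
                "log_entries_pseudonymized": touched}

    def _record(self, user_id, client_id, purpose, released, allowed, note) -> None:
        self.log.append(AccessEvent(datetime.now(timezone.utc), user_id, client_id,
                                    purpose, released, allowed, note))


if __name__ == "__main__":
    reg = ConsentRegistry()
    reg.grant("u-1001", "app-A", "contact_sync", ["name", "email"])
    print(reg.access("u-1001", "app-A", "contact_sync", ["name", "email", "phone", "friends"]))
    print(reg.access("u-1001", "app-B", "contact_sync", ["name"]))
    print(reg.who_has_access("u-1001"))
    for e in reg.who_accessed("u-1001"):
        print(e.client_id, e.allowed, e.released, e.note)
```

The design choice worth noting is that consent is keyed by user, client and purpose, and can only narrow a purpose’s allowlist, never widen it: a client asking for "phone" or "friends" under a "contact_sync" grant of name and email gets neither, and the withheld fields are written to the log the user can read back. Erasure keeps the access log but strips the identity from it, so the user’s record disappears while the platform can still answer an auditor’s question about what its API clients did.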
