WHEN you scan a loyalty card, use a discount code online, or let your phone’s GPS log your commute, you are not sharing much. But somewhere, a company you have never heard of is combining all of it, and what it knows about you now is something you never agreed to share with anyone.
Oligarchy means rule by the few, in the interest of the few. We recognise it in politics. We have not yet learned to recognise it in the invisible infrastructure that governs everything we do online, where a small number of companies have accumulated more usable knowledge about ordinary people than any government in history, and where the laws written to protect you were written to protect them instead.
The data broker industry is this oligarchy. These companies harvest credit card swipes, loyalty scans, GPS pings and purchase histories, package them into dossiers and sell access to anyone willing to pay. The industry generates $200 billion annually and its greatest political achievement is not avoiding regulation but shaping the regulation to serve as a shield, and the shield is privacy self-management. This is oligarchy by design.
Laws like Europe’s GDPR and America’s CCPA grant individuals the right to opt out of data collection and to demand the deletion of their records. The framework rests on individual rights and treats individuals as the right point of control. To opt out, you must identify every broker holding your data, potentially hundreds of companies, contact each one individually, complete separate forms, verify your identity and, in many cases, provide a government-issued ID. The process can take weeks of full-time effort. And even then, data resurfaces. For abuse victims, it is worse. Brokers demand additional information as proof of harm, forcing victims to surrender more sensitive information to brokers than brokers originally held. The opt-out becomes retraumatisation and drags victims back into the shadows of the very harm they are trying to escape.
Modern data systems do not need our records to reconstruct us.
The problem is not that consumers (the least powerful actors) failed to identify every broker or comply with procedure. This approach failed because the law has assigned them the task of self-managing privacy harm where management is impossible. The industry and entities that generate exposure at scale face no ongoing obligation. You do.
But there is a deeper problem, one that makes even deletion rights meaningless. Privacy law is organised around regulating specific data points: names, addresses, phone numbers and identifiers. Rights are triggered by the collection or disclosure of particular items, and compliance is measured by whether those items were noticed, consented to or deleted. This model assumes a linear relationship between a specific disclosure and a specific harm. That relationship no longer exists.
Modern data systems do not need your records to reconstruct you. Machine learning models infer your religion, your political views, your health status and your location from behavioural residue alone. What you stream can reveal your ethnicity or sect. Your family associations, your prior addresses, your device signals feed a system that continuously reassembles you, with or without your direct identifiers. You consent to each piece individually, but you never consented to what the system builds from all of them combined.
The regulatory design that shields this industry globally becomes institutional policy in countries where the state is also a customer. In Pakistan, the state has no incentive to regulate data brokers because it acquires data from private companies for its own surveillance. Regulating the industry would mean closing a door that the state keeps deliberately open. Where corporate and state power align against individuals, the oligarchy becomes visible — because the system is designed in a way that is supposed to fail.
Law professors Chinmayi Sharma, Thomas Kadri and Sam Adler have proposed the most serious response yet to the scale of this problem. Writing in the California Law Review earlier this year, they call for a centralised registry — one request, every broker legally compelled to remove your data permanently across their entire supply chain.
The de-identification standard is the most important alternative to deletion; it requires data to be permanently unlinkable and incapable of re-identification through direct or indirect methods. It asks whether the system retains the ability to reconstruct data and redistributes the responsibility from the individual to the data brokers who generate profit from their exposure.
‘Designed for privacy, controlled by you.’ That is Meta’s tagline for its AI glasses. It is also what privacy self-management has always promised.
The writer is a lawyer based in Karachi.
Published in Dawn, July 10th, 2026






























