A follow-up to briefing note: Giving Economic Power of Personal Data Back to Citizens: A briefing note to government
In my January 2019 briefing note, I discussed the need for government to help individuals regain control and economic power over our data. My note highlighted the need to regulate data conduct, to make currently opaque data transactions more transparent so that public trust can be achieved with better data-sharing models than the ones we currently have.
Work around personal data is a fast-moving space, so it’s not surprising that the Department for Digital, Culture, Media and Sport has published a report that endorses the need for personal data portability and mobility. The report finds that “action on personal data mobility can be a vital stimulus for the next major stage of growth in the digital economy.” It states however, that while the GDPR legislation has been an important step in enshrining the data portability rights of the individual over their personal data, it does not create the structures to support value generation from it.
This report, which among other discussion points, calls for establishing a Coordinating Entity to facilitate and coordinate the delivery of the personal data mobility market. This is a step in the right direction. Data mobility is key to innovation and we should all work towards a world where sharing personal data is safe, secure and beneficial to the person, industry and society. However, the current centralised data sharing model is inadequate. It opens up a whole host of issues, and chief amongst them are:
Consent is easily abused and not meaningful.
The centralised data sharing model requires consent for sharing. This multiple “consenting” is starting to become untenable to individuals, creating effort and cognitive load for individuals and incentivising “dark design” to mislead users.
Freedom to reuse and reshare
As individuals, we cannot freely reuse or reshare our personal data if we don’t legally own the rights to it, whether these are rights to the HAT database holding our data, or some form other of intellectual property rights (IPR). For example, if we hoover up our Tesco data to give to Sainsbury’s, the channel for sharing would surely be closed by Tesco, as it is their right as the “source”. Without having data rights such that we can license the data we own, we will forever be at the mercy of such sources. Data rights need to be more broad-based and decentralised to individuals themselves; otherwise, data-sharing will not work and we will be looking at even more privacy intrusions.
Beyond Control: Children’s data
A common response to personal data consent is to give “control” back to individuals. Control is insufficient. Children have no “control” over their data and a guardianship model, where their parents or guardians are given access and control of this data, can only be possible with legal data ownership rights. Otherwise, we will have to depend on every application in the world to deal with children’s data in their own way.
Beyond Control: The deceased.
Similarly, there is currently no legal framework for transferring our data to our estate when we die; once again, because we do not have broader data ownership rights.
The third and fourth points are particularly pertinent in light of the recent case of British teenager Molly Russell, whose bereaved family had to fight for access to personal data in her locked iPhone so that they could better understand her suicide.
We need a policy that broadens data ownership rights for individuals, one that incentivises technologies like the open-sourced HAT technology (which confers these rights to individuals) to be widely used and understood. Currently, individuals are only given a narrow set of data rights I.e. access and consent-based data-sharing granted under the GDPR. We need a policy that broadens these rights, so that new data-sharing models can emerge.
With controversies such as the Facebook/Cambridge Analytica incident, it is easy to fall into a sense of indignation and launch campaigns like #DeleteFacebook to shut down all data-sharing practices. But it’s not data-sharing itself that is to blame; it’s the current centralised regime of data-sharing where most of the ownership rights of our data are held by corporations.
I hope the government can implement a policy of broader data ownership rights, including IPR of personal data by individuals that can be licensed for use and sharing. The HAT technology has proven that such data ownership rights can exist. This would lead to greater public assurance and trust which in turn would encourage individuals to engage in the digital economy, spurring greater innovation and society benefit as well as reaping the benefits themselves.