Why the EU Wants People to Have Control Over Their Personal Data

The Internet is an incredible thing. But like any groundbreaking innovation that changes every aspect of human society and industry, there’s a bit of a learning curve.

For a while, in order to foster the true potential of the digital age, the overriding approach was to “go with the flow.” But as experience has informed us of the ramifications of a digitally connected world, it’s come time to make some adjustments in order to empower those on the network.

This, at least, is the idea behind the EU’s General Data Protection Regulation, adopted this past April. Ten years in the making, the GDPR outlines rules surrounding data security, portability and, ultimately, control over that data — with the aim “to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market.”

Fundamentally, these rules are about protecting individuals. Under the GDPR, companies have an obligation to protect customer data and report security breaches in a timely fashion. The regulations also introduce the concept of data portability, which enables customers to easily move their data from one service to another. There’s also an additional directive involving the algorithmic processing of personal data — think: machine learning.

As BloombergView’s Leonid Bershidsky argues, “the EU is on the right track”:

“It and other regulators should realize how machine learning technology is being used, and they should give citizens more power in their potentially losing battle with corporate and government applications.”

[…]

“I would even argue that they should go further than that: People should have the right to determine exactly which bits of data they should allow any system to collect and process, and they should be able to opt out of certain algorithmic uses of their data.”

All of which, of course, is easier said than done. The GDPR is set to take effect in 2018, but 75% of EU cloud services “lack key capabilities to ensure compliance,” according to a recent study.

Part of the immense challenge of transitioning toward the GDPR is that the reforms’ expectations flip the status quo on its head. The prevailing model until now has long favored the cloud. Individuals give up rights to their personal data in exchange for digital services. When our online activities consist of browsing blogs and sharing on social media, such a setup makes sense for the sake of cost and convenience.

But as our digital lives continue to evolve, that model is breaking down. The Internet isn’t just where we upload silly photos anymore. It’s where we shop, where we sell, where we bank, where we apply for a loan. Today, the stakes are that much higher, and with them comes the expectation of individual control and autonomy.

Figuring out a new framework for addressing these challenges is difficult but not impossible.

As American Banker reported last month, the Windhover Principles were crafted back in 2014 by MIT and various industry leaders to serve as a guiding outline for designing such a framework — advocating “a portable identity solution that could enable strong privacy protections for users.”

Banks could serve a pivotal role in implementing and managing such identity and data services, the report added.

Whatever the way forward, the future appears clear. It’s time to shift control of our digital lives back to ourselves — which is why we’re so passionate about the potential of global iD.

And the EU’s latest reforms are another big step toward getting there.