Event Recap: New institutions for data — four years of GDPR and paths forward

On May 25, 2022, Prifina partnered with Orrick, Herrington & Sutcliffe LLP to organize an in-person event in San Francisco to talk with industry leaders and pioneers about the current trends in data, recent legislative initiatives in the EU and beyond, and how emerging technologies could be used to create value from user-generated data.

On May 25, 2022, the Prifina team gathered a group of leading experts in data technology and privacy laws to discuss the emerging institutions and technologies that will shape the new data ecosystem. We were very privileged to host these rockstar panelists and discuss the hottest topics on data:

• Shannon Yavorsky (event host and partner at Orrick)
• Dr. Jennifer King (Stanford Institute for Human-Centered Artificial Intelligence)
• Elena Elkina (Partner/Co-Founder, Aleada Consulting)
• Prof. Dr. Axel Metzger (Humboldt University of Berlin)
• Vishwanath Raman (Head of Enterprise Solutions, Oasis Labs)

The panel discussion was moderated by Markus Lampinen (Co-Founder and CEO of Prifina).

If you missed the event, below, you can find seven take-away ideas that define where we are now, and where the data market is heading in the near future.

1/ Current Trends in the Market

Markus Lampinen from Prifina opened the event by noting that data is no longer a goldmine for companies — it also carries a lot of restrictions and liabilities. For many companies and developers, getting access to data is quite a considerable challenge that poses significant difficulties in building and improving their products. At the same time, there are new types of technologies coming out (e.g., federated learning, differential privacy, privacy-preserving computation, blockchain, etc.). Also, consumers are becoming savvier and show interest in taking control of their data.

“These changes in the data market — more data being generated, new technologies, and regulations that aim to unlock data — seem like a perfect storm for innovation.” — Markus Lampinen (Prifina)

Markus also explained that there are more signs of decentralization in the data market. In the early stages of the Web, we have seen the trend where everyone became able to create a website, and desktops no longer require physical servers. In the past 5–7 years, some of the most remarkable decentralization shifts have occurred in the financial markets, where the Payments and Services Directive (PSD2) and the Jobs act facilitated the innovations around the idea of open banking.

Similar decentralization trends are visible in the data market: regulations in the EU and US are moving to unlock more data. Companies like Prifina are building tools for individuals to help them collect data from different data sources (wearable devices and online accounts) and get value from that data. Markus shared his excitement about these shifts because there are many opportunities for individual consumers, businesses, and developers to build unique and valuable applications on top of that data.

Markus invited the panelists to think about whether it would be possible to create new data marketplaces that are more user-centric, where the data is user-owned, and the ecosystem is fairer overall. More specifically, if we look at the health and wellness data, there are so many preventative and predictive applications that could be built and that can actually save lives, provided that we have an open marketplace.

“When we think about the future of data marketplaces, we should think of them as a choice: do we want to have centralized data marketplaces, or do we want something else? Fundamentally, this is about a choice for our future.”— Markus Lampinen (Prifina)

2/ EU’s Efforts to Rebrand Itself as the Global Leader in Data

Prof. Axel Metzger — currently visiting fellow at UC Berkeley — shared his excitement about the vibrant innovation ecosystem in the Bay Area. He shared his observation that the US stands out differently from the EU with its strong business community and a reactive regulator. He emphasized that when it comes to regulating emerging data privacy issues, the EU and US share very different philosophies: the regulator in the EU is very active.

Axel highlighted an interesting observation — that the EU is trying to rebrand and position itself as the global leader in data privacy. He noted that in the last two years, the EU has been pushing forward the adoption of numerous pieces of legislation: The Digital Markets Act, the Data Governance Act, and the Data Act, the Digital Services Act (to name a few). Technically, these “Acts” are regulations — which means that they will have a direct effect in all EU Member States.

Calling these new pieces of legislation “Acts” is a powerful signal showing that the EU is very ambitious in creating incentives for innovation to concentrate in the territory of the EU. Axel wondered whether the EU had got inspiration from the US, where most important federal laws are called “Acts” (such as Sherman Act). He was curious to see what results this type of rebranding will have and whether these new regulations would actually achieve their objectives of putting the EU as the leader in data.

Shannon Yavorsky from Orrick explained that all these legislative processes have ripple effects on companies outside of the EU. She noted that even today — 4 years after the GDPR came into effect — she has clients who are still working on their data processing agreements or building maps of data.

“EU legislation has become a blueprint for many other countries. Actually, also the Californian Consumer Privacy Act (“CCPA”) is based on the GDPR’s consumer-rights-based approach to privacy.” — Shannon Yavorsky (Orrick)

Shannon emphasized that many similar pieces of legislation are coming out in other US states (Virginia, Connecticut, Colorado, Utah, etc.). Companies realize that they can not just be reactive to privacy legislation; instead, they have to build proactive programs that are global and scalable. Companies are looking to build data maps that are global rather than just for one specific jurisdiction.

Elena Elkina further shared her insights from working with global clients. She explained that there are many cultural differences regarding how companies view data, and whether compliance with data privacy regulations is perceived as just a checkmark. Elena noted that there is much work that needs to be done to continue educating company employees about the handling of customer data and raising awareness about data in organizations. Elena also gave examples where companies who were reluctant to commit to the adoption of privacy-first solutions from the outset ended up paying more.

3/ Building User-Centric Tools to Manage Data: An Example of Genetic Data

Dr. Jennifer King from Stanford asked whether it is possible to talk about individual privacy rights when the data is out of the individual consumer’s control? She noted that California’s CCPA has been a great milestone, and much work has been done in the background. However, from the consumer experience point of view, it has done very little: the data is actually outside of our actual control.

Jennifer shared some thoughts from her work conducted with the World Economic Fund in the past few years. She authored two landmark reports on consent and data intermediaries. She shared her excitement about these topics. Jennifer noted how important it is to think about the shift of the data ecosystem from one where data is being held on platforms to one where individuals hold data through software or through intermediaries that act on the individual’s behalf.

Then, panelists embarked on the topic of individual’s genetic data. Jennifer explained that when individuals want to get their genome sequenced, they end up interacting with such companies as 23andMe. She asked whether it would be possible to imagine that an individual could actually own one’s genome and what are the possibilities of utilizing such genome data. What about licensing this extremely sensitive data? Jennifer wondered if she can’t really manage her online photos, what are the chances that she could be able to use her own genome data?

Vishwanath Raman from Oasis Labs followed up by explaining that data is a non-rivalrous good: unlike physical asset, if I give my data to somebody else, such a third party can make a copy of that data, which means that I lose control of it. This is the outcome that we want to avoid. We want to have an environment where my data is secure and under my control.

“To me, data privacy is all about the human agency: I need to know for what purposes my data will be used, and there should be technology solutions that actually guarantee and enforce my expectations.” — Vishwanath Raman (Oasis Labs)

Vishwanath continued that genetic data is only one example; there are many other situations where it is necessary to have constraints of how data is used, who can access what data, and what data should be actually protected. Take patients’ medical data, data from interconnected devices, location data, and so forth. He explained that there are already technologies that help achieve all such goals. Privacy-preserving computation tools are already increasingly applied in B2B settings, although these technologies are still very, very complex.

4/ Correlations of Various Data Sources

One of the fascinating areas for innovation with data revolves around various models to correlate data from different data sources. Vishwanath Raman from Oasis Labs explained there are many verticals in which many opportunities exist: think of health and wellness data, IoT and interconnected devices, industry (B2B) applications where entities use various sensor-powered devices, etc. He emphasized that the core focus should be on these two questions: (i) how to generate value from such a correlation of data sources? (ii) although the technology is available, how can we bring these solutions into the hands of individual users?

When it comes to the use of data, one of the significant obstacles nowadays is that the data is stuck in centralized institutions. Vishwanath briefly mentioned that there is much buzz in the blockchain space to create various decentralized autonomous organizations (“DAOs”) where more transparency and data security could be embedded. Overall, there are many other dimensions where innovation in this newly emerging data marketplace is possible.

Here are some practical cases illustrating the significance of correlating data that were discussed by the panelists:

• Predictive pre-natal analytics. Vishwanath noted that he was working on a project intending to pull the data from electronic health systems and other data sources, such as the financial or demographic data of a patient. Such correlations of various data sets could help identify whether any stress-related factors may affect the health of child-bearing women. Identifying such stressors could help build predictive analytics and curtail possible complications during the pregnancy.
• Markus Lampinen shared his experience with a team from one Ivy League university working on ca. 16 million hand-written doctor notices and prescriptions. The difficulties of decyphering doctors’ scribbles are only part of the issue. Another primary consideration was that if those 16 million records could be digitized, such information should be made available publicly — so that third parties could benefit from this significant endeavor and build new types of use cases. Otherwise, keeping the results of such an initiative would miss the point and opportunity.
• Shannon and Elena elaborated on how complex it is for companies to comply with data subjects’ requests to access data. Even if companies already have their data mapping in place, in many cases, there are competing obligations to keep various customer data (e.g., transaction records, data for tax purposes, or contractual obligations). Practically, these competing obligations make the exercise of data subjects rights very complicated and costly. Markus added that it could often be the case for banks that complying with customers’ data access requests may mean that the bank has to open decades-old paper files and scan hundreds of pages.

“Answering data subjects’ requests is like performing brain surgery. It takes time, and it is often like putting a 10,000 pieces puzzle together.” — Elena Elkina (Aleada Consulting)

5/ Data Access Rights under the Data Act

Prof. Dr. Axel Metzger further elaborated about the key objectives of the EU Data Act the proposal of which was published at the end of February 2022. The key objective of the Data Act is to unlock user-generated data from silos. More specifically, the Data Act enshrines a new right for users to ask the data holders to provide all the user-generated machine data. “Users” in the Data Act are both individual consumers as well as business entities. Also, the scope of “data” to which users have access is defined very broadly. Precisely for these reasons, some people call the Data Act as the “GDPR 2.0 for businesses”.

Axel then explained several use-cases that are frequently provided to illustrate the reach of the Data Act. One such use-case relates to data generated by vehicles (cars, tractors, etc.). Pursuant to the Data Act, users of such vehicles (imagine a farmer driving a tractor or a car rental company having a fleet of 100 rental cars) can request the manufacturer to provide all the data generated by such vehicles. The aim of the EU Commission is to create a new aftermarket for such machine-generated data.

Axel also presented his thoughts about several general trends in the recent EU legislation. First, there is a general attempt to make sure that the application of the GDPR is not affected. The goal is to make sure that the effect of the GDPR is not affected. Second, there is a lot of thought put into understanding the utility of machine-generated data. Data Act is the primary document aiming to deal with that. Third, some debates are focused on the practical nuances of users’ consent and whether it could be somehow developed in a way to promote human agency. Fourth, “data intermediaries” seem to be emerge as one of the core European issues: data itermediaries are mentioned in several recent EU regulations which require data data intermediaries to register, have their seat in the EU, and operate in a certain way.

The panelists then went on to discuss the pros and cons of this proposal and addressed some of the practical difficulties that may arise in implementing the Data Act.

6/ Fundamental Data Privacy Rights: Ideals vs. Reality

The panelists and participants in the audience then explored some of the hot issues in the light of the current events in the US. Dr. Jennifer King noted that different from the EU, “in the US, we are not operating the human rights framework.” She suggested that is about the time “to figure out the baseline human rights that we all agree on, what aspects of autonomy or privacy are fundamental and something that we will not be able to give up.” Some time was dedicated to the ongoing Roe v. Wade discussion. Some panelists noticed that although the right to privacy is enshrined in the Constitution of California, this right, however, has been applied primarily to relations between the state and the individual (not in the private sector).

The debate then shifted to the practical utility of data privacy rights outlined in the GDPR and CCPA. Shannon Yavorsky questioned how many individuals actually try to exercise those rights. She shared her valuable experience working with corporate clients who have to face data access requests submitted by employees. Before the GDPR and CCPA came into effect, employees could request access to their employment-related data only during the discovery stage of the litigation with the employer. However, nowadays, employees tend to exercise their GDPR and CCPA rights to get access to their employment-related data (e.g., email communications etc.) which they would otherwise would have no access to.

Markus Lampinen from Prifina stepped into the discussion to explain the enormous wealth of data that individuals get by exercising their GDPR and CCPA data access. In the case of health and wellness data, an individual can access rich sets of data collected by smart wearable devices such as smartwatches or smart rings. For example, the Oura ring can allow the user to get access to their body temperature measured at 30-second intervals. Clearly, there are increasing amounts of data that could be valuable. The question is whether such data is usable and whether this data could create value on the consumer side.

“When you look into the consumer space, you really have to make sure that people can use those tools without any burden. You don’t want it to be a hassle — all the complex things should happen in the background.”—Dr. Jennifer King (Stanford)

7/ Paths Forward: Could Data Intermediaries Curtail Consumer Biases?

Markus Lampinen noted that it is very easy to oversimplify the data market, to say that there are data holders and data subjects. However, in reality, it is not as obvious — there are many stakeholders in the data ecosystem, and their incentives are very different.

Dr. Jennifer King continued that in her work, she sees how the academic community is increasingly concerned about the dominance of the top-five companies. This trend continues as we venture deeper into AI space because those five companies have amassed tremendous amounts of data.

Then there is the question of unlocking the data and creating a set of public resources for research purposes. One of the major questions concerns where the data is sourced from: is it scraped from the internet? Who is doing this work? Would it be possible to get small and medium-sized companies to participate in this space?

Jennifer also emphasized the need to create more programs and opportunities to educate consumers about their data rights and utilize their data. Dr. Jennifer King and Prof. Axel Metzger both agreed that data intermediaries could be really helpful for consumers in managing their data and getting value from it.

“We need to have intermediaries in the data protection law. There should be a broad consent that intermediaries can really do something in helping consumers. Data intermediaries is a big area of opportunities for the European Union and beyond.” — Prof. Axel Metzger (Humboldt University of Berlin)

The Prifina team wants to thank all the panelists and event participants for joining us in celebrating 4 years of the GDPR. We are looking forward to next events together!

Connect With Us and Stay in Touch

Prifina is building resources for developers to help create new apps that run on top of user-held data. No back-end is needed. Individual users can connect their data sources to their personal data cloud and get everyday value from their data.

• Follow us on Twitter, Medium, or LinkedIn.
• Listen to our podcast.
• Join our Facebook group Liberty. Equality. Data. where we share notes about Prifina’s progress.
• You can also explore our Github channel and join us at Slack.