Welcome to the DHIs new blog series on the 'ins and outs' of citizen-centred data sharing!
This topic is very apt at the moment with the new General Data Protection Regulations coming into effect in May as well as countries such as Norway, currently in the process of implementing a national identifier to link all of a person’s data. This blog series will give you an insight into the changing nature of data sharing as we advocate for person-centred data sharing methods. I will also use this opportunity to exemplify various European regions which have succeeded in this domain and can share data seamlessly across many different boundaries using national identifiers. Finally, i will finish this series with a Scottish perspective to understand how our country can take key learnings from other European regions.
What is Personal Data anyway?
According to the law, personal data means “any information relating to an identified or identifiable individual; an identifiable person is one who can be identified, directly or indirectly”. This could mean reference to an identification number (e.g. social security number) or one or more factors specific to a person’s physical, physiological, mental, economic, cultural or social identity (e.g. name and first name, date of birth, biometrics data, fingerprints, DNA – the list goes on!)
What’s special about Personal Data and why do we need the new GDPR law?
Many people and organisations nowadays talk about the personal data economy because it has been demonstrated that personal data has universal significance and impact, affecting all industries including retail, financial services, health, transport, e-commerce and public administrations. Personal data has been deemed a horizontal enabler rather than a vertical industry or sector, meaning that it supports all industries to thrive and cannot be contained to one sector. Data is becoming the backbone of modern life. In almost every establishment, operation, interaction and exchange – data is involved at some point. The most successful businesses of the digital age (so far) have found their success by bringing a layer of data to existing markets, for example Airbnb, Uber, eBay and Amazon.
Reports show that the UK is at the forefront of data innovation and the UK data economy continues to grow in both size and significance. Analysis predicts that data will benefit the UK economy by up to £241 billion between 2015 and 2020. Currently an individual’s personal data is protected in the UK by the Data Protection Act 1998, internationally recognised as a gold standard. Since 1998, with the expansion of technologies and connectivity, data flows have increased in magnitude and in order for the UK economy to continue to benefit from data, the flow of the information must be unrestricted and effective. To that end, the European Commission proposed a comprehensive reform of data protection rules in the EU back in 2012. This was proposed to give EU citizens back control of their personal data resulting in the GDPR and LED directives being released in 2016. The EU General Data Protection Regulation (GDPR) has been designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens around data privacy and to reshape the way that organisations approach data protection. The law was first approved in April 2016 and is due to take effect in May 2018, at which point any non-compliant organisations will face heavy fines. The new law brings a potential fine of €20M or 4% of global turnover (whichever is higher) for companies which misuse personal data.
The personal data ecosystem, although it is deemed as revolutionary, is still developing and needs time to evolve to ensure everyone benefits. In such a changing environment, companies may see that the cost of holding personal data will become more expensive as regulations take effect. This may incentivise companies to explore new ways of using people’s personal data which don’t involve storing it.
Why centralized data sharing needs to be decentralized
A high proportion of the ‘Big Data’ that's now being collected is actually personal data - information about people, their attributes, behaviours and transactions. Until now, organisations such as Facebook and Amazon have been the main users of personal data, simply because they had the technology and resources to do so. Naturally, that has focused attention and resources on the organisational benefits of data use and has resulted in a perception that the value which can be gained from data exchange is unbalanced towards the organisational perspectives. In recent years, there has been a rapid consolidation of power among the biggest internet players who continue to make profit from data with little public transparency. Much of our data is held in large warehouses, making it vulnerable to hackers. As a result of these different factors, the potential value of the internet is not being realised. As is argues in NESTA’s Me, my data and I:
"Centralisation and monopolisation of personal data enables the internet economy to function, but it does so in a way that produces inefficiencies and inequities for individuals, society and businesses, not to mention ethical concerns. In a world of ubiquitous connected devices, wearables and lives lived online, our data can paint incredibly accurate pictures of our identities. In today’s personal data economy, these identities have limited privacy and autonomy."
Behind each personalised advert on the web there is a complex personal data market. In some cases, such as Facebook, personal data is not shared with third parties but is used to make advertising space more valuable through profiling and segmentation techniques and is the means by which Facebook make their profits. However, in recent news, CEO Mark Zuckerberg released a public apology letter following a recent data sharing scandal whereby personal data of 50 million Facebook users were sold to a data analytics company, Cambridge Analytica in 2014. At first, 270,000 people’s data were analysed, but the ‘personality quiz app’ was able to exploit the way that Facebook held data to gain information about millions of other individuals. In light of the new GDPR laws, the social network giant could have faced trillions of dollars in fines had this happened after May 2018. However, the UK data protection regulators and the European Commission have raised a formal inquiry into the scandal.
Making data sharing more person-centred
In some instances, data relationships are beginning to be reset to enrich the value exchange for citizens where data protection is respected, and citizens are given back control of their data. The more empowered people are, the more likely they are to feel the system is working fairly. By decentralizing the power dynamics towards individuals will develop an ecosytem of privacy, autonomy and digital rights. A major European Commission Horizon 2020 project DECODE (Decentralized Citizen Owned Data Ecosystem) aims to give the people of Europe control of their personal data so they can secure their privacy and reclaim their digital sovereignty. The project will create new technologies which put people in control of how their data is used so they can decide who has access, and for what purposes. In doing so, DECODE will create a new digital economy ecosystem, enabling in particular the rise of more localised, democratic models for pooling and sharing data. These new technologies will be piloted in Amsterdam and Barcelona. A key principle of this will be the pursuit of social value over purely economic return. It will also enable governments to be more responsive to citizen needs. DECODE is a prime example of the new direction data sharing should take.
- The personal data economy will benefit each and every citizen by enriching their transactions
- Personal data is a horizontal enabler to all sectors
- Data sharing has been centralised for too long – the time to decentralise power is now
- The GDPR law has the purpose of giving EU citizens back control of their personal data