Can GDPR’s “Data Portability” change the game for personal data ownership?
Just as the introduction of number portability in mobile meant that mobile users (and not mobile operators) could own their mobile number and hence not be captive, data portability puts the ownership of a data subject’s data firmly in his/her hands, with the ability to move that data to a competing provider and, in the same way, not be held captive.
Data is the oil that powers the digital economy, and every business is, or should be, defining itself as a data company. Up until now, however, companies that process personal data have been unrestricted in their use and sharing of it with 3rd parties – in effect, acting “as if they own” this data – some more responsibly than others.
The General Data Protection Regulation (GDPR) comes into effect in the EU next month on 24 May 2018. Under GDPR, companies must get explicit permission before collecting each item of personal data, and also be more explicit about how the information will be used and shared. In future, businesses will have to give consumers an enticing reason to be forthcoming with their permissions.
A key provision (Article 20) requires businesses to make information they store about European consumers “portable.” That means that you and I can request our data from a car-rental shop, airline, grocery store, gym or restaurant chain, and then give that info to another business, if they make the right offer.
The effectiveness of data portability will depend on how broadly the definition of personal data is interpreted. Article 20 states that it has to be data that “he or she has provided”, so it is unlikely to include derived data. For instance, if you describe the symptoms that you are experiencing to your doctor, this is personal data, but his/her diagnosis of flu is derived data and is “owned” by your doctor, who may share it with colleagues or a specialist.
It will be interesting to see whether our posts, photos and “likes” on social media will be deemed to be personal data that we have provided, and that should therefore be portable from one social media platform to another “in a structured, commonly used and machine-readable format” as specified in GDPR.
Does the data that comes from your heart rate monitor, website search history or transactions on an online service constitute personal data? Some go so far as to assert that even IoT data, like your home water-meter data, constitutes personal data, as it has a lot of information about your personal lifestyle and habits. Ultimately these definitions will probably be tested and decided in court.
An open question is how willing companies will be to share. After similar rules were adopted for the finance industry, banks have been reluctant to hand over information to rivals. Utility companies in the U.K. have also made it hard for customers to access energy-consumption data when searching for a better deal. GDPR has teeth, with sanctions including fines of up to €20 million or 4 percent of global revenues.
These measures should have the effect of not only empowering the data subject, but also promoting competition between service providers.
If we begin to reframe the use of personal information as an asset to accelerate industry, commerce, education, health and finance, it will free up a powerful new networked economy, where the value of data will be realised as both an asset and an annuity. The research indicates that transparency actually leads to people sharing more data rather than less, provided they understand why it is being collected and how it is used.
GDPR also provides that it should be just as easy for a data subject to withdraw permission as to provide permission, and to tell the data processor to either port or delete his/her data (similar to the “right to be forgotten” rule introduced in the EU some 4 years ago). It seems that these rights may be incompatible with solutions based on blockchain technology, whose immutability means that records cannot be altered or deleted, which is also one of its great strengths.
Will the EU set the global standard for personal data protection? Facebook announced last week that its 1.5-billion non-EU users would not be protected by GDPR, and that “it planned clearer privacy rules worldwide”.
What is clear is that for a new order of personal data monetization to flourish, we need to solve the issue of personal data ownership at a global level.