In 2010, the World Economic Forum (WEF), launched a project on Rethinking Personal Data. The project brought together experts from business, government, academia and end user privacy and rights groups to examine the challenges and opportunities involved in properly managing the explosive growth of personal data in the digital world. In January of 2011 they published their first report, - Personal Data: the Emergence of a New Asset Class.
The report’s overall point of view is that personal data is a new asset class touching all aspects of society. It is potentially as valuable a resource in the 21st century as heavily traded physical goods like oil have been in the past hundred years. The report recommends the development of a principled, collaborative and balanced personal data ecosystem that is capable of evolving and improving over time.
This past May, the WEF released a second report, Rethinking Personal Data: Strengthening Trust. I found it to be an excellent overview on the subject. It observes that throughout history, economic value creation has been linked to the ability to move and trade physical goods. Similarly, “data needs to move to create value. Data sitting alone on a server is like money hidden under a mattress. It is safe and secure, but largely stagnant and underutilized.”
But, personal data lacks the trading rules and policy frameworks that exist for widely traded physical assets. As a result, there is little trust among the key stakeholders, - individuals, governments and the private sector, - which could undermine its long-term potential.
Generally, these different stakeholders have different perspectives and concerns, especially around the key issues of ownership and privacy. This a complex, emotionally charged debate.
In response to surveys, individuals generally say that they want enhanced control over their personal data, increased transparency on how it is used, and some kind of fair value in return. However, their actions are often quite different. While many say they care deeply about privacy, they share information quite widely online. They often sign up for services not knowing how their data will be protected or whether it will be shared. They rarely read the privacy policies of the organizations providing these services, which are usually written in hard-to-comprehend legal language.
Companies, on the other hand, view the data they have captured or created about individuals as theirs. Data is an asset on which they have invested significant resources. They want to leverage the data to create business value, better understand the behavior of their customers and help themselves become more productive. They struggle with how to best protect all the data they now have access to, as well as trying to figure out the different regulations pertaining to its use.
Governments are trying to leverage all this data to stimulate innovation and drive growth, while simultaneously protecting individuals. This is indeed a tall order given the rapid pace of change and the lack of clear rules and overall transparency.
Individuals, companies and governments do not much trust each other regarding the use of personal data. This is not surprising given their different and sometimes conflicting interests. There is continuing debate among these different stakeholders, as well as among different regional jurisdictions on what the best approach might be for allowing data to flow in a trusted manner. In addition, as the report points out:
“ . . . [W]hile personal data may be about an individual, it is generally created through the interactions of multiple parties. The actors involved, therefore, have valid rights and responsibilities to the data and may require different permissions to exercise those rights. These rights are therefore generally shared rather than exclusive. They are shared because rights arise in a social context and are realized only through the recognition by other parties.”
“In this light, the widely debated question of “who owns data” frames the issue as a binary “either/or” choice. Ownership is a complicated legal and social construct that does not necessarily grant exclusive rights. Even when an individual or organization is considered to “own” personal data, they most often do not have complete control over it.”
To help restore the needed trust, the Rethinking Personal Data report proposes a dialogue among all the stakeholders focused on three key areas: protection and security; rights and responsibilities for using data; and accountability and enforcement.
Protection and Security: How can personal data be protected and secured against intentional and unintentional security breach and misuse?
At the very least, all organizations that collect, store and access personal data have an obligation to protect and secure their data to avoid it being compromised or misused. They must have in place effective security procedures that are appropriate to the sensitivity of the data being protected.
But, while this is absolutely necessary, it’s far from sufficient. Given that the management and storage of data general comprises a distributed system with multiple parties, - e.g., merchants, financial institutions, telcos, service providers, and so on, - you need a collaborative, interdependent approach for the protection of data, rather than the current fragmented, independent approach. This is a critical requirement to ensure the flow of data and to properly realize its value. In the end, the system will be as secure as its weakest link.
Rights and Responsibilities for Using Data: How can rights and responsibilities, and therefore appropriate permissions, be established for personal data to flow in ways that both respect its context and balance the interests of all stakeholders?
This is a very, very challenging question. Traditional legislative approaches, such as the recently proposed European Commission Data Protection Regulation attempt to spell out the rights of individuals and the responsibilities for the organizations holding personal data. It aims to give individuals more control over their personal data, provide clarity to all stakeholders on their rights and responsibilities, and harmonize data protection rules across the EU.
However, it is unlikely that such a traditional legislative approach will be able to keep pace with our fast changing, hyperconnected world. It is practically impossible to develop legislation appropriate for all uses and types of personal data. There are just too many possible combinations. Moreover, such a legislative approach is way too slow to adequately respond to future uses of data.
We must develop more dynamic approaches that take into account the different contexts in which the data is used, and are flexible enough to adapt to our fast-changing world. This is the path being followed by ID³, a new multidisciplinary non-profit institution with close ties to MIT’s Media Lab which is attempting to develop architectural frameworks, open source software and educational content for the protection, sharing and monetization of sensitive data.
ID³ aims to create digital trust frameworks, which it defines as: “A combination of software mechanisms, contracts, and rules for defining, governing and enforcing the sharing and protection of information according to a common and independently verifiable standard of performance. Whenever possible, such governance mechanisms and contracts should be self-executing and self-correcting.”
Accountability and Enforcement: How can organizations be held accountable for protecting, securing and using personal data, in accordance with the rights and established permissions for the trusted flow of data?
The Rethinking Personal Data report observes that: “Trust is critical to the functioning of any sustainable, networked system. But trust is an ambiguous term open to many interpretations. As many observers have pointed out, trust is impossible without accountability from organizations that collect, secure and use personal data.”
Accountability requires pragmatic enforcement mechanisms to ensure two different kinds of actions: organizations must properly protect and secure the data under their control; and all stakeholders must use the data in accordance with the rights and permission established for its flow. The enforcement mechanisms for each are likely to be quite different. The first is more straightforward. All organizations have an obligation to protect and secure whatever data is under their control and prevent data breaches and misuse.
Much more complicated are the standards for accountability to ensure the proper use of the personal data. We need enforcement mechanisms that are as dynamic and context sensitive as the mechanisms needed to establish the rights and permissions in the first place. Ideally, the digital trust frameworks developed for defining and governing the use of the data should also include the needed verification and enforcement mechanisms.
These are all new, challenging problems for which there are no easy answers. In its conclusions, the report recommends that all stakeholders “engage in a structured, robust dialogue to restore trust in the personal data ecosystem,” including the development of common principles and new models of governance. In addition, the report recommends the establishment of living labs where the various stakeholders can collaborate and learn together how to best develop and test comprehensive solutions to these highly complex and important problem.