Governing Personal Data (and Why You Should Care)
Sharing economies break down data-barriers and make, in the process, previously hard-accessible-data more ‘shared’. No doubt the positive effects of this evolution are plenty, but what happens with personal data in the process? Isn’t ‘personal data’ the only data that makes us as individuals unique and which can (and should) be owned by the individuals themselves? Shouldn’t we own and protect this data ourselves?
Data protection laws around the world try to provide additional transparency and control around the usage of personal data. But those data protection laws also aﬀect economic welfare. An informed regulatory policy regarding privacy issues must always balance the positive and negative welfare eﬀects of the uses of personal data.
That being said, are the data protection laws going far enough? There have been numerous examples of cases where anonymized data is still used to identify individuals. For example, research out of MIT specified that “just four fairly vague pieces of information – the dates and locations of four purchases – are enough to identify 90% of the people in a data set recording three months of credit-card transactions by 1.1 million users.” So, this raises the question: is PII data is the only data that should be protected by the data protections laws?
The problem is that in the end, personal data is hard to manage. US reports show that 91% of the people interviewed said they have lost control of their personal data. And 80% of the users of social networks are concerned about companies and other third parties accessing data they share.
How convenient would it be if people can manage all their personal data in a singular spot? One answer might be to anchor people’s identity in one or several blockchains, as this could give us more granular control over our identity and personal data. A recent article in the Economist gives the example of a potential tenant who wants to prove to a landlord that his income is high enough to pay the rent. Today, he often needs to allow access to his entire credit history, while this would allow him only to disclose that bit of information. The issue with this approach is that the tech giants’ value is derived from the fact that they control the personal information, and they most likely not keen to go down this road.
But not everyone seems to be concerned if their personal data is out there. Instead, they are only concerned if there is enough transparency in how it is used. While results of studies vary substantially, more practical, recent research shows that people are willing to sell their contact details for an average of $15, and their Facebook data for $19, if the use of the data is transparent and unambiguous. This is somewhat disconcerting because some of these data points are especially sensitive, and because the Facebook timeline data also contains information on third parties (Facebook’s “friends”). It appears participants to the research completely ignore this externality on others. In addition, there is the unwillingness to pay for additional privacy. (source: Beresford, A. R., Kübler, D., & Preibusch, S. (2012). Unwillingness to pay for privacy: A field experiment. Economics Letters, 117(1), 25-27. )
It is my opinion that providing transparency, a key principle of the EU General Data Protection Regulation (GDPR), and a singular spot where you own and manage the availability and use of your personal data are the only elements that will give people back the control of their personal data and avoid abuse by third parties. While the GDPR forces companies to maintain information about how data is used and inform the subject of that use, the informing part could be more transparent and should be available for consultation at any moment.
I also believe that data governance is a key element to provide transparency and insight into how your personal data is used. Whenever your personal data is distributed or centralized (and therefore more controllable), it is the governance that provides transparency by understanding what data is available, how it is used by the different players, and who “owns” your data.
What is your stance on your personal data? Are you concerned your personal data will be misused by organizations ?