Thankfully, several models are available that could help resolve what seems like a tough trade-off
In my book Privacy 3.0, I had suggested that we were entering the third age of privacy—a period in which increasingly stringent privacy regulations could, if we are not careful, deprive us of some benefits that data has to offer. Since the time of its publication, a number of countries seem to have come to similar conclusions, recognizing that unless they can come up with a better solution for protecting personal privacy, they will never be able to unlock the value inherent in personal data.
The EU, whose General Data Protection Regulation (GDPR) is widely recognized as today’s gold standard for privacy regulation, has tacitly acknowledged the need for extra-legal solutions that data subjects can use to better control their data. The European Data Strategy, adopted in February 2020, states that individuals should be given tools so they can take control of their data and decide, at a granular level, what is to be done with it. This strategy is going to be implemented through the enactment of the EU Data Governance Act, which will establish “common data spaces” that will, through a combination of technical infrastructure and governance rules, make data more widely available for use in society while ensuring that entities which generate it remain in effective control of it.
Australia, for its part, has launched its Consumer Data Rights (CDR) initiative, aimed at ensuring that citizens have greater access to their own data, allowing them to obtain this data in a usable form so that they can direct it to be securely transferred to trusted third parties. The first implementation of the CDR has been in the country’s banking sector, where granular data transfers between participant banks have been made possible through a centrally-defined protocol. Similarly, India’s implementation of the Data Empowerment and Protection Architecture (DEPA) in the financial sector (with the launch of the Account Aggregator framework) offers tools through which users can more effectively manage the flow of their personal financial data.
While there are clearly a number of different normative technologies being developed to augment existing data protection regulations, they all fall into two broad categories. The first provides data subjects with tools they can use to manage personal data, right from the moment it is created, thus allowing them to determine how it is subsequently shared to the point of even controlling how insights generated from this data are used. Examples of this approach include the Solid project (promoted by Sir Tim Berners-Lee) and the MyData model of human-centric design. Both these sets of tools operate on data from before it is collected, granting individuals full control over the data’s entire life-cycle and giving them tools with which to manage its creation, storage and use as well as to control its flow between different data controllers. However, in order for these tools to proliferate, they need to be adopted by a large enough number of users to convince data controllers of the necessity of implementing these protocols in their offerings.
Tools in the second category are designed to unlock personal data already under the control of data controllers operating in different sectors of the economy, so that the data they control can be securely transferred to others with the consent of users. Australia’s CDR and India’s DEPA frameworks are examples of this, offering users technology frameworks through which data sharing has been implemented in the financial services sector to start with. While there are several differences between the Indian and Australian frameworks, broadly speaking, tools in this category operate on data silos, unlocking data that has already been collected by making it easy to transfer it to other entities with the required consent. For this approach to have a substantial impact, these frameworks need to be adopted by institutions that control data. This might seem daunting, except that when that happens, the benefits of safe and convenient data sharing would be unlocked for all customers of participant entities.
On the face of it, these two approaches may seem contradictory, given how they focus on opposite ends of the spectrum. However, a closer examination suggests that they are not mutually incompatible. With so much data already stored in silos that are effectively beyond the ability of individuals to control, we need to implement a DEPA-like approach to unlock that data for the benefit of the consumer. Absent such an intervention, users will be unable to utilize their data that has already been aggregated in sectors such as finance and health. At the same time, tools like Solid are necessary to implement personal data stores in which newly created data can be managed so that the information contained within them can be more effectively used without detrimentally affecting personal privacy.
No technology can, of itself, deliver the data-driven future I had written about in my book. As promising as these tools are, they need to derive their legitimacy from privacy principles embedded in the law. At the same time, laws alone are incapable of delivering the level of data governance required in a world increasingly dependent on data. They need to be augmented by technology solutions that are compatible with the statutory framework.
We need models that combine normative technologies with smart regulations. Thankfully, we have more than just a few options to choose from.