With regard to a few separate discussions this week, it is becoming increasingly apparent that privacy has changed. In light of PRISM, Data Protection as a privacy industry and as a privacy law focal point is falling apart.
Recently I started to engage in privacy and research discussions from the context that: “Modern privacy is about personal information control and less and less about what is now considered data protection.” In fact, a few great discussions at the Horizon Digital Roundtable revealed how difficult such a deep dive is, and how both the way we define privacy and what is construed as access rights to data need a refresh.
I put forward here some of the questions that came out of this.
The big one I have is: what would the world look like if a person were the data controller for their own personal information and it was provisioned to companies?
This is a key topic that needs discussion. I have heard it come up in a number of different ways over the last few weeks, and in fact it has been mentioned a lot in the context of VRM for many years now.
In the context of an individual being the data controller for their own personal information, how is personal information control a privacy-by-design approach to information sharing and identity management?
Following on from that sentiment:
Does a person being in control of sharing personal information with a company make the company more privacy compliant?
How does a company that takes data from a person in control of information sharing show that it is more compliant and trustworthy than a company that stalks people and keeps big, unnecessary profiles?
Can personal information control be a cheaper way for companies to be compliant with new laws and show how good they are to customers?
Could personal information control, in conjunction with services aimed at opening notices and policies, be the answer for international transfers of personal information? (A new Safe Harbour?)
Rethinking and defining Access to Data.
The access and correction provisions of data protection and privacy laws were written in a time when people didn’t have the means to provide their own identity and data. Not only do most people have Facebook accounts, but people are able to keep their own data in their own data stores, always accurate and correct, and provision it on an attribute-by-attribute basis. This would be a very big deal, with impact on privacy and security, as people would be able to provision their own data with a limited set of identity attributes, for a specific purpose (as termed in law), as opposed to the current “everything is public” data model. Of course this information would still require data protection, but the control and management of personal information can be outsourced to the individual. Data minimisation as a common practice would be an attainable reality.
The entrenchment of data protection law and the requirement that people make accounts and share their identity with every service and company is no longer a tenable rationale for personal information gathering in today’s information age.
As a result, I would like to argue that personal information control dramatically changes the compliance landscape. First of all, privacy is discussed in terms of data protection, where an entire industry of privacy professionals is employed to advise on data protection, even as data protection becomes increasingly inefficient and broken: many people, including employees, have access to protected data. Data is tapped by different governments with no respect for jurisdiction. People have their information tracked, aggregated and sold. Data protection as the trust model for information control and privacy becomes less and less plausible.
As an alternative, companies that took data this way would easily show a higher compliance level than companies that took their own copy of your data. Data minimisation could be augmented by User Managed Access to data. Overall, people would be in much better control of personalisation and of the context in which their personal information is used.
What is more important is that the precepts we hold as constant in privacy and data protection need to be rethought and redefined.
In privacy law there is a common provision about ‘access to data’ (My Data) that a company holds about a data subject. Today this is a person’s profile (or part of a profile), created in order to identify oneself and to consent to terms. People have the right of access to data, and in the EU in 2016 there will be a provision for the right of data portability. Not only will people be able to correct and amend their data; data portability will formalise the personal information control tools so that people can provision their own data to companies. Rather than keeping track of many accounts, passwords, terms and privacy policies, we can keep track of our own data, and companies can be provisioned from it.
It is no longer a question of when people will be in control of provisioning personal data, but of how. Also, under which terms will personal data be controlled? Customer Commons is working on this right now, and it is an issue that is now on the radar.
In such a scenario people are the point of integration. In terms of open data, people can integrate ubiquitous sensor data, or open data from companies, with their own information. At the root of this are the terms, conditions, privacy policies and administrative processes people need to use to control their own information.
Open Notice is an effort that says closed policies and terms of service are no longer tenable. When people provide consent and personal profiles, they should also be able to point to their own personal profile, which they control. Without this discussion, Facebook is becoming the de facto personal data storage architecture. Before the discussion of a standard set of terms becomes relevant, in many jurisdictions the basic controls for personal information control already exist.
So, how do we discuss this variation on the privacy theme, discussing not data protection but information control? What is the best way to look at the economic performance of policies if we can use them to control personal information? How do we illustrate to the lobbyists and regulators that if privacy policies and terms were opened, it would be cheap and profitable for companies to be compliant with data protection laws?
Bottom line: since PRISM, the current data protection regime is falling apart faster than ever. Safe Harbour and current laws need to be reinterpreted in terms of the information control possible today, not a legacy of data protection that is no longer relevant.
As a result, the Open Notice effort has spawned a minimal viable consent tag specification as a work item in the ISWG at Kantara. The intention is to provide a common structure for listing policies and the relevant information pertaining to a consent, so that the marketplace has a common point from which to start managing policy.
A consent tag will be inherently extensible and is intended to give companies a platform for providing value and personal information control to people.