Last week the World Economic Forum sponsored a high-level workshop on the idea of the ‘personal data ecosystem’ and how it might look in different contexts. The event raised some interesting conflicts regarding the way different sectors conceptualise, never mind deal with, personal data. Represented there were the health sector, leaders of NGOs working in crisis response, government data protection and open data representatives, along with a substantial group of national regulators from the EU and US, and representatives of e-commerce and transport firms. Each had been facing challenges to do with managing personal data on a large scale, and had been brought together to see if there was common ground around the idea of a personal data ecosystem.
The World Economic Forum has been convening industry and NGOs around personal data issues for a few years. Over that time, it’s observed a declining level of trust among the public that their data is being used securely and fairly by corporations. The organisation’s 2012 report on personal data points out that like it or not, data is being constantly emitted by individuals and processed by corporations, and that the scale of the regulation problem is huge, not least because of the speed at which the technology evolves, rendering regulatory solutions rapidly obsolete. The WEF’s report notes that ‘individuals are no longer primarily passive data subjects. They are also increasingly the creators of data,’ and that this data occupies a regulatory space somewhere between a commodity and a dimension of the individual’s private identity. There is some debate about how much ordinary people want what industry is terming a ‘highly personalised interaction with brands’, although it does to some extent depend on how the question is phrased. I don’t want ‘more efficient marketing’ coming in my direction, but I may want to be able to tell whether the transport I take to work is functioning each morning – and these are both sides of the same big data coin.
Much depends on who asks the question. The phrase Personal Data Ecosystem suggests a degree of control over one’s personal data, yet the processes envisaged vary radically across industries and governments. As a test: if you take any discourse about big data that focuses on personal data, and replace the word ‘consumer’ with ‘citizen’, does the discussion still sound reasonable? In most cases it doesn’t – because where ‘consumers’ can ‘extract value’ from their personal data, they can only do so in ways mediated by corporations, which in turn allow those corporations to extract value from the process overall. This is not data citizenship, but obedience to the data oligarchy. Corporations cannot be expected to be neutral conduits – they are channelling our data because it makes them money, and any solution developed under their auspices will reinforce that dynamic.
The discussion at the Brussels event was interesting because it mixed corporations with powerful civil society representatives who were actually working on technology to do with personal data, something which doesn’t happen enough. In the e-commerce community discussion it was clear that the challenge revolved around how emerging technical solutions should take account of emerging regulatory instruments such as the European Data Protection Directive, which themselves are responding to industry developments. In other discussions, however, mixed solutions were proposed on the model of the UK government’s public/private partnership ‘mydata’ program, which aims to let people manage their personal data outside the corporate sphere. The personal data ecosystem, it seems, can mean anything along the spectrum from complete corporate control to (mainly) autonomous use of data by individuals.
Along with the idea of the personal data ecosystem, ‘accountability’ was another flexible concept. Someone at the gathering mentioned to me that the idea of accountability for data protection wasn’t very applicable to institutions using data for crisis response. The humanitarian community at the event appeared to disagree strongly, arguing that their use of data was, if anything, more complicated by the fact that data subjects weren’t in a position to consent to the use of data that identified them. To their credit, no one wanted to be ‘in charge’ of the data on a long-term basis – suggesting that even in extreme situations such as earthquakes and epidemics, NGOs feel the pressure of dealing with personally identifiable data.
One conclusion that emerged from this discussion was that humanitarian models for data use might be one place to look for good regulatory and technological responses to the personal data problem. An ‘opt-out’ rather than ‘opt-in’ model for allowing one’s personal data to be shared in crisis situations (like some organ donor registers) was one idea proposed, in response to an example where the Japanese government refusing to share details of where blind and disabled people lived in the Fukushima disaster zone because of data protection regulations.
The main conclusion, however, was that a new taxonomy of data is badly needed. Industry, government, and citizens are too frequently in disagreement as to what exactly constitutes personal data and what doesn’t – and without an understanding of how data gets positioned in each category, or flows between them, it’s impossible to have a real discussion about how to govern and regulate those flows.
Overall, the discussion over the course of the day evolved from one focused on the mirage of a single brilliant technical solution – or even a collection of them – to the recognition that we lack a definition for personal data, and that without being able to articulate an epistemology it’s hard to build a regulatory framework that can offer something of use to the different communities using personal data. The Oxford Internet Institute has held a discussion on exactly this problem – what is data? – but we too noted that new taxonomies and epistemological clarity were missing from almost all the ‘data debates’. This suggests that another community – academic researchers – have something important to contribute to a discussion that is currently led by corporations and institutions such as the EU and WEF, but that we have to find ways to convene and communicate across communities if our work is to contribute where it may be needed the most.