The SCL Technology Law Futures Forum in June included a debate on personal data stores. One of the speakers, William Heath explains the benefits and costs and responds to some of the questions raised on the day.
The global problem new personal data services seek to address is well known. Search engines, credit agencies, smartphones, social networks and every manner of Web 2.0 service exploit personal data in a manner the individual can neither understand nor control. We check the box but give no meaningful consent (as the 2013 film 'Terms & Conditions May Apply' shows so powerfully).
The way we handle personal data today is dysfunctional in terms of law and of practical logistics.
It never occurred to those who drafted the European Data Protection Directive that the data subject might become the data controller. It is far from clear that this is evident to those now drafting revisions to the directive (whether the organisations lobbying to reduce the new protections understand this is another matter). But that is what happens in practice when individuals use personal data stores to transact with the outside world.
Exposition: how Mydex CIC addresses the problem
I am chairman of Mydex CIC. Mydex is a Community Interest Company (CIC), a UK-based social enterprise providing personal data services. The Mydex service includes an online personal data store and portable ID, both free in perpetuity to the individual. The individual sets the personal encryption key. Only the individual holds that key. Mydex CIC has no key and cannot see the individual's data. Only the individual, as data controller and enjoying a domestic exemption under the DPA, is able to see his or her data and approve its sharing with others under a uniform contract - a data sharing agreement.
Mydex CIC contracts with legal entities who wish to connect with Mydex-enabled individuals for the exchange of encrypted structured personal data under the control of the individual. This exchange happens in the context of a legal and technical trust framework.
Mydex is contracted as a UK Government Identity Assurance provider for digital public services. Its trust framework has been ratified and listed by the Open Identity Exchange. The entire Mydex CIC company and its operation is ISO27001 certified for its Information Security Management Systems.
Making a 'virtuous circle' of UK ID and Midata initiatives
The move to 'digital by default' services is hampered by lack of trust and sheer inconvenience (for example filling out endless forms or making provable claims using paper documents). But as organisations start to make structured and contracted connections to individuals, placing the individual at the heart of their digital service architecture, this creates a virtuous circle of trust. The virtuous circle embraces key government initiatives and has the potential to simplify life and address key challenges faced by business and public services in transitioning to transacting securely online.
The 'data exchange' aspect of government's Midata policy (developed by BIS and codified in the Enterprise Reform Act 2013) supports this. Mirroring US 'blue button' initiatives for health data and anticipating the European requirement for 'data portability', the policy puts regulated sectors including telecoms, banks and utilities on notice to make client data available to the customer in a common structured data format via APIs. This mirrors the data giveback or 'data liberation' services introduced by the leading social networks in response to enduring concerns about their control of personal data.
Some of the data made available this way will have a distinct value: it might prove, for example, that an individual pays a gas bill, has a bank account, a degree or driving licence, is employed or lives at a specific verified address.
Personal data stores let individuals identify themselves. They let people acquire and store their data under Midata-like data exchange services. They can hold it secure and allow controlled sharing, within the technical and legal trust framework, with other parties.
Using proof of claims this way plays directly into another key current government initiative: the Identity Assurance programme run by Cabinet Office's Government Digital Service (GDS). The antithesis to the previous National ID card scheme (which would have held all data in a central database but not been usable for online services), IDAP is designed principally for security and convenience in using 'digital by default' public services.
A strong set of nine Identity Assurance principles have been developed by the Privacy and Consumer Advisory Group working with GDS.
So in simple terms the Mydex-enabled individual can acquire digital proof of their social and official standing as a by-product of transacting online. They can reuse these claims to get more convenient access to further digital services. The Mydex trust framework means that consent is now meaningful. The terms and conditions consistently help the individual. That completes the virtuous circle.
Responding to questions about trust
Equipping people to look after their own data for online transactions is an important new social and economic function. Services purporting to offer personal control are being launched rapidly by new start-ups and existing service providers. It raises deep questions about trust, including the governance, business model, technology platform as well as legal issues.
Mydex CIC was set up to address these challenges and provide a benchmark for trust and transparency working for the individual and enabling secure connections for them with their suppliers, and public services and apps.
The personal data ecosystem envisaged by personal data services such as Mydex CIC is a fundamental change. It raises questions. At the SCL Technology Law Futures Forum several of these were set out by Judith Rauhofer, Lecturer in IT Law at Edinburgh University.
Judith Rauhofer pointed out that such services would need to pass the test of convenience ('the Mum test'). They needed to address the question of longevity (what happens to the data if a service ceases to operate) and how one can overcome the dependency on universal broadband access for cloud based services.
While it is good to offer customers more power, she said, many services on offer would not affect the underlying contracts people have to enter with their service providers. Where the underlying power relationship does not change, there's a risk of illusion of power when only limited power exists.
What she had heard described about Mydex was probably, in her view, best practice in this context, but not all providers would do it in a manner that best favoured the individual. She felt it might be necessary to have a regulatory or certification framework to create and enforce that trust. In the longer term, Judith Rauhofer was worried about a shift of control to the individual, not as a right but as an obligation. Given that power and wealth are unequally distributed in society, it was important to preserve the EU approach to privacy as an inalienable right. Any move to a more US-style 'property rights' view of data might create new monopolies and dangerous power structures.
These are important points. Our view at Mydex is that restoration of control over personal data to individuals is helpfully seen as a form of emancipation in the European enlightenment tradition. We believe it is best done in the context of strong data protection law, such as we have in Europe, properly implemented. Contract law is a powerful and flexible way to protect individuals' interests; it is no substitute for inalienable human rights.
At Mydex CIC we welcome the emergence of a growing range of personal data services. As the services proliferate there is an important service to be done to ensure that services which promise to act in the interests of the individual genuinely do so. Any emergence of phoney trust frameworks or false claims of consumer empowerment services and apps must be recognised and called out.
This will require the sort of vigilance Judith Rauhofer called for, and which indeed she exemplified at the SCL Technology Law Futures Forum.
Mydex fully accepts the core challenges to be addressed, including universal availability and a design that demonstrates convenience and benefits to all parties right from outset and in the absence of any network effect.
A healthy personal data ecosystem requires both diversity and interoperability. Mydex already participates in initiatives to set out the core principles involved, for example Doc Searls' VRM Principles, the work of the Personal Data Ecosystem Consortium and of OIX which has played a valuable role in research and exploration of UK ID Assurance services. Mydex fully accepts the UK government's Identity assurance principles as an excellent template for identity assurance providers.
But Judith Rauhofer is right to point out that there is no clear and established set of global central governance, technical, commercial and legal standards for new personal data services. Nor is there any credible mechanism for conformance or enforcement.
Clearly there is a risk or inevitablility that some - perhaps a majority - of new personal data services will cloak old-style instincts for exploitation and organisational control in the new language of devolved personal control. It is a subject to which SCL should return. There's more work to do, and a role to be filled.
William Heath is chairman and co-founder of Mydex CIC: https://mydex.org/