Analysis: The pros and cons of privacy and data protection laws

The starting point for most privacy and data protection laws is creating a safer environment for all of us and our personal data – but the inevitable overreach often has far-reaching consequences

Most privacy and data protection laws have the noble aims of making us and our personal information safer – but overreach in the detail is a common side effect of attempts to do the right thing.

The consequences of this legal overreach can themselves be far-reaching – not just to personal privacy, but to technological innovation as a whole, if creators and those with grand ideas feel stifled by the competing needs of overlapping legislation.

The worst case scenario? Potential stagnation for technological innovation.

The broad scope of privacy and data protection laws is generally to ensure the free flow of personal data between the member states, while their ultimate purpose is to regulate how such data should be processed in order to maintain a balance between the various interests of the personal data ecosystem.

Of course, constant fluctuations in both technological and socio-economic contexts make achieving these grand aims a challenge. Regulation is always lagging behind new technological and market challenges, even as it struggles to keep up.

As Maria Macocinschi, who is studying for a doctorate in law at the University of Turku in Finland, notes: “The rigidity in revising and adapting the laws to the fast technological and economic developments is creating frustrations not only for consumers but also for companies.”

She also cites the much-praised General Data Protection Regulation (GDPR), which comes into force in May next year, as a well-intentioned law that may have adverse side effects.

She said: “GDPR, for example, displays two contradictory trends. While it ensures a simplification of the regulatory environment and harmonisation of the standards, it also poses additional burdens and costs for companies. Therefore, the free flow of information might be quite affected by these overwhelming obligations.”

Regulation is inevitably deeply complicated, balancing as it must the conflicting interests of the various parties involved (public and private institutions, and consumers) as well as translating more traditional human values into a constantly changing digital environment.

Laws around surveillance are a good example of clashing interests and values: while surveillance such as CCTV is employed primarily to protect citizens, the same technologies are now being used in ways that seem to undermine the very values they were meant to protect.

Countries like China, for example, are trying to use technology that will predict when a crime is going to take place, before it even happens – the very stuff of sci-fi films.

The potential for horrifying consequences for those caught up in it makes it increasingly important that surveillance, and the emerging dataveillance phenomenon, should be carefully regulated to ensure a balance between the public interest, the economic rights of companies, and individuals’ privacy and data protection.

In terms of increasing the efficiency and effectiveness of current data protection laws, Maria says there are three broad areas that should be considered:

  • We need to look at how traditional legal concepts should be revised, taking into account the current state of information innovations.
  • We need to look at how we regulate the emerging actors in this burgeoning ecosystem, as well as the new methods of collecting and processing data.
  • We also need to reframe the importance of the legal requirements for consent in the intensified and opaque dataveillance systems.

So how do we balance the necessary values and rights for the democratic functioning of the society with preserving personal privacy? This, of course, raises questions of how much privacy is desirable, legally and otherwise?

As with so many other things, regulation initially and superficially seems to be the natural answer here – providing guidelines for the protection of individual interest and public good. However, the law by itself cannot achieve this goal.

Furthermore, the extent to which we all, as consumers, promote and open up our own private lives through social media poses its own problems. The internet is a growing force in all our increasingly transparent lives. With the big data crunching capabilities of all the information we have willingly or unknowingly put out there, the ability for public and private actors to know far more about us than we are comfortable with has never been more real. Our identities, behaviours, transactions and other preferences and vulnerabilities are all gathered and exploited for various obscure purposes.

Again, legislation such as the GDPR is trying to address this, by putting more power over personal information back in the hands of consumers – but here too, law-making inevitably runs behind real life, meaning we are always struggling to keep up.

A new right to data portability (Art. 20 GDPR) and a revised right to be forgotten (Art. 17 GDPR) are aiming to build a stronger protection for the data subject and redress consumer sovereignty. However, such powers for individuals are not absolute. The interest in the protection of information privacy will always be balanced against other public interests as necessary in a democratic society (Recital 73 GDPR).

So how should we try and find this balance moving forwards? Maria has three key suggestions.

She said: “Balancing conflicting interests is difficult but not impossible. A first step would be educating individuals about what informational privacy is and the real benefits and consequences of sharing personal information. In a democratic society, a person should not isolate herself from the rest of the community, but rather participate and contribute to the decision making.

“Therefore, data protection regulations should not be perceived as tools facilitating the invisibility of the individuals to the rest of the world. Rather, they provide the necessary measures to ensure their safe participation in the society. Disclosing personal information is a requisite for identification in a digital environment of disappearing bodies, and for effectively communicating their consumer preferences to the companies.

“Secondly, each participant in the personal information ecosystem should acknowledge the importance of privacy intermediaries. For controlling and managing their personal data, individuals need the technical architectures (such as digi.me) and supportive guidelines (privacy guardians).

“The technological development should not be perceived by consumers and legislators as a big threat to privacy and personal data. While technology might pose some risks, it can also provide useful solutions for the protection of individuals and their fundamental rights. Therefore privacy and sharing are not foes, but complementary to each other.”

This blog is a joint venture between digi.me and Maria Macocinschi

Differential privacy? No, Apple, it’s all about private sharing

We think private sharing is this year’s differential privacy – and we’ll tell you why

Apple has hit the headlines again with news that it may not be using its vaunted differential privacy tool – which mines user data while protecting that person’s identity – quite as it said it would.

Differential privacy was last year’s big news from Apple, which has always talked a strong game on protecting user data. The idea is that by injecting random noise into personal data before it is uploaded to the cloud, Apple’s dataset as a whole can produce meaningful insights without personally identifying any individual users. They may or may not have made some changes to that, which are not our concern here.

But what did pique our interest here at digi.me was the most interesting line from the article, one that talks about a “failure of imagination” in correlating disparate data sets.

Imagination is absolutely the one thing we don’t lack here, having built a product that does just that very effectively. And actually, we’re confident that what we call private sharing is a much better way of, well, sharing your data privately.

Why? Crucially, you have control of your datasets, in your own 100 per cent secure library. If you choose to store that in the cloud, you and only you control access to it – digi.me doesn’t see, hold or touch your data, ever.

The biggest deal is in how you share your data – which is only on your terms, with consent that can be revoked at any time, through our unique Consent Access platform.

In short – you’re in the personal data driving seat with digi.me.

But the ultimate private sharing isn’t really sharing at all. This is when an app, which you have consented to let see certain defined elements of your data, runs an algorithm over that data and simply returns the result.

In this use case, which could be used for insurance or loan qualifying checks, no data has left your device, but the provider you’re working with has what they need to offer you the best rate as determined by your circumstances.

And because it hasn’t left your device, your data is 100 per cent private, while still being shared in ways that benefit both you and companies dealing with you.

Differential privacy is so 2016. Private sharing is the future – and you heard about it from digi.me first.

 

 

Digi.me partners with ID Exchange to help Australians do more with their personal data

Digi.me has partnered with Sydney start-up ID Exchange to help Australian consumers enjoy more control over their personal data.

ID Exchange and digi.me will collaborate as vanguards for personal data sharing, working jointly to simplify user processes around consent. Together, they will execute cutting-edge solutions that provide security as well as consented sharing through a seamless customer experience.

ID Exchange, which is based at leading FinTech incubator Stone & Chalk, is a unified Opt Out/Opt In operator whose centralised approach for aggregated consent naturally couples with digi.me’s philosophy on seamless personal data sharing.

Digi.me allows individuals to easily aggregate a broad and deep range of financial and social media data from platforms including the likes of Facebook, Twitter and Instagram and then share it, if they wish, under a bespoke Consent Access program. It supports data from all major Australian banks, and health, wearable and music data will soon be available.

Crucially, digi.me’s solution ensures that individuals hold all their own personal data about themselves in their own 100 per cent private library – digi.me does not see, touch or hold user data ever.

Jo Cooper, Founder of ID Exchange, said: “Collaborating with digi.me plugs Australia into global opportunities to accelerate personal data sharing and provides consumers, corporates and developers a comprehensive platform to safely consolidate and intersect cross market data whilst maintaining jurisdictional regulation compliance for privacy, permissioned access and security.”

Julian Ranger, Founder and Executive Chairman of digi.me, said: “Australia is one of the world leaders when it comes to data privacy so it was an easy decision for us to make when deciding to explore this market more closely to widen our global footprint.

“We’re delighted having found ID Exchange that we have a partner who shares the same philosophy as us in putting the individual in control of their data. Moreover, through Jo’s tremendous drive and experience we’re confident of making significant progress very soon.”

Both Julian and Jo were on the panel of the Australian British Chamber of Commerce seminar event titled The consent economy: the $5 billion trade in you and I, which took place on Tuesday, October 10 at 3.30pm at the Commonwealth Bank Innovation Centre in Sydney.

In the consent economy, operators that put consumer needs first, such as ID Exchange and digi.me (which now has a global presence thanks to a recent merger with leading US personal data specialist Personal), will take the lead.

The partnership between digi.me and ID Exchange opens collaborative opportunities across the Australian and UK economies, where issues around personal data are coming to the fore as the new and far-reaching EU General Data Protection Regulation comes into force in May 2018.

Digi.me wins a Citi Tech for Integrity award!

We’re delighted to announce that we have won a Citi Tech for Integrity Challenge award.

Digi.me won the prize from the Dublin leg of the challenge, which encouraged technology innovators from around the world to create cutting-edge solutions to promote integrity, accountability and transparency in the public sector and beyond.

The awards were announced at an event hosted by the International Monetary Fund (IMF) to highlight the crucial role technology can play in tackling corruption around the world, and were given to companies that offered solutions that merited additional recognition.

Our bid showcased digi.me as a product that can help deal with challenges as diverse as corporate governance, anti-money laundering and identity validation and passed through two initial rounds before we were selected for the demo day in Dublin.

There, we showcased a demo version showing multiple streams of data being uploaded to the app, with innovations addressing the specific ‘pain points’ being shared in presentation format.

These include using technology to analyse and identify patterns of fraudulent health insurance claims, and leveraging emerging technologies such as blockchain to create digital identities for the large population of people, such as refugees, who do not have legal identity papers.

At the demo day, digi.me demonstrated how our product can be used to:

  • enable governments to efficiently and effectively identify refugees who have had to flee their home countries without identification papers. Their digi.me account is effectively an audit trail of their online life and therefore a way to identify both them and their circumstances, as well as reducing costs and waiting times for immigration departments.

  • enable insurance companies to reduce insurance fraud, with a knock-on effect of reducing insurance premiums for consumers.

  • enable governments and NGOs to identify the correct individual recipient of any offered support, using their digi.me account to validate who they are and audit what was received. This method could be used for goods, vouchers or financial support whether beneficiaries are present or not.

Plans and sponsors coming together for Data Hack Iceland 2017! #letsgetpersonal

We’re delighted to say more sponsors, challenges and prizes have been added to our Data Hack Iceland 2017 event, which is taking place on October 7 and 8 in Reykjavik.

And to make it even more inclusive, we are also offering a Virtual Challenge, meaning anyone from anywhere in the world can take part!

Attendees will get the first ever access to a public-facing API, which includes health, financial and social data, to open a spectrum of new possibilities and innovative solutions.

The health data will cover prescriptions, vaccinations, medications, allergies, doctor appointments, hospital visits and medications administered during those visits.

Test financial data, from bank and credit card accounts, will also be available, as well as social media data such as likes, posts and shares – and we hope all teams will be able to build something functional and exciting over the course of the weekend.

Prizes ranging from flights, tickets and accommodation for an entire team to Slush in Helsinki in November to Start Up Iceland 2018 tickets, smart devices, cash and Onymos licences are on offer for the winners of the various challenges – so get involved!

Find out more and register at Data Hack Iceland 2017

 

 

Great news – you can now add financial data to your digi.me

We’re very excited that you can now add details of your finances to your digi.me library.

Having your financial accounts in one place within digi.me allows you to take control of your money and gain greater insight into your spending, and is just the start of enhanced social streams that will soon include data from every area of your life.

Once you’ve added your bank account details, you can keep track of balances and payments, as well as what’s coming in and what’s going out, while spending categories let you see where your money goes for better budgeting.

You can also search across all your accounts for a particular transaction or by vendor.

Adding financial data is done via Yodlee, a service that allows consumers to securely consolidate and manage their financial information on the web. More information about what exactly that means, and why it’s completely secure, can be found here.

Getting started couldn’t be simpler. You will need to visit our product page to download the latest version of the app, because we have given it a complete upgrade so it can accommodate different streams of data as well as social.

Then you will be prompted to create a library with Dropbox – being based in the cloud means that, for the first time, your central digi.me library can be accessed on all your devices. Once you’ve done that, follow the prompts to add as many accounts as you want.

This is a major new feature and it is still early days, so all feedback is welcome. This can be given simply by shaking mobile devices or clicking the bug icon on desktop.

You will notice that your finance details are laid out a little differently from a normal statement list, because as part of the data normalisation our app does, we display a timeline tapestry of your life. This tiled display is customisable, and you can create favourite saved searches and organise your data how it makes best sense to you.

We have many more sources of data and new features in the works, but the next one up is Google Drive as an alternative home for your library. If you would like to be part of the beta for that, you can sign up at www.digi.me/beta

Five personal data lessons we need to learn from the Equifax hack

The Equifax data breach, which has leaked critical personal information including Social Security numbers and birth dates on an estimated 143m Americans, as well as Britons and Canadians, is one of the largest ever, both in scale and the importance of the data stolen. So what lessons can we – and must we – learn from this demonstration of individual powerlessness in the face of data theft?

  1. Honeypots of data are hugely attractive to hackers. We know this, it’s common sense – and yet still we are persisting with the centralising of personal data rather than returning it to the individual. Putting each of us in control of our own personal data, so we can choose when and with whom it is shared, is all that makes sense.
  2. When our data is sold from behind our backs, we don’t know who has it. The nature of Equifax’s credit-scoring business, which takes data from a number of sources to help other companies assess creditworthiness, makes it hard to assess whose data was stolen – and for individuals, whether they were involved in the breach. Again, so much better to have individuals as the hub of all their data, sharing it with insurance companies, for example, when needed, or letting algorithms run over the data on the phone and just return the result, in what we at digi.me call private sharing.
  3. When our data has been breached by a third party, we’re reliant on them to tell us. Equifax has set up a website for people to check if their personal details were part of the breach, but there have been widespread reports of the site returning different results for the same data. It also requires a Social Security number, making it useless for anyone outside the US. Not to mention the fact that the breach took weeks to come to light, potentially giving the hackers time to use the information they had stolen before its owners even knew it was gone. We are not in control of our own data, which is created by us. That model – where our data is used for profit by others – needs to change.
  4. Those involved are at significant risk of fraud for years to come. This is not an email breach, where the people involved can simply change their passwords and (largely) put a stop to the damage. The information stolen, which also included addresses, driver’s licence details and credit card numbers, means those affected are at significant risk of identity theft – and will be for years to come. We must use breaches such as these as drivers for change – otherwise nothing will change.
  5. Finally, and possibly most scary of all, we don’t know what this means. We don’t know if this hack will translate into increased levels of theft and fraud, or whether other information held by similar credit-scoring companies is any more secure. Or, indeed, whether Equifax will be punished for this breach.

What we do know is that trusting others with our personal information has seen it leaked over and over again. The fundamental method of personal data management must move back to the individual from central stores. And until it does, massive breaches of this scale, and the subsequent hassle and problems caused to those the data actually belongs to, will continue. Regulation has a part to play, but so too does consumer behaviour – and we need to be clear that this is not ok, on any level.

Come and join the digi.me personal data hackathon

Calling all developers, designers and entrepreneurs (or indeed anyone with curiosity and flair!).

Are you interested in building personalised online experiences without losing control over or the privacy of your personal data?

Then our Data Hack Iceland hackathon is for you!

Being held on October 7 and 8 in Reykjavík, Iceland, the #letsgetpersonal event will feature personalised data, health and social data challenges.

Two challenges have been identified so far. The first is the digi.me challenge: build a cool, innovative app using digi.me’s Consent Access platform with a focus on health and finance, as Dattaca Labs and digi.me make private sharing real.

There is also a Code for a Cause challenge, looking at how we can better use open or user contributed data to give deeper insights into or tackle social problems including unemployment and environmental issues, with others to follow.

Ideas will be judged on their fundability, execution, UI/UX, originality and scalability, and the prizes include the Icelandic Data Hack Trophy for the best solution, as well as a VIP tickets package worth $2000.

For more details of how to register, prizes, the schedule and rules, visit https://www.digi.me/datahackiceland. A limited number of sponsorships are available.

 

Digi.me delighted to have signed MyData Internet of Me principles

We are delighted to have signed up to the Declaration of MyData principles, and urge anyone else with an interest in how personal data is held and managed to sign too.

The principles, which are a first version and will evolve with a second version expected after feedback in six months, are designed to “make sure individuals are in a position to know and control their personal data, but also to gain personal knowledge from them and to claim their share of their benefits.”

As the introductory text notes: “Today, the balance of power is massively tilted towards organisations, who alone have the power to collect, trade and make decisions based on personal data, whereas individuals can only hope, if they work hard, to gain some control over what happens with their data.

“The shifts and principles that we lay out in this Declaration aim at restoring balance and moving towards a human-centric vision of personal data. We believe they are the conditions for a just, sustainable and prosperous digital society whose foundations are:

  • Trust and confidence, that rest on balanced and fair relationships between people, as well as between people and organisations;
  • Self-determination, that is achieved, not only by legal protection, but also by proactive actions to share the power of data with individuals;
  • Maximising the collective benefits of personal data, by fairly sharing them between organisations, individuals and society.”

The six key principles are human-centric control of personal data, the individual as the point of integration, individual empowerment, data portability and re-use, transparency and accountability, and interoperability.

MyData hopes that organisations and companies working in the personal data ecosystem will take and use these principles, to further their own projects, as well as build their own trust frameworks and terms of service.

They accord strongly with our own Internet of Me vision, with the individual at the centre of, and in control of, their connected life. And we are also very happy to be a sponsor of the MyData conference next week in Tallinn and Helsinki.

Watch out for more updates on that!

 

Digi.me merges with Personal to create global personal data control powerhouse

Digi.me and Personal are combining forces through a merger, bringing together the leading European and US companies in the emerging personal data ecosystem to provide a single integrated solution for consumers and businesses.

Both companies have pioneered innovative technologies to empower individuals to gain control over the growing amount of data and analytics about themselves that fuels the digital world. They directly address the challenge of enhancing privacy while increasing the ability of people to benefit from sharing and analysing data, including by apps on a mobile phone without the data ever having to leave the phone.

The combined business will be called digi.me, with its global HQ near London in the UK and the US operation based in Washington, DC. Personal’s enterprise solutions, known as TeamData, will be spun off as a separate information security and productivity company for businesses. The combined global workforce of over 60 people will continue to work for digi.me.

“We are excited to bring together the best of digi.me and Personal to accelerate the growth of our combined products and network of partners,” said Julian Ranger, Founder and Chairman of digi.me. “We have each built complementary infrastructure and products necessary for individuals to easily aggregate and share data whilst maintaining its security and privacy. It’s a win-win for individuals and for companies who embrace this model of transparency and trust.”

“Everything is powered by data today, but without clear benefit for the individual,” said Shane Green, Co-founder and CEO of Personal, who will serve as CEO of digi.me (US). “In a world of rapidly expanding artificial intelligence, analytics and personalised experiences, it is critical that we as individuals have the tools and rules to ensure our interests are also served by our data.”

Digi.me and Personal have raised over $45 million between them, attracting leading investors such as the Omidyar Network, SwissRe, Planetary Holdings, TCS Capital Management, Allen & Company, Revolution Ventures, Ted Leonsis and Esther Dyson.

Digi.me allows individuals to easily aggregate a broad and deep range of their social media data from Facebook, Instagram, Twitter, Pinterest, Flickr and other popular sources along with financial data from hundreds of sources in a secure library.

Companies and developers can then use digi.me’s APIs to request access to integrated data sets to provide better data-driven experiences, services, and rewards, and to provide other benefits like rich personal analytics. Health, wearable and music data will also be available soon after the merger. Current partners of digi.me include Swiss Re, Western Digital, Lenovo, Amgen, Dattaca Labs and FNAC.

Personal is focused on secure, collaborative creation and management of reusable data constantly needed by people at home and work to complete thousands of information-related tasks. It supports a multitude of data types from passwords, credit cards and IDs to detailed data for office and home use such as insurance, health and personal data of employees and family members. A free version of Personal’s TeamData app will be available for individual use following the merger and will be integrated into digi.me later this year.

The combined version of digi.me and Personal will allow seamless management of thousands of different types of both feed and manually-created data, supported by the industry’s leading structured data ontology and data normalisation technology. It will also allow secure sharing and far richer data-driven experiences between individuals and third party apps, and allow companies to reduce business and regulatory risks by requesting access directly from users.

“People assume there is a fundamental trade-off between sharing data and privacy, with Americans historically favouring sharing and Europeans favouring privacy,” said Rory Donnelly, CEO of digi.me. “That no longer has to be the case when the individual controls much of the critical data about them and their lives. We are delivering the exact permission-based technology solution regulators and CEOs have been seeking.”

“There simply isn’t any way we can create this exciting, data-driven future without individual agency over data,” said CV Madhukar, Investment Partner at Omidyar Network. “Companies can use data to improve our lives, but their interests must be balanced with that of the individual: users must always have choice over who they reward with their trust and data.”

Find more information about digi.me, including the app, at https://www.digi.me. TeamData is at https://teamdata.com/