It’s once again the time of year for scanning the personal data and privacy horizon and predicting the shape of the next 12 months.
I will start with two predictions about privacy regulation.
The first, which is dead certain, is that there will be more regulation across the world, including the US, based strongly on Europe’s GDPR and California’s Consumer Privacy Act, as well as other similar legislation.
The second is that there will be calls to go further than GDPR et al to help solve data asymmetry, for example, and improve the current disparity over access.
Data portability is key to the future – but it needs to be properly enabled with requirements to use “well-formed APIs”, the best and most efficient way to transfer data securely and regularly in real, or near real, time.
Meanwhile, an increasing focus on interoperability will lead to more initiatives to develop personal data standards. This is all to the good, but must not be at the expense of focusing on getting data released now, standards or not. We must understand the limitations here, that standards take time – and in fact we will be writing on this further this year.
I also predict that MyData solutions (including but not only digi.me) will start to become more widely adopted in real use cases with hundreds of thousands and maybe millions of users, showing that privacy and innovation are not in conflict, but go hand in hand when the individual is at the centre of their digital life.
The open question is how quickly these solutions will be adopted by the big companies, tech giants and brand giants – I predict two or more big names, maybe surprising to some, will be major MyData players by the end of 2020.
In terms of health, I said last year that 2019 would see health data become the key area that will enter the public consciousness. Whilst that occurred amongst health professionals and at Government level, it didn’t really have the same impact with the wider public, but I think it will in 2020. This will be spurred by great initiatives such as the Dutch MedMij project which is actively paying for businesses to get health data in the hands of Dutch citizens because of the huge benefits of Patient Centricity.
Moving to identity, I wish I could say 2020 would be the year of Self Sovereign Identity (SSI) but I don’t think 2020 will be the break-out year for SSI. Too much still remains to be done in the SSI world, and without both technical and business interoperability being enabled I think it will be at least a further year before we see any major changes in the Identity mess we live in today – sorry!
In terms of digital advertising, with Competitions and Markets Authority (CMA) investigations in the UK, as well as deepening issues with background data collection re GDPR, CCPA, et al, the digital advertising industry is in for a hard time in 2020. Will much change? Probably not at the level of what the consumer sees; but underneath and within the industry I think there will be a great searching for new solutions that allow targeted advertising to continue but within privacy rules and starting to respect the individual.
A lot of this will be trying to do the minimum to survive, but a few may start to see that MyData solutions promise a way forward that improves the outlook for everyone in the advertising chain, from advertisers and publishers to individuals and the intermediaries. In many ways this is my least certain prediction, but the one I hope will be the case.
To go with this prediction is my plea that takes us back to regulation. Cookie consent is a nonsense – I hope that calls for further expansion of privacy regulation revisit this area. I would like to end this piece by quoting from digi.me’s response to the CMA investigation into digital advertising:
“Cookie Consent is just not manageable – unlike consent for apps and services of which an individual may do a few in any one day, individuals can ‘surf’ many tens of pages in as short a time as an hour. Just searching for a specific item to buy for example – being asked to consent for each site when landing and then moving away is frankly non-sensical.
“The trade-off of having to discern that site’s specific format of consent and then dealing with it is out of all proportion to the value gained. Surely for web browsing consent defaults should NEVER include personal data tracking (but anonymous data for web site maintenance does make sense) – and a request for other than default consent for site maintenance should only be requested when an individual has accessed the site for an extended period or has an account.
“It is important though, whatever action is or is not taken with regard to cookie consent, that the problems of this particular consent use case are not conflated with the more episodic consent for personal data from the individual for specified apps and services.”
Timely and appropriate Julian – well-done! I would be very interested in your views on the security of HuaWei networks, which seem to have caused much consternation and confusion to HMG and UK public generally.