Tag Archives: personal data

Birgit Sippel makes first public statement on ePrivacy – and why it shouldn’t stifle innovation

The European Parliament’s new Special Rapporteur for the proposed ePrivacy Regulation, German MEP Birgit Sippel, has made her first public statement setting out her beliefs – and she didn’t mince her words.

Speaking at the IAPP Europe Data Protection Congress, she told a sold-out event that online and offline privacy should be afforded the same status:

“Would you allow a stranger to go into your bedroom or look through your drawers without your permission?” she asked. “No, you probably wouldn’t.”

Sippel also called for over the top (OTT) providers, including services such as messaging and dating apps, to be covered by the ePrivacy Regulation, arguing: “Some of us may send an SMS text, while others may use a service like WhatsApp. One is covered by the current ePrivacy Directive, while the other is not. Consumers need the same protections for both.”

She also called for an abolition of surveillance-driven advertising – and the need for implemented legislation to make good on universally-agreed freedoms such the right to personal privacy.

One key theme from her speech was that businesses have the answers to innovating with privacy – and that compliance with privacy regulation need not stifle new ideas.

She said that businesses are innovative and should be able to create ways of obtaining meaningful consent without causing consumer fatigue.

Here at digi.me, where we have built a bespoke Consent Access platform so our users – and those who want consented access to their data – can do just that, we couldn’t agree more.

New legislation will always bring challenges, but in rising to meet those we create superior products that exceed consumer expectations while being compliant.

And that’s certainly a win-win situation for everyone. So here’s to innovation!

Analysis: The pros and cons of privacy and data protection laws

The starting point for most privacy and data protection laws is creating a safer environment for all of us and our personal data – but the inevitable overreach often has far-reaching consequences

Most privacy and data protection laws have the noble aims of making us and our personal information safer – but overreach in the detail is a common side effect of attempts to do the right thing.

The consequences of this legal overreach can themselves be far-reaching – not just to personal privacy, but to technological innovation as a whole, if creators and those with grand ideas feel stifled by the competing needs of overlapping legislation.

The worst case scenario? Potential stagnation for technological innovation.

The broad scope of privacy and data protection laws is generally to ensure the free flow of personal data between the member states, while their ultimate purpose is to regulate how such data should be processed in order to maintain a balance between the various interests of the personal data ecosystem.

Of course, constant fluctuations in both technological and socio-economic contexts make achieving these grand aims a challenge. Regulation is always lagging behind new technological and market challenges, even as it struggles to keep up.

As Maria Macocinschi, who is studying for a doctorate in law at the University of Turku in Finland, notes: “The rigidity in revising and adapting the laws to the fast technological and economic developments is creating frustrations not only for consumers but also for companies.”

She also cites the much-praised General Data Protection Regulation (GDPR), which comes into force in May next year, as a well-intentioned law that may have adverse side effects.

She said: “GDPR, for example displays two contradictory trends. While it ensures a simplification of the regulatory environment and harmonisation of the standards, it also poses additional burdens and costs for companies. Therefore, the free flow of information might be quite affected by these overwhelming obligations.”

Regulation is inevitably deeply complicated, balancing as it must the conflicting interests of the various parties involved (public and private institutions, and consumers) as well as translating more traditional human values in a constantly changing digital environment.

Laws around surveillance are a good example of clashing interests and values: while surveillance such as CCTV is employed primarily for the protection of the citizens for security reasons, the same technologies are now being used in ways that seem to undermine the same values once sought to be protected.

Countries like China, for example, are trying to use technology that will predict when a crime is going to take place, before it even happens – the very stuff of sci-fi films.

The potential for horrifying consequences for those caught up in it makes it increasingly important that surveillance, and the emerging dataveillance phenomenon, should be carefully regulated to ensure a balance between the public interest, the economic rights of companies and the individuals’ privacy and data protection.

In terms of increasing the efficiency and effectiveness of current data protection laws, Maria says there are three broad areas that should be considered:

  • We need to look at how traditional legal concepts should be revised, taking into account the current state of information innovations
  • We need to look at how we regulate the emerging actors in this burgeoning ecosystem, as well as the new methods of collecting and processing data.
  • We also need to reframe the importance of the legal requirements for consent in the intensified and opaque dataveillance systems.

So how do we balance the necessary values and rights for the democratic functioning of the society with preserving personal privacy? This, of course, raises questions of how much privacy is desirable, legally and otherwise?

As with so many other things, regulation initially and superficially seems to be the natural answer here – providing guidelines for the protection of individual interest and public good. However, the law by itself cannot achieve this goal.

Furthermore, the extent to which we all, as consumers, promote and open up our own private lives through social media poses its own problems. The internet is a growing force in all our increasingly transparent lives. With the big data crunching capabilities of all the information we have willingly or unknowingly put out there, the ability for public and private actors to know far more about us than we are comfortable with has never been more real. Our identities, behaviours, transactions and other preferences and vulnerabilities are all gathered and exploited for various obscure purposes.

Again, legislation such as the GDPR is trying to address this, by putting more power over personal information back in the hands of consumers – but here too, law-making inevitably runs behind real life, meaning we are always struggling to keep up.

A new right to data portability (Art. 20 GDPR) and a revised right to be forgotten (Art. 17 GDPR) are aiming to build a stronger protection for the data subject and redress consumer sovereignty. However, such powers for individuals are not absolute. The interest in the protection of information privacy will always be balanced against other public interests as necessary in a democratic society (Recital 73 GDPR).  

So how should we try and find this balance moving forwards?  Maria has three key suggestions.

She said: “Balancing conflicting interests is difficult but not impossible. A first step would be educating individuals about what informational privacy is and the real benefits and consequences of sharing personal information. In a democratic society, a person should not isolate herself from the rest of the community, but rather participate and contribute to the decision making.

Therefore, data protection regulations should not be perceived as tools facilitating the invisibility of the individuals to the rest of the world. Rather, they provide the necessary measures to ensure their safe participation in the society. Disclosing personal information is a requisite for identification in a digital environment of disappearing bodies, and for effectively communicating their consumer preferences to the companies.

Secondly, each participant in the personal information ecosystem should acknowledge the importance of privacy intermediaries. For controlling and managing their personal data, individuals need the technical architectures (such as digi.me) and supportive guidelines (privacy guardians).

The technological development should not be perceived by consumers and legislators as a big threat to privacy and personal data. While technology might pose some risks, it can also provide useful solutions for the protection of individuals and their fundamental rights. Therefore privacy and sharing are not foes, but complementary to each other. “

This blog is a joint venture between digi.me and Maria Macocinschi

Differential privacy? No, Apple, it’s all about private sharing

We think private sharing is this year’s differential privacy – and we’ll tell you why

Apple has hit the headlines again with news that it may not be using its vaunted differential privacy tool – which mines user data while protecting that person’s identity – quite as it said it would.

Differential privacy was last year’s big news from Apple, which has always talked a strong game on protecting user data. The idea is that by injecting random noise into personal data before it is uploaded to the cloud, Apple’s dataset as a whole can produce meaningful insights without personally identifying any individual users. They may or may not have made some changes to that, which are not our concern here.

But what did pique our interest here at digi.me was the most interesting line from the article, one that talks about a “failure of imagination” in correlating disparate data sets.

A ‘failure of imagination’ is absolutely the one thing we don’t lack here, having built a product that does just that very effectively. And actually, we’re confident that what we call private sharing is a much better way of, well, sharing your data privately.

Why? Crucially, you have control of your datasets, in your own 100pc secure library. If you choose to store that in the cloud, you and only you control access to it – digi.me doesn’t see, hold or touch your data, ever.

The biggest deal is in how you share your data – which is only on your terms, with consent that can be revoked at any time, through our unique Consent Access platform.

In short – you’re in the personal data driving seat with digi.me.

But the ultimate private sharing isn’t really sharing at all – this is when an app – which you have consented to let see certain and defined elements of your data – runs an algorithm over that data, simply returning the result.

In this use case, which could be used for insurance or loan qualifying checks, no data has left your device, but the provider you’re working with has what they need to offer you the best rate as determined by your circumstances.

And because it hasn’t left your device, your data 100 per cent private, while still being shared in ways that benefit both you and companies dealing with you.

Differential privacy is so 2016. Private sharing is the future – and you heard about it from digi.me first.

 

 

Digi.me partners with ID Exchange to help Australians do more with their personal data

Digi.me has partnered with Sydney start-up ID Exchange to help Australian consumers enjoy more control over their personal data.

ID Exchange and digi.me will collaborate as vanguards for personal data sharing, working jointly to simplify user processes around consent. Together, they will execute cutting-edge solutions that provide security as well as consented sharing through a seamless customer experience.

ID Exchange, which is based at leading FinTech incubator Stone & Chalk, is a unified Opt Out/Opt In operator whose centralised approach for aggregated consent naturally couples with digi.me’s philosophy on seamless personal data sharing.

Digi.me allows individuals to easily aggregate a broad and deep range of financial and social media data from platforms including the likes of Facebook, Twitter and Instagram and then share it, if they wish, under a bespoke Consent Access program. It supports data from all major Australian banks, and health, wearable and music data will soon be available.

Crucially, digi.me’s solution ensures that individuals hold all their own personal data about themselves in their own 100 per cent private library – digi.me does not see, touch or hold user data ever.

Jo Cooper, Founder of ID Exchange, said: “Collaborating with digi.me plugs Australia into global opportunities to accelerate personal data sharing and provides consumers, corporates and developers a comprehensive platform to safely consolidate and intersect cross market data whilst maintaining jurisdictional regulation compliance for privacy, permissioned access and security.”

Julian Ranger, Founder and Executive Chairman of digi.me, said: “Australia is one of the world leaders when it comes to data privacy so it was an easy decision for us to make when deciding to explore this market more closely to widen our global footprint.

We’re delighted having found ID Exchange that we have a partner who shares the same philosophy as us in putting the individual in control of their data. Moreover through Jo’s tremendous drive and experience we’re confident of making significant progress very soon.”

Both Julian and Jo were on the panel of the Australian British Chamber of Commerce seminar event titled The consent economy: the $5 billion trade in you and I, which took place on Tuesday, October 10 at 3.30pm at the Commonwealth Bank Innovation Centre in Sydney.

In the consent economy, operators such as ID Exchange and digi.me, which now has a global presence thanks to a recent merger with leading US personal data specialists Personal, which put consumer needs first will take the lead.

The partnership between digi.me and ID Exchange opens collaborative opportunities across Australian and the UK economies where issues around personal data are coming to the fore as the new and far-reaching EU General Data Protection Regulation comes into force in May 2018.

Five personal data lessons we need to learn from the Equifax hack

The Equifax data breach, which has leaked critical personal information including Social Security numbers and birth dates on an estimated 143m Americans, as well as Britons and Canadians, is one of the largest ever, both in scale and the importance of the data stolen. So what lessons can we – and must we – learn from this demonstration of individual powerlessness in the face of data theft?

  1. Honeypots of data are hugely attractive to hackers. We know this, it’s common sense – and yet still we are persisting with the centralising of personal data rather than returning it to the individual. Putting each of us in control of our own personal data, so we can choose when and with whom it is shared, is all that makes sense.
  2. When our data is sold from behind our backs, we don’t know who has it. The nature of Equifax’s credit-scoring business, which takes data from a number of sources to help other companies assess creditworthiness, makes it hard to assess whose data was stolen – and for individuals, whether they were involved in the breach. Again, so much better to have individuals as the hub of all their data, sharing it with insurance companies, for eg, when needed, or letting algorithyms run over the data on the phone and just return the result, in what we at digi.me call private sharing.
  3. When our data has been breached by a third party, we’re reliant on them to tell us. Equifax has set up a website for people to check if their personal details were part of the breach, but there have been widespread reports of the site returning different results for the same data. It also requires a Social Security number, making it useless for anyone outside the US. Not to mention the fact that the breach took weeks to come to light, potentially giving the hackers time to use the information they had stolen before its owners even knew it was gone. We are not in control of our own data, which is created by us. That model – where our data is used for profit by others – needs to change.
  4. Those involved are at significant risk of fraud for years to come. This is not an email breach, where the people involved can simply change their passwords and (largely) put a stop to the damage. The information stolen, which also included addresses, drivers licence details and credit card numbers, means those affected are at significant risk of identity theft – and will be for years to come. We must use breaches such as these as drivers for change – otherwise nothing will change.
  5. Finally, and possibly most scary of all, we don’t know what this means. We don’t know if this hack will translate into increased levels of theft and fraud, or whether other information held by similar credit-scoring companies is any more secure. Or, indeed, whether Equifax will be punished for this breach.

What we do know is that trusting others with our personal information has seen it leaked over and over again. The fundamental method of personal data management must move back to the individual from central stores. And until it does, massive breaches of this scale, and the subsequent hassle and problems caused to those the data actually belongs to, will continue. Regulation has a part to play, but so too does consumer behaviour – and we need to be clear that this is not ok, on any level.

Come and join the digi.me personal data hackathon

Calling all developers, designers and entrepreneurs (or indeed anyone with curiosity and flare!).

Are you interested in building personalised online experiences without losing control over or the privacy of your personal data?

Then our Data Hack Iceland hackathon is for you!

Being held on October 7 and 8 in Reykjavík, Iceland, the #letsgetpersonal event will feature personalised data, health and social data challenges.

Two identified so far are the digi.me challenge: build a cool innovative app using digi.me’s Consent Access platform with a focus on health and finance as Dattaca Labs and digi.me make private sharing real.

There is also a Code for a Cause challenge, looking at how we can better use open or user contributed data to give deeper insights into or tackle social problems including unemployment and environmental issues, with others to follow.

Ideas will be judged on their fundability, execution, UI/UX, originality and scalability, and the prizes include the Icelandic Data Hack Trophy for the best solution, as well as a VIP tickets package worth $2000.

Find more details of how to register, prizes, the schedule and rules visit https://www.digi.me/datahackiceland. A limited number of sponsorships are available.

 

Digi.me delighted to have signed MyData Internet of Me principles

We are delighted to have signed up to the Declaration of MyData principles, and urge anyone else with an interest in how personal data is held and managed to sign too.

The principles, which are a first version and will evolve with a second version expected after feedback in six months, are designed to “make sure individuals are in a position to know and control their personal data, but also to gain personal knowledge from them and to claim their share of their benefits.”

As the introductory text notes: “Today, the balance of power is massively tilted towards organisations, who alone have the power to collect, trade and make decisions based on personal data, whereas individuals can only hope, if they work hard, to gain some control over what happens with their data.

“The shifts and principles that we lay out in this Declaration aim at restoring balance and moving towards a human-centric vision of personal data. We believe they are the conditions for a just, sustainable and prosperous digital society whose foundations are:

  • Trust and confidence, that rest on balanced and fair relationships between people, as well as between people and organisations;
  • Self-determination, that is achieved, not only by legal protection, but also by proactive actions to share the power of data with individuals;
  • Maximising the collective benefits of personal data, by fairly sharing them between organisations, individuals and society.”

The six key principles are human-centric control of personal data, the individual as the point of integration, individual empowerment, data portability and re-use, transparency and accountability and interoperability.

MyData hopes that organisations and companies working in the personal data ecosystem will take and use these principles, to further their own projects, as well as build their own trust frameworks and terms of service.

They accord strongly with our own Internet of Me vision, with the individual at the centre of and in control of, their connected life. And we are also very happy to be a sponsor of the MyData conference next week in Tallinn and Helsinki.

Watch out for more updates on that!

 

Digi.me merges with Personal to create global personal data control powerhouse

Digi.me and Personal are combining forces through a merger, bringing together the leading European and US companies in the emerging personal data ecosystem to provide a single integrated solution for consumers and businesses.

Both companies have pioneered innovative technologies to empower individuals to gain control over the growing amount of data and analytics about themselves that fuels the digital world. They directly address the challenge of enhancing privacy while increasing the ability of people to benefit from sharing and analysing data, including by apps on a mobile phone without the data ever having to leave the phone.

The combined business will be called digi.me, with its global HQ near London in the UK and the US operation based in Washington, DC. Personal’s enterprise solutions, known as TeamData, will be spun off as a separate information security and productivity company for businesses. The combined global workforce of over 60 people will continue to work for digi.me.

“We are excited to bring together the best of digi.me and Personal to accelerate the growth of our combined products and network of partners,” said Julian Ranger, Founder and Chairman of digi.me. “We have each built complementary infrastructure and products necessary for individuals to easily aggregate and share data whilst maintaining its security and privacy. It’s a win-win for individuals and for companies who embrace this model of transparency and trust.”

“Everything is powered by data today, but without clear benefit for the individual,” said Shane Green, Co-founder and CEO of Personal, who will serve as CEO of digi.me (US). “In a world of rapidly expanding artificial intelligence, analytics and personalised experiences, it is critical that we as individuals have the tools and rules to ensure our interests are also served by our data.”

Digi.me and Personal have raised over $45 million between them, attracting leading investors such as the Omidyar Network, SwissRe, Planetary Holdings, TCS Capital Management, Allen & Company, Revolution Ventures, Ted Leonsis and Esther Dyson.

Digi.me allows individuals to easily aggregate a broad and deep range of their social media data from Facebook, Instagram, Twitter, Pinterest, Flickr and other popular sources along with financial data from hundreds of sources in a secure library.

Companies and developers can then use digi.me’s APIs to request access to integrated data sets to provide better data-driven experiences, services, and rewards, and to provide other benefits like rich personal analytics. Health, wearable and music data will also be available soon after the merger. Current partners of digi.me include Swiss Re, Western Digital, Lenovo, Amgen, Dattaca Labs and FNAC.

Personal is focused on secure, collaborative creation and management of reusable data constantly needed by people at home and work to complete thousands of information-related tasks. It supports a multitude of data types from passwords, credit cards and IDs to detailed data for office and home use such as insurance, health and personal data of employees and family members. A free version of Personal’s TeamData app will be available for individual use following the merger and will be integrated into digi.me later this year.

The combined version of digi.me and Personal will allow seamless management of thousands of different types of both feed and manually-created data, supported by the industry’s leading structured data ontology and data normalisation technology. It will also allow secure sharing and far richer data-driven experiences between individuals and third party apps, and allow companies to reduce business and regulatory risks by requesting access directly from users.

“People assume there is a fundamental trade-off between sharing data and privacy, with Americans historically favouring sharing and Europeans favouring privacy” said Rory Donnelly, CEO of digi.me. “That no longer has to be the case when the individual controls much of the critical data about them and their lives. We are delivering the exact permission-based technology solution regulators and CEOs have been seeking.”

“There simply isn’t any way we can create this exciting, data-driven future without individual agency over data,” said CV Madhukar, Investment Partner at Omidyar Network. “Companies can use data to improve our lives, but their interests must be balanced with that of the individual: users must always have choice over who they reward with their trust and data.”

Find more information about digi.me, including the app, at https://www.digi.me, Teamdata is at https://teamdata.com/

Government strengthens UK personal data protection law

Individuals will have more control over their personal data in new measures being announced today.

The new Data Protection Bill, which brings the UK into line with the upcoming GDPR, will give the public new rights, including the right to be forgotten, and the right to withdraw consent for personal data use.

Under the plans, parents and guardians will be able to give consent for their child’s data to be used and ‘explicit’ consent, rather than simple box ticking, will be necessary for processing sensitive personal data.

The data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, in cases of the most serious data breaches.

Matt Hancock, Minister of State for Digital, said: “Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.

“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”

The Data Protection Bill will also make it easier and free for individuals to require an organisation to disclose the personal data it holds on them, as well as making it easier for customers to move data between service providers.

Elizabeth Denham, Information Commissioner, said: “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”

Julian David, CEO of techUK, said: “The UK has always been a world leader in data protection and data-driven innovation. Key to realising the full opportunities of data is building a culture of trust and confidence.”

NHS Deepmind and the need for transparency in personal data use

The NHS Deepmind deal has been heavily criticised by the Information Commissioner’s Office (ICO) for serious privacy erosion that fell foul of the Data Protection Act

The deal, which shared NHS patient data of 1.6m people with Google’s AI company Deepmind, had “several shortcomings” including that patients were not adequately informed that their data would be used as part of the tests on an app designed to diagnose serious kidney injury.

Elizabeth Denham, Information Commissioner, said in a statement: “There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.

“Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.

“We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”

Deepmind has admitted that: “We were almost exclusively focused on building tools that nurses and doctors wanted, and thought of our work as technology for clinicians rather than something that needed to be accountable to and shaped by patients, the public and the NHS as a whole. We got that wrong, and we need to do better.”

There are two fundamental lessons here – and they will be applicable going forward as they are today.

The first is that privacy and innovation can live hand-in-hand. Access to better quality data is a huge boon for innovation across all sectors, but it has to be permissioned and not just handed over. That’s a fundamental human right of the people involved, as well as best practice for ensuring fully accurate data that has the most value. Greater transparency benefits us all.

The second is that users need to be in control of their data, not third parties. This is how situations like this are avoided – by giving individuals control over the data that is about, or created by, them.

In the digi.me world, it then becomes their choice, and theirs alone, what happens to that data. And that’s exactly as it should be.