In our Simulator we can look at any data exchange from both the individual and the organisation perspective, and in the vast majority of scenarios we see the same data sitting on both sides. A name, a permission, a product detail: they look the same. They both exist as 1s and 0s on a silicon chip, accessed by operating systems, applications, user interfaces, agents and APIs. So what is the critical difference between looking from the individual perspective and looking from the organisation perspective?
Of course, it is the contractual terms under which the data are being gathered, processed and used.
The current norm is that each and every organisation decides what data it wishes to gather, manage and use. They then brief their legal team who come up with a set of terms wrapped up in contractual agreements that are designed to:
1. Enable the organisation to undertake the data processing they perceive to be required for their organisational purposes,
2. Illustrate to regulators how the organisation is meeting its privacy and data protection (and other) obligations.
The model above has been the norm since the World Wide Web emerged as a commercial channel in which individuals and organisations could interact and transact. There is plenty of evidence that this model is very broken, and that clicking ‘I agree’ without reading the agreement is the norm, not least because people know that at the end of reading it they won’t have a whole lot of choice anyway. And then we have cookie notices, probably even more broken than privacy notices. There is literally a billion-dollar industry dedicated to helping organisations manage ‘consent’, and it exists to prevent organisations being in breach of their regulatory obligations.
That current model is almost exclusively oriented towards data ON me, being managed by a classic data controller model, sometimes with additional data processors.
It does not have to be that way. A contract is a contract; there is nothing in contract law that says such terms can’t be proposed by an individual, or by an intermediary, i.e. a party whose orientation originates with and for the individual. That data FOR me model is more akin to the relationships we have with our doctors or lawyers: we share privately with them, and they share onwards only with our permission. Until now, data FOR me has largely been unregulated and assumed to happen offline, either non-digitally (filing cabinets) or in files (for example spreadsheets) built using non-cloud-based storage or processing. That is beginning to change, with recognition in both UK.Gov and EU regulation that the emerging concept of a data intermediary is a good one. And it needs to change: data managed truly offline is an increasing rarity, and as soon as one goes online, ‘terms’ come into the mix at multiple levels of the technology stack.
However, individuals are highly unlikely to propose their own terms from scratch for a data sharing relationship; they do not have the time or resources to do so. Nor would organisations accept such a proposal from a single individual. But work is being done in the IEEE standards body (IEEE7012) to create the concept of standard, machine-readable information sharing agreements, and the group will shortly propose a starting point of 11 standard and readily understandable contracts. The model envisaged is very much ‘like Creative Commons, but for data sharing’. That is to say, a set of agreements with varying implications is published in canonical form in human-facing, machine-facing and lawyer-facing formats, and then parties, whether individuals or organisations, can point to one or more of those options as agreements they would accept. Each of those options is built using GDPR as the baseline; none enables the surveillance model we see so commonly at present. In other words, they will make sense for organisations that want robust ‘first party’ data relationships with their customer/citizen/user/patient/employee base, but not for organisations that insist on tracking people across the web and similar.
The IEEE7012 or similar approaches to terms around information sharing have the potential to enable huge changes in the current very broken model. And much as they might initially feel worrying for organisations, I’m pretty sure that many will quickly realise that living without the burden of maintaining agreements that are never read and thus not trusted has more upsides than downsides. We’ll deploy the 7012 agreements in our Simulator as soon as they are finalised and report back on how they shape up.