Strengthening privacy via a new market mechanism
A new completely different market mechanism to tackle privacy issues, which addresses the absence of personal data markets and a bargaining power imbalance between companies and consumers, has been proposed by the Global Initiative for Digital Empowerment (GIDE).
This ambitious initiative, published on 21 November by Dr Paul Twomey, Professor Dennis Snower and Vicente Arias González, has the title Innovation in the digital economy architecture: Ensuring regulatory simplification drives innovation and growth.
The Innovation in the Digital Economy Architecture (IDEA) Framework aims to complement current data laws by introducing “market-based mechanisms to make enforcement and compliance more efficient and simpler.” The authors state that the proposal drives innovation and economic growth without rolling back fundamental rights through “enhanced control over verified personal data, expert fiduciary representation, fiduciary duties to act in the best interest of data subjects, and collective negotiation.”
The IDEA framework has been developed by GIDE over the past three years in consultation with European stakeholders. GIDE brings together 130 diverse experts from over 30 countries.
The problem
The authors consider that often the data collection transactions are based on the use of a person’s data which is “extracted without meaningful consent and knowledge.” The problem is that “data subjects are not empowered to become active participants in decisions about how data about them is processed, both individually and collectively.” In addition, Data Protection Authorities face an uphill battle with the duty of “intensive oversight with limited capacity.”
Proposed solution: The IDEA framework
The IDEA framework aligns economic incentives with consumer interests and democratic oversight using “four mutually reinforcing market-based mechanisms that convert fundamental rights and obligations into enforceable market outcomes.”
- Effective control over Key Personal Data (KPD)
- Collective representation through expert fiduciaries
- Fiduciary duties including binding legal obligations of loyalty, care and transparency aligning these fiduciary organisations’ activities with consumer interests
- Collective negotiations to help groups of consumers define terms of data use.
The fundamental idea is that the IDEA framework’s market-based design unleashes innovation “by realigning incentives towards trust, quality and efficiency” …. [and] ….”turns personal data into a negotiated asset” from which consumers “can negotiate receiving compensation or benefits in kind.”
The authors consider that this model could work anywhere in the world and propose five policy recommendations which could achieve multiple policy goals.
My questions to the authors
Question 1 - Have you received any response from social media companies and others to this challenge to their business model? If so, what kind of response and from whom?
Answer - "Social media companies have not yet gone on the record. But some of them in informal conversations see the benefit of letting market forces drive compliance, rather than facing rising and fragmented regulatory pressure across countries and regions."
Question 2 - Are there any successful models of fiduciary organisations specifically for personal data? If so, which?
Answer - "There are two different types of institutions: Expert Fiduciaries and Key Personal Data (KPD) Registries.
Expert fiduciaries are organisation which are charged with the specific purpose of negotiating data processing practices on behalf of groups of consumers. Storing data is not an essential part of their activities.
The IDEA framework does not necessarily support the notion that expert fiduciary organisations also offer data registry services. However, for good governance we would prefer for them to be separate institutions. We don't want to create another concentrated market.
The model is existing on a building model of fiduciary sharing information like in the financial services industry. As we have argued, personal data markets do not operate as a market. Some potential participants could include: law firms, accounting firms, offline co-operatives, professional associations, banking, insurance and financial service fiduciaries, and regulated agents with an existing fiduciary duty, for example, health entities.
Data registry operators have two main characteristics. First, they store citizen data in a secure environment. Second, they manage access on behalf of citizens. They verify requesters, check consumer authorisation, and deliver the agreed data and terms in machine readable form. Companies that already have such capabilities include existing critical infrastructure administrators which already run authoritative systems.
For example, domain name registries operate at a national or international scale and follow governance models that match the demands of a KPD Registry.
There are various existing organisations that could play a role in establishing a data registry. Technologies could be centralised or distributed. None of these companies represent groups of consumers nor have the expertise to negotiate data processing terms with major social media or any other type of companies. That's the missing link."
My assessment
My assessment is that the IDEA framework is worth studying. While there are aspects which need to be developed, it tackles the current opaque barter system for personal data for free or reduced-price goods and services when “consent” to lengthy complex privacy policies is often given without most people knowing to what they are consenting with complex privacy policies of sometimes thousands of words.
New ideas take time to take root
In Europe, it took years from when the three-point car safety belt was first fitted in Volvo cars in 1959 until 1965 when they were required to be fitted in front seats of cars manufactured in Europe after the evidence proved that they saved lives.
The January 1962 issue of the UK’s Consumers Association’s testing and advocacy magazine Which? strongly advocated seat belt wearing. In 1967, new cars in the UK had to be fitted with front seat belts by law. But it was not until 1991 that it became compulsory for adults in the UK to wear seat belts both in the front and in the backs of cars.
The GIDE team has already contacted the European Commission to start discussing their proposals soon to be followed by Members of the European Parliament.
There are plenty of issues to resolve while the IDEA framework develops and matures. It is more complex conceptually than car seat belts. But it is broadly a market solution designed to run alongside and be compatible with the current legislative approach to tackle the mass processing of personal data by regulation.
Stewart Dresner
Founder and Publisher, Privacy Laws & Business
See: