Over the last five years there has been much talk about the rise of personal data stores as a means of individuals "taking back control" (for want of a less Brexit-laden phrase) of their data. The concept is simple – a person can store their data in their own personal data store, deciding who they will share data with and managing all of their data in one place.
In theory personal data stores allow people to have greater oversight and control over how their data is used, provide a much quicker and easier way of disclosing information and allow organisations to access meaningful information instantly.
There is no limit to what personal data stores can hold: bank account data, insurance details, utility bill information, energy consumption, health records, fitness tracker information, identification documents, shopping lists, the list goes on…
However, personal data stores have not yet taken off in the way that many had hoped. So, what is holding back the development of the personal data store market? And can anything be done from a legal perspective to change this?
Imagine the scene: you have a busy day coming up in the office but need to renew your house insurance, check on your elderly mother who lives alone, do some grocery shopping and complete a questionnaire prior to your annual health check-up. On the train on the way to work you log in to your personal data store, authorise a price comparison site to access your insurance data to obtain quotes, check on your mother via her online health monitor (to which she has allowed you access via her personal data store), share your grocery list with your preferred supermarket and arrange online delivery, and permit your health provider to access your health information (including recent test results and your latest fitness tracker statistics) in order to complete the health questionnaire.
This can all be completed in your half hour journey to work without the need to log in to numerous sites, remember different passwords and complete endless forms. From the individual's perspective, having everything in one place is much more convenient and easier to manage.
The individual can also, in theory at least, exercise more control over the way in which their data is used by third parties. At the point of authorising access to data the individual can place limits on the purposes for which and over what period data may be used.
For organisations, the opportunities are also self-evident. If the organisation is trusted by the individual, there is the potential to gain access to a much richer dataset than would otherwise be held by the organisation and furthermore the dataset is maintained and updated regularly by the individual.
There are also other potential benefits. If data is only required for a limited period, the organisation can access the relevant data and use it for the required task and then delete it. The organisation therefore minimises data storage requirements and reduces the risk of data breaches by virtue of the fact that less information is held. For the organisation there is also a much lower likelihood of subject access requests, data portability requests and data erasure requests being made because all of the data ultimately resides in the individual's personal data store. Time and money that would otherwise be spent on managing and responding to such requests can be used elsewhere.
Security is a major concern for personal data stores. If all of your data, including your financial data and sensitive medical data, is stored in one place then ensuring the security of the platform on which the data is stored will obviously be paramount. This concern is not insurmountable if appropriate encryption is in place; however, it is key for consumer confidence that data security is demonstrably robust. There is also an interesting question of liability if a data security breach occurs.
The major barrier to the uptake of personal data stores is lack of critical mass. To work effectively, personal data stores need to have an ecosystem of organisations and individuals using the same platform. In order to be attractive to businesses, personal data stores need to have sufficient users to make it worthwhile investing in interfaces and technology to enable extraction of data from the stores. To date, none of the personal data stores on offer have been able to attract users in sufficient numbers to make them sufficiently attractive for large numbers of businesses and other organisations to start using them to obtain data.
On the other hand, from the individual's perspective, if a personal data store platform only offers limited functionality and interfaces it does not become a 'one stop shop' for data management so its usefulness is diminished. Lack of uptake on both sides becomes a vicious circle.
So, what can be done to incentivise businesses and individuals to move to a personal data store platform?
For individuals, ease of use is key but so too is control over use of data. Many of the personal data stores on offer allow individuals to centralise storage of their information, which makes accessing and sharing data easier but they do not truly give individuals control over how their data is used once it has been shared. Often once organisations have obtained access to data via a personal data store they will continue to use it in the same way as if they had gathered it through their own online form or via a call centre. In this scenario the personal data store merely becomes another conduit for gathering information with no real control exercised by the individual.
In order to properly give individuals control over use of their data it is necessary to place legal limitations on how organisations can use data obtained from a personal data store. The difficult question is how this can be achieved using existing legal structures.
Under the General Data Protection Regulation (as with the current regime under the Data Protection Directive) organisations must have a legal basis to make their data processing activities lawful. Consent is one legal basis which could be used to limit the way in which organisations may use personal data. If an individual offers access to data only on the basis of consent, conditions can be placed on that consent. For example, consent could be provided only to use of data for a one-off activity (such as entry into a competition) or for a limited period. This works well when organisations do not require data in order to provide a product or service. However, if ongoing use of data is paramount to enable delivery of a service then organisations will be unlikely to be willing to rely on consent as the legal basis for processing.
In addition, from a regulatory perspective there is nothing to stop an organisation from informing individuals that they wish to access data not on the basis of consent but for their own legitimate interests. In these circumstances, provided that organisations are transparent about their data use and there is a genuine legitimate interest that is not outweighed by the privacy interests of the individual, there is no legal requirement for consent. It will then be up to the individual to consider whether they are willing to allow access to data via their personal data store on this basis. In reality, if an individual wishes to use the relevant provider it is likely that they will have little choice but to agree to the terms offered by the provider. In effect, individuals will have no more control over use of their data than they do now.
There are two potential solutions to this conundrum. The first would require a change to the way in which data is treated from a legal perspective. The second requires personal data store providers to place contractual limitations on the way in which businesses are permitted to access and use data via the platform.
Under English law, data is not classified as property. There are no inherent rights in data and therefore no way in which use of data can be licensed in the same way as software, logos or written materials that are protected by copyright, trade mark rights and other intellectual property rights. If this position was changed, such that personal data was deemed to be the property of the relevant individual, then use of such data could be limited via a licence granted by individuals to organisations wishing to use that data. Any breach of such licence terms would enable individuals to take legal action against the relevant organisation.
This is an interesting proposition. However, it seems unlikely that there will be any imminent shift in the legal treatment of data. We therefore need to consider how existing legal structures could be used to achieve the same result.
Personal data store providers control the infrastructure used by individuals to store their data and by organisations to access that data. Providers therefore have contractual relationships both with the individuals using the service to store and manage their data and with organisations wishing to interface with the platform to obtain access to data.
Providers therefore have an opportunity to place restrictions on the way in which organisations are permitted to use data obtained via personal data stores as a condition of use of the platform. This could include requirements to offer easy to use controls to individuals over how their data will be used (for example preference centres where individuals can control who can use data for marketing and time periods for which use of data is permitted) and prohibitions on imposing wide use of data requirements on individuals as a condition of receiving a service.
If such controls were mandatory, use of the personal data store is likely to become a much more compelling offering for the individual. This should assist with increasing the volumes of individuals using personal data stores, in turn attracting organisations to use the platform.
In order to work, organisations will obviously need to be willing to sign up to such controls. This will require a significant shift from the culture that is pervasive in many organisations, which sees obtaining more and more data on an indefinite basis as the best way to gain customer insight and obtain a competitive advantage. Personal data store providers will need to have a compelling offering, which enables real insight for businesses, with rich datasets and accurate information available easily and instantly. If such data is on offer, then organisations should soon see the benefits of having 'on tap' information available under stricter controls over its use.
The ecosystem necessary to make personal data stores convenient for individuals and attractive to businesses is complex. In order to attract individuals to use personal data stores, providers need to offer not only a means of managing data but an effective way to control use of data. It is possible to do this via contractual restrictions placed on organisations wishing to interface with the personal data store platform. Both personal data store providers and businesses will need to take a leap of faith to change the way in which data is controlled in order to make it work.
First published by Privacy Laws & Business in September 2017. This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2017. Specific advice should be sought for specific cases.