A little-noticed section of the recent EU General Data Privacy Regulation (GDPR) has the potential to fundamentally alter the underlying economics of the Internet.
Buried under the frantic scramble for compliance, few organizations have spent much time thinking about the full impact of Article 20 that outlines the new requirements for personal data portability.
Is this a fundamental change to the data industry?
Europeans now have the right to:
“… receive the personal data concerning him or her… in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance …”
This clause was explicitly included to increase competition in the data marketplace, combatting the “natural monopolies” based on information. (Other EU policies along the same lines have included forcing mobile phone companies to allow reuse of existing phone numbers when changing provider, etc.).
An EU white paper discussing the article makes it clear that it must be easy to obtain and transfer data to a competing service:
“For example, a data subject might be interested in retrieving his current playlist (or a history of listened tracks) from a music streaming service, to find out how many times he listened to specific tracks, or to check which music he wants to purchase or listen to on another platform. Similarly, he may also want to retrieve his contact list from his webmail application, for example, to build a wedding list, or get information about purchases using different loyalty cards, or to assess his or her carbon footprint.”
This also applies to things like your social networks.
The practical result of these rules is that ownership transfers from those who gather personal information to those who generated it: in effect, I now own my data for the first time.
An an individual, I can demand to receive my personal data from a supplier, and I can demand that the supplier then deletes all the personal information they have on me (subject to legal constraints – e.g., companies have a right to keep prior billing information, since it’s a statutory part of the accounting record). This is far from being an agreed-upon full “legal ownership right” to the information, but (as the famous saying goes), possession is nine-tenths of the law.
As any economist can tell you, ownership rights have a profound impact on how markets are structured. So this might just be the start of a truly fundamental change to the entire industry.
What are some of the consequences?
What can you do today if you have an awful customer experience with a company? You can complain directly to the company or to the world in general on social media. But you now have another potent weapon: you can demand that the company gives you all your personal data and then exercise your “right to be forgotten.” Given the complex nature of computer systems in most organizations, this is currently likely to be a very manual and expensive process for the companies involved. And the threat has real teeth. If they slip up, the potential fines are enormous.
2. Social justice
This is revenge multiplied by social activism. There have been many calls in the past to boycott stores or companies for their perceived abuses. Imagine a coordinated tidal wave of data portability and deletion requests. Today’s small data compliance teams would be completely overwhelmed.
What’s in it for me?
Let’s say you’ve been a loyal customer of a supermarket chain for many years and have been using their loyalty card. You could now go to them and say “Hey, I was thinking about forcing you to delete all that information – unless you’d like to give me a discount?” In other words, your new “ownership right” can now be monetized in new ways. And in fact, the new California e-privacy law, due to come into force in 2020, makes this explicit. It includes:
“a ‘do not sell my personal information’ option on public-facing interfaces and websites that collect personal information. Companies must take measures to not discriminate against users who opt out, but at the same time they can offer price incentives to those who choose to opt in.” [my emphasis]
Come try our service. Individuals are unlikely to find the motivation to ask for discounts themselves, but competing supermarket chains might well decide to help things along. For example, a new entrant into the market might decide to execute a campaign along the lines of “download your data, give it to us, and we’ll give you a discount!”
We’ll sell your data for you. The next step is inevitably brokers that sell your data rights on your behalf, helping you pool your information across all retail outlets, say, then providing it to the people that provide the best return.
What happens next?
The market for information is unlikely to change overnight, but the industry is waking up to the possible consequences. You should be proactive in figuring out what these changes mean to your organization and industry.
Introduce automated data-portability platforms. At a minimum, organizations should put in place automated systems to let customers download their data and exercise their right to be forgotten. Business cloud platforms are a great way to gather up the required information from multiple systems and provide it in a governed way.
Think about how you can gather and leverage information in new ways. Use techniques like design thinking to figure out how you might be able to benefit from data portability in your industry.
- Legal study on ownership and access to data
- What if people were paid for their data?
- Cartoon: Data Mine