I did a little survey among relatives and friends to test their theories. My son told me it was a consequence of the recent Facebook–Cambridge Analytica data scandal. Some friends had no clue at all. As I myself was unsure if the messages required any action, I also asked if and how they were responding. Quite a few postponed reading their emails (“no time right now”), except for those where they needed to check a box to keep accessing a website or service. Many did nothing at all.
The more data savvy folks mentioned the General Data Protection Regulation (GDPR). This EU law, which came into effect on May 25th, requires all public and private institutions to improve the effectiveness of data protection, increase transparency on what they do with our data, and provide active choices for users about what data they want to share. Interestingly, the GDPR email messages were actually quite varied in nature. Some said, “We protect your private data, don’t worry” with lots of links to the company’s privacy policies – a 50+ page document that feels as attractive to read as the stipulations of my car insurance contract. Sometimes, there was a short summary that simply explained what the company had done, requiring no action from the user. A few companies, including Facebook and LinkedIn, offered an even more sophisticated menu of options that allows users to decide what they want to share before continuing. Very few of my colleagues (nor myself) have used this option. How can users be expected to understand all of this? Moreover, do I really have a choice if I want to keep using their service?
This is it.— European Commission ?? (@EU_Commission) May 24, 2018
Today, our EU #DataProtection rules enter into application, putting the Europeans back in control of their data.
Europe asserts its digital sovereignty and gets ready for the digital age.
Read our statement → https://t.co/P19IRPWfqv #GDPR pic.twitter.com/hwCKSj2TjE
While the GDPR seems like a necessary step in reclaiming our “agency” to manage privacy in a data 4.0 world, it is not sufficient. Over lunch, a colleague recently made a profound, disruptive and revolutionary proposal: What if the companies that hold the majority of our private data were to pay us for it?
At first this sounds a bit crazy and possibly unrealistic. After all, data companies are offering us free access to many tools and services, from online street maps to professional networks and dating apps. But as they say, there is no free lunch. Many people are starting to realise there exists a trade-off between our data and privacy and the “free” tools and services these websites and data companies provide. This is where discussions around paying users for their data have begun. Recently, one user in the UK even offered to sell his Facebook data on eBay. It’s true that there is an unlimited hunger for our data in view of the forthcoming AI revolution: to train robots and do machine learning, you need lots of data. Hence, the demand for our data will only continue to rise.
With the enactment of GDPR, we are now at a tipping point, and in some parts of the web, one model is already emerging. Look at YouTube. They pay vloggers for their uploaded videos through ad revenue, which has been a huge incentive in attracting more people to watch and contribute to the platform. Another model could involve the adoption of a “data tax”, which would charge companies that profit from user data. Certainly, if our data becomes a traded good with a real price, we will all finally make the effort to find out what happens to it, where it is stored, with whom it is shared, what gets re-sold, and where the mash-up and merging with other data takes place. Money will make us act and ensure that we finally take data privacy as seriously as we should. And companies will benefit, too, through better quality data that will instigate further innovation.
Regardless of the approach, the details of how we get financial compensation or other goodies beyond access to a free service must be worked out, as does the transition to a new model. More debate on this is needed, and the UN World Data Forum 2018 from 22-24 October in Dubai, will be an ideal forum to continue these discussions. I look forward to sharing my views on the right to privacy, data protection and transparency, and the overall business model and learning what others, such as the UN, World Bank and other partners, think of these ideas. While most of us have not yet taken any concrete actions following the GDPR, the genie is now out of the bottle. Data producers were forced to respond and adjust to the new legislation. Now it’s time for the data community to follow suit and determine how these changes will affect us as both organisations and individuals.
Johannes Jütting, Manager, Partnership in Statistics for Development in the 21st Century (PARIS21)