Privacy and data protection on the Internet has always been a sensitive topic and one of the main barriers against the extensive adoption and use of Internet services. During the last couple of years, there have been heated debates regarding the need to protect citizens’ personal data online, as a result of the emergence of the General Data Protection Regulation (GDPR) in the European Union (EU). At the same time, the world has witnessed major privacy-leak incidents, which demonstrated the data protection limitations of major online platforms such as Facebook, Yahoo, and Instagram. The recent leak of nearly 87 million Facebook users’ data as part of the Cambridge Analytica case is only the tip of the iceberg, as it adds to a number of similar incidents that have occurred during the last decade. For example, personal information of 57 million Uber users and of 600,000 drivers was accidentally exposed in late 2016, while unauthorized access to “high-profile” Instagram user accounts took place in 2017. Back in 2010, it was found that several Facebook apps were transmitting user identifiers. Moreover, in 2013 a large-scale data breach of Yahoo’s infrastructure occurred, which affected 3 billion user accounts. Despite their adverse effects, these incidents have raised awareness of the privacy risks associated with users’ data on the Internet. In this context, individual users and our society as a whole are deeply concerned about the privacy implications of Internet services.
Decentralizing Data Ownership and Control
Most of the privacy and data protection vulnerabilities of online services stem from their centralized model for data collection, storage, and processing. This centralized model makes it extremely difficult for individuals to ensure that their sensitive data (e.g., location, purchase behavior, interactions in social media, browsing history) are used solely for the purposes for which they were originally provided. In the centralized approach, end-users are forced to entrust their data to a third party, which has the power to abuse the data or even share it with other parties.
A decentralized approach to personal data management is therefore proposed as a remedy to the challenges listed above. The decentralized approach does not rely on a single party for data collection and processing, but rather provides end-users with fine-grained control over their personal data. Decentralized approaches also enable new models of trust, governance and data management, which make users active participants in the collection, processing, and use of their data in various applications. In the scope of a decentralized approach to data management, sensitive data remains under the control of the user, who decides when and with whom to share his/her data.
The implementation of the decentralized approach to personal data management is not a purely theoretical concept. We are already witnessing practical implementations which are propelled by the rise of distributed ledger (i.e. blockchain) infrastructures. Distributed ledgers place data under the control of the peer nodes of the blockchain network rather than aggregating and processing data centrally. As a prominent example, Dock.io is providing one of the world’s first decentralized social networks, which aims at alleviating the proclaimed privacy vulnerabilities of mainstream social networks. As another example, the Enigma project provides scalable privacy mechanisms over any blockchain infrastructure. Enigma promotes a unique and disruptive approach to data processing, which employs advanced mathematics in order to allow execution of queries over encrypted data without ever decrypting it. In this way, it guarantees privacy and data protection at all times, in addition to ensuring decentralized data ownership and control.
The Rise of the Personal Data Market
The decentralization of data ownership and control is also an enabler for entirely new business models, which rely on end-users’ participation in the data management process. In particular, each user can be incentivized to approve access to his/her data, which is the foundation for a personal data market. Interested stakeholders can then ask for permission to access an individual’s data. The process may involve granting monetary (or other) benefits to the end-user in order for him/her to allow access to his/her data. Moreover, end-users should be able to negotiate a third party’s access to their data, either by asking for higher rewards or by requesting a higher privacy or data protection level (e.g., use of a reduced dataset with less sensitive data).
The main characteristic of a personal data market is that it alleviates the “silo” nature of the personal datasets used in most current applications. Nowadays, personal datasets are provided by end-users for use within specific applications. It is neither technically easy nor legally permissible to reuse and repurpose personal datasets across different applications. The personal data market will alleviate this limitation, as data will always be accessed and shared following the end-users’ consent. Data processors will therefore be able to access and repurpose datasets according to the needs of different applications, provided that citizens give their consent.
Personal data markets could be the next evolutionary step towards a transparent and privacy-preserving use of sensitive data. However, they are currently at a research stage due to the existence of both technological and regulatory barriers. On the technology front, the advent of blockchains holds the promise to facilitate decentralized data management. Similarly, on the regulatory front, the advent of the GDPR provides a framework for regulating the operation of the personal data market. Note however that the human aspects of the personal data market should also be researched, including the impact of personal preferences and of the type of personal data that is accessed.
General Data Protection Regulation (GDPR)
GDPR is the European Union’s new data protection law. As already outlined, it can be the framework that will regulate the operation of the emerging personal data markets. It will take effect on May 25, 2018, i.e. later this month. GDPR is destined to replace the Data Protection Directive (“Directive”), which has been in effect since 1995. While it preserves many of the principles established in the previous “Directive”, it also gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle or analyze personal data. As such, it is more appropriate for supporting personal data markets. At the same time, it provides national regulators with the power to impose significant fines on organizations that breach the law.
Despite being an EU regulation, GDPR has received global attention. This is because it is considered a role model for dealing with privacy issues on a global scale. Therefore, it is expected that GDPR will be adopted in several other countries over time. Currently, it applies to organizations that collect and process data within the EU, as well as to the processing of personal data of individuals who reside in the EU by organizations established outside the EU.
GDPR, Cambridge Analytica, blockchains for data management and personal data markets are some of the concepts that will redefine the way personal data are handled on the Internet. In the next few years, we will witness radical changes in the collection, storage, and processing of personal data by established and emerging data providers. Recent announcements by Facebook on this front confirm the above statement. However, many more are yet to come.