Karl Steinacker explains that in a society of rapid technological change, personal data accounts should become the cornerstone of digital interactions, much like the personal bank accounts of today, which have transformed beyond recognition in the last 40 years. The key to change, he argues, is government legislation and, critically, civil society involvement.
As someone who has lived the transition from the analogue to the digital age, I remember money in paper bags, rental books, and discount stamp booklets. Hiding one’s savings under a mattress or in bed linen was common in a society in which – at least for the wage-earning and rent-paying segments of society – cash was the only thing that mattered.
Although cashless payment transactions have been the norm for most people for several decades, it is only recently that consumers in the European Union have gained the legal right to a basic bank account. Today’s bank accounts also offer customers confidentiality, and thus the right to regulate payment transactions and financial circumstances privately, without third parties spying. The fact that the tax office might have access is no contradiction, since there is also an obligation to pay taxes and to contribute to the maintenance and further development of the community.
Data collection about us is changing rapidly
Government legislation is trying to keep pace with increasingly rapid technological development. Since 2018, thanks to the General Data Protection Regulation (GDPR) of the European Union, each citizen should have sovereignty over his or her sensitive data. But where did the need for such a law arise, and does it work?
By way of explanation, a quick story: I travel a lot. I lived abroad for many years. My typewriter was stolen in East Africa in 1989. It went without a trace or a shred of evidence connecting it to me. Now consider today: I have several digital identities and have left digital traces on four continents, plus the cyber world. Since I don’t keep a diary, Facebook helps me: every log-in (I have been a customer since 2009) is meticulously listed, no matter whether I log in from Western Europe or East Africa. Thanks to the GDPR, Facebook must share this comprehensive logbook, so I know which data Facebook has collected about me. But, and it is a big but, this doesn’t give me any sovereignty over that data.
Thinking ahead, one day my self-driving electric car will whir through the streets of tomorrow and leave data at each sensor it passes. Twin questions arise: who stores that data, and who has access to it? The questions don’t end there; in fact, those are just for starters. Consider:
The need for digital identities
By now it should be clear that the data sovereignty of the individual will only work if there are appropriate infrastructures, legal regulations and profitable business models.
First of all, there is a need to define “digital identities”. Some questions suggest what they might be. For example, who can and should know who is behind an IP address, and who owns the data of a smart electricity meter that buys and sells electricity? Is it possible to make anonymous purchases on the Internet, replicating cash transactions on the high street and at vending machines? Clear names make sense for online tax returns and other interfaces between citizens and administration. But beyond that, is it just the government-certified identity of my ID card, or do we accept that the big tech companies set up parallel worlds of crypto identities and currencies on their platforms?
It is normal to set up and use accounts that banks operate for us. Modern consumer societies would be unthinkable without the integration of millions of workers and consumers into cashless payment systems. Global trade too. Banks are regulated by the State.
Consumer protection is part of any government’s agenda. This is a well-established system that we take for granted.
In the digital society, where everyone leaves digital traces everywhere and constantly, intentionally and unintentionally, a comparable system is lacking. It is therefore necessary to rethink data protection and trust, individual responsibility and State protection, and the associated business models in a new and, above all, practical way.
An EU regulation (eIDAS), largely unknown to the public, paves the way for private electronic trust services, and a transnational research project (www.LIGHTest.eu) is working on the necessary digital infrastructure. Start-ups and IT companies are proposing a new technology for this purpose: Blockchain. But technological and technocratic solutions alone will not suffice; we need a broad discussion in our societies. At the same time, quick and bold decision making is called for. Otherwise, a few companies will once again roll out technologies in a regulatory void and, once again, try to impose a fait accompli on our societies.
Personal data account
The concept of a personal data account is the cornerstone of effective data sovereignty, for the simple reason that I can only control what is with me. This applies not only to my money but also to my personal data. My data account is the place where my patient file belongs – and only there. Data retention? Yes – if the storage takes place in my data account!
Politicians everywhere need to realise that access to the mobile Internet is a basic need, comparable to access to bank accounts. But really, this is yesterday’s talk. Today, our societies need to create sufficient and inexpensive storage space on a massive scale, so that data accounts can be set up for everyone. The digital infrastructure for effective cloud computing should, like the provision of electricity and water, roads and public transport, be regarded as a public utility.
The task is gigantic, but not illusory: new laws and regulations must be drawn up. We need institutions that represent the interests of citizens in the digital space, while private providers develop profitable business models for each of us to manage our digital privacy. Civil society groups, associations, academia, schools – everyone is called upon to participate in this key project for a democratic and digital society.
I have arrived at the end of my short journey through time. I confined myself to the era of cash payments and typewriters. I could have looked further back, to Mesopotamia before our era, for example. There, according to the ethnologist David Graeber, the account was invented in temples before money itself was invented. I cannot judge whether this is the historical truth, but I am convinced that the concept of the account will still be needed for a long time to come: only data accounts for everyone’s personal data can bring practical meaning to the concept of data sovereignty.
As inboxes full of updated privacy notice emails can attest, the General Data Protection Regulation (GDPR) is here. The GDPR is the EU’s regulation on data protection, which came into force on May 25th and grants individuals greater knowledge of and control over their personal data. As a regulation, it is a binding legislative act, not just a directive, and is directly binding and applicable in EU member states.
Civil society organisations face unique, sometimes daunting challenges to implementing the GDPR. Some of these challenges are specific to the GDPR, but most relate more broadly to how we interact with technology and data as a sector. Facing each challenge thoughtfully will help us think more clearly about what we’re doing and how we can do things better in future, not just for the GDPR but for our constituents, too.
At its core, the GDPR means we can no longer gather personal data “just in case”, and that we must clearly articulate why we need to collect and store it. The Engine Room’s work focuses on supporting civil society to increase their impact through strategic, responsible use of data and technology. The attention on the GDPR has given us a lot of opportunities to continue developing and sharing these intentional approaches.
Treating GDPR compliance as a one-off endeavour is a potential pitfall for NGOs tackling implementation. As it stands, NGOs may already be pursuing technology and data projects in one-off bursts, without considering ongoing tool maintenance or how technology integrates into existing work. We’ve long advocated taking a more critical and strategic approach to implementing technology and data projects, and think that there is a lot to be gained from doing the same when it comes to the GDPR.
By taking the time now to build strong processes, we can support our organisations’ data governance well into the future. Creating processes – like guidance documents on regularly deleting data you don’t need (after considering its value carefully!) or steps for responding to a data breach – can be much more valuable than any one-off checklist. Thinking about compliance as an attitudinal shift, not a single-day project, is key.
Some organisations may see GDPR as an ‘operational’ issue that is peripheral to their overall mission and de-prioritise it as a result. There is a long history of operational issues receiving less attention and fewer resources within the sector. This happens both because organisations lack operations-focused staff with the necessary skills, and because funders are not always willing to provide core funding for organisational development.
When implementing the GDPR, it can be helpful to dedicate an internal point-person (or team) to managing the process of compliance. It might be useful to establish an explicit internal prioritisation of operational tasks, and have a conversation with funders about the necessity of this prioritisation. In our case, it meant creating internal educational documents and templates that would help the entire organisation understand the importance of the GDPR and how it will enhance our work going forward. No matter what, it means realising that strong operations, policies and practices are fundamental to building strong programmes and achieving our mission(s).
One of the great (but tricky) things about the GDPR is that it’s cross-organisational. It affects all data held – whether for finance purposes, communications or programmatic work – and it affects the activities of technology teams. That is to say, it’s complex.
But so are the challenges that civil society organisations tackle. We’re already mapping information flows, connecting disparate ideas and trying to increase collaboration, sometimes on a daily basis. These same tools are critical to continued adherence to the GDPR. At The Engine Room, we managed this kind of GDPR-specific collaboration by creating things like an audit document that outlines everywhere we hold personal data, how we collect it and who is involved. This required input from every corner of our organisation, and sparked conversations that are continuing today.
The GDPR also provides an opportunity to look outside our organisations to find new ideas and collaborators. There are many existing networks that bridge NGOs and technology, and the GDPR offers an opportunity to both grow these and create new ones. As one example close to us, the GDPR has popped up on the responsible data mailing list, a space where people share challenges and develop best practices to prioritise the rights of those reflected in the data we hold. It was also the topic of a community call, which highlighted both shared concerns and resources. The eCampaigning Forum (ECF), a network of practitioners using digital media for advocacy, also has a very active mailing list where the GDPR has been under detailed discussion.
Thinking about the GDPR is a valuable opportunity for many NGOs to consider our data in a more holistic way. By placing the GDPR within a larger context of building responsible data practices, we can increase the effectiveness of our projects and better serve our partners and the communities we work with and for. After all, it isn’t just about the GDPR itself, but about the ethical management of the data we hold.
To take this broader approach, it’s important to find communities that work in a similar area to yours and who also want to make their responsible data practices an ongoing project. For specifics, see a little bit of what we’re doing about implementation. Remember to document, document, document, as demonstrating an intent to prioritise the data rights of individuals will always be a good thing to have in your favour. Use the GDPR as an excuse to do a ‘spring clean’ and take stock of your work, but also make sure to think about how it interacts with your long-term processes.
The GDPR presents a challenge for many resource-strapped organisations, but it is one that we can all face together. With collaboration and coordination, we hope that its implementation will be a positive step for the sector’s long-term tech and data projects.