WEF IT UnlockingValueData BalancingGrowthProtection SessionSummary
World Economic Forum 2012 - All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system. The views expressed are those of certain participants in the discussion and do not necessarily reflect the views of all participants or of the World Economic Forum.
Summary
Personal data can drive innovation, investment and sustainable economic growth, and greatly improve social welfare. There is a risk, however, that this value will not be realized given concerns about security, privacy, control and trust.
The World Economic Forum convened a half-day workshop as part of the ongoing Rethinking Personal Data project (www.weforum.org/personaldata). More than 70 participants from different stakeholder communities, including government, industry, academia, think tanks and civil society, took part in the workshop. Participants came from multiple countries across Europe, the US and the Middle East. Government representatives included European parliamentarians, the European Commission, data protection regulators, EU member states and more. There were also representatives from a wide range of industries, including healthcare, financial services, logistics, automotive, IT and telecommunications.

Some of the high-level messages that emerged from the day included:

- There is a need to ensure that rules governing personal data flow are flexible enough to enable new business models, accommodate technology evolution, enable user trust and meet the requirements for user transparency
- There was an acknowledgement that the basic data protection principles are not flawed and are still applicable in many ways. However, the challenge is that they do not work in today's world; they are not being effectively implemented. In particular, notice and consent was highlighted as not delivering real effective choice to individuals to ensure permissioned, trusted flow of data
- There was broad agreement on the need to refresh and update existing privacy principles given the significant shifts in technology and the way data is collected and used; it has been decades since the original Fair Information Practice Principles (FIPPs) were written
- Within the existing principles, the focus should be on five principles grouped in two areas
  - The openness and individual participation principles are key, but need to be refined and strengthened; it may be possible to interpret other principles through these
  - The principles concerning collection limitation, purpose specification and use limitation need to be redefined given they are based on the old approach of data having a single purpose
- Individuals are now both producers of data as well as consumers; the old, somewhat paternalist, approach of viewing the individual exclusively as the data subject and the organization as the data controller is no longer valid
- Use of codes of conduct could help enable flexibility in the regulatory framework, and could serve as a potential mechanism for a globally interoperable policy framework
- There was agreement on the importance of gathering better evidence on how personal data is used to create and at times destroy value; several ideas on what should be measured and how to measure it were discussed
- Participants highlighted the importance of considering different applications of personal data across different sectors; deeper and more transparent knowledge exchange about the manner in which data flows through the ecosystem could lead to better decision-making by all stakeholders
Participants discuss how to strike the balance between growth and protection over lunch
Alexander Alvaro, Vice-President of the European Parliament, discusses the EU Data Protection Regulation
- The challenge is to ensure that organizations that can create dramatic social benefits (e.g. in healthcare) by using data for secondary purposes other than the original purpose of collection are able to do so
- The challenge is to find ways to do data collection without creating bureaucracy and without turning consumers into liars (e.g. asking consumers to say they have read and understood T&Cs)
- Very different views were expressed on whether regulatory attempts to protect individuals would help facilitate or restrict the flow of data; resolving this challenge is key to unlocking the value of data
William Hoffman, World Economic Forum, outlines the three key questions for discussion
Role of trust
- Trust is something that regulation itself will not achieve; it comes in part from effective enforcement of rules that are appropriate to different contexts
- The possible role for co-regulation with effective enforcement was suggested as a good way to build trust; this would be one way to take into account the context and complexity of the challenge but still build trust
- Key to building trust is to acknowledge that most personal data has multiple rights holders. While some data is "owned" by the individual, most data has lots of stakeholders who have rights to it, including individuals, the private sector and governments. By establishing joint rights and trading rules to exercise these rights, we can help build trust
- Ensuring effective security of data is key to building trust; government and the private sector need to work together
- It is also important to address trust between organizations (including companies and governments) when exchanging data and particularly to ensure data can cross borders effectively
- One way to build trust is through the use of safe harbour provisions that allow field trials with hundreds, thousands of people, and work out what works and what doesn't through experiment
Figure 1: The OECD Privacy Principles grouped according to the three key areas for dialogue provided a framework for discussion
With broad recognition that a move away from the traditional notice and consent models was needed, participants suggested individuals simply do not have agency over the secondary uses of personal data throughout the ecosystem. To address this lack of visibility on the relational aspects of data (What is its provenance? Who is it related to? What are the associated permissions for using it?), it was noted that a broader use of metadata may serve as a technological means to address this current deficiency. Additional ideas in this area of discussion included grouping the principles of collection limitation, purpose specification and use limitation, together under a cluster of Processing Principles. This grouping could be aimed at maintaining the contextual integrity in the use of data as it flows through the value chain.
One of the key points of discussion was around how to deal with different types of data: the principles predominantly apply to data that is actively collected. How do we deal with data that is passively collected or observed? With inferred data created by proprietary algorithms?

Consistent with discussions held in other regions of the world, there was also recognition of a class of use cases aimed at serving the larger public good. This issue continually arises as a key uncertainty requiring additional discussion. The challenge lies in how to achieve a balance between engaging individuals and establishing a sufficiently large pool of anonymous data for analysis that would avoid a tragedy of the data commons. One of the consistent points of discussion was that models built on leveraging anonymous data to create this data commons were highly problematic. While conceptually there is a need for a rich data commons, the design and implementation of this concept requires a great deal more debate and discussion.

Anonymous data and its increasing ability to be de-anonymized were also topics receiving much attention. Because of the de-anonymization risk, approaches which considered virtually all data types to be linked to an individual would lead to significant reductions in value creation. Instead, a focus on ensuring de-anonymization did not take place through both technological and policy approaches was seen as being more appropriate and sustainable. The point was made that the continual advances in technology to re-identify data (and the incentives of multiple actors in the ecosystem to do so) should not be underestimated. A combination of technical innovations (more robust permissions via metadata), legal innovations (adoption of legally binding system rules with strict non-compliance penalties) and improved data literacy by individuals so they could make effective choices were factors that all needed to be more fully developed.

In addition, participants emphasized the importance of strengthening accountability and enforcement. This is perhaps one of the critical areas needed to ensure a balanced ecosystem. While the principle as it stands is fine, there needs to be further work on how to make this a reality. The need to more fully explore co-regulatory approaches utilizing binding corporate rules (BCRs), which are currently used for international transfers, was seen as a means for developing a more flexible, contextually relevant and efficient approach for implementing the principles.
Figure 2: The positive feedback loop from gathering better evidence on how personal data is used
Figure 3: Framework for capturing use cases for how personal data creates or destroys value
Workshop Participants
| Name | Title | Organization | Country |
|---|---|---|---|
| John Jolliffe | Senior Manager | Adobe Systems | France |
| Gerald Deck | Director and Lead Counsel, Europe Middle-East and Africa | Akamai Technologies | Germany |
| Jasper Meyers | Senior Corporate Counsel | Alcatel-Lucent | The Netherlands |
| Dirk Linnenbruegger | Executive Vice-President, IT Strategy & Enterprise Architecture | Allianz SE | Germany |
| Karim A. Lesina | Executive Director, EMEA Government Affairs | AT&T | Belgium |
| Stefan Scholer | Head of Strategic Corporate Planning | AUDI AG | Germany |
| Kostas Rossoglou | Senior Legal Officer | BEUC, The European Consumer Organisation | Belgium |
| Ian Emond | European Affairs Policy Officer | British Airways | Belgium |
| Tilmann Kupfer | Vice-President, Trade and International Affairs | BT Group Plc | Belgium |
| Cecile Plaidy | Lawyer | BT Group Plc | Belgium |
| Bjarne Rasmussen | Vice-President | CA Technologies | Switzerland |
| Richard Thomas | Adviser, Global Strategy | Centre for Information Policy Leadership | United Kingdom |
| Leszek Izdebski | Managing Director, IBSG | Cisco | USA |
| Willem Debeuckelaere | President | Commission for the Protection of Privacy | Belgium |
| Jean-Philippe Moiny | Research Fellow | Council of Europe | Belgium |
| Alan Mitchell | Strategy Manager | Ctrl-Shift | United Kingdom |
| Alexandra Krenzler | Senior Manager, European Affairs | Deutsche Telekom | Germany |
| Jacques Bus | Secretary General | Digital Enlightenment Forum | Belgium |
| Cameron Craig | Partner | DLA Piper UK LLP | United Kingdom |
| Marie-Hélène Boulanger | Head of Unit, Data Protection | European Commission, DG Justice | Belgium |
| Nicole Dewandre | Advisor to the Director-General | European Commission, DG Connect | Belgium |
| Rosa Barcelo | Policy Coordinator - Data Protection | European Commission, DG Connect | Belgium |
| Achim Klabunde | Head of Sector IT Policy | European Data Protection Supervisor | Belgium |
| Anne-Christine Lacoste | Head, International Cooperation and Legislative Policy | European Data Protection Supervisor | Belgium |
| Sean Kelly | Member of the European Parliament | European Parliament | Belgium |
| Alexander Alvaro | Member of the European Parliament | European Parliament | Belgium |
| Erika Mann | Director, European Affairs | Facebook | Belgium |
| Nicolas de Cordes | Vice-President, Marketing Vision | France Telecom | France |
| Titus Goll | Consultant Public Affairs | German Dialogue Marketing Association (DDV) | Germany |
| Marisa Jimenez | Senior Counsel, European Privacy Policy | Google | Belgium |
| Pat Walshe | Director Privacy | GSM Association | United Kingdom |
| Reehan Sheikh | Senior Information Officer | Health Authority of Abu Dhabi (HAAD) | United Arab Emirates |
| Daniel Pradelles | Privacy Officer, Europe Middle East and Africa | HP | France |
| John H. Clippinger | Chief Executive Officer | ID3, MIT | USA |
| Ira Rubinstein | Senior Research Fellow, Adjunct Professor | Information Law Institute, NYU School of Law | USA |
| Ken Anderson | | Intel | USA |
| Geoffrey A. Manne | Lecturer in Law | International Center for Law & Economics, Lewis & Clark School | USA |
| John Grumitt | Vice-President | International Diabetes Federation | United Kingdom |
| Frédéric Donck | Director, European Regional Bureau | Internet Society | Belgium |
| Robin Wilton | Technical Outreach Director - Identity and Privacy | Internet Society | United Kingdom |
| Jamie Ferguson | Vice-President, Health IT; Fellow, Institute for Health Policy | Kaiser Permanente | USA |
| David Jacoby | Senior Security Researcher | Kaspersky | Sweden |
| Chris Hutchins | Vice President of European Affairs | Liberty Global | Belgium |
| Simon G. Davies | Information Systems and Innovation Group, Department of Management | London School of Economics | United Kingdom |
| Marc Davis | Partner Architect, Microsoft Online Services Division | Microsoft Corporation | USA |
| Jean Gonié | Director, Privacy | Microsoft Corporation | Belgium |
| John Bowman | Head of EU and International Data Protection Policy | Ministry of Justice of the United Kingdom | United Kingdom |
| Alex Fowler | Global Privacy and Public Policy Leader | Mozilla | USA |
| William Heath | Co-Founder | Mydex CIC | United Kingdom |
| Daniela Fabian Masoch | Global Head, Data Privacy | Novartis International AG | Switzerland |
| Timothy Edgar | Senior Legal Advisor | Office of the Director of National Intelligence | USA |
| Brendan Van Alsenoy | Directorate for Science, Technology and Industry; Information and Communications Policy | Organisation for Economic Co-operation and Development (OECD) | France |
| Kaliya Hamlin | Executive Director | Personal Data Ecosystem Consortium | USA |
| Alin Stanescu | Senior Public Policy Strategist, Government Affairs Europe | Qualcomm | Belgium |
| Cynthia O'Donoghue | Partner | Reed Smith LLP | United Kingdom |
| Christopher Mikkelsen | Co-founder | Refugees United | Denmark |
| Aurélia Debru | European Affairs Officer | Renault Nissan Alliance | Belgium |
| Chris Sundermeier | General Counsel, Chief Privacy Officer | Reputation.com, Inc. | USA |
| Simon Torrance | Chief Executive Officer, Telco 2.0 Initiative | STL Partners | United Kingdom |
| Luk Vervenne | Chief Executive Officer | Synergetics nv, TAS3 | Belgium |
| Berin Szoka | President | Tech Freedom | USA |
| David Dean | Senior Partner and Managing Director | The Boston Consulting Group | Germany |
| Kenneth Neil Cukier | Data Editor | The Economist | United Kingdom |
| Penelope Naas | Vice-President Public Affairs | UPS | |
| Scott L. David | Executive Director, Law School | University of Washington | |
| Rob Conway | Chief International Affairs Officer | VimpelCom Ltd | |
| Russell Schrader | Associate General Counsel and Chief Privacy Officer | Visa | |
| Antonella Galetta | PhD Researcher | Vrije Universiteit Brussel - LSTS | |
Contact
Sincere thanks are extended to the industry experts who contributed their unique insights to this workshop. We are also grateful for the commitment and support of The Boston Consulting Group (BCG) in their capacity as project adviser.

Visit www.weforum.org/personaldata

Contact:

William Hoffman
Associate Director
Information Communication and Technology Industries
Tel.: +1 212 703 2332
E-mail: william.hoffman@weforum.org

Carl Kalapesi
Project Manager (BCG Secondee)
Information Communication and Technology Industries
Tel.: +1 917 392 0789
E-mail: carl.kalapesi@weforum.org
The World Economic Forum is an independent international organization committed to improving the state of the world by engaging business, political, academic and other leaders of society to shape global, regional and industry agendas. Incorporated as a not-for-profit foundation in 1971 and headquartered in Geneva, Switzerland, the Forum is tied to no political, partisan or national interests.
World Economic Forum 91-93 route de la Capite CH-1223 Cologny/Geneva Switzerland Tel.: +41 (0) 22 869 1212 Fax: +41 (0) 22 786 2744 contact@weforum.org www.weforum.org