On 10th of July 2013 (4 PM Brussels time / CET), as part of the "Future Fridays" series of webinars on Futurium, Carolyn Nguyen (Microsoft, US) and Harald Zwingelberg (Independent Center for Privacy Protection, DE) shared their vision on the Future of Personal Data. The session was moderated by Jacques Bus (Digital Enlightenment Forum).
In the opening, Jacques Bus emphasised the trend towards a seamless integration of citizens' on- and offline lives and the resulting need to rethink the identity (autonomous self) of the individual in relation to the social onlife (on/offline life). A proper balance between the individual and the social is necessary to ensure a sustainable and innovative society.
The discussion on electronic privacy and identity started as early as the seventies of the 20th century, but is currently heating up in the political and technology domains. This webinar aims to present a framework for this discussion and will try to link questions to solutions based on interdisciplinary thinking (technical, legal, social, economic and political).
1. Carolyn Nguyen (Microsoft) presented joint work with Jacques Bus (Digital Enlightenment Forum) to give a new stimulus to the discussion on personal data ecosystems.
In the coming decade, the seamless integration of citizens’ on- and offline lives will become an increasingly important issue facing society. It will require that individuals be able to manage how information related to them is used, whether directly or through other means, in a way that meets with their preferences, contexts, and values, all within existing social and legal boundaries. To address these challenges, we need new thinking and new concepts to structure an interdisciplinary discussion (including science, technology, law, politics and business), and formulate approaches that ensure protection of personal data as well as innovation in service and policy development.
(This abstract is a shortened version of the vision on personal data ecosystems - please find the full vision here)
In this webinar, Carolyn and Jacques aimed to facilitate and further this discussion by presenting a possible framework that can be used to shape the dialogue, and select technological development and issues that should be taken into consideration. They proposed a terminology framework that incorporates critical aspects of this conversation, including personal data management, context, and trust. They also introduced a layered model to structure the dialogues on those elements that are required to build trust networks within an ecosystem to support context-aware personal data management. This is essential to the self-determination of individuals in the digital world, and the development of trustworthy user-centred data ecosystems that can enable this. It will also stimulate sustainable socio-economic innovation that will help countries to thrive in a data-driven era.
After the presentation, the discussion focused on how citizens could obtain real control over the management of their data. Current legislation does not address this notion. Building trust networks in sectors can help introduce context into data management and provide a certain level of control. Participants also asked whether data minimisation can realistically be implemented in practice, and what the consequences would be for service providers.
2. Harald Zwingelberg discussed the impacts of the draft eIDAS Regulation of the EC on some privacy preserving technologies in the field.
The draft eIDAS Regulation currently in discussion at the European Parliament will have a major impact on how trust and privacy can be preserved and managed in the future Internet and any related development in society.
European eID experts share the opinion that upcoming eID schemas and related legislation should support data minimisation by allowing attribute selection, and that pseudonymous or anonymous authentication should be possible and enforced on service providers where necessary (see SSEDIC eID Adoption Survey p. 32 et seq.). However, the current draft of the eIDAS Regulation does not foresee data minimisation, nor does it require foreign services to adhere to the principle of data minimisation even if the national eID of the customer supports such features. This should be changed so that further development in the area of eIDs is not hindered but rather encouraged, in the hope that future versions of eIDs may support privacy-enhancing solutions such as Privacy-ABCs (Attribute-based Credentials) or the already existing solution of the German national eID “neuer Personalausweis”, for example for simple age verification.
Further, the national authentication service, which is mandatory for all notified eID schemas, is likely to be able to profile the behaviour of users by learning which services outside their own Member State they have visited. For the authentication services, but also for any other involved entities, clear data protection rules including maximum retention periods for personal data are necessary, and need to be incorporated in the eIDAS Regulation. This presentation will provide some potential solutions as a basis for further discussion with the audience.
See also the ABC4Trust web-page dedicated to the eIDAS Regulation here.
The discussion on this presentation brought up a number of issues that would benefit from deeper discussion. The regulation aims to create interoperability between the eID systems of Member States for public services, with sufficient assurances of linking a set of attributes to a unique natural person. It does not exclude data minimisation and hopes to stimulate its use in the private sector. The discussion also allowed Andrea Servida from the EC, who is closely associated with the regulation proposal, to explain certain issues.
In the general discussion, Big Data and its consequences for privacy were brought up. The spirit of Big Data, based on “collecting first and finding out later what can be done with it”, seems in direct contradiction to the general OECD privacy principles on purpose binding and minimal data use. It was questioned what this means for the processing of Big Data and for privacy. Should we develop a new legal framework which would at least express some basic principles, taking into account ethical values and human rights? And/or should we work towards reformulating personal data protection regulation in terms of addressing proper data use rather than protecting categories of data?
It was concluded that important issues were addressed which should be worked out further into concrete policy suggestions.
An extensive follow-up will be given at the Digital Enlightenment Forum (DEF) 2013 (see www.digitalenlightenment.org), being held 18-20 Sep in Brussels. The last day will be a joint DEF-EC Futures Workshop on "The Future of Personal Data". Participants in this webinar are very welcome at the Forum.
Short biographies of the speakers:
Dr. M-H. Carolyn Nguyen is a Director in Microsoft’s Technology Policy Group, responsible for policy initiatives related to data governance and personal data management. Her work is focused on helping to shape relevant long term technology policies globally in these areas by engaging with stakeholders, and raising awareness of potentially disruptive impacts of emerging technologies, such as big data and the internet of things, on existing social, economic, and policy frameworks.
Participation in all webinars is free and open to all who are interested in the subject. The webinar took place entirely online in a virtual room.
Those who want to understand all technical nuts and bolts of participation in our webinars through the virtual room may read the webinar mini-manual, downloadable from here.