We need a Personal Information Bill of Rights

Prometheus Endeavor believes our current combination of practices, laws and accepted norms is out of balance. This is especially true when it comes to personal information: who knows what about us, collectively and individually, how that knowledge is used, how it affects us, and how we live our lives. This balance needs to be restored. We need a new Personal Information Bill of Rights.

A number of mitigating steps are under consideration; some have been enacted. Some big tech companies are taking a customer-oriented view. Apple asks for our trust and gives us the ability to limit use of our information by others who use their platform. Most others argue that the benefits outweigh the sacrifice of knowledge and control. In the EU, where Big Tech is not trusted, the law is “Opt-in” based; individuals must actively choose to give up knowledge. Not so much elsewhere.

A new Personal Information Bill of Rights

Just as the U.S. Bill of Rights doesn’t replace the U.S. Constitution, but identifies and clarifies individual rights, a Personal Information Bill of Rights (PIBoR) will give agency to all players. It will provide a framework to set enforceable guardrails.

A Personal Information Bill of Rights should be based on four simple principles:

1 — The individual owns their data and knowledge.

2 — The individual can license the use of that data and knowledge.

3 — The individual can know what data and knowledge is stored and maintained on a platform.

4 — The individual can have any shared data modified at their request.

1. The individual owns their data. — At the first point of data collection, the first human/platform interface, the individual owns any data associated with their interaction unless the individual opts in to a different arrangement. This would cover: 1) data about me, 2) data about my behavior on your site/system, 3) data not associated with your site/system. At this point, the platform will have severe restrictions on what value it can provide the individual due to the restrictions on data ownership. A platform could offer some value-added services in exchange for sharing the data.

Just as the U.S. Bill of Rights prevents government from taking property or forcing one to provide shelter and food to the military, PIBoR should allow participants to deny the use or presence of any and all cookies, bots, sniffers and remotely similar technologies at any time, entirely at the individual’s preference. This may, and often will, reduce or eliminate the ability to use a service, but that should be the right of the participant first, the provider second.

2. The Individual can license their data to the platform. — Since the individual owns the data, they can choose what data can be used or shared to whom and for what purpose. Wouldn’t it be nice to be able to say to Facebook that it is OK to share my personal information, but only with my friends, but not with their friends or your friends?

Sharing data with a provider yields value for them. The value that the individual receives from giving up the exclusive rights to their information is less clear. This would provide a clear communication of the exchange of value involved.

Today, platforms have the ability to change terms and conditions at will, and they do so frequently. These changes should give the individual the ability to continue the sharing, extend it, or restrict it.

The Starting Point: Consumers want to own their data and have the option to share.
Platforms want to own the data and provide the consumer the right to opt out of sharing.

3. The individual can know what information is stored and shared. — License agreements today can run into the tens of pages, loaded with legalese that few have ever read. Just as the Fair Credit Reporting Act required simple, clear terms for loans, the PIBoR also needs clear standards for individual licensing agreements as well as those between technology companies and application providers. In order to let an individual know what knowledge is being gathered, how it is used, and to whom it is brokered, the contracts have to clearly and reliably state that information.

PIBoR will have a system to evaluate provider-provider and participant-participant contractual adherence to PIBoR, and a participant-oriented “Consumer Reports-like” rating and review “agency.” The rating will be easily and publicly known. Although a provider can challenge the rating, it will still be published but noted as under challenge.

4. The individual can modify or delete the information. — A decision on the part of an individual to share data must be reversible. The information may be incorrect or damaging. The individual should have control. Providers and participants also will expect the ability to be deemed to be innocent of intentional harm until proven otherwise. As long as errors are rectified, and intent is not proven, providers should be free of liability.

Lastly, in the US Bill of Rights, there are other rights not expressly stated in the Bill of Rights and all rights not expressly given to the Federal government are reserved to the states. In the same manner, providers and consumers have rights beyond PIBoR, and PIBoR would reserve to the participant all rights not explicitly given to providers.

Where from here?

We can expect a great deal of discussion and not a little conflict over an individual’s ability to opt in and opt out. There will be concurrent conflict over who owns the data about an individual and what to do with the data already collected.

These interactions will play out differently in the EU, where the General Data Protection Regulation (GDPR) holds sway, than in the US, where it doesn’t; differently again in China, where their own path is being followed; and differently in the rest of Asia, in India and in the rest of the world. Diplomats and lawyers will be well employed.

The Ending Point: Both consumers and providers will find compromises and frustrations.

As so much of the economy is effectively global, stakeholders of all sorts, representing providers, individuals, regulators and more, will try to gain consensus and resolve their differences. Vendors, vendor verticals, governments, and consumer groups will align, reform, realign and, likely, occasionally cannibalize their associates. Stakeholders will try to influence legislative solutions to the participant/provider tensions, and a lot of time will be spent in courthouses.

All the above will occur, but in the end, individuals, as consumers, cannot be slaves to providers. At the same time, providers cannot be charities to consumers. The starting positions for consumers and providers above are each abhorrent to the other side. In a classic application of the Overton Window, we expect the consumers and providers, for the most part, to move toward the center, toward a place where both can have some cake and eat some as well; and that’s OK.

About The Prometheus Endeavor

Our mission is to apply our knowledge and management experience to further the IT and Digital Endeavors of society, its institutions, and businesses. The Prometheus Endeavor does not do consulting or represent vendors. For over 30 years, members have advised and managed some of the most successful deployments of IT.
