Unlocking the Economic Value of Personal Data Balancing Growth and Protection

Rethinking Personal Data Project, Workshop Summary, Brussels, 8 October 2012

October 2012

 World Economic Forum 2012 - All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system. The views expressed are those of certain participants in the discussion and do not necessarily reflect the views of all participants or of the World Economic Forum.

Summary
Personal data can drive innovation, investment and sustainable economic growth, and greatly improve social welfare. There is a risk, however, that this value will not be realized given concerns about security, privacy, control and trust.
The World Economic Forum convened a half-day workshop as part of the ongoing Rethinking Personal Data project (www.weforum.org/personaldata). More than 70 participants from different stakeholder communities, including government, industry, academia, think tanks and civil society, took part in the workshop. Participants came from multiple countries from across Europe, the US and the Middle East. Government representatives included European parliamentarians, the European Commission, data protection regulators, EU member states and more. There were also representatives from a wide range of industries, including healthcare, financial services, logistics, automotive, IT and telecommunications. Some of the high-level messages that emerged from the day included: There is a need to ensure that rules governing personal data flow are flexible enough to enable new business models, accommodate technology evolution, enable user trust and meet the requirements for user transparency There was an acknowledgement that the basic data protection principles are not flawed and are still applicable in many ways. However, the challenge is that they do not work in todays world; they are not being effectively implemented. In particular, notice and consent was highlighted as not delivering real effective choice to individuals to ensure permissioned, trusted flow of data There was broad agreement on the need to refresh and update existing privacy principles given the significant shifts in technology and the way data is collected and used; it has been decades since the original Fair Information Practice Principles (FIPPs) were written Within the existing principles, the focus should be on five principles grouped in two areas - The openness and individual participation principles are key, but need to be refined and strengthened; it may be possible to interpret other principles through these - The principles concerning collection limitation, purpose specification and use limitation need to be redefined given they are based on the old approach of data having a single purpose Individuals are now both producers of data as well as consumers; the old, somewhat paternalist, approach of viewing the individual exclusively as the data subject and the organization as the data controller is no longer valid Use of codes of conduct could help enable flexibility in the regulatory framework, and a potential mechanism for a globally interoperable policy framework There was agreement on the importance of gathering better evidence on how personal data is used to create and at times destroy value; several ideas on what should be measured and how to measure it were discussed Participants highlighted the importance of considering different applications of personal data across different sectors; deeper and more transparent knowledge exchange about the manner in which data flows through the ecosystem could lead to better decision-making by all stakeholders

Participants discuss how to strike the balance between growth and protection over lunch

Balancing Growth and Protection

Over lunch, participants discussed how to strike the balance between using personal data to create social and economic growth opportunities for all and the need to protect individuals.
The discussion was stimulated by three introductory comments from different stakeholder perspectives government, industry and civil society. From the government perspective the following issues were identified: A one-size fits all approach does not reflect the realities of how individuals use data It is important to reflect different sectoral uses of data, which is why case studies prepared for this event were so useful It is important for policy-makers to apply a reality check and to try to square the circle of not halting business use of data, but also protecting the citizen Definition of personal data should not cover all data about an individual as that would prevent lots of positive uses Consent should not always be explicit, but can often be implied as part of delivering the service Clarify liabilities between data controller and data processor as data moves Given the complexity, it is important not to rush the discussions on the EU data regulation From the perspective of industry, the following points were addressed: The massive increase in the amount of data generated, particularly from mobile (always connected real-time data) and social media, is a significant megatrend This creates potentially significant opportunities to create new value for individuals, companies and society, but also poses challenges to data privacy and protection Experts from academia and civil society noted: This is a very complex issue that requires a nuanced approach to resolve There is an emerging consensus that there should not be a rebalancing of rights these should remain absolute However, the process/governance requires improvement to ensure confidence of all stakeholders this needs to be open, transparent and clear.

Alexander Alvaro, Vice-President of the European Parliament, discusses the EU Data Protection Regulation

Challenges of privacy and protection

Privacy law was established with the assumption that the sharing of personal information was harmful - notice and consent is a reflection of this. For many new services (e.g. Twitter, Foursquare, Yelp and Facebook), the presumption is individuals want to share; the value comes from sharing Personal data lockers allow the individual to be both the data subject/creator and controller; organizations and laws need to reflect this shift Challenge of applying a nuanced social concept of privacy, which in the offline world is clearly contextual to the online world where context is more difficult to define

Challenge to ensure organizations that can create dramatic social benefits (e.g. in healthcare) by using data for secondary purposes other than the original purpose of collection are able to do so Challenge is to find ways to do data collection without creating bureaucracy and without turning consumers into liars (e.g. asking consumers to say they have read and understood T&Cs) Very different views were expressed on whether regulatory attempts to protect individuals would help facilitate or restrict the flow of data; resolving this challenge is key to unlocking value of data

Socioeconomic benefit of data flow

Participants highlighted some examples of how data is being used to create value: - Healthcare for research and better patient care to save thousands of lives - Automotive telematics/sensors in car to help authenticate owner to improve efficiency and reduce theft, reduce driver fatigue, prevent road accidents, improve fuel efficiency, etc. - E-commerce and logistics to deliver products efficiently and offer better service to customers Distinction was drawn between the free flow of data and free flow of knowledge. New approaches can create ways for organizations to access and use data to generate insight and knowledge without having to own or store data. This could be potentially facilitated by the individual having more control over use of data through opt-in However, many argued that while this new approach might work in some circumstances, it could also lead to a tragedy of the data commons where individuals will not opt-in because of transaction costs the time and effort required to understand and make this decision. A key question is how do we enable free flow of data in those circumstances where user control may not be effective or appropriate? Potential for a harm minimization approach where data could be used to create value without explicit consent unless there specific harm to an individual

William Hoffman, World Economic Forum, outlines the three key questions for discussion

Role of trust
Trust is something that regulation itself will not achieve; it comes in part from effective enforcement of rules that are appropriate to different contexts The possible role for co-regulation with effective enforcement was suggested as a good way to build trust; this would be one way to take into account context and complexity of the challenge but still build trust Key to building trust is to acknowledge that most personal data has multiple rights holders. While some data is "owned" by the individual, most data has lots of stakeholders who have rights to it including individuals, the private sector and governments. By establishing joint rights and trading rules to exercise these rights, we can help build trust Ensuring effective security of data is key to building trust; government and the private sector needed to work together It is also important to address trust between organizations (including companies and governments) when exchanging data and particularly to ensure data can cross borders effectively One way to build trust is through the use of safe harbour provisions that allow field trials with hundreds, thousands of people, and work out what works and what doesnt through experiment

Principles for Trusted Flow of Personal Data

Shared principles were seen as the anchor points for global governance and a way of strengthening accountability, predictability and trust.
Principles have been a core part of the governance of personal data, but the manner in which they are implemented needs to be updated to reflect how much the world has changed. Principles for personal data can be grouped into three areas protection and security, rights and responsibility for using data and accountability/enforcement. There was an acknowledgement that the basic data protection principles are not flawed and are still applicable in many ways. However, the challenge is that they do not work in todays world; they are not being effectively implemented. In particular, notice and consent was highlighted as not delivering real effective choice to individuals to ensure permissioned, trusted flow of data Participants were in general agreement on the need to revisit privacy principles given the significant shifts in personal communications technology, the adoption of cloud-based services, and the manner in which data is collected, stored and analysed. Since the privacy principles were written in the 1970s and 1980s, the value of connecting, sharing and analysing data has grown significantly. Within the existing principles, there are five which create the most tension in the ecosystem (specified in Figure 1). These are the ones participants felt should be clustered into two areas. The openness and individual participation principles were viewed as the primary two principles to revisit and reconceptualize given the increased role of individuals as both producers and consumers of data. With this structural change in data flows, the shift in control to the individual should be more thoroughly reviewed and understood. With a refresh on a more user-centric approach on control and openness, it was suggested that these models could then serve to inform new approaches to limits on collection, use specification and consent.

Figure 1: The OECD Privacy Principles grouped according to the three key areas for dialogue provided a framework for discussion

With broad recognition that a move away from the traditional notice and consent models was needed, participants suggested individuals simply do not have agency over the secondary uses of personal data throughout the ecosystem. To address this lack of visibility on the relational aspects of data (What is its provenance? Who is it related to? What are the associated permissions for using it?), it was noted that a broader use of metadata may serve as a technological means to address this current deficiency. Additional ideas in this area of discussion included grouping the principles of collection limitation, purpose specification and use limitation, together under a cluster of Processing Principles. This grouping could be aimed at maintaining the contextual integrity in the use of data as it flows through the value chain.

One of the key points of discussion was around how to deal with different types of data the principles predominantly apply to data that is actively collected. How do we deal with data that is passively collected or observed? With inferred data created by proprietary algorithms? Consistent with discussions held in other regions of the world, there was also recognition of a class of use cases aimed at serving the larger public good. This issue continually arises as a key uncertainty requiring additional discussion. The challenge lies in how to achieve a balance between the engagement of individuals yet establishing a sufficiently large pool of anonymous data for analysis that would avoid a tragedy of the data commons. One of the consistent points of discussion was that models built on leveraging anonymous data to create this data commons were highly problematic. While conceptually there is a need for a rich data commons, the design and implementation of this concept requires a great deal more debate and discussion. Anonymous data and its increasing ability to be deanonymized were also topics receiving much attention. Because of the de-anonymization risk, approaches which considered virtually all data types to be linked to an individual would lead to significant reductions in value creation. Instead, a focus on ensuring de-anonymization did not take place through both technological and policy approaches was seen as being more appropriate and sustainable. The point was made that the continual advances in technology to re-identify data (and the incentives of multiple actors in the ecosystem to do so) should not be underestimated. A combination of technical innovations (more robust permissions via

metadata), legal innovations (adoption of legally binding system rules with strict non-compliance penalties) and improved data literacy by individuals so they could make effective choices were factors that all needed to be more fully developed. In addition, participants emphasized the importance of strengthening accountability and enforcement. This is perhaps one of the critical areas needed to ensure a balanced ecosystem. While the principle as it stands is fine, there needs to be further work on how to make this a reality. The need to more fully explore co-regulatory approaches utilizing binding corporate rules (BCRs), which are currently used for international transfers, was seen as a means for developing a more flexible, contextually relevant and efficient approach for implementing the principles.

Participants discuss principles for personal data in breakout groups

The Need for Better Evidence

Overall, there was widespread agreement that a deeper, crosssectoral understanding of how data can used to either create or destroy value is needed in the marketplace.
With a deeper and more robust evidence base, a positive feedback loop could be established between individuals, civil society, governments and private sector stakeholders. Deeper and more transparent knowledge exchange about the manner in which data flows throughout the ecosystem, could lead to better decisionmaking by all stakeholders Participants highlighted some of the areas where evidence is being measured, including anecdotes and stories, some measures of individual behaviour (both actual measures and survey or polling measures), data access requests, data breaches and market value of companies collecting and using data. To help structure the conversation around what is already being measured in terms of case studies, the World Economic Forum presented a simple framework for discussion. At the workshop, participants shared 10 case studies on how personal data is being used to create (and in some cases destroy value), what the scale of the impact is and what issues or concerns such applications raised. By considering a range of applications, participants discussed how principles and rules needed to reflect the range of different contexts in which personal data is being used.

Figure 2: The positive feedback loop from gathering better evidence on how personal data is used

What is already being measured?

Overall, participants felt relatively limited evidence was being systematically captured on how personal data is being used to create value. There is also a perception that there is a bias towards things that are easy to measure and are easily seen.

Figure 3: Framework for capturing use cases for how personal data creates or destroys value

What should be measured?

There are a number of areas where suggestions were made on what should be better measured to increase understanding and ensure better decision-making by all stakeholders. Some of the main areas include: Benchmark status quo measurement where are we at the moment in terms of costs of current approaches to data protection which can then be used to monitor trajectory and direction of change Producer surplus and consumer surplus of different offerings (e.g. OBA) Social attitudes and consumer understanding Quality of service and user experience Regulatory compliance and cost/benefits Measurement of risk, harm and trust Contextual analysis of data data types, harms, value for diff industry sectors Marginal costs/benefits of opt-in vs opt-out

How should we measure in an adaptive, iterative way?

The possibility of creating a dynamic always on approach to measuring how data is being used was discussed. In effect, the view is that it would be helpful to start using big data to measure the impact of big data. In addition, a crowd-sourcing approach that involves individuals in the collection of data about how data is used and to enforce and monitor good and bad uses is seen as particularly effective. Lastly, participants discussed collaborative methodologies of capturing evidence, for example through trust frameworks.

Further Reading on Evidence and Principles

Barth-Jones, Daniel C., The 'Re-Identification' of Governor William Weld's Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now (June 4, 2012). Available at SSRN: http://ssrn.com/abstract=2076397 or http://dx.doi.org/10.2139/ssrn.2076397 Brynjolfsson, Erik, Hitt, Lorin M. and Kim, Heekyung Hellen, Strength in Numbers: How Does Data-Driven Decisionmaking Affect Firm Performance? (April 22, 2011). Available at SSRN: http://ssrn.com/abstract=1819486 or http://dx.doi.org/10.2139/ssrn.1819486 Halvorson, George, Goldsbrough, Peter, Kennedy, Simon, Kent, James, Close, Karalee and Becker, Daniel, The Digital Dimension of Healthcare, Report of the Digital Innovation in Healthcare Working Group 2012, Global Health Policy Summit. Available at http://www.globalhealthpolicyforum.org/docs/GHPS_Digital_Innovation_Report.pdf International Institute of Communications, Personal Data Management: The Users Perspective, Executive Summary. (October 9, 2012). Available at http://www.iicom.org/resources/open-access-resources/doc_details/226-personaldata-management-the-users-perspective Rubinstein, Ira, Big Data: The End of Privacy or a New Beginning? (October 5, 2012). Available at SSRN: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2157659 Tene, Omer and Polonetsky, Jules, Big Data for All: Privacy and User Control in the Age of Analytics (September 20, 2012). Northwestern Journal of Technology and Intellectual Property, Forthcoming. Available at SSRN: http://ssrn.com/abstract=2149364 World Economic Forum, Rethinking Personal Data: Strengthening Trust, (May 2012). http://www.weforum.org/personaldata

10

Workshop Participants
John Jolliffe Gerald Deck Jasper Meyers Dirk Linnenbruegger Karim A. Lesina Stefan Scholer Kostas Rossoglou Ian Emond Tilmann Kupfer Cecile Plaidy Bjarne Rasmussen Richard Thomas Leszek Izdebski Willem Debeuckelaere Jean-Philippe Moiny Alan Mitchell Alexandra Krenzler Jacques Bus Cameron Craig Marie-Hlne Boulanger Nicole Dewandre Rosa Barcelo Achim Klabunde Anne-Christine Lacoste Sean Kelly Alexander Alvaro Erika Mann Nicolas de Cordes Titus Goll Marisa Jimenez Pat Walshe Reehan Sheikh Daniel Pradelles John H. Clippinger Ira Rubinstein Senior Manager Director and Lead Counsel, Europe Middle-East and Africa Senior Corporate Counsel Executive Vice-President, IT Strategy & Enterprise Architecture Executive Director, EMEA Government Affairs Head of Strategic Corporate Planning Senior Legal Officer European Affairs Policy Officer Vice-President, Trade and International Affairs Lawyer Vice-President Adviser, Global Strategy Managing Director, IBSG President Research Fellow Strategy Manager Senior Manager, European Affairs Secretary General Partner Head of Unit, Data Protection Advisor to the Director-General Policy Coordinator - Data Protection Head of Sector IT Policy Head, International Cooperation and Legislative Policy Member of the European Parliament Member of the European Parliament Director, European Affairs Vice-President, Marketing Vision Consultant Public Affairs Senior Counsel, European Privacy Policy Director Privacy Senior Information Officer Privacy Officer, Europe Middle East and Africa Chief Executive Officer Senior Research Fellow, Adjunct Professor Adobe Systems Akamai Technologies Alcatel-Lucent Allianz SE AT&T AUDI AG BEUC, The European Consumer Organisation British Airways BT Group Plc BT Group Plc CA Technologies Centre for Information Policy Leadership Cisco Commission for the Protection of Privacy Council of Europe Ctrl-Shift Deutsche Telekom Digital Enlightenment Forum DLA Piper UK LLP European Commission, DG Justice European Commission, DG Connect European Commission, DG Connect European Data Protection Supervisor European Data Protection Supervisor European Parliament European Parliament Facebook France Telecom German Dialogue Marketing Association (DDV) Google GSM Association Health Authority of Abu Dhabi (HAAD) HP ID3, MIT Information Law Institute, NYU School of Law France Germany The Netherlands Germany Belgium Germany Belgium Belgium Belgium Belgium Switzerland United Kingdom USA Belgium Belgium United Kingdom Germany Belgium United Kingdom Belgium Belgium Belgium Belgium Belgium Belgium Belgium Belgium France Germany Belgium United Kingdom United Arab Emirates France USA USA

11

Ken Anderson

Senior Research Scientist, Vibrant Data Portfolio Manager Intel Labs

Intel

USA

Geoffrey A. Manne John Grumitt Frdric Donck Robin Wilton Jamie Ferguson David Jacoby Chris Hutchins Simon G. Davies Marc Davis Jean Goni John Bowman Alex Fowler William Heath Daniela Fabian Masoch Timothy Edgar Brendan Van Alsenoy Kaliya Hamlin Alin Stanescu Cynthia O'Donoghue Christopher Mikkelsen Aurlia Debru Chris Sundermeier Simon Torrance Luk Vervenne Berin Szoka David Dean Kenneth Neil Cukier

Lecturer in Law Vice-President Director, European Regional Bureau Technical Outreach Director - Identity and Privacy Vice-President, Health IT; Fellow, Institute for Health Policy Senior Security Researcher Vice President of European Affairs Information Systems and Innovation Group, Department of Management Partner Architect, Microsoft Online Services Division Director, Privacy Head of EU and International Data Protection Policy Global Privacy and Public Policy Leader Co-Founder Global Head, Data Privacy Senior Legal Advisor Directorate for Science, Technology and Industry; Information and Communications Policy Executive Director Senior Public Policy Strategist, Government Affairs Europe Partner Co-founder European Affairs Officer General Counsel, Chief Privacy Officer Chief Executive Officer, Telco 2.0 Initiative Chief Executive Officer President Senior Partner and Managing Director Data Editor

International Center for Law & Economics, Lewis & Clark School International Diabetes Federation Internet Society Internet Society Kaiser Permanente Kaspersky Liberty Global London School of Economics Microsoft Corporation Microsoft Corporation Ministry of Justice of the United Kingdom Mozilla Mydex CIC Novartis International AG Office of the Director of National Intelligence Organisation for Economic Co-operation and Development (OECD) Personal Data Ecosystem Consortium Qualcomm Reed Smith LLP Refugees United Renault Nissan Alliance Reputation.com, Inc. STL Partners Synergetics nv, TAS3 Tech Freedom The Boston Consulting Group The Economist

USA United Kingdom Belgium United Kingdom USA Sweden Belgium United Kingdom USA Belgium United Kingdom USA United Kingdom Switzerland USA France USA Belgium United Kingdom Denmark Belgium USA United Kingdom Belgium USA Germany United Kingdom

Penelope Naas Scott L. David Rob Conway Russell Schrader Antonella Galetta

Vice-President Public Affairs Executive Director, Law School Chief International Affairs Officer Associate General Counsel and Chief Privacy Officer PhD Researcher

UPS University of Washington VimpelCom Ltd Visa Vrije Universiteit Brussel - LSTS

Belgium USA Netherlands USA Belgium

12

Contact
Sincere thanks are extended to the industry experts who contributed their unique insights to this workshop. We are also grateful for the commitment and support of The Boston Consulting Group (BCG) in their capacity as project adviser. Visit www.weforum.org/personaldata Contact: William Hoffman Associate Director Information Communication and Technology Industries Tel.: +1 212 703 2332 E-mail: william.hoffman@weforum.org Carl Kalapesi Project Manager (BCG Secondee) Information Communication and Technology Industries Tel.: +1 917 392 0789 E-mail: carl.kalapesi@weforum.org

13

The World Economic Forum is an independent international organization committed to improving the state of the world by engaging business, political, academic and other leaders of society to shape global, regional and industry agendas. Incorporated as a not-for-profit foundation in 1971 and headquartered in Geneva, Switzerland, the Forum is tied to no political, partisan or national interests.

World Economic Forum 91-93 route de la Capite CH-1223 Cologny/Geneva Switzerland Tel.: +41 (0) 22 869 1212 Fax: +41 (0) 22 786 2744 contact@weforum.org www.weforum.org

14