EU Commission publishes findings on personal information management services
PIMS present opportunities for individuals to regain control of their own data.
The European Commission has published a report (Report) of its findings from a consultation carried out on personal information management services (PIMS).
What are PIMS?
PIMS are an emerging technology that generally allows users to store personal data in a type of “locker” or “vault” software. There are various types of services currently on offer, including downloadable applications and websites.
PIMS providers believe that these services hand back power to data subjects, to control who sees their personal data and how it can be used.
Where do PIMS store personal data?
Some PIMS store personal data on the user’s hardware whereas other services store personal data on the cloud.
In many cases the personal data is encrypted with a key that only the user knows. These services are described as “zero knowledge platforms” as the personal data can only be accessed when the user gives his or her consent; even the PIMS provider does not have access to the encrypted data.
How will PIMS providers make money?
The Report finds that there are a number of different business models across PIMS providers. Two of the dominant emerging models are:
- The freemium model: these platforms offer a basic service which is free for users and allows them to pay to upgrade e.g. a basic service may only allow users to register one social media account and the user will have to pay to register more. These freemium services may also charge organisations to consume the personal data where the user has consented to it. Many PIMS providers also offer analytics-as-a-service to organisations wishing to access the personal data for a fee.
- The co-operative model: these platforms charge members a fee to join a co-operative and receive a share in the co-operative in return. Organisations are then charged a fee for accessing the personal data and profits are shared between members.
In both cases, organisations will be looking to access better quality data about current and potential customers to create targeted advertising. This is an attractive prospect to businesses in today’s market where ad blockers are being used more frequently to prevent adverts from reaching a user.
The organisations accessing personal data through a PIMS platform may also find it easier to comply with data protection laws as they will have obtained consent from the data subject when interacting with them through the PIMS platform. The conscious giving of consent by data subjects may also help to reduce the creepy factor of targeted advertising.
Data portability and the right to be forgotten, each of which is a key feature of the upcoming GDPR, might also be more easily exercised through the use of PIMS.
The Report finds that PIMS providers must be transparent about their business models.
There are ethical concerns around the idea of giving individuals the opportunity to sell their personal data to organisations, particularly in relation to sensitive data such as health data.
On the other hand, if only those who can afford to sign up to sophisticated platforms gain more control over how their data is used, privacy could become a privilege for those who can afford it. The Report is clear that privacy should be available to all.
The Report also highlights a potential conflict of interest for PIMS providers who have the responsibility of ensuring the protection of users’ personal data whilst incentivising users to give organisations access to their personal data in order to increase revenue.
The Report found that over a quarter of active PIMS providers are based in the UK. Local councils in the UK have already shown an interest in using PIMS platforms to allow individuals to remain in control of their personal data, with Sunderland City Council being one of two public authorities to respond to the consultation.
The Report states that, due to the fast-moving nature of these emerging technologies, “top down” standardisation would not be effective. Therefore, at least for the time being, PIMS providers are free to develop their platforms within the constraints of the current law.
If PIMS providers can find a way to build platforms which successfully give individuals real control and visibility over how their personal data is processed, whilst only providing organisations with access where individuals have given their informed consent, PIMS could prove to be a useful way for individuals to regain control and comfort over how their data is used.
However, it remains to be seen whether the current PIMS business models are viable and if providers can ensure that there is no conflict of interest when charging businesses to gain access to users’ personal data.
This blog post was written by Amelia Day, Trainee Solicitor at White & Black.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.