GDPR / HHS Inspired Data Liquidity & Future Of Privacy
Data liquidity is a new concept signifying seamless flow of consumer data ‘to where it is needed and when it is needed’ throughout a given ecosystem, as a function of data portability. As much as service providers / vendors harbor an epic misunderstanding on ownership rights of consumer data, it is the consumer who owns it. Data portability/interoperability in our current centralized systems, particularly in EHR (electronic health records), is prone to compromising privacy / confidentiality during data exchange between third parties.
We are developing a decentralized data liquidity system of personal online data stores (PODs) that places personal data in the full control of its owner at all times, without the privacy / confidentiality compromises that portability otherwise brings. This essentially means doing away with the cumbersome practice of connecting diverse centralized databases for data interoperability through countless APIs, in favor of a single POD API connecting with all of them.
Liquidity is the degree to which an asset can be quickly moved from one location to another within an ecosystem without compromising its integrity and intrinsic quality.
We are already quite familiar with the term liquidity in economics, such as market liquidity, wherein the asset is equity / security / share. However, in data liquidity the asset is personal data.
Data liquidity basically is a function of data portability wherein the data is no longer confined to databases or data silos in IT infrastructures such as supply chain management systems, financial systems, healthcare systems, social media, etc. An important attribute of liquid data should be that it flows to where it is needed and when it is needed without compromising privacy and confidentiality.
Strength Of Data Protection Laws Worldwide
In the digital age, data privacy typically applies to critical personal information, including identification credentials, health and medical records, and financial data (bank account and credit card numbers). Most countries have some sort of data protection / user privacy laws in place, ranging from heavy to limited in their regulatory strength.
The latest enactment of General Data Protection Regulation (GDPR) by the European Union is the most important change in data privacy regulation in two decades, and has created quite a stir among the data controllers worldwide. GDPR is designed to give EU citizens more control over their personal data.
General Data Protection Regulation (GDPR) was adopted by the European Parliament on 14 April 2016, and became enforceable beginning 25th May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable across the European Union. Experts who participated in the formulation of the GDPR wrote:
“GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a complex and protective regulatory regime.”
Snowden Impact On The Strength of GDPR
Some GDPR supporters attribute its passage to the whistleblower Edward Snowden. The Snowden revelations in 2013 were crucial in changing the course of the GDPR legislation in the European Parliament (EP). The revelations outraged Europeans, bringing Internet privacy issues to prominence and compelling the EP to reverse its opposition to rules strengthening privacy. Thus the coalition of European privacy activists prevailed over the powerful Silicon Valley lobby in convincing the EP to pass the GDPR as it stands today.
The GDPR, however, subsequently garnered support from businesses who (perhaps reluctantly) regard it as an opportunity to improve their data management. Mark Zuckerberg asserts that “Internet needs new rules”, and has called for GDPR-style laws to be adopted in the US.
Consumer rights groups across the globe are the most vocal proponents of the legislation.
The GDPR Fallout
On the GDPR’s effective date, some international websites began to block EU users entirely. Others, such as Klout and several online video games, ceased operations entirely to coincide with its implementation, citing the GDPR as a burden on their continued operations. Behavioural advertising placements in Europe fell 25–40% on 25 May 2018.
Facebook and subsidiaries WhatsApp and Instagram, as well as Google LLC (targeting Android), were immediately sued just hours after midnight on 25 May 2018, for their use of “forced consent”. Three complaints claimed over €3.9 billion in compensation.
On 18 January 2019, further GDPR complaints were filed against Amazon, Apple Music, DAZN, Flimmit, Netflix, SoundCloud, Spotify, and YouTube, alleging that they failed to include sufficient background information, or provided insufficient or unintelligible raw data. A maximum total fine of €18.8 billion for these eight companies is predicted.
Data Protection Noose Is Tightening Worldwide
Brazil recently created the National Data Protection Authority (ANPD) and enacted the Brazilian General Data Protection Law (LGPD). The LGPD, taking effect in August 2020, is largely aligned with the EU General Data Protection Regulation (GDPR).
On February 11, 2019, the US Department of Health & Human Services (HHS) announced proposed rules to support the seamless and secure access, exchange, and use of electronic health information (with Federal Register publication on March 4, 2019).
The proposed rule is designed to increase innovation and competition by giving patients and their healthcare providers secure access to health information and new tools, allowing for more choice in care and treatment.
The proposed rule places a strong focus on a patient’s ability to access their health information through a provision requiring that patients can electronically access all of their EHR (electronic health record) at no cost.
India’s online market stands second only to China. The Data Security Council of India (DSCI) and Nasscom have backed rigorous data privacy and protection for years. And ever since the Supreme Court of India ruled in favor of “the right to privacy being deemed a fundamental right”, the focus on data protection to enhance citizen safety and security has increased. In a move to drastically improve healthcare delivery in India and protect patient data, a new Digital Information Security in Healthcare Act (DISHA) was drafted in 2017 and is now waiting to come into force. Claimed to be the first to protect the health data of citizens, DISHA has three primary objectives: setting up a central and state level digital health authority, enforcing privacy and security measures for digital health data, and regulating the storage and exchange of electronic health data.
Experts believe DISHA, soon to come into force, is going to be as stringent as the GDPR.
Data Silos: A Medical Tragedy
A Forbes report calls data silos “healthcare’s silent shame.” Overcoming health data silos is proven to lead to cost savings. In the US alone, the estimated value of such savings ranges from $30 to $300 billion every year.
Remarkable progress has been made in designing Electronic Health Record (EHR) systems, and they work great. But they don’t get along with each other.
The global EHR market was valued at $25.4 billion in 2018 and is expected to reach $40 billion by 2024, growing at a CAGR of 6.2% during the forecast period.
For billionaire Los Angeles Times owner and biotech celebrity Patrick Soon-Shiong, MD, the dirtiest four-letter word in the context of digital health is
Hospitals, clinics and doctor’s offices, insurance providers, health networks, digital health devices, EHR vendors silo their data. They don’t share.
Data Portability, Interoperability & Liquidity
Data portability is the right to transfer personal data from one organization to another organization or to the data subject herself / himself. In theory it might sound easy, but it is far too difficult in practice.
Interoperability refers to the basic ability of computerized systems to connect and communicate with one another readily, even if they were developed by widely different manufacturers and supplied by different vendors. As much as EHR interoperability is desired for freer flow of information between different providers and systems, it is seriously lacking.
Increasing the flow of patient data between providers, facilities and pharmacies could boost accuracy and can alleviate the burden placed on patients to remember their complete medical history for each new provider.
An important attribute of liquid data should be that it flows to where it is needed and when it is needed without compromising the privacy and confidentiality of the data subject.
The American Medical Association (AMA) calls data liquidity a priority in their framework to improve the usability of EHRs. Dr. John Mattison, AMA Advisory Committee on EHR Usability, says:
“Data liquidity is critical to optimal patient safety and quality outcomes, especially as it supports a complete health record, and is essential for safe transitions between different care providers.”
Legal Ownership Of Personal Data
As established by the GDPR, personal data is owned by the data subjects, rather than the data controllers. However, individuals’ ownership of their data will become effective only when they have the means and the incentive to exercise their rights of ownership.
Senator John Kennedy (R-LA) recently introduced the “Own Your Own Data Act of 2019” bill. This bill takes personal data ownership a step further. It declares that “each individual owns and has an exclusive property right in the data that individual generates on the internet” and requires that social media companies obtain licenses to use this data.
Currently Who Controls & Manages The Data?
A review of all the existing and proposed data privacy laws tells us that these regulations assume that corporations control and manage user data through their centralized servers. As a consequence, data portability between two corporations always, without exception, implies an exchange of user data between two disparate servers. This essentially means the industry has to adopt standardized application programming interfaces (APIs) for accessing personal data. Such standardization is difficult, as each data server will have its own data structure and protocols. It is for this reason that most EHR systems, despite about half a century of existence, do not share well with others. However, the regulations favoring more data liquidity will compel a change.
Who Should Control & Manage Personal Data?
Ideally, if ownership of personal data lies with the data subjects, the subject should control and manage the data. However, this isn’t technologically possible with the legacy client-server systems.
The recent advancements in decentralization protocols and web technologies have made it possible to store personal data in “PODs” (personal online data stores) hosted on a peer-to-peer network. The owner controls how much third-party sites or apps are permitted to “read or write” to his or her own POD. The POD data can interact with any number of applications using a single API. Thus PODs achieve liquidity while keeping user privacy intact, and without getting lost in the maze of disparate centralized servers of the legacy systems.
Liquidus PODs: Liquidity With True Data Ownership
True data ownership means:
users should have the freedom to choose where their data resides and who is allowed to access it.
It also means seamless flow of data to any destination that needs it.
Since you own your data, you are free to store it in your POD at home, at your workplace, or with an online POD provider of your choice. You can move it at any time, anywhere. You can even segregate your data by creating multiple PODs, wherein each POD serves a specific purpose or profile, which may be personal, professional, social, medical or financial.
You just have to give your apps permission to read or write to parts of your POD. The apps read from your POD and also write to your POD. Data saved to your POD becomes available across all your apps automatically. There’s no need to sync, because your data stays with you all the time.
Freedom From Liability
Privacy regulations are only triggered if a company stores and manages users’ personal data.
No control over user data means no liability.
At a time when the Googles and Facebooks of the world are penalized with billions in fines for non-compliance with GDPR, disengaging the service providers from user data frees them from any liability risk. If they don’t control subject data, they don’t trigger GDPR or any other privacy regulation for that matter. So, instead of continuing as controllers of subject data, these service providers can connect with users’ PODs and access their authorized personal data via the POD API to deliver their services.
The European Parliament’s recent promulgation of GDPR is indeed pushing the envelope of digital strategy in general and privacy in particular. The ideas contained within GDPR are neither entirely European, nor new. They can be found to some extent in U.S. privacy laws. The strength of GDPR, though, was essentially made possible by the Snowden revelations, which the GDPR opponents could not overcome.
All of the world’s major data controllers are now facing billions of Euros in non-compliance penalties. Other data privacy laws across the world are also being modelled after the GDPR. The trends clearly indicate that full unencumbered ownership of personal data is moving from the data-controller (company) to the data-subject (user). This warrants technological transformation from traditional centralized data-controller managed client-server infrastructure to data-subject managed decentralized infrastructure. The former needs stringent privacy regulations, while the latter makes them redundant.