MyData Tallinn Aug 30 – Sep 1 / Helsinki
In association with
We are the power ...of data Announcing the MyData Declaration for a just, sustainable and prosperous digital society
Centre pages pull-out
WHY THE WORLD NEEDS THIS TO HAPPEN NOW
THE MYDATA DECLARATION IN FULL
WHAT THE EXPERTS SAY ABOUT IT
A new, better way of doing business The launch of the MyData Declaration marks a significant step in the development of the personal data ecosystem. It sets out a path towards making real the shift to more human-centric ways of using personal data and deriving value from it – both for individuals and for organisations. Here, its key architects – Daniel Kaplan, Antti ‘Jogi’ Poikola and Tanel Mällo – explain what the Declaration aims to achieve. discussing that and of challenging those decisions. We think we have an answer so we’re trying to express that.
Internet of Me: At its simplest level, explain what the MyData Declaration of Principles is. Daniel Kaplan: First, it’s statement of what an established community actually stands for and wants to call out to the world. Second it is a set of commitments saying not only what we stand for but that we’re going to commit to making it happen. This is not just an ethics code – we want to make it happen in terms of changing paradigms in the data economy and ethics in the normal order of business when personal data is concerned. We want to be clear that this new order of business is different. This is a statement that not just anyone is able to sign just to ‘privacy wash’ their own practices. Antti Poikola: The Declaration of Principles is a tool for communication. It speaks inwardly to our community but it also has this other angle which is extending beyond the community. It doesn’t really help if it only communicates internally. IoM: Why is it important to formulate a Declaration of Principles, and why now? Is the need greater now than before? DK: There are a lot of reasons why it is
becoming important now. One of them in Europe is the GDPR which is clearly raising standards in terms of privacy. We are both supportive of GDPR but also moving beyond that in terms of empowering people. We need to make it clear that what we’re doing is specific and is providing more value. The second thing is that the players that have been looking and hacking at that idea of empowering people with their data and giving them more agency are becoming more mature. For a long time it was about writing, research and reports and trying out things and doing trials or studies. Now there are companies entering the marketplace and dealing with actual users and actual corporate partners and so we’re all going public in a way. That means we need to state what this community brings to the table. The third reason is that the discussion on how the data economy is empowering or disempowering people has never been louder. Of course there are the privacy issues and what the big platforms are doing but there are also all those discussions on algorithms, AI and machine learning. There are decisions that programs take on our behalf that can have huge importance in our daily life, from whether we can get insurance to our ability to access a public service. The question is do we still have a way of understanding and
AP: There are more organisations that are dealing with these issues because of the GDPR and other reasons and they need to make decisions on what direction to take. This means that there will be new players entering the arena and trying to study what’s happening and so far it has been rather fragmented. It’s been quite hard to grasp. There are players in the community who truly share something in common, but what that is has been unclear and that makes it very hard for someone entering to grasp what the new ideas are that are shaping the field. I think GDPR is definitely one of the key things prompting interest right now. It’s a nice piece of legislation and it has increased the number of people aware of these issues. Those people need some sort of clear communication of what the MyData perspective brings to the table, both in regard to GDPR and beyond it. IoM: What do you hope the Declaration will achieve in broad terms for all the different organisations that might be interested in it? AP: I hope that it’s something that different organisations can adopt and reference so it becomes an anchoring point for this humancentric personal data thinking. I hope that it will be signed by a number of organisations and industries and then that those that sign actually care about it so they might put it on their website and in other materials and come back to it. Then the next phase is that the media acknowledge it and policymakers recognise that this Declaration exists, so it becomes a powerful piece of text that anchors this movement and community. DK: There are three target audiences. First is the people who are already engaged in some
capacity in making that change happen and making MyData happen. Second is all the organisations currently collecting and processing personal data, and there are quite a lot of them. It’s about calling upon them to change their practices and trying to help them recognise that this can have huge social and economic value. Third, media and users. There’s a kind of evangelisation that needs to happen which says there’s an alternative to the current state of affairs, not one that has people and organisations opposed, but one that restores the conversation between them. IoM: Do you see the Declaration evolving in the short term? This is a new set of principles – will there be scope to amend or have you distilled it to core essentials? AP: There definitely needs to be a process of updating it in a way that it can have subsequent versions. This is the first version and it should not change every day. We will start getting feedback and will see how organisations react. If there are some flaws and suggested improvements these should be integrated into a next version. IoM: It would be great to see larger organisations come on board and support this. There would be a clear PR perspective of being seen to do the right thing, but is there also a direct benefit of helping them develop better operating models? DK: We think there is. Then it is a question of the status or the role of various organisations. I have been working with at least half a dozen very large organisations, ‘data controllers’ who have been trying to create personal data protection “charters” and publish them, especially towards the media and their customers. They were really sincere about that. However, the difficulty they faced was, first, to be able to say more than ‘We’re doing what the law says’, and second, to get business units to accept that the charter really meant that some practices should change. How does this make business sense? Trust is hugely important, of course. However, asserting that you will do the right thing is no longer enough to build trust: you need to prove you’re serious, by providing real, accessible, ‘one-click’ mechanisms for people to view their data, to review and manage the consents they’ve given you, or to discuss decisions your algorithms have made on their behalf.
Beyond trust, empowering your customers with their data, so they can use them, also makes a lot of business sense, but this is so new that corporations have a harder time understanding it. Customers equipped with tools and data can better express what they are and want; that can be great, so long as you’re ready to listen. Also, even large corporations are being reintermediated by the large web platforms. They are at risk of losing direct consumer relationships. When people, not platforms, handle their data, this direct relationship can be restored. We believe this is the central message. We’re talking about a significant change in the normal order of business, though. No data controller would be in the position of being entirely ready to do all that is in the Declaration which is why a lot of the statements are expressed as ‘we want this to happen’.On the part of organisations that are committed to creating tools and services in this – what we call the core PIMS community or MyData community – it’s a way of recognising the common efforts needed in order to turn this into normal business or administrative practice. Brands should learn to work with them. Standards organisations should work on what they do. Large business software providers should get ready to integrate them. AP: One of the key motivations is to communicate to the outside world that this is what to do. It is a statement to outside
I hope it’s something that different organisations can adopt and reference so it becomes an anchoring point for this human-centric personal data thinking. I hope it will be signed by a number of organisations and then that they actually care about it.
but also to inside. Organisations are also combinations of many people and if there is a decision on some level that this is what they want to do – signing this Declaration – then it becomes a roadmap internally. People can refer to the principles and see how far their practices are from these principles and how can they move in this direction. IoM: How do you see compliance being monitored? If an organisation signs up does there need to be a way to make sure they’re not just ignoring or forgetting about it? AP: When we launch we won’t have any mechanism to check or give some sort of trust mark. It may well be that this comes later. But this is going to be hard to fake. If you sign this Declaration and then do something completely different, making that public would risk bad publicity. But later on I think this could become more formal – something like a trust mark, a certification. DK: We’re not introducing some regulation or pseudo regulation. We’re trying to effect a positive and very wide-ranging change and that means that we want to focus on enabling and engaging people rather than providing a new kind of rigidity and dogma. This should be seen as a set of goals that are clearly desirable - clearly a win-win-win for organisations, corporations, people and society. Maybe at some point we will realise it is becoming this set of fairly established and tested practices that can converge as strongly verifiable criteria, in some cases as corporate codes or industry best practices. IoM: GDPR significantly empowers individuals with new rights. As consumers and digital citizens what is your ideal vision of what the Declaration means for them? DK: The key change for us is that what the GDPR and other data protection laws provide is a level of control over what organisations do with personal data that they collect and process. What we’re trying to say is that people should not only be able to control but should be able to do things with their own data that make sense to them. Of course, those things will be done via tools and services – but tools and services that people have elected to use in order to fulfil their own goals or respond to their own needs, which is a very different situation to where an organisation tells you ‘I’m going to use your Continued on Page 4
Continued from Page 3 data for my own corporate or organisational goals, let me know if that’s OK’. People should be in control and this is what the law provides and it also draws a number of red lines. We think there’s enormous untapped value in providing people with agency over their data and helping them or letting them use their data, just as organisations do. Another important point of the Declaration is a move from formal rights to actionable rights. Most people don’t know much about these regulations, which themselves are hard to enforce – rights such as being able to access and modify information, and the right to be forgotten which exists in the GDPR. We think these should become what we call ‘one-click rights’ – simple, obvious. OK I want to know something, so I click and I get to know. This information is not right or I don’t want the organisation to have it – one click and that changes. AP: People are starting to understand the value of their personal data and they want to make the most of it. They want simplicity in their actions with data. When the ideas in this Declaration get adopted more widely it means a better digital life, more simple and secure, with data solving people’s needs. DK: One thing that is very important in the change we’re trying to effect is that the current data economy favours very large data gathering and processing platforms such as social networks and Google, and also a lot of intermediaries. This has enormous effects on competition, especially on smaller organisations or specific industry corporations that do not have the capacity and maybe the know-how to become data platforms. It is a system that favours the creation of near monopolies or choke points between organisations and their customers, or users. They have to go through search engines, social networks and intermediary platforms in order to do business with people and that’s a huge value shift. The fact that people actually get to manage their own data and their own terms of engagement can also restore balance and choice both for people and for companies in how they engage with this or that service provider, brand or organisation. It’s not about the disappearance of the large platforms because there’s value they create – but in terms of competition and innovation and consumer relationships it’s huge. 4
IoM: What does the roadmap look like and what plans do you have to encourage people to sign up to the Declaration? AP: I imagine that we will deliver the Declaration widely and launch the web version of it where it can be signed digitally. I would like to see people from different roles – data providers, operators and data-using services – signing it and then we have a meeting coming later this year and that’s when we discuss setting up an organisation that could be taking the MyData conference and Declaration under its umbrella. DK: We want to have as many organisations and people as possible sign this Declaration before the end of MyData2017, so that it gains traction and actually starts working, even informally, as a kind of beacon or a point of convergence for people in organisations who are willing to go in this direction. Then, yes, the next step is that it needs to live on its own so people can go on discussing it and it can be published and commented on in media and conferences and industry places. We know that, for example, some regulators and the European Commission are interested. They’ve just written the GDPR and that’s not going to change any time soon, but this might serve as inspiration for where things go next.The next step is clearly that this is a set of principles that supports the creation of an organisation and so the path forward is organising this community so that it becomes self aware and starts doing things in common. There will be advocacy, evangelisation – not just towards public agencies but towards corporations and industry groups – and maybe also working with standards organisations. IoM: If you could fast-forward, say, five years, what would be your ideal scenario in terms of what this Declaration achieves? DK: Five years – maybe a little more – from now, the goal is that this is normal business practice. It’s obvious for everyone that when you deal with personal data this is how you do it. The moment when only organisations could deal with personal data and people would only hope to gain some level of control looks like a prehistoric moment – a little odd. People will ask ‘how could that have been good to have such an asymmetric market and society? It can’t be right – not just morally but in terms of creativity, innovation, value creation, trust and so on.’
Coming back to today, the kind of progress we’d like to see is first of all the players who are building tools, services and the first use cases and trying to establish a footprint on different markets become mature. There’s awareness on behalf of VCs and other investors. There’s initial works, agreements and projects with large, established corporations that do real-life trials or even launches on specific markets. Those players are also pioneers – they would continue exchanging and sharing experience and helping each other improve. Maybe the following stage is that more large organisations – not just the internet platforms but also banks, insurance companies and retailers – see the light and start changing their practices, working with the original pioneers. It’s necessary that a number of standards or collective solutions emerge. I’d like to see providers of important IT platforms start to incorporate the principles inside their offer– I’m talking Salesforce, SAP, Oracle, IBM, people like that. IoM: How optimistic are you that the big platforms will be brought round to a human centric approach? Will it be partially driven by GDPR or just better business opportunities to empower customers? AP:The human centric approach is still below their radars. They are in so strong a position and existing business models are so deeply rooted that they don’t change much. But at some point I do believe that there will be a significant change if individuals can be sharing their own data – then either they do change their business models or new players with new offerings emerge. I wouldn’t be here if I didn’t believe there can be change. But it’s not going to be easy and fast. DK: If you look at those platforms it’s very easy to see the difficulties but there are also interesting signs. For example some of them, specifically Google and Facebook are actually the most advanced companies in the world in terms of allowing portability of data and that should be a warning sign to other organisations. One way for them to still be there in that new landscape we’re hoping for is that they could leverage their incredible ability to invent and innovate in order to be big players in the new landscape as well. They’ve done that before.
We are entrepreneurs, activists, academics, listed corporations, public agencies, and developers. For years, we’ve been using different words for what we do – MyData, Self Data, VRM (Vendor Relationship Management), Internet of Me, PIMS (Personal Information Management Services) etc, while sharing a common goal: to empower individuals with their personal data, thus helping them and their communities develop knowledge, make informed decisions, and interact more consciously and efficiently with each other as well as with organisations. Together, in recent years, we have formed a network whose participants share experience, develop common projects, meet at the MyData conference, and take part in collective endeavours towards a human-centric approach to personal data. It is now time to take this work out in the world and prove its potential impact on individuals, society, and the economy. Today, we believe it is time to publicly assert the values that drive us – and call on those who share those values to act upon them. Join us in reversing the paradigm of personal data. Join us in creating the MyData movement.
The MyData Declaration As the importance of personal data in society continues to expand, it becomes increasingly urgent to make sure individuals are in a position to know and control their personal data, but also to gain personal knowledge from them and to claim their share of their benefits. Today, the balance of power is massively tilted towards organisations, who alone have the power to collect, trade and make decisions based on personal data, whereas individuals can only hope, if they work hard, to gain some control over what happens with their data. The shifts and principles that we lay out in this Declaration aim at restoring balance and moving towards a human-centric vision of personal data. We believe they are the conditions for a just, sustainable and prosperous digital society whose foundations are:
• Trust and confidence, that rest on balanced and fair relationships between people, as well as between people and organisations. • Self-determination, that is achieved, not only by legal protection, but also by proactive actions to share the power of data with individuals. • Maximising the collective benefits of personal data, by fairly sharing them between organisations, individuals and society.
The MyData Declaration
MYDATA SHIFTS: WHAT NEEDS TO CHANGE
Our overriding goal is to empower individuals to use their personal data to their own ends, and to securely share them under their own terms. We will apply and practice this human-centric approach to our own services, and we will build tools and share knowledge to help others do the same. 1.1. From Formal to Actionable Rights In many countries, individuals have enjoyed legal data protection for decades, yet their rights have remained mostly formal: little known, hard to enforce, and often obscured by corporate practices. We want true transparency and truly informed consent to become the new normal for when people and organisations interact. We intend access and redress, portability, and the right to be forgotten, to become “one-click rights”: rights that are as simple and efficient to use as today’s and tomorrow’s best online services.
1.2. From Data Protection to Data Empowerment Data protection regulation and corporate ethics codes are designed to protect people from abuse and misuse of their personal data by organisations. While these will remain necessary, we intend to change common practices towards a situation where individuals are both protected and empowered to use the data that organisations hold about them. Examples of such uses include simplifying administrative paperwork, processing data from multiple sources to improve one’s self-knowledge, personalised AI assistants, decisionmaking, and data sharing under the individual’s own terms.
1.3. From Closed to Open Ecosystems Today’s data economy creates network effects favoring a few platforms able to collect and process the largest masses of personal data. These platforms are locking up markets, not just for their competitors, but also for most businesses who risk losing direct access to their customers. By letting individuals control what happens to their data, we intend to create a truly free flow of data – freely decided by individuals, free from global choke points – and to create balance, fairness, diversity and competition in the digital economy.
MYDATA ROLES: WHO DOES WHAT
Please note: “Roles” are not “Actors” – an individual or organisation may fulfill one or more roles at once.
Person An individual that manages the use of their own personal data, for their own purposes and maintains relationships with other individuals, services or organisations. Data Source A data source collects and processes personal data which the other roles (including Persons) may wish to access and use. Data Using Service A data using service can be authorised to fetch and use personal data from one or more data sources.
Personal Data Operator A Personal Data Operator enables individuals to securely access, manage and use their personal data, as well as to control the flow of personal data with, and between, data sources and data using services. Individuals can be their own
Data Using Service
operator. In other cases, operators are not using the information itself, but enabling connectivity and secure sharing of data between the other roles in the ecosystem.
The MyData Declaration
MYDATA PRINCIPLES: WHAT WE WANT TO ACHIEVE
In order to produce the shifts that are needed for a humancentric approach to personal data, we commit to working towards and advocating the following principles:
3.1 Human-Centric Control of Personal Data Individuals should be empowered actors in the management of their personal lives both online and offline. They should be provided with the practical means to understand and effectively control who has access to data about them and how it is used and shared.
3.3 Individual Empowerment In a data-driven society, as in any society, individuals should not just be seen as customers or users of pre-defined services and applications. They should be considered free and autonomous agents, capable of setting and pursuing their own goals. They should have agency and initiative.
We want privacy, data security and data minimisation to become standard practice in the design of applications. We want organisations to enable individuals to understand privacy policies and how to activate them. We want individuals to be empowered to give, deny or revoke their consent to share data based on a clear understanding of why, how and for how long their data will be used. Ultimately, we want the terms and conditions for using personal data to become negotiable in a fair way between individuals and organisations.
We want individuals to be able to securely manage their personal data in their own preferred way. We intend to help individuals have the tools, skills and assistance to transform their personal data into useful information, knowledge and autonomous decision-making. We believe that these are the preconditions for fair and beneficial data-based relationships.
3.2 Individual as the Point of Integration The value of personal data grows exponentially with their diversity; however, so does the threat to privacy. This contradiction can be solved if individuals become the “hubs” where, or through which cross-referencing of personal data happens. By making it possible for individuals to have a 360-degree view of their data and act as their “point of integration”, we want to enable a new generation of tools and services that provide deep personalisation and create new data-based knowledge, without compromising privacy nor adding to the amount of personal data in circulation.
3.4 Portability: Access and Re-Use The portability of personal data, that allows individuals to obtain and reuse their personal data for their own purposes and across different services, is the key to make the shift from data in closed silos to data which become reusable resources. Data portability should not be merely a legal right, but combined with practical means. We want to empower individuals to effectively port their personal data, both by downloading it to their personal devices, and by transmitting it to other services. We intend to help Data Sources make these data available securely and easily, in a structured, commonly-used and machinereadable format. This applies to all personal data regardless of the legal basis (contract, consent, legitimate interest, etc.) of data collection, with possible exceptions for enriched data.
3.5 Transparency and Accountability Organisations that use a person’s data should say what they do with them and why, and should do what they say. They should take responsibility for intended, as well as unintended, consequences of holding and using personal data, including, but not limited to, security incidents, and allow individuals to call them out on this responsibility. We want to make sure that privacy terms and policies reflect reality, in ways that allow people to make informed choices beforehand and can be verified during and after operations. We want to allow individuals to understand how and why decisions based on their data are made. We want to create easy to use and safe channels for individuals to see and control what happens to their data, to alert them of possible issues, and to challenge algorithm-based decisions. 3.6 Interoperability The purpose of interoperability is to decrease friction in the data flow from data sources to data using services, while eliminating the possibilities of data lockin. It should be achieved by continuously driving towards common business practices and technical standards. In order to maximise the positive effects of open ecosystems, we will continuously work towards interoperability of data, protocols, applications and infrastructure, so that all data are portable and reusable, without losing user control. We will build upon commonly accepted standards, ontologies, libraries and schemas, or help develop new ones if necessary. Whenever possible, we want them to cover not just personal data, but also non-personal data.
The MyData Declaration
ACTIONS: WHAT SHOULD HAPPEN NOW
Sign the Declaration, as an individual and/or as an organisation. This Declaration is written in the future tense: if your organisation isnâ€™t quite there, but is committed to moving in this direction, it should still sign it! Comment on the Declaration. This Declaration will evolve over time, based on your ideas and practical experience. There will be an initial review after 6 months. Use the Declaration to further your own projects and intentions. Base your trust framework, or your terms of services, on it. Use it to lobby and convince clients, partners, stakeholders etc.
go to: www.mydata.org/declaration
REFERENCES This Declaration of Principles draws upon many sources of inspiration, the most significant ones being: The MyData Principles (Open Knowledge Finland) The MesInfos Self Data Charter (Fing) The Project VRM Principles (Project VRM) The ODI data sharing principles (Open Data Institute) The Personal Data Ecosystem Roles & Definitions (PDEC)
How the Declaration will make a difference
Data is not an abstract concept. It is very real, and each of us generates huge amounts of it every day in this digital, connected world. So, while this Declaration deals with our rights and power over our personal digital information, for most people its impact will be felt in the real world through the apps and services that play an increasingly important part in our lives. Our personal data is a hugely valuable commodity to big companies that harvest and use it. The world we envisage as a result of this Declaration is fairer because it allows each of us to benefit from that value. It is, however, less about purely direct financial value than it is about having agency over our information – being able to make choices about who can use it, what for, and knowing what’s in it for us, but also being able to use that data to our own benefit, or that of the community. Antti ‘Jogi’ Poikola, one of the architects of the Declaration, explains: “I believe more than getting direct monetary income from the data, at least in the shorter term, that there will be more transparent ways of changing data into services. It will enable things to work very smoothly and nicely, and
doing something good for me with my own data. I think that’s a more interesting future than actually selling your own data.” Few people will have the inclination or the time to micro-manage all their various data flows. It should be automated within services to allow us to make preferential choices. For example, whether your data is used for advertising purposes or not. Once that choice is made, it is reflected in your daily data life when you use all sorts of services. Also, our personal data can make a lot of sense to us personally, in a lot of ways: monitoring our health and wellbeing, understanding our finances across the large variety of services and institutions that we deal with, managing administrative paperwork (not as papers or PDFs, but as data on rights, dues, deadlines, warranties), reshaping our purchase choices to better fit our values. This is what is called a human-centric approach. While many companies will insist that their customers always come first, most still seek to own as much data as possible on them and therefore to ‘own’ their customers. But each of us is a customer (or user) of many, many different companies
and organisations. They can only ever see a small part of us. Human-centricity places us at the centre as the point of control over our data universe. The potential for self- and collective knowledge, and for empowerment, is enormous. Such an approach is better for us as citizens and consumers. We believe it is also better for businesses who can have a much more direct relationship with their customers by making them active parties in any decisions over the use of data. And it is good news for new, smaller players working in the personal data ecosystem who don’t have the advantage of the vast pools of data held by the dominant tech platforms. Making human centricity a fundamental right all of us as citizens can enjoy has been the driving vision for the work of the PIMS (Personal Information Management Service) and the MyData communities in drafting this Declaration. Jogi says: “There was some essence that kept this group together and I think it is really the vision of putting the individual into the centre and allowing digital human rights to become a reality. These are very big words, but that’s something that touches us personally.”
Internet of Me is the publication for the personal data ecosystem.
Why we’re supporting this important Declaration
Julian Ranger Founder & Chairman, digi.me This Declaration is necessary because this is a new area. If we think of it as the IoM/ MyData principles, people don’t know what it means. If every company has to say what it means and consumers, businesses and governments are hearing ten different stories – albeit saying the same thing – then it’s hard for people to get a handle on it. So if we have one consistent set of principles that we can sign up to it will be, first of all, more recognised but also people will then read the principles and understand them and immediately be able to grasp the fact that these companies are doing this new thing. So it’s about visibility, understanding and a level of commonality. Now, it’s a little bit more than that because these are real principles. I believe the principles should be allowed to be aspirational as well, but you should state that if you are a signatory but you don’t meet all the criteria now you will meet them in a given time. When you sign up to this Declaration you are signing up for a minimum standard. It’s not a trust badge because no one is assessing you to do it right now. But you are clearly indicating you are doing it and if it transpires that you are not, there should be come-back. It’s bringing this new methodology onto the work stage in a common way. If you think about digi.me, we have three core principles – privacy, security and interoperability. Interoperability is important – it’s important that individuals are not locked into digi.me or anybody else. It’s important that they know this is an ecosystem and this ecosystem needs principles for interoperability. Therefore what this is showing is the maturing of an ecosystem and these are the fundamental principles for it to be successful.
We have been helping and working towards this because we see that you don’t get an ecosystem unless it has its own fundamental principles. There is nothing in this Declaration that I can’t sign up to. It think it’s also important to me that the biggest companies in the world can sign up to it. There has been too much business bashing in this whole area. If they sign up to it and carry on doing what they do it would make a mockery of it but if they sign up to it committing to moving towards it in a given time it doesn’t make a mockery at all. They will be held accountable by public opinion.
Katryna Dow Founder & CEO, Meeco We at Meeco see this Declaration a significant step towards aligning the competing needs around personal data. We support its creation and affirm the importance of making it public – this is an important first step. Democracy and human rights have been shaped by the declarations society has drafted and agreed to. These rituals shape our society, from the Declaration of Human Rights to the way countries and companies formulate a constitution that embodies the principles that guide actions and decisions. So, this Declaration outlines our shared vision for how we have come together as a community, developed solutions and will work together for the data rights of those we serve. While there is symbolic importance to this Declaration, I would hope this is the first step towards what may become a trust framework and, from there, actually be enshrined in legal terms and conditions. One of the challenges obviously with this set of principles is that we want to be inclusive. We want to give citizens, patients, students, employees, and customers new digital rights but at the same time we understand that
we need to work alongside the regulatory framework that’s changing in Europe – for instance GDPR, ePrivacy and PSD2. We understand that enterprises and governments are on their journey towards putting what we hope will be mutually inclusive trust frameworks in place. I believe the aim should be a set of legal terms and conditions that will be afforded to customers which set out means by which organisations will respect data, be transparent around their business practices and they will be committed to some form of mutual value associated to the collection and use of data. The personal data market is beginning to take shape. As it starts to mature it will be essential to maintain this clear vision to guide our collective actions. Now is the time we can make the most difference to all our stakeholders – citizens, regulators, governments and institutions – in the way data is ethically collected and used with consent. The opportunity to create economic and societal value is significant if we get this right.
Michele Nati, PhD Lead Technologist, Personal Data and Trust, Digital Catapult The personal data ecosystem is seeing involvement of a large number and variety of stakeholders spanning different sectors, from traditional ones, such as the internet and advertisement network, to more emerging ones, fostered by the rapid growth of the Internet of Things and wearable technologies. While driven by different interests, involved stakeholders are now requested by GDPR to put at the centre of their activities the individuals, showing them transparency and guaranteeing them control over their data, in order to gain the trust of always more privacy savvy consumers. The Declaration is a good starting point for all these stakeholders to recognize a commonality
in their intents, define baseline principles for operations while fostering competition, as well as innovation and development of new opportunities to guarantee advanced, transparent and trusted personal data based services to their customers in existing and emerging markets. We believe that by supporting the Declaration, and by sharing this with other supporting organisations, a more transparent ecosystem will develop for the personal data economy. This will also help to identify the organisations willing to be at the forefront of the GDPR compliant personal data economy and more easily develop possible collaborations between them and the innovative SMEs we work with, in order to deliver more user centric services to our societies.
David Alexander CEO & Chief Platform Architect, Mydex CIC Mydex CIC, founded in 2007, has seen the digital economy and, in more recent times, the personal data economy grow and take great steps to fulfilling its potential over the last ten years. The core values of the Mydex Platform remain unchanged: to empower individuals to manage their lives more effectively through convenient, trustworthy access and control of their personal data, and how it is used by them and others. Reading the MyData Declaration, we were delighted to feel a strong sense of alignment with the values that we believe are vital to the success of the personal data ecosystem benefiting individuals, society and the economy alike. In particular, we believe in creating a just, sustainable and prosperous digital society that realises the collective benefits of personal data and empowers individuals with the tools they need to benefit from their personal data. We agree that it is important to empower individuals to exert control, express consent and share their personal data under their
own terms, in a way that is convenient and useful for them and others. As the paper points out, the individual should be the point of integration for data flow and security, and as the vital step in allowing individuals to benefit from their data. The value and significance of trust between all parties is a defining factor in the growth of the ecosystem, and interoperability is a core value that will allow individuals freedom of movement and autonomy in their management of their personal data. We also agree that accountability will be a crucial step in levelling the playing field between individuals and organisations, allowing those who misuse data to be held to account. The undersigning of a Declaration such as this is a big step forward in working together to nurture and strengthen the principles many of those in the ecosystem share as their core tenets and motivators. We support this growth and partnership, and we look forward to working together, driving the personal data ecosystem forward to achieve our common goals.
The opportunity to create economic and societal value is significant if we get this right.
Katryna Dow Founder & CEO, Meeco
Tristan Nitot Chief Product Officer, Cozy Cloud First, letâ€™s state the obvious: Digital is here to stay. And now, for the less obvious, the way the digital world is working is not sustainable at all. All personal data is being gathered into the hands of a couple of internet giants, where consumers have very little control. Traditional brands are also losing a lot in the digitalisation of the world. The MyData Declaration is important as it opens the door to a better digital future, a more balanced and fairer digital society. Cozy Cloud has been built precisely in order to build open source, decentralised solutions to address the issues I have just described. Having other organisations and individuals joining us in signing the MyData Declaration is making our position stronger as it makes all of us part of a larger movement, the MyData movement.
Itâ€™s also important that the biggest companies in the world can sign up to it.
Julian Ranger Founder & Chairman, digi.me
The benefits of human centric data Manage daily life and the documents it generates Discover, experience and share
Control digital identity and personal data MANAGEMENT
Make and implement better choices
DECISIONS AND ACTION
Contribute to the production of collective knowledge
Sounder action through better selfknowledge
Live according to one’s value
A brief history The MyData Declaration emerged out of the European PIMS Community which met in Brussels in November 2015 and then in Paris (April, 2016), Helsinki (August, 2016), London (December, 2016) and Berlin (March, 2017). It is the response to one of two goals – to develop a set of principles for human centric personal data. The other is to establish a MyData Global Network as a legal entity. A draft version was sent to the founding members of the MyData Global Network, as well participants of the Berlin workshop. It received more than 90 comments.
The initial version of the Declaration you see in this publication – which drew inspiration from a thorough reading of 20 existing charters and statements of principles – was written by three people who are all heavily involved in the PIMS Community as well as in organising the MyData conference: Antti ‘Jogi’ Poikola from Finland, researcher at Aalto University, founding member and former chairman of the Open Knowledge Finland association, main organiser of the MyData conference and leading author of the Finnish MyData white paper.
Daniel Kaplan from France, co-founder and scientific advisor to Fing and France’s MesInfos project, and member of the MyData conference’s core team and core contributor of the MesInfos Self Data Charter. Tanel Mällo from Estonia, who is head of the Research Administration Office at Tallinn University, leads the MyData Estonia network, is a member of the MyData conference’s core team, and is in charge of MyData2017’s Tallinn events.
Contributors The following contributors took part in workshops and/or provided comments to the initial versions of the declaration:
David Alexander, Malte BayerKatzenberger, Simon Carroll, Fabien Coutant, Paul-Olivier Dehaye, Katryna Dow, Harri Honko, Viivi Lähteenoja, Joss Langford, Hubert Le Lièpvre, Joachim Lohcamp, Maarten Louman, Maciei
Machulak, Robert Madge, Jack Mitchell, Michele Nati, Tristan Nitot, Kei Ohashi, Juuso Parkkinen, Julian Ranger, Geoff Revill, Clara Schmitt, Doc Searls, Tarmo Toikkanen, Luk Vervenne, Colin Wallis.
MyData in association with Internet of Me