28 September 2017. By Mike Swift.
The premise that Europe's forthcoming General Data Protection Regulation will be a massive and costly regulatory headache for hundreds of companies has been accepted as axiomatic.
Compliance with the GDPR will be a policy and engineering challenge for companies that collect, store or process personal data. They will have to offer consumers the ability to access that data, and to edit, move, or delete it.
But there is another valid way to look at GDPR and the US Federal Communications Commission's abortive attempt last year to require Internet service providers to get affirmative consent from subscribers before sharing their personal data with digital advertisers, data brokers and other third parties.
For a handful of digital startups hoping to use such rules as a springboard to growth, the long-predicted arrival of a "privacy economy," in which consumers get a financial benefit from the use of their personal data as part of a consensual exchange that shelters companies from regulatory risk, may finally be at hand.
That, at least, is the vision of privacy entrepreneurs such as Jon Fisse, the founder and CEO of a New York-based company called Atomite. Launched in 2016, the startup is in the process of partnering with wireless carriers, automakers and others to allow consumers to customize what personal data they share, and to get rewards for information they choose share.
In return, mobile network operators or other platforms that use Atomite's user interface would qualify for a de facto regulatory "safe harbor" under the GDPR and other privacy laws.
The Atomite online interface would allow consumers to choose what data to share in order to earn "Privacy Points" they could redeem for goods and services, similar to the points system some credit cards offer. That same online privacy "dashboard" would also allow companies to reduce the likelihood of running afoul of the GDPR or other privacy laws, even as they develop alternative revenue streams.
"We really try to be one of the bridges between industry and regulators," including Data Protection Authorities in European member states, the US Federal Trade Commission, the FCC and other regulators, Fisse told MLex.
"We're trying to create a software solution that will allow B2C [business-to-consumer] companies that are heavily regulated ... to listen to regulators, to be credible to regulators, but not to be put in a strait jacket" over their use of consumer data, Fisse said.
In addition to the regulatory safe harbor, such software would provide consumers with gift cards or other incentives to share personal information with mobile networks, car companies and other consumer-facing businesses that partner with Atomite, particularly companies that are collecting large amounts of sensitive information.
Large telecoms and online platforms may have little choice but to give consumers more control over their data. A recent 10-country survey commissioned for the Mobile Ecosystem Forum found that trust issues are blocking consumers from wider adoption of mobile apps and other products.
MEF's Global Consumer Trust Report for 2017 found that one quarter of respondents were completely prevented from buying, downloading or using apps because of concerns about privacy or security — up from 14 percent the previous year. In 2017, the share of respondents naming trust issues as the most important barrier to adoption grew to 40 percent, up from 35 percent the previous year.
The recent large breaches of Equifax and Yahoo, which affected hundreds of millions of people in the United States and other countries, won't help shore up that trust.
Fisse last year sketched his view to the FCC to allow Internet service providers to comply with the regulator's proposed privacy rules by allowing private "Trusted Third Parties" such as Atomite to create online "consumer-facing privacy dashboards" .
The FCC's ISP privacy rules were permanently blocked this year by a Republican majority in Congress following the election of President Donald Trump. But that may prove to be a Pyrrhic victory if Democrats are able to use privacy and cybersecurity as a political issue to make gains in the elections of 2018 and 2020.
And other countries appear to be following Europe's path under GDPR of tighter regulatory controls on privacy and data security.
Noting the global trend toward tighter privacy regulations, Canada's Privacy Commissioner last week asked the country's parliament to give his agency power to write rules and impose fines rather than just audit the digital privacy practices of companies that do business in Canada.
None of that is guaranteed, of course. For years, observers have been predicting the emergence of "a privacy and reputation economy," where a constellation of Internet companies would provide services that allow people to discover what information exists about them online, to counter false information, and even to allow people to share personal information with advertisers voluntarily.
That day hasn't arrived. Even such proselytizers as Fisse concede that it's still an "embryonic consumer data marketplace."
While the coffers of Google and Facebook have swollen because of the personal data they are able to gather about their users, and consumers say they are more uneasy about the amount of data amassed about them, there's no sign of them stopping from using those services.
In 2011, Shane Green helped launch Personal, a Washington DC-area startup that aimed to act as a data agent with online advertisers. Green's vision was that consumers who chose to use Personal to make specific information, such as interests or favorite brands, available to advertisers could get 5 to 15 percent of a purchase price back. Personal would make money by taking a cut of the rebate.
But Personal was never a massive success, and it has now merged with digi.me, another startup that offers to make its users' data available to digital advertisers for a price.
"I've spent $30 million over the last seven years figuring out the things consumers don't want to do to manage their data," Green ruefully joked during a recent panel discussion at a global mobile conference in San Francisco.
But with the GDPR poised to force US companies to allow users to move, or "port" their data to other platforms when the law takes effect in May 2018, one barrier to Green's vision is about to fall away. Green said that until the GDPR, companies have seen giving data back to customers as a risk; GDPR makes it a requirement.
"For seven years it's been almost impossible for companies in the US to take that step," Green said. But now he feels the world has changed, and that a new "consent economy" is about to take hold.
"The GDPR," Green said, "is quite revolutionary."