Data is being aggregated and exploited without the resulting benefits being passed on to consumers and businesses, regulator warns.
The BIS (Bank for International Settlements) has published a new paper calling for jurisdictions to move to data governance systems that restore control over data to the consumers and businesses generating the data, by requiring more granular consent before service providers use those data.
The paper notes an expansion in the availability of data and their processing over the last two decades due to technological developments, highlighting that consumers and SMEs often do not know the benefits of the data they generate and often find it difficult to assert their rights regarding the collection, processing and sharing of such data.
“Inaccessible data, including data walled off in silos owned and operated by big tech firms, represent a significant cost to consumers and to society,” the paper says. It highlights costs associated with consumers feeling disempowered and losing trust in the security of the system they live in, as well as an inability to reap the benefits of data ownership.
The paper says big tech firms aggregate and exploit personal data, without passing on the resulting benefits to consumers. It points to a lack of global consensus on an optimal data governance system – both within countries and across borders.
In most countries, privacy laws recognise the rights of individuals to their data and grant them control over how data are collected, shared and processed. However, consumers often find it difficult to exercise consent effectively because consent mechanisms are too broad and sweeping, and newly created data are often kept in data silos under the control of a single company.
The paper proposes a data governance system that corrects for these “market failures” by restoring control of data to the consumers and merchants generating the data (i.e. data subjects). Such systems should be open, with consent that is “revocable, granular, auditable, and with notice in a secure environment”.
The conditions for effective data-sharing should include notice and consent, purpose limitation, data minimisation, retention restriction and use limitation. The consent system should also be data subject- and data user-friendly, feature low transaction costs, and replace “broad and sweeping” consent with “granular” consent.
“Such a consent-based system will empower data subjects to use their data for their own benefit,” the paper says, adding that trust in the system and widespread adoption can be enhanced by mandating large public digital infrastructures as specialised data fiduciaries.
The paper cites the experience of India’s DEPA (Data Empowerment Protection Architecture) as an example where such a system can operate at scale and with low transaction costs, describing the architecture and the data flows underpinning the application of DEPA to the financial sector.
The paper proposes a granular template that can be used for benchmarking data governance systems in various jurisdictions. The template offers a roadmap to enable existing systems to transition from one where data controllers employ data for their own benefit to one where data custodians pass on these data to others for the benefit of data subjects.
It also presents a representative oversight framework for digital public infrastructure comprising a regulatory authority, a self-regulating organisation, and a technology standards organisation.