A tale of personal data, trust and consent

Those who have read the entire terms of service form before ticking ‘yes’ throw the first stone. And they who have understood them, do not keep this power to yourselves! Realistically though, you are a minority because, as Mika Leivo, ICT Architect at the City of Helsinki, says: “If the average person read every consent and every cookie pop-up, they would spend around four months to a year just doing that.” And honestly, people have better things to do.

Regulation vs practice

Yet, we should not disregard these seemingly infinite scrolls of legalese so quickly. Instead, Espoo and Helsinki, among other cities, invite us to demand better options to enforce our rights on personal data. Both cities share the values of MyData Global network, which declares on its website that “we, you and I, should have an easy way to see where data about us goes, specify who can use it, and alter these decisions over time.”

A noble goal considering that today, if regulations such as the General Data Protection Regulation (GDPR) have been put in place to guarantee people’s digital rights, in practice, organisations have the power to collect, trade and make decisions on personal data, and individuals struggle to regain control over their data.

For example, at the moment users often don’t have a choice but to opt-in, because opting-out would result in refusal of service. A point that Yann Huaumé, Vice-President for Digital Affairs and Smart City at Rennes Metropole raised back in September during the Eurocities Knowledge Society Forum. To prevent digital resignation, users’ consent should first of all be ‘meaningful’.

Wilhelmiina Griep, Project Manager for City as My Data Operator at the City of Espoo. (c) Ellun Kanat / Anna Valli

“Consent should also be convenient to give,” adds Wilhelmiina Griep, Project Manager for City as My Data Operator at the City of Espoo. “As long as it requires a lot of activity from the citizen, it won’t be a smooth service, and it will never be appealing for them.”

Consent should be convenient to give, or it will never be appealing for people
— Wilhelmiina Griep, Project Manager for City as My Data operator at the City of Espoo

Espoo and Helsinki are working in this direction through the Finnish MyData project – an initiative linked to the MyData network though financed by the Finnish Ministry of Finance. “Our consent form is a small box that addresses the everyday person with a summary of what they are consenting to,” says Leivo. “It explains in clear language what’s the purpose of collecting this data. What the benefits are for the user. Why we are asking this data. What data we are asking. What we are using it for and how. We then have the more classic large scroll with all the details, which people can read and review too if they want.”

What’s in it for me?

Being transparent and clear about what data is collected and for what use certainly plays a role in building trust between the public administration and its people. “We should be more open in telling the public how we are using the data and what is the benefit for them,” says Leivo. “We have all this data but are we using it proactively? Are we making the most of it? What can we do to make our services better? That’s where we need to engage with citizens and communicate the benefits that could be achieved,” explains Griep.

Paradoxically, people are content to share data without much transparency or clarity every day because they feel like they are getting a specific service in return, for example, on social media. The data collected by the local government is, more often than not, collected without clear communication about the direct or indirect benefits. In some cases, people fear that this data may be used against them.

Cities like Espoo and Helsinki want to change this and make the advantages explicit. “It can be a reduction in taxes because the data you shared allowed a more efficient service,” says Leivo, “or a better service that gives you what you are entitled to without you having to go through all the administrative steps to prove that you are.”

Shared principles

Trust is the buzzword when it comes to personal data sharing, and it’s the service provider’s responsibility to prove to people that they are trustworthy. An added reason for citizens of Helsinki and Espoo to trust their cities is that the MyData project put together a list of principles that guide data management and sharing actions. This is a way to guarantee users of the MyData operators that these principles are ensured.

These principles can be summarised as:

  • Individuals have the right and practical means to manage their data and privacy.
  • Personal data must be technically easy to access and use.
  • Shared MyData infrastructure enables decentralised management of personal data, improves interoperability, makes it easier for companies to comply with tightening data protection regulations, and allows individuals to change service providers without being dependent on a specific vendor or service (vendor lock-ins).

“When joining the MyData community, you commit to guaranteeing these ethical rules,” says Leivo. “This works as a pre-check. Users of MyData know and trust that these basic digital rights are guaranteed.”

Users of MyData know and trust that these basic digital rights are guaranteed
— Mika Leivo, ICT Architect at the City of Helsinki

Making sharing data simple

Confusing and unclear terms of service are not the only barrier to the smooth management of one’s personal data. Who knows how many service providers have your data? And which data? If you have to share it with someone else, how do you do it? Download it and send it by WeTransfer? Easy access to what you consented to, portability and interoperability are more obstacles that the MyData project wants to solve.

“For example, in Finland, the local government can’t share its data with others, even with the permission of the person,” says Leivo, “which means that the individuals themselves must demand the data from the city, download it and send it to the other entity. This creates more work for the individual and unnecessary copies of the same data, making it more difficult to keep the data up to date and useful.”

A change in infrastructure is necessary

To sum it up, Espoo and Helsinki, through the MyData project, are trying to:

  • ensure data interoperability and portability through open infrastructures that make it possible for individuals to change service providers without vendor lock-ins;
  • foster a cooperative approach to data sharing and management that could work across all sectors;
  • guarantee consent-based data management and control for the individual without storing all their data in centralised repositories.

How? By proposing a change in infrastructure because today’s models are lacking, like the API ecosystem (the systems for transmitting data) where individuals don’t have an overview of their personal data flows between services or the aggregator model where the lack of interoperability between aggregators boxes individuals and companies into one data service provider and transparency and privacy towards individuals are not prioritised.

Let’s imagine four roles that can be played in a piece of data management and sharing infrastructure: the individual that manages their personal data; the data source, which collects and processes the data that others wish to access and use; the data-using service that can be authorised to access and use the data, and the personal data operator that enables individuals to access, manage and use their data, as well as control its flow between data sources and data-using services.

In Helsinki, the MyData project offers a MyData account that acts as the personal data operator. “If I start wondering what I consented to, I can always go back to MyData,” explains Leivo. “Without accessing the services or the service provider sites, I can see the list of consents I have given, the dates, the purposes and if they have been used and how frequently they have been used. I don’t have to rely on the service provider to tell me what they are doing. I can see for myself.”

If I start wondering what I consented to, I can always go back to MyData
— Mika Leivo, ICT Architect at the City of Helsinki
From ‘MyData – A Nordic Model for human-centred personal data management and processing’ by the Finnish Ministry of Transport and Communication

To Finland and beyond

This model echoes the agreement between the Council and the European Parliament on the Data Governance Act (DGA) from 30 November. Among the tools supporting the availability and safe use and reuse of data, the DGA introduces the concept of trusted data intermediaries, offering guidelines similar to the MyData model and including services offered by MyData operators.

The Finnish MyData project involved the cities of Helsinki, Espoo, Turku and Oulu and has reached its end. However, finnish cities continue their collaboration and are looking into extending the MyData project to the private sector, to the national government and across borders. “We have hundreds of Estonian school kids coming to school in the Helsinki region, for example,” says Leivo. “It would be very convenient if we could exchange the data on their studies.”

As it stands, most of us still have to pretend-read all terms of service and keep track of who we give access to our data, but maybe a brighter future lies ahead.

*Photo credits: Anna Matilda Valli / Ellun Kanat

Wilma Dragonetti Eurocities Writer