Declaration of Mydata principles
Day by day, the importance of personal data in society is increasing. For this reason, is urgent to make sure individuals are in position to know and control their personal data, but also to gain personal knowdlegde from them and to claim their share of their benefits. MyData pursues that goal, a network of 90 organisations and 600 individuals. MyData is working to empower individuals with their personal data, helping them develop knowledge, make informed decisions and interact more consciously and efficiently with each other as well as with organisations.
Today, the balance of power is massively tilted towards organisations, who alone have the power to collect, trade and make decisions based on personal data, whereas individuals can only hope, if they work hard, to gain some control over what happens with their data. The shifts and principles that we lay out in this Declaration aim at restoring balance and moving towards a human-centric vision of personal data. We believe they are the conditions for a just, sustainable and prosperous digital society whose foundations are:
Trust and confidence, that rest on balanced and fair relationships between people, as well as between people and organisations;
Self-determination, that is achieved, not only by legal protection, but also by proactive actions to share the power of data with individuals;
Maximising the collective benefits of personal data, by fairly sharing them between organisations, individuals and society.
1. MYDATA SHIFTS: WHAT NEEDS TO CHANGE
Our overriding goal is to empower individuals to use their personal data to their own ends, and to securely share them under their own terms. We will apply and practice this human-centric approach to our own services, and we will build tools and share knowledge to help others do the same.
1.1. FROM FORMAL TO ACTIONABLE RIGHTS
In many countries, individuals have enjoyed legal data protection for decades, yet their rights have remained mostly formal: little known, hard to enforce, and often obscured by corporate practices. We want true transparency and truly informed consent to become the new normal for when people and organisations interact. We intend access and redress, portability, and the right to be forgotten, to become “one-click rights”: rights that are as simple and efficient to use as today’s and tomorrow’s best online services.
1.2. FROM DATA PROTECTION TO DATA EMPOWERMENT
Data protection regulation and corporate ethics codes are designed to protect people from abuse and misuse of their personal data by organisations. While these will remain necessary, we intend to change common practices towards a situation where individuals are both protected and empowered to use the data that organisations hold about them. Examples of such uses include simplifying administrative paperwork, processing data from multiple sources to improve one’s self-knowledge, personalised AI assistants, decision-making, and data sharing under the individual’s own terms.
1.3. FROM CLOSED TO OPEN ECOSYSTEMS
Today’s data economy creates network effects favoring a few platforms able to collect and process the largest masses of personal data. These platforms are locking up markets, not just for their competitors, but also for most businesses who risk losing direct access to their customers. By letting individuals control what happens to their data, we intend to create a truly free flow of data – freely decided by individuals, free from global choke points – and to create balance, fairness, diversity and competition in the digital economy.
2. MYDATA ROLES: WHO DOES WHAT
Please note: “Roles” are not “Actors” an individual or organisation may fulfill one or more roles at once.
An individual that manages the use of their own personal data, for their own purposes, and maintains relationships with other individuals, services or organisations.
A data source collects and processes personal data which the other roles (including Persons) may wish to access and use.
DATA USING SERVICE
A data using service can be authorised to fetch and use personal data from one or more data sources.
PERSONAL DATA OPERATOR
A Personal Data Operator enables individuals to securely access, manage and use their personal data, as well as to control the flow of personal data with, and between, data sources and data using services. Individuals can be their own operator. In other cases, operators are not using the information itself, but enabling connectivity and secure sharing of data between the other roles in the ecosystem.
3. MYDATA PRINCIPLES: WHAT WE WANT TO ACHIEVE
In order to produce the shifts that are needed for a human-centric approach to personal data, we commit to working towards and advocating the following principles:
3.1 HUMAN-CENTRIC CONTROL OF PERSONAL DATA
Individuals should be empowered actors in the management of their personal lives both online and offline. They should be provided with the practical means to understand and effectively control who has access to data about them and how it is used and shared.
We want privacy, data security and data minimisation to become standard practice in the design of applications. We want organisations to enable individuals to understand privacy policies and how to activate them. We want individuals to be empowered to give, deny or revoke their consent to share data based on a clear understanding of why, how and for how long their data will be used. Ultimately, we want the terms and conditions for using personal data to become negotiable in a fair way between individuals and organisations.
3.2 INDIVIDUAL AS THE POINT OF INTEGRATION
The value of personal data grows exponentially with their diversity; however, so does the threat to privacy. This contradiction can be solved if individuals become the “hubs” where, or through which cross-referencing of personal data happens.
By making it possible for individuals to have a 360-degree view of their data and act as their “point of integration”, we want to enable a new generation of tools and services that provide deep personalisation and create new data-based knowledge, without compromising privacy nor adding to the amount of personal data in circulation.
3.3 INDIVIDUAL EMPOWERMENT
In a data-driven society, as in any society, individuals should not just be seen as customers or users of pre-defined services and applications. They should be considered free and autonomous agents, capable of setting and pursuing their own goals. They should have agency and initiative.
We want individuals to be able to securely manage their personal data in their own preferred way. We intend to help individuals have the tools, skills and assistance to transform their personal data into useful information, knowledge and autonomous decision-making. We believe that these are the preconditions for fair and beneficial data-based relationships.
3.4 PORTABILITY: ACCESS AND RE-USE
The portability of personal data, that allows individuals to obtain and reuse their personal data for their own purposes and across different services, is the key to make the shift from data in closed silos to data which become reusable resources. Data portability should not be merely a legal right, but combined with practical means.
We want to empower individuals to effectively port their personal data, both by downloading it to their personal devices, and by transmitting it to other services. We intend to help Data Sources make these data available securely and easily, in a structured, commonly-used and machine-readable format. This applies to all personal data regardless of the legal basis (contract, consent, legitimate interest, etc.) of data collection, with possible exceptions for enriched data.
3.5 TRANSPARENCY AND ACCOUNTABILITY
Organisations that use a person’s data should say what they do with them and why, and should do what they say. They should take responsibility for intended, as well as unintended, consequences of holding and using personal data, including, but not limited to, security incidents, and allow individuals to call them out on this responsibility.
We want to make sure that privacy terms and policies reflect reality, in ways that allow people to make informed choices beforehand and can be verified during and after operations. We want to allow individuals to understand how and why decisions based on their data are made. We want to create easy to use and safe channels for individuals to see and control what happens to their data, to alert them of possible issues, and to challenge algorithm-based decisions.
The purpose of interoperability is to decrease friction in the data flow from data sources to data using services, while eliminating the possibilities of data lock-in. It should be achieved by continuously driving towards common business practices and technical standards.
In order to maximise the positive effects of open ecosystems, we will continuously work towards interoperability of data, open APIs, protocols, applications and infrastructure, so that all personal data are portable and reusable, without losing user control. We will build upon commonly accepted standards, ontologies, libraries and schemas, or help develop new ones if necessary.
4. ACTIONS: WHAT SHOULD HAPPEN NOW
Sign the Declaration, as an individual and/or as an organisation. This Declaration is written in the future tense: if your organisation isn’t quite there, but is committed to moving into this direction, it should still sign it!
Comment on the Declaration. This Declaration will evolve over time, based on your ideas and practical experience. There will be an initial review after 6 months.
Use the Declaration to further your own projects and intentions. Base your trust framework, or your terms of services, on it. Use it to lobby and convince clients, partners, stakeholders etc.
This Declaration of Principles draws upon many sources of inspiration, the most significant ones being:
The MyData Principles (Open Knowledge Finland)
The MesInfos Self Data Charter (Fing)
The Project VRM Principles (Project VRM)
The ODI data sharing principles (Open Data Institute)
The Personal Data Ecosystem Roles & Definitions (PDEC)