It has been a few months since I've written about data privacy, but it's not out of lack of interest or because it's not important. Neither is true. It's that, the more I think about it, the more I wonder if we even understand the real issues.
There has been a lot happening with controlling our own data. In Europe, for example, GDPR was put into place in May 2018. Is is one of the broadest attempts to restrict what data is collected about us and how it is used, but it doesn't fundamentally change who is collecting and using our data.
Some are going further. Hu-manity.co, for example, has asserted ownership of our data as the "31st human right," declaring: "Everyone has the right to legal ownership of their inherent human data as property."
The concept of data as property, and the corollary that we have the unique right to own that property, is a novel one that flies against the industries that have grown up around using us as the product. Co-founder and CEO Richie Etwaru told TechCrunch: "We’re starting with the idea that your data is your digital property, and we are allowing you to have the equivalent of a title, like you have for your car."
They've got a nifty app -- #My31 -- that uses smart contracts on blockchain to help manage this property, and are partnering with IBM's Blockchain Platform to achieve this. Health data is one of their first areas of focus, in part because there are clear customers for such data; they estimate an individual's health data alone might be worth $200 - $400.
Then there is Health Wizz. As reported by FierceHealthcare, they want to help consumers collect their health information in a "central, virtual depository," then be able to sell it to interested buyers like pharmaceutical companies. They also use a blockchain approach to manage the data and any payments.
Health Wizz will screen buyers, to help ensure that consumers know exactly how their data will be used, although consumers can sell it off-platform too. People will have to be careful about who has their health data because protections like HIPAA primarily apply to health providers and health plans -- not, for example, to Facebook or Google.
In the interests of time, I won't go into other (blockchain-based) patient-controlled health data approaches like Citizen Health, Gem, HealthBank, Iryo, Patientory, Timicoin, or YouBase, any one of which deserves its own discussion. Clearly, there is something happening here.
Some are skeptical about consumers taking control of their own data. For example, Niam Yaraghi, a Fellow at Brookings, argues that data from an individual "has very limited value before processing. It is the aggregation, merging, and analyses of such data that creates value." I.e., a lot of little data is needed before Big Data can produce value.
Moreover, he adds, "even if one could successfully assess the fair value of patients’ data, distributing the fair share of profits to patients would require a sophisticated tracking and accounting system," which would eat into any profits that might be shared with those individuals.
Let's assume, though, that my data is my property, that I control it, and even that there are entities which would pay me for it. The question I have is: what is "my" data?
Many would think about, say, the data gathered at physician visits or hospital stays. It might include my vitals, my prescriptions, my diagnoses/symptoms, lab values, and any procedures or tests. Those feel like data that are "mine," as they are about my health.
But they are also about the healthcare provider(s) who were involved. The data is a record of things they've done, things they've observed, things they've recommended. That's why healthcare providers feel such a sense of ownership about them, and why this kind of data is used in medical reviews and/or malpractice suits. The providers aren't going to give up their "ownership" without a fight.
Or take data gathered by a wearable, including smartphones. Yes, it is a record about me, but is also a record of what the wearable was doing, and potentially how well it did that. The manufacturer might argue that it has a "right" to that data as well, such as to ensure proper operation.
Similarly, when I buy something on Amazon, Amazon, any third party vendors, and my credit card company all view that transaction as data involving them, to which they should have rights, if only as a business record.
Even a uniquely personal data like my DNA is not solely my own, now that "familial" DNA can be used to identify relatives, such as ones involved in a crime. Yes, it's data about me, but it is also data that is also about others related to me.
So what data, exactly, belongs solely to me? If I want to collect and potentially sell it, who has competing interests to it that need to be considered?
There is no question that many privacy laws are woefully outdated, especially HIPAA. Most were engaged in a pre-Internet, pre-smartphone, pre-IoT, pre-Big Data time. All those need to be considered in any updates to those laws. GDPR is probably about as good as we have, but even it makes assumptions that I'm not sure are entirely valid.
Data may be less like a piece of physical property than it is like the atmosphere. I live in it, I partake of it, and I contribute to it, but it's hard to really say what piece of it is "mine."
I don't have any answers to these issues, and I wish all these data start-ups success, but I suspect we're going to need a 21st century re-conceptualization of "data" before we can really come to grips with ownership of it.
No comments:
Post a Comment