This blogpost is a comment based on the recent release of HATDeX briefing paper that articulates the HAT technical provisioning solution for corporations and its commercial model. You can read the paper here. As Chief Economist of HATDeX, I am part of the team that designed the solution. However, I feel it was important to articulate some of my thoughts around its legal implications as it also has economic implications on the ecosystem.
Research has shown that ‘ownership’ of personal data is a rather nebulous, hard to grasp concept. Cases such as Google v perfect 10 and Apple v FBI imply that it is hard to draw the boundary on who actually ‘owns’ what data, particularly when it moves around various public and private spaces on the Internet, and gets used by different entities for different purposes. Since data is bits and bytes of digital information that can disappear and appear, any talk of ownership doesn’t really make sense. Instead, most discussions on data involve rights; who has what rights over what data and where.
This is true of personal data as well, because even if the data is about an individual, it is often created and collected by the firm that owns the technology (e.g. a supermarket collecting data about your purchases, or Google). So personal data, in essence, is co-created. However, to date, firms have more rights over the data than individuals themselves. Many feel that it is time to rebalance this systemically, both through enabling technology and through the law.
Learning from various case laws, the HAT takes a stand on personal data, on behalf of individuals, in four ways:
(1) RIGHT TO ACQUIRE: Individuals have the legal right, due to various national freedom of information acts, to access their own data held on other internet services, and to acquire it for their own use. The HAT supports and enables the exercise of this right by creating universal data plugs that allows users to pull in their data into their HAT, if they are available.
(2) RIGHT TO USE ACQUIRED DATA: Individuals should be enabled not only to acquire the data, but also to store and use it for themselves (and collectively for the public good) through “transformative work” i.e., it alters the original work “with new expression, meaning, or message.” (See Google v perfect 10). We take this mean that individuals could recombine personal data in different ways, view it, use it and even sell it for a profit if they choose to. The HAT enables this through Rumpel, the HAT hyperdata browser.
(3) RIGHT TO GRANT RIGHTS: Rather than ‘ownership’ rights, we talk of “custodial” rights, notably the right to give rights, which is a sort of ‘super’ right. In the physical world, custodial rights normally belong to the owner of a property, who has the right to grant rights of access, rights of use, etc. In the digital world, it works slightly differently since there is no clear owner of the data. Our approach is to enable individuals who obtain a HAT to enter into a contract with the HAT Platform Provider (HPP), under which the individual gets custodial rights to all data that is brought into his or her HAT. We believe this is similar to the way Apple awards full ‘custodial’ rights of an individual’s personal data on their iPhone to that individuals. The HAT enshrines this within the End user license agreement between the HPP and the HAT user and regulates this through HPP certification.
(4) RIGHT TO PRIVACY AND SECURITY: HPPs therefore have the right to preserve their business of giving HATs that are secure and private to individuals (the way Apple does) and have the right to resist any attempt by parties to access the personal data since it involves reputational risk, and would also have the right to encrypt HATs to build trust and reputation so that the HPPS themselves have no access to the personal data of the individuals.
To operationalise these rights, we have to build the HAT in such a way that it is clear that the HAT epitomises individuals themselves, and is not just an account of the service provider; in asking for permissions to access or use HAT data, it is the individual that gives the permission, and not the HAT technology provider. For example, if the government wishes to access your emails, it is your email provider that gives access, because an email user is technically an account, a record on the provider’s database, and the provider has full rights to that database. We were clear from the outset that the HAT technical solution must not be the same. We therefore have to build the technical solution such that:
- Legally, in terms of the agreement with the HPP, individuals have full custodial rights over their own data on the HAT; and
- Technically, it is absolutely clear what data is at rest, in transit into and out of the HAT, so that it is obvious what data is shared, publicly or privately, for HAT services such as Rumpel (hyperdata browser) and Marketsquare (community space for HATs) and other HAT applications.
The HAT technical solution reflects this commitment (see the technical solution briefing paper here that describes how this is operationalised). First, by giving individuals a HAT where data is at rest in a container that has clear boundaries, we are able to allow a HPP to both technically and legally award custodial rights of HAT data to the individual. Second, the fact that data only enters and leaves HATs through APIs (data debits going out and data plugs coming in with full permission and control of the individual) means that it is also clearer what data exists and when data is in transit, is private, public or shared.
Our HAT solution aims to reduce ambiguity of personal data rights and to empower individuals, while ensuring privacy even from their own HAT platform provider. Whether or not it is robust enough to withstand various challenges will be down to future case laws. Right now, we are keen to get down to the real mission of the HAT – to create greater value and use of personal data for individuals, companies and society as a whole.