In early 2016, after four years of researching the ‘return of personal data to individuals’, we launched the MesInfos pilot with a clear goal in mind: move Self Data to the ‘next level’. Why, after many years of exploration and experimentation, did we feel it was time to change gears?
We had three reasons.
● We felt that the situation (people’s increasing distrust toward organizations – especially regarding the ways organizations use their personal data; the total asymmetry between them in terms of data access and processing capabilities, etc.) could not be allowed to last, and that the time had come to imagine a more sustainable economy and, above all, a desirable society.
● We saw that a change was taking place: there was an ecosystem of services and platforms emerging around personal data (personal clouds, so-called ‘VRM’ services. etc.); more and more conferences were being held on the subject; we were having fruitful discussions with companies who shared our interest in conducting experiments or even creating strategies around Self Data; the European laws regulating personal data protection were evolving, the GDPR was passed, etc.
● Finally, after four years of work with partners and collaborators – some of whom have been exploring the subject with us from the beginning – we knew that if we wanted to learn more about the future of Self Data (and its implications from a technical, organisational standpoint, as well as the uses we might find and the value it could offer to individuals, etc.), we had to move from theory into experimentation, and we launched this ambitious pilot project.
The format we chose for this pilot was already – partially – tested in 2013 during a short, preliminary experiment using modest technologies (at that time we focused on data file transfer rather than developing an API to transfer data, for example). The goal of the present pilot was to get several large data-holding organizations around the same table and encourage them to return the data they hold to several thousand of their customers or volunteer test subjects (versus the 300 participants we had during the first experiment). To do this, it was necessary for potential testers to have dedicated tools that would enable them to receive, view, understand, store and reuse data with new third-party services (This is what we have termed ‘Self Data’). To give shape to this vision, we chose to collaborate with French personal cloud startup Cozy Cloud. Finally, since we wanted to broaden our knowledge of personal data use and value, we put together a team of researchers from various disciplines (sociology, marketing, ergonomics, etc.).
A little more than a year after the launch of the pilot, what assessment can we make of it? It’s difficult to talk about our conclusions, considering that we are still in the middle of things. However, we have already learned a lot, especially about the challenges and difficulties inherent in personal data restitution by organisations. Much remains to be learned, as the majority of our pilot testers are not yet officially invested. So what happened during that first year?
An in-depth study on making data available. Identifying appropriate data, setting up restitution procedures – which meant developing APIs, or relying on existing APIs – and documenting technology development efforts to make them ‘reusable by third parties’ was quite a long and involved process itself. But working on data restitution also means working on an overall framework (legal and technical), clarifying responsibilities in the data transfer chain and assuaging the concerns of data holders about making data available on the platform – especially in terms of security. Although holders are no longer responsible for the data once it is in the hands of individual testers (on their personal cloud) who can theoretically do what they want with it, restitution is still a jump into the unknown for organizations that have only just discovered Self Data. The ‘data’ area of the project is complex, and it took nearly 6 months to bear fruit.
Getting from use cases to service prototypes proved to be a challenge. One of the pilot’s goals is to create use cases and Self Data services that testers can experiment with from their Cozy. This is perhaps one of the most complex aspects of the pilot, for reasons that we had already identified during the first experiment. There is the difficulty of attracting startups and entrepreneurs to an emerging market, especially on a new platform (Cozy in this case), the complexity of finding ways to approach a new subject and the quite limited scope of data being given back, which made it difficult to uncover rich cross-data use cases . . . Even though the work started about a year ago (producing about ten prototyped services), these complexities continue to be major obstacles that we still need to overcome. Remember: the Self Data ecosystem – beyond the pilot, in France and internationally – is still in its infancy.
How were we to present not only personal data, but also this new ‘personal cloud’ space? Data visualization and personal clouds are familiar concepts for technophiles, but are alien to most people. Framing new concepts is always a challenge: how to make Self Data and personal clouds intelligible, appropriate and easy to use (among other things)? Cozy had to evolve its interface radically for it to be able to address the pilot’s wider audience.
The evolution of the regulatory context: a green light – and a red one
The MesInfos pilot was conceived from the outset as a collective project (explicitly involving partners in major decisions and project management) because Self Data development must necessarily be grounded in a wider ecosystem of data holders, personal data platforms, third-party services and individuals. We spent time reflecting on the evolution of this international ecosystem, the longer-term development prospects of Self Data, what should/could MesInfos become as of 2018 …
All this was taking place within a shifting legal landscape, given that the (newly-passed) GDPR signaled major regulatory changes in terms of personal data, including granting individuals the right to data portability. The scope and limitations of this right were the subjects of intense debate between the autumn of 2016 and the spring of 2017. Article 29 of the GDPR has since provided a set of guidelines specifying data scope, data types and possible modalities of application. Article 29 has thus been the subject of many – sometimes paradoxical – debates between the actors involved in the MesInfos pilot, and more generally in the Self Data community. Should the scope of the data handed back and the data restitution process in the pilot be the same as defined by the right to portabiity? Does testing things in the pilot necessarily mean that organizations will have to implement these changes more broadly on long-term (after the pilot)? How can we immediately get started on data portability modalities beyond the sample of 3,000? After all, in 2018, the right to portability will apply to all European citizens!
To keep the MesInfos pilot on track, we launched a separate study that focuses exclusively on compliance with the right to portability legislation (how to support organizations implementing compliance measures and ensure that personal data offers value that can be shared equally by organizations and individuals?). The Rainbow Button project was born, and is advancing in parallel with the MesInfos pilot. While the MesInfos pilot aims to test, learn about and implement Self Data in a sandbox environment, the Rainbow Button project seeks to identify the specifications for a common framework (UX, technical, legal …) to guide compliance with EU portability legislation that takes effect in May of 2018. The MesInfos pilot and the Rainbow Button study are complementary and mutually beneficial. This work has taken a long time to mature, but is now truly beginning to take shape.
We set the bar very high. None of these projects is fully completed – much work remains to be done, especially on the service prototypes. The next few months will also be time for feedback, research, teaching, documentation and formalisation. Having discussed our experiences with other actors in the international Self Data ecosystem (MyData in Scandinavia and Europe, VRM elsewhere), we have come to realise just how unique and exciting the MesInfos pilot continues to be. That shift to the ‘next level’ will depend on how the personal data ecosystem takes shape beyond the MesInfos pilot, and on the long-term commitment of data holders. In this, the newly-legislated right to portability may very well help Self Data, and open the door to a whole new market, if everyone plays the game.