Data ownership: Time to start reading those T&Cs

null

In the run-up to GDPR, the attention of businesses has understandably been focused on issues of data privacy and the rights of the consumer, including the ‘right to be forgotten’.   Article 17, the Right to erasure or 'right to be forgotten', states “the data subject shall have  the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”. For companies that store information on behalf of their customers, it basically means the customer wants to ‘close their account’ and not allow the vendor to keep anything on file pertaining to them.   

As the development of the Internet of Things (IoT) gathers pace, a new area of focus will emerge centre stage: ‘data ownership’. As the growing processing power of the latest technology continues to transform data into an ever-more valuable resource, the question of who owns data is becoming an increasingly thorny and complex one. For example, if you use a fitness app to track your running or cycling workout, such as a Strava, do you really own all the data about your exercise? 

Today, we see an ever-growing list of use cases where the issue of data ownership is a very important one but also one where the complexities are such that it is very difficult to reach a conclusive answer. One of the most contentious of these areas is around predictive maintenance in the transport industry.   

The latest advances in IoT and device monitoring allow car, aircraft, train manufacturers, and so on, to install and monitor various mechanical systems through sensors within the machines that they build. The rationale is that by doing that they will be able to keep downtime to a minimum by monitoring sensors to predict likely maintenance cycles; taking the machine offline; scheduling its repair and then quickly getting back online again.   

This reduction in unplanned downtime brings extensive benefits to the airline of course. The whole process does, however, raise some serious concerns around the issue of data ownership. The airline feels that they own the data because they purchased the plane. However, the manufacturer of the parts may also feel it has a claim to ownership. It may be that as part of the terms and conditions of the contracts that were signed they retain the rights to all the information across all the planes they have created parts for.    

That becomes an especially thorny issue when parts manufacturers look to use their expertise to get into maintenance services and build it into a multimillion pound business.  Their claim to ownership of the data is, of course, critical to their success in this undertaking.  The issue comes if their customer, for example the airline itself, asserts its claim to data ownership and uses that to set up its own branded maintenance company. There then becomes a conflict of interests, the airline could even start to compete with the service provider by offering a maintenance service to other airlines.   

Connected cars, of course, is another area rife with data ownership issues. The EU’s eCall directive requires all new cars be equipped with eCall technology from April 2018. In the event of a serious accident, eCall automatically dials 112 - Europe's single emergency number.   

It’s a great example of how digital technology can be applied to help save people’s lives. But what if your car was always transmitting a continuous stream of data about your location and behaviour to the dealership at which the car was bought? What if that data was then shared with third parties including insurance companies?  And what if your premium was upped as a result, with the insurance company using it as a justification that it has analysed the available data and come to the conclusion that you are a high-risk driver with a tendency to speed in built-up areas? It is not an altogether fanciful projection of what might happen in the future. After all, the technology needed to deliver this is pretty much in place already.   

There is a host of other examples where disputes over data ownership could potentially raise even more complex issues. Take healthcare, for instance. New areas of research are increasingly looking to deploy nano-technology machines into the human body. They have a monitoring capability and a failure rate like any other machine. The benefit of such machines being connected is clear. If the machine detects an anomaly, medical teams can be alerted and quickly send paramedics in a bid to save the patient’s life.    

Once again, the question of data ownership and right of use is increasingly more contentious. Ultimately who owns this data – is it the patient, the medics that fitted it in the first place, the manufacturer of the device, what about the insurance underwriter of the manufacturer, or even the patient’s health insurance company?   

So far, it has mainly been manufacturers that have asserted a claim to it. But because they underwrite the devices, insurers may feel that they have a claim. After all, if a specific brand of car braking equipment starts to fail and they start getting multiple claims, an insurer with access to the relevant data would be better placed to tell the manufacturer, for example: “you said only one in ten thousand of these machines would ever fail but based on five year’s worth of data that is patently untrue.”   If this is true for planes, trains and automobiles, then it’s equally true for devices that we wear or inserted into our bodies.

People who use Fitbits regularly might also be advised to give some thought to data ownership issues. A health insurance company with access to that information could potentially analyse a customer’s activity levels through the data held on a Fitbit device and decide to raise insurance levels as a result.   

So, what can consumers do to protect themselves and navigate safely through what is an increasingly complex data ownership landscape? Individuals certainly need to be clearer about the terms and conditions they have signed up to and whether they have ticked the opt-in box, not least because this opt-in clause may have profound implications for themselves and their data in the future.     

GDPR certainly takes some steps in the right direction here by banning the usage of “pre-ticked opt-in boxes” as a valid way of gaining an individual's consent. However, anybody who wants to avoid contentious data ownership issues in the future will be well advised to ask themselves when they buy that new connected car or purchase their next Fitbit: have I checked through all the necessary terms and conditions? Do I really understand what I’m opting into? 

Much of the debate we have seen so far around GDPR has been on the themes of data security and data privacy. These are key areas of course but as the data-driven age progresses, businesses and individual consumers alike will come to realise that the complex issue of data ownership is at least as important if not even more so.   

Ciaran Dynes,  SVP of Products for Talend 

Image Credit: Stux / Pixabay