What does it mean: users in full control over their data?

In the domain of personal data management, it has become fashionable to use phrases such as ‘full user control’[1]?and ‘user-controlled’[2]. But what does it actually mean: users in full control over their data?

Concept

Conceptually, to ‘control’ something means to “exercise restraining or directing influence over”[3]?it. Thus, users being in full control over their data equals users exercising exclusive restraining or directing influence over their data. In other words, the user — and the user only — decides who knows what about them within what context.

This concept of users in full control over their data translates into two premises. Firstly, only the user decides who has access to their data — and can revoke this access at any time. Secondly, the user has a full overview of all instances of access granted by them.

The premises lead to a string of practical consequences that will be discussed below.

First consequence: originals only

The first consequence is that when it comes to user data only originals — and no copies — are to exist. While this sounds radical, it is the consequence of the user being the only decision-maker on who has access to their data.

Let’s assume a situation in which copies would exist outside the realm of the user. In this situation, others would control access to these copies. As a result, users would have to rely on the goodwill of these others to ensure that access to the copies is being granted according to the users’ decisions only. Since there never is an ironclad guarantee that others do exactly what they should do, users would not be in full control over their data; the control would be shared.

Now let’s assume a situation in which users would have full control over copies of their data but the originals would be located outside of their realm. In this case, others control access to these originals. As was the case in the first situation, users would have to rely on the goodwill of these others to ensure that access to the originals is granted according to the user’s decisions only. Again, the user would not be in full control.

What would happen if the user would be in full control over originals as well as over copies? In this case, copies are redundant since the user already has full control over the originals. The user naturally could decide to send copies to others but this would mean giving up their full control.

Only in a situation in which originals exist (and no copies) and the user decides exclusively who has access to these originals, the user is in full control. This means that no databases containing data are to exist independent of the users whose data are stored in them. Organizations responsible for user data such as personal data would somehow have to cooperate with the users and together with them manage the originals in such a fashion that the user is in full control of who has access to the data.

While this might seem to be an unsurmountable requirement, the solution is surprisingly simple: users would need to have their own data vaults in which organizations responsible for their data store these data. Within this constellation, the organizations would have the exclusive right to add, edit, and delete data for which they are responsible (think for instance telephone numbers by telcos) while the user has the exclusive right to disclose these data by means of granting revocable access.

Second consequence: independent personal data spaces

While stand-alone data are important, combined they may lead to major insights that might inspire actions that benefit the user. When data are subjected to business rules, automation of otherwise cumbersome processes becomes possible, thus making the user’s life easier. But, in order to achieve these outcomes, external services would need to import user data.

This is the next challenge. If users are to be in full control, they cannot export copies of data to services for processing, even if only temporarily. Somehow services need to find a way to handle data without extracting these to their realm.

A solution to this challenge is to add a separate, independent personal data space (PDS) to the data vault. Whereas the vault concerns data only, the PDS is the space in which services perform their computations based on these data. The resulting output then becomes new data in the vault. The user decides who has access to this output.

There are a few prerequisites to make this solution work. Firstly, it is the exclusive opt-in decision of the user whether or not to use a PDS and in-PDS services. Secondly, the integrity of the in-PDS services is vouched for by the service providers and audited by external third parties. Thirdly, the integrity of the data used as input for in-PDS service computing is vouched for by the data sources — either by organizations responsible for the data or, in the case of user-generated data, by the user — and audited by external third parties. Fourthly, the data needed as input for in-PDS services computing is inaccessible to the PDS suppliers and the service providers (as well as the vault suppliers).

Third consequence: no monopolies

The third consequence is that users may be dependent on monopolist organizations to store data for which these organizations are responsible in their digital vaults. Being dependent on monopolists would mean that these organizations could force users to comply with restrictive terms of use of the data that are stored. This would severely limit the control of the user.

A federative system needs to be in place in which multiple providers of personal data simultaneously store data in the user vaults. The resulting data redundancy empowers the position of the user and weakens the position of the potentially abusive monopolists.

What holds true for personal data suppliers holds good for technical suppliers too. Not one supplier is to be responsible for all components of the vault. And, for different components of the vault, multiple suppliers should be available.

A good way to prevent technical suppliers from overreaching is to carve the vault up into fully independent components — identity, authorization, and storage — without any central server component that could be used to exercise influence. The components are to be compatible with many suppliers in order to minimalize supplier leverage. In addition, to avoid storage supplier influence, storage is to be distributed.

Also, the application that ties the fully independent components together and provides them as data vaults to users, may not be a monopolist in order to avoid this application being in a position to impose restrictions on its users. Therefore, users must have a choice to migrate their original data to other vault applications. This means that multiple vault applications must exist and that the vault applications must be interoperable.

Staying on the topic of vault applications, they may not have the capabilities to interfere with their users’ data. While they enable the rights of the organizations responsible for data and the rights of the user, they may not have any of these rights for themselves. Ideally, the applications should be unaware of who is a user, who is a data supplier, and what data are stored and disclosed. To ensure that users do not have to take the vault application administrators’ and managers’ word for it, the vault applications are to be open source.

Similar preconditions apply to PDS suppliers: the suppliers should be unaware of who is the user, who is an in-PDS service provider, what data are used as service input, and what the outcomes are of the in-PDS computing process. PDSs are to be open source too for reasons of transparency and accountability.

Fourth consequence: users as owners

The fourth consequence of users being in full control of their data is that it can’t be allowed that the application that provides vaults could in the future turn against its users and starts to demand rights that undermine users’ control.

One solution to this challenge is the already stipulated existence of multiple vault applications so that users can vote with their feet and migrate their data to another application. Another solution is to make users themselves the owners of the vault application so that they are in full control.

The solution of having users in full control of the vault application also provides an answer to the next challenge: data requesting third parties forcing individual users into granting views to personal data, or forcing them into granting views to far more personal data than the users themselves would want or would be sufficient under the principle of data minimalization. The reason that these third parties could do this, is that they represent a sizeable might, especially when confronted with atomized individual users.

Users in control of their own vault application can form a far more effective resistance to the might of third parties than individual users could. This means that the collective of users is to act as a kind of user interest group, defending the user’s right to be in full control.

Fifth consequence: full overview

While the first four consequences have dealt with the first aspect of the user being in full control — only the user decides who has access to their data and can revoke this access at any time — the fifth consequence deals with the second aspect: the user has a full overview of all instances of access granted by them.

The solution to this challenge is obvious: the vault application must include a functionality allowing its individual users to have a full overview of all instances of access granted by them. It also needs a log register of all views that third parties have actually had on the user’s data.

Summary

Summarizing the above, this is what it ideally takes to enable users — and the users only — to be in full control of their data:

· Data exists as originals only — no copies are allowed;

· The data originals are stored in personal vaults in which multiple organizations responsible for these data write these data — having the sole right to add, edit, and delete — while users have the sole right to grant revocable view rights to third parties;

· Separate, independent personal data spaces (PDS) are to be available opt-in to users to allow for in-PDS service computing processes. The resulting output then becomes new data in the vault. The user decides who has access to this output;

· The vault consists of fully independent supplier-agnostic components — identity, authorization, and storage — without any central server components; storage, in addition, is to be distributed;

· There are to be multiple, interoperable suppliers of vault applications that tie the fully independent components together;

· The vault applications are to be unaware of who is a user, who is a supplier, and what data are stored; the PDS suppliers are to be unaware of who is the user, who is an in-PDS service provider, what data are used as service input, and what the outcomes are of the in-PDS computing process;

· The vault applications and PDSs are to be open source for reasons of transparency and accountability;

· The users of the vault application are to be the owners of the application;

· The vault applications must include a functionality allowing its individual users to have a full overview of all instances of access granted by them and a log of all views.

[1]?F.i. COM (2021) 281: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity, Legislative financial statement, 1.4.2; 1.4.3?https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0281

[2]?F.i. COM (2021) 281: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity, Recital (3)?https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0281

[3]?Merriam-Webster dictionary