BIS Adds Pressure on Big Tech to Give Data Control to Consumers

BIS

The Bank for International Settlements (BIS), the world’s main central bank umbrella group, published a report on Thursday (May 5) proposing new data governance frameworks that would allow individuals and firms to get more control over the data collected on them by Big Tech firms and banks.

Technological developments over the last two decades have led to an explosion in the availability of data and their processing, and according to the report, while most countries already have some laws around data use, most individuals still are not aware of what is at stake, or their rights over their data.

The authors of the report suggest that authorities should adopt new data governance systems to “level the playing field between data subjects and data controllers.” Some of the recommendations include that firms should be required to get clearer consent to collect data (for example replacing a “broad and sweeping consent with a “granular” consent), they should also better explain how the data has been used or it will be used and make it easier to be accessed by those from whom it was harvested.

Legislation around data is mostly regulated through privacy or data protection laws and the scope of these laws differ widely between countries. For instance, the European Union is used as case study as one of the countries with the most protective privacy/data laws in the world, the General Data Protection Regulation (GDPR). Alternatively, in the U.S., there is currently no federal privacy law, and only a few states are adopting comprehensive privacy laws. But even the GDPR has issues, and its enforceability is complex in certain cases.

The challenge for consumers and companies is how to exercise control over their data, because either they don’t have the rights under existing laws in their countries, or when they have, it is very difficult to do it, the report argues. Additionally, newly created data are often gathered and retained in proprietary digital platforms “data silos” and stored on these corporate platforms in incompatible formats.

The report offers a view of the standards that a new governance system should meet when data is shared between data providers and data users, how long the data should be retained and who will process the data. There are five principles or standards: purpose limitation, data minimization, retention restriction, use limitation and operational resilience.

While this report offers an overview of best practices in this space and provides some recommendations for governments to “level the playing field,” it doesn’t contain the level of detail necessary to undertake legislative changes. It rather seeks to generate debate and provide background information if a country is considering passing new data protection laws.

Read also: EU’s New Data Act May Compel US Firms To Share More Data

The European Commission is working on a comprehensive regulatory data framework. On Feb. 23 it proposed new rules to complement existing legislation governing data. The proposed Data Act is the second main legislative initiative resulting from the European strategy for data that intends to boost the EU’s leadership in the regulation of the data-driven society.

The Data Act seeks to empower consumers by giving them the option to easily take their data from one provider to another, and for small and medium-sized companies to have more power to negotiate better data-sharing contracts. While the proposed rules are not indented to limit the capacity of Big Tech companies to collect data generated in Europe, these rules may oblige them to share more data with EU firms and consumers.

The Data Act will complement the GDPR and the recently approved European Governance Data Act, which aims to increase data sharing among public institutions and companies.

Read more: EU Governance Data Act to Boost AI, Data-Sharing