My Data has conceptually a strong link with data protection as many types of data concerning people, such as health data involve personal data. Data protection laws and regulations are intended to control how personal data is used and thus are about safeguarding our right to privacy, which is enshrined in for instance in Article 8, ‘Right to respect for private and family life’, of the European Convention on Human Rights (ECHR). So, use of “information relating to an identified or identifiable natural person” which is presently included in the Data Protection Directive, is controlled under European data protection legislation to guarantee the protection of a right to protection against the unauthorized collection and use of personal data.
Personal data – among other data – has also become a valuable asset giving for instance companies insights into how people use services and thus being able to better understand how to tailor services to users but also how to target advertising to users of seemingly free services where people are typically granted access at zero monetary cost and users instead pay with the information they provide.
My Data principles require that each individual should be able to access data concerning him or her as well as to be able to determine who then has access to that data. In Finland, for example, one My Data initiative has been the Taltioni Health Account which aims to allow people to store their health data in one location. Data can be accessed and updated by different providers of health and well-being services while each individual retains control to their data and gains an overall view to their health based on data
At the EU level, data protection legislation has been reformed by introducing the new, General Data Protection Regulation (GDPR) which replaces the Data Protection Directive already from 1995. The GDPR is set to take effect in 2018. The GDPR introduces the right to data portability, i.e. that each individual should be able to access data concerning him or her in a way that also enables them to make further use of that data in a meaningful way:
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…”:
In practice this means that for instance users of an online service should be able to access his or her personal data. However, for this legal framework to have practical effect, effective exercise of this right to data portability should also make it possible to transfer such data to another service, and this requires APIs, and data interoperability so that interfacing systems can exchange information also in practice. This in turn requires different industries to be able to establish common standards to facilitate this kind of interoperability.
Moreover, the ’right to be forgotten’ has been established by the Court of Justice of the European Union in 2014 and subsequently introduced into European data protection legislation as part of the GDPR. Article 17 (Right to erasure) of the GDPR provides that the data subject has the right to request erasure, such as delisting search results, of personal data related to him on any one of a number of grounds including non-compliance with article 6.1 (Lawfulness of processing) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. In practice this could mean that for instance data which is either no longer relevant or is excessive should be erased.
At the moment, there are quite many open question about the actual effects of the implementation of the GDPR. While the GDPR provides a legal framework that supports the My Data approach to personal data, it should be secured that the My Data approach in the management and utilization of personal data could be achieved in a way that is supportive to the interests of all stakeholders affected by those processing activities. The progress of Taltioni and other My Data initiatives requires industry-wide cooperation, as discussed below e.g. regarding adopting common standards, as well as demand from consumer side meaning that people are willing to take control of data concerning them.
Lexia / Petteri Günther, Senior Associate, Attorney at Law and Markus Myhrberg, Partner, Attorney at Law