Revised transcript of evidence taken before
The Select Committee on the European Union
Inquiry on
Online Platforms and the EU Digital Single Market
Evidence Session No. 14 Heard in Public Questions 137 - 145
Witnesses: Michael Ross, Josh Smith, David Alexander and Steve Wood
This is a corrected transcript of evidence taken in public and webcast on www.parliamentlive.tv. |
Members present
Lord Aberdare
Baroness Donaghy
Lord Freeman
Lord Green of Hurstpierpoint
Lord Liddle
Baroness Randerson
Lord Rees of Ludlow
Lord Wei
________________________
Michael Ross, Co-Founder and Chief Scientist, Dynamic Action, Josh Smith, Associate Researcher, CASM, Demos, David Alexander, CEO, Mydex CIC, and Steve Wood, Information Commissioner’s Office
Q137 The Chairman: Thank you very much. I am sorry that we are starting slightly late. As you will have gathered, the previous session involved those who have serious problems, concerns or complaints about their particular businesses and their relationship with online platforms.
You probably were not here when I said that this is a formal session. You will be able to see Committee members’ interests, in so far as they are relevant to the subject matter of this inquiry. Because it is formal, we will take a full note. It will be webcast live. Afterwards we will send you a copy of the transcript, which you can correct. It will therefore be a public record in several senses. We are probably all right acoustically in this room, but do not allow your voice to drop too far. The sound quality in some of these rooms is not very good.
This session is focusing to a significant extent on data and their use by online platforms. We are straying rather more widely than that as well. The ICO has already helped us once in this inquiry, but it would be useful to have a short summary of your view of the main changes in the proposed general data protection regulation and how that will work in relation to platforms, an account of the contentious points that are still outstanding and your general view on where we are going on that front, from the ICO’s point of view.
Steve Wood: Thank you. I will introduce myself again. I am Steve Wood, head of policy delivery at the Information Commissioner’s Office. I am very happy to come back and assist the Committee with these additional questions.
Just to emphasise, the general data protection regulation covers all types of data processing. It was designed to be technology-neutral, because data protection legislation in Europe has generally been revised once every 20 years. Online platforms are not explicitly mentioned in the regulation, but there was a clear policy intention from the Commission at the outset, when it published the regulation, and in statements it has made since, that it was designed to address some of the issues that have arisen because of the way online platforms collected personal data.
The first area in the regulation that is relevant to online platforms is the issue of establishment—where online platforms are established in many member states. If an online platform is established in all 28 EU member states, there is an issue of whether it will have to comply with all the different data protection laws and deal with the different data protection regulators in those member states. The idea behind the regulation is that there would be a concept called the one-stop shop, which would identify a lead data protection authority where the online platform had its main establishment. We know that that is something the online platforms have called for, as they have been dealing with a number of data protection authorities around Europe. Hopefully that will cover the issue of having to deal with different regulators in different member states, which I heard mentioned in the previous session. Where there was an issue of contention—where, perhaps, the lead data protection authority was going to take a sanction that would have an effect right across Europe—it would be fed into an overall mechanism called the European data protection board, where all the European data protection authorities would sit and decide on the measure, but it would be led by the lead data protection authority, which would be the lead regulator across Europe. That is one aspect.
The other aspect where the Commission has been clear in designing the regulation is the issue of fining. It has looked at the fining regimes available to data protection authorities at the moment. The European Parliament is proposing fines of up to €100 million and up to 5% of global turnover, so clearly a step change is anticipated. There seems to be an aim to move fines up to a level that is more comparable with competition law. That is at the highest end of potential fines that the European Parliament has proposed.
There are other areas in the text, on increased transparency and on privacy notices to individuals about how data will be used. There is a clear emphasis on plain English in the text of those privacy notices. That is something that will be relevant to online platforms. There is also the issue of consent—whether consent is explicit—which we know will be relevant.
Other elements in the text are clearly relevant. The concept of data portability is recognised explicitly in the text. Essentially, that would enhance the rights that individuals have already. Individuals already have the right to request their personal data, under existing data protection law. Data portability would give individuals the right to request those data in an open format so that they can be reused. The right to be forgotten will clearly have implications for search engines. We are already seeing some impact of that under existing law. We know already how the Google Spain case has impacted on search engines. Lastly, there is a provision in the regulation relating to profiling, which concerns the right of individuals to object to profiling of them, where that would have an impact on them.
That is a summary of a very large text, dealing with a number of different areas that might affect online platforms. I hope that I have not cantered through it too quickly. It is a summary of the key points.
We believe that the regulation is now entering the final furlong of its negotiation. The messages from Brussels at the moment are that they hope to conclude negotiations by Christmas. That appears to be challenging, but the message from all institutions is that they wish to do that deal by Christmas. That is what we have heard. I stress that the ICO is not involved in the negotiations. The Department for Culture, Media and Sport is the government department that is leading.
The Chairman: We will see them later.
Steve Wood: We are obviously aware and are observing very closely what is happening. There is a general problem of transparency of trialogues as regards what is in the public domain and what I can refer to. If you look at the text that was there at the start of the trialogue, where four columns represent all the different institutions and where the compromise will be reached, it is quite clear that there are a number of different areas that will potentially take quite a lot of negotiation. On the issue of fining, for example, there was quite a wide range of differences between the Parliament, the Commission and the Council about how high fines would be set. There were also a number of different positions around the issue of international transfers and how they should work. Recently we had the judgment of the European Court of Justice in the case of Schrems relating to the safe harbour arrangement for how data are transferred between the EU and the US. That may affect the negotiation. On international transfers, there are different positions between the institutions.
We also know that there are differences on the issue of consent, which I mentioned previously. We can see that from the trialogue text. The European Parliament and Commission favour a model of explicit consent as the single standard, whereas the Council and the Member States seem to prefer to preserve the status quo in the current directive, which sets explicit consent as the standard for sensitive personal data but not for all personal data processing. Lastly, there appear to be a number of differences about research and how it should be handled under the regulation. They relate to how important consent should be for the model when individuals’ personal data are used for research purposes, or to what extent other provisions in the regulation can enable research to happen that may not be based on consent. That is another area where there have been a number of different discussions. I hope that that assists the Committee.
The Chairman: It is a rather complicated picture.
Steve Wood: It is reaching the final stages, but clearly there are still some areas that are being discussed.
The Chairman: Do any of our other colleagues want to comment on that, or shall we move on?
David Alexander: I endorse the summary. We certainly live with it. I was in Brussels on Friday, and the GDPR[1] team was there. The fundamental issue with the digital single market is independence of the data layer and the identity layer. If the data that pertain to digital transactions are not independent of the platforms—if individuals themselves do not have the ability to move those around to different platforms, so that they can apply and share their browsing experience or their purchase history with other platforms—it makes it incredibly hard for them to find new service providers. That portability of data—not just the simple act of being able to download them from one platform but being able to use them interactively to improve their experience, competitiveness and service requirement—is a critical component. It is about portability and interoperability.
Josh Smith: I am from the Centre for the Analysis of Social Media. To pick up the point that Steve made at the end about research, we conduct social research into the impact of social media data on societies, so this is obviously an area we are particularly interested in. One thing we found is that traditional safeguards and standards for market research and social research are not always applicable to research conducted using social media data, partially because of the enormous volumes of data involved and partially because of the new methodologies and technologies that are being used to conduct the research. Those technologies are also being used by private companies. We are working to develop new safeguards and best practices for this new form of research.
The Chairman: Can we go on to Baroness Donaghy’s question, which relates to consent?
Q138 Baroness Donaghy: There has been some reference to the consent model already. What are the limitations of the current consent model of personal data protection? Will providing more transparency solve this?
Michael Ross: The question in advance talked about cookie consent. Personally, I think it has been an absolute disaster. Why is it a disaster? Virtually every consumer just clicks “Accept” when asked about being given cookies. I went to the trouble of looking at the John Lewis website. When you click on “Tell me about your cookies”, you find that they are placing about 70-plus different cookies. I am deeply expert in e-commerce, and I have no idea what half of them do.
I do two things in my life. I look at what retailers are doing with all these data, and the first thing one observes is that virtually every consumer just clicks “Accept”. The notion that this consent is informed is flawed; it is just not what consumers do. The page about cookies is one of the least viewed pages on any retailer’s website. This is not content anyone is particularly interested in. The reality is that the internet does not work without cookies. You can try, but you will have a very disappointing experience. For me, they are the haemoglobin of the online world.
On the idea that we are asking consumers to give informed consent, I honestly think that there are two types of consumers: there are the ones who understand and do not understand this world, and there are the ones who care and do not care. I would say that the vast majority of consumers are very happy with their online experience. They do not really care. They presume that retailers and other businesses are doing sensible things with their data. I understand what they are doing, and I do not care. I think that most of what is happening is pretty good for humanity. If you both understand and care, there is plenty you can do about it. You can use anonymous browsers and you can hide in a cave somewhere. The challenge is that if the law is such that you need explicit consent, you will find that every website says, “Click here to say, ‘I have read my terms and conditions’”, and everyone will click “Okay”. No one will read it. If they read it, they will not understand it. If they click “No”, the internet will stop working for them.
I will add just a couple more thoughts. We sit at the beginning of a digital industrial revolution. Both the UK and the EU have a massive opportunity, but the risk of this sort of regulation is that it will make the UK and the EU uncompetitive versus businesses that are operating outside this regulatory regime. I have a feeling when I talk to potential investors in businesses that they do not want to invest in European businesses that are using data because they are very concerned about what might happen to regulation. Again, that is a huge benefit for businesses in the US or in Asia, which are able to take investment and are operating under a different regulatory regime.
The Chairman: Does anyone else want to come in?
David Alexander: Certainly. Without a shadow of a doubt, the approach to consent is way too complicated. The average citizen cannot possibly engage with the narrative. Some of the terms and conditions and consent requirements are longer than the Declaration of Independence, as we well know. The language is too dense and too complicated. It is defined and designed to confuse and confound and to get the response that my colleague has identified.
There is also no standardised way of alerting the average human being to the consequence or risk of sharing information. I disagree very strongly that people do not care. Ignorance is the issue. If people were given a choice and were told, “If you press ‘Yes’, your data will be used to spam you, your private medical information will be shared and you will be denied insurance and access to other services. Do you want to say yes now?”, they would say no.
There is a fundamental issue with the customer experience. We have observed that the experience of consent is driven by a transaction somebody is in the middle of and that they want to complete. Human beings crave convenience and minimal effort. They are trapped halfway through a process, where they have to say yes. The cognitive skill and effort required to make a decision to say no is deliberately disguised to prevent them saying no. There is also no record of what they said yes to that is readily accessible for them to look back at or reflect on. Remember cooling-off periods in the Consumer Credit Act. You could actually have a look. You had 14 days to decide that it was not a good idea and you could go back and say, “I don’t want it”, whether it was taken up or not. The point is that once this consent is given, it is buried inside a corporate system—or it may be stuck in a Google Dashboard, which we will come to later—where you sort of said yes but did not really know why.
We need to raise the question of consent to a different level. There are broad policies that we would generally accept as human beings. I am quite happy for my bank to know where I am in order to keep me safe—to make sure that I am not in California buying weapons on my Barclaycard, which happened to me only a month ago. They blocked the transaction, correctly, and I was delighted. They did not know what my location was, but an algorithm worked out that it was probably unlikely that I was in California trying to buy a Kalashnikov or something. The bottom line is that I do not mind them using that to protect me. What I object to is when they say, “In order to provide you with a quality service, Mr Alexander, we are also going to spam you with mailshots, target you with advertising and sell your data to other people, just because you have a Visa card”. That is wrong.
There are different levels. Think of the Hippocratic oath: “Do no harm”. There is a broad set of policy that most people would be happy to set up for themselves once that said, “If it is in the normal course of servicing my insurance policy, providing me with energy or doing the everyday living of my life, such as council tax, I am happy for you to have this information”. As long as organisations were happy to comply with that basic use principle, which is about service delivery—and, if they wanted to step outside it, they had to ask—consent would be a much safer world for everybody, because of the assumption “Do no harm”.
We have alluded to the fact that most people do not worry. I think that they do not worry because they do not know. My 80 year-old mother uses comparison sites. Because she is solid, has a Good Housekeeping diary and has managed the household economy for many years, she looks at three comparison sites. She says, “Darling, I can’t possibly understand why I put exactly the same information into three comparison sites and I have five different answers. Why is that possible? If they are meant to be helping me buy a better outcome, why are they different answers?” I say, “The simple reason, mum, is that they are what are called tied houses. Their business model is that they are owned by insurance companies, so you get preference and priority”. She says, “Surely that must be wrong. Why do they not say that? Why do they not tell you that?” She thinks that it is unreasonable and unfair. She is just the average person in the street—“My son is in software”, is about all she could say—but the bottom line is that she is a consumer and does not want to pay too much. She wants to know what is going on and to understand that people are treating her fairly.
Lord Wei, earlier you asked whether there was a consumer organisation out there. There is not really. Which? was founded by the Young Foundation, and so was Mydex. We are a community interest company. Our mission is to make it possible for people to accumulate information about their lives and share it, with the appropriate consents, but not at that transactional level. Even Which? as an organisation, with the founding principles that it had, along with the Open University, is a consumer marketing organisation. It writes reports, but guess who pays its bills? The consumers. They have to pay a subscription, so it is just as interested as any other organisation in selling to the consumer. There is a conflict of interest. The challenge is genuine independence. We set ourselves up as a community interest company—asset-locked reinvestment in a core social purpose, to help human beings to become empowered. You will not do that unless there is a benefit for the brands, the public sector and the private sector. Everyone has to win out of this.
Michael Ross said that cookies were an unmitigated disaster, as nobody really understands them, but there is no one place where I can look at all the cookies I have ever signed up to. There is a firm called the Cookie Collective that will tell you what cookies do, if you really want to know, but it is a tiny outfit and is delivered out of social purpose. If you had a central record of all your consents and of all the cookies and what they were for, you would be empowered to make some choices and switch things off, but you are not. People want to get stuff done. They want convenience.
Q139 Lord Freeman: Perhaps I could ask Mr Alexander to address the third question on our list, because it will follow on naturally from what you have very helpfully been telling us. For the record, can I read the question? The CMA suggested that consumers needed more choice and control over their personal and non-personal data to improve competition, based on the quality of data protection standards. Is it possible to specify what needs to happen really to empower users? Google has told us that its Dashboard service gives users more control. Would you like to comment on whether you think that is a good example of how to empower consumers, or is something more radical, like the Disconnect app, needed?
David Alexander: I will start with the Google Dashboard, but it will not dominate my response. The fundamental challenge is about person-centred design. Google is a corporation predicated on generating return for its shareholders out of monetisation of your behaviour. The Dashboard is a salve to the threat of legislation. It says, “It is not our data; it is your data and you can export it”. My team has looked at the export routine. At best, the terms and conditions of the export allow you to download data on to a hard disk. I cannot imagine 95% of the population being even vaguely interested in downloading in CSV[2] file format on to a hard disk—I have already lost you. It is not a tremendously useful thing. It is designed to say that Google cares, but its business is about data. It is correct for it to be about that. It is transparent about what its business model is, but at the end of the day the individual needs the ability to have their own dashboard about their own life, and that has to be independent of the commercial agenda of Facebook or Google. In the world I live in, they call it GAFAT: Google, Amazon, Facebook, Apple and Twitter—the GAFAT alliance. “The walled garden” is another term. They are the feudal data barons who dominate the world, although I will not go on about that.
There is a simple answer to the question, “Is it possible for individuals to be better equipped?” Yes, of course it is possible, but they have to want to be. They might not think they need to be because it is way too hard for them to accumulate and organise information and that the apps and services available to them to organise it have an agenda, which is either targeted advertising or monetisation of the data. There is a growing movement around the creation of things called personal datastores. Mydex is an example. The Digital Catapult, which is funded with public money, is trying to set up an initiative around personal data and trust. MIT has an open PDS project. PAOGA is another. There are a lot of companies trying to say, “It must be possible for an individual to accumulate data, organise it and then be able to share it with whomsoever they want”. If they do not have access to it and cannot collect it from the brands, the public sector and the Government—whoever has it—they will do nothing about it. If collecting it is a complicated thing that requires you to understand technology, they certainly will not do it.
I wrote a blog post asking, “Do people care about personal data?” The first answer was, “No, unless something goes wrong”. We see that in the news. There were only 12 articles today about misuse of personal data, so it is a really quiet day out in the news world. The second answer to the question is, “Yes, they do care about it, if it is really easy to get hold of”. The point of it is the ability to understand your life and to make better decisions, is it not? The Government sponsored the Midata programme, which was meant to be about better decisions and better choices. That was all about forcing brands in the controlled sectors to give back their data, but of course they introduced it to them at the time by saying, “You will have to give back all your data to your consumers, so that they can leave you and go to your competitor”. It is not a great look. Actually, the value-add is about improving customer service and reducing effort. The tools and the technology are there. This is not a technology issue; it is about access. It is about getting hold of that data in a verified format that people will trust.
The Chairman: Do other colleagues wish to comment on that? Perhaps I will ask Lord Aberdare. I think your question has largely been answered, but do you want to go back in?
Q140 Lord Aberdare: It probably has, because it was about data portability. Should it be mandated, to reduce switching costs and increase consumer choice? What about the Google Takeout service, which is apparently meant to provide data portability? Is it as good as it is cracked up to be?
David Alexander: Portability is essential. Is it as good as it is cracked up to be? Certainly not. None of them is. They are not designed to be; they are designed to make people think that it is there. They are very hard to use, and there are legal limitations, in theory, on what people can do with them. It is a minefield, particularly with things like Facebook’s download, where you are downloading posts and comments made by other people. It is a very complicated issue and technically very difficult to process.
The Chairman: Would any of our other colleagues like to come in on that?
Josh Smith: I would like to respond. A key area of users’ control over their data is users being able to make an informed choice about what the data are used for. To take social media data as an example, it is very difficult for users to find out what the third parties who access the data intend to do with it. They may know that someone is interested in gathering their social media posts, but they are not entirely sure for what purpose. Those posts are being used by an increasing number of actors. There is a whole field of social media analytics companies that are gathering posts and displaying them to companies for all sorts of purposes—primarily marketing, but there are many other uses. We feel that it is not easy for a consumer at the point where they give those personal data away to work out how they will be used.
Michael Ross: David Alexander made a number of points about the potential scary side, where I click a “Yes” button and suddenly I have given away my medical records. The challenge when we talk about data is that data comes in lots of flavours and there are lots of shades of grey. When you transact on a retail website, there is a set of information that you are obviously giving the retailer—you are giving them your credit card details and your delivery address. The reality is that a huge amount of data processing then goes on in the background. They are building profiles of you and looking at all the things you search for on their website that you do not buy. They look at what you click on, how you behave and what marketing you are looking at. They are building profiles to work out how they can target you with better offers and build a range that is more attractive to you. Is that a bad thing? It is a fantastic thing. The retail world is horribly complicated and competitive at the moment, with retailers going bust all the time, as we can see. They need all the help they can get. For me, retailers trying to make sense of the tsunami of data to which they have access is the competitive battleground of retailing at the moment. It is a battle for insight.
You then start to say, “Where do you draw the line? What is a reasonable use of that data?” I do not think that the average consumer would understand what building statistical profiles of customers looks like. If one tries to regulate that and say, “You cannot profile customers individually”, you will have unintended consequences, because you will just encourage businesses to build statistical profiles that are not particularly linked to an individual. There is too much money involved for people to say, “Okay, we’ll down tools”—you will just move the battleground somewhere else. The problem with talking about data as one thing is that they are lots of different things. Some of them are scary. It is hard to argue that people’s medical records being sent to insurance companies would be a good thing. At the other extreme, using data so that you can be profiled to deliver you a better marketing experience is generally a very good thing. As a consumer, if I am served an irrelevant advert or a highly relevant advert, it is hard to argue that there is any damage. It is probably very preferable that I have something that is targeted to me. You are not asking credit companies to spam you.
A lot of this is self-policing. When businesses do stupid things with data—when they target you with irrelevant advertising, spam you and call you with annoying offers—you stop doing business with them. The ultimate sanction that you as a consumer can lay on a business is to stop doing business with them.
I am slightly troubled that we are trying to create regulation. For me, the next 30 years of the business world will be a battle for insight and how people will make sense of data. If businesses spend the next 10 years trying to work out what the regulation means and what they are able and not able to do, there will be lots of happy lawyers and lots of bankrupt businesses, because they will have been wiped out by competitors outside the EU.
David Alexander: I would like to respond to your assertion that I am scaremongering. I am absolutely in favour of personalisation, frictionless experiences online and cutting down the amount of time I have to spend filling in forms or to get exactly what I am looking for online. I use online marketplaces myself. I am a digital native, albeit at 55, but I have taught myself to be. I am really in favour of making sure that my profile is absolutely correct and up to date.
What I am talking about is the ability to set some boundaries. It is simply not practical for me to sit there and to have to unsubscribe every time someone decides to start spamming me, because the cognitive and physical effort of time to empty my mailbox is just unacceptable. I should be able to set some rules. We have had a telephone preference and a mail preference service for many generations already, and they do not work. They do, to some extent, for people who comply, but self-regulation without penalty is not working. The suggestion is that people have all the time in the world to sit there and decide to stop dealing with the credit card company their entire life is built on, because it has spammed them, and that they have the time to complain. I used to lecture on this subject. I have case studies coming out of my ears of brands that made bad choices about how they treated their customers, because it was convenient for them to do so. I want a frictionless economy. I want a digital economy. I do not want to have to fill out forms. I do not want to have to go down to the bank with proof of my identity. I want people to trust me and to be able to get stuff done, but I want to be able to control that experience by saying, “Here are some rules”, and I want them to stick to them.
Q141 Lord Wei: I want to ask a question that links the conversation right at the beginning, which was about fines, and this conversation, which in some way is about empowering consumers, whether or not there is new regulation. Is there a way in which the Commission or those imposing the fines could direct those fines to fund stronger digital consumer action or innovation? Are there are precedents for a mechanism like that working—ultimately, you have to decide how those fines are allocated—or do they just end up in a general EU pot somewhere that funds something else?
Steve Wood: I will answer initially on how it will work. The notices for the fines will be served by the data protection authorities themselves. Where it is a company established in the UK, we as the Information Commissioner’s Office will serve the notice demanding the fine on the organisation, so the fine will go to us, in the sense that we have to collect it. At the moment the ICO does not keep any of the fines it receives. We can currently fine up to £500,000 under the Data Protection Act. Under that system, all the money goes into the Consolidated Fund at the Treasury. It is an interesting concept. We have certainly been interested in exploring whether we could keep at least a portion of the fines and use that, for example, to reinvest in different areas of our activity as a data protection regulator, whether that is consumer education or funding further areas of our enforcement work. At the moment, there are different models across Europe; for example, the Spanish data protection authority is allowed to keep the fines that it receives. There may be a difficulty with that, which we very much recognise, with regard to how the regulator may feel incentivised, but there is probably merit in considering the model of how the revenue from fines is used in the area to which they have been directed in the first place.
Josh Smith: It is obviously not for us to say where the money can or should come from, but we feel that there is space for a voluntary organisation, potentially, along the lines of the Market Research Society, that establishes strong guidelines not only for social media research but for use of social data by third parties.
David Alexander: The Market Research Society has already set up something called fairdata.org, with 10 principles on how personal data should be used. It extends the Data Protection Act and has a certification programme that is external and independently done. At Mydex, we took ourselves through that, along with ISO 27001, for security. External accreditation and certification around intent and behaviour is an important part. I would love to see fines being channelled into countering abuse, misuse or lack of awareness. It is a great idea.
The Chairman: Could I ask Lord Green to put his question on the value of data?
Q142 Lord Green of Hurstpierpoint: Thank you, Lord Chairman. I will come at this from a slightly different direction. Consumers get a free service—at least, a service free at the point of use—in return for giving their information. They do not understand very clearly what is done with that information, how it is packaged and whether it is on-sold; they are unclear about that. We have talked a lot about transparency as a means of addressing that. Another way of looking at it is that those data have value, and they do not know what the value is. They have had a service, which has value, and they have not paid for it, so the market is not working on either side. You have a free service, which is plainly not costless, and you have given data, which plainly have a value, for which you are not gaining any recompense. The German Monopolkommission said that users ought to be “awarded undisputed, absolute rights” over their data. It has also been suggested to us that consumers ought to receive some form of micropayment, so that users get some value for the data they have given, in return perhaps for paying for some of the services they use. Is that a feasible concept, or is it just economics textbook stuff?
Michael Ross: This is my immediate thought. Let us take news sites. In the old days, you paid for newspapers, but now we are all used to having wonderful access to news sites around the world. Obviously they are selling advertising, profiling our behaviour and selling our cookies to other businesses. If you visit a certain basket of websites, they will profile you and identify you as a highly valuable cookie and then those data will be sold. If you look at the economics of media businesses, they are not in great shape; they need all the help they can get, so on top of trying to eke out an existence selling advertising, will they now have to make micropayments to consumers as well? Maybe. As you said in your question, it feels more like an interesting economic textbook case study than something that is practical in the real world.
As regards the value of data, I am not sure that the data are valuable in and of themselves. Let us take the example of credit agencies. There is a whole set of personal data about you, your credit cards and your credit balances. I am not sure that that has any value. When the credit agencies take that, aggregate it and build a model of your propensity to default on a loan, it is suddenly an incredibly valuable bit of data, but it is the intermediary who is adding the value to your data. Presumably, therefore, they deserve to profit from that. I am not sure that paying consumers for that is practical in any sense.
Lord Green of Hurstpierpoint: It may not be practical, but it is not true that the value is provided only by the intermediary who goes on to use the data. The litmus test is: could you, at least theoretically, sell your data? Plainly you could, because there are examples of platforms selling data.
David Alexander: I may surprise a few people, but I think the issue is one of transparency. If somebody chooses to use a service like Hotmail, Gmail or any number of other services in which they receive value back—free services, free email, et cetera—the transparency of that offer is the issue. Chris Graham famously said that it is time to stop brushing the offer under the carpet. If you are trying to value a tech start-up, the value of data is calculated to a very fine precision—$720 per person, per year is Google’s estimate when they are talking to investors over time. If they are talking internally, the cost of the raw material of the data is nothing. If I were a manufacturer making cars and I did not have to pay for the steel or the copper that went into the car, I would make a lot more money, would I not? Experian processes all these data, which it largely collects for free from banks and various other organisations and then processes, so there is an interesting concept around the value of the raw materials—your data and behaviour.
I would put my hand up for public services. Here we are, pressed with the comprehensive spending review, trying to improve front-line services and cut costs. I do not want to be paid for the data that I exchange with my health provider, my local authority or a third-sector organisation; I just want to cut the time that it takes for my father to get an appointment at the Royal Free. I would hate the idea that we start to think that every data transaction has a financial figure that goes with it, but I think that it is possible for people to participate in a data market about themselves, whether they wish to gift their data for research, better personalisation, experience, et cetera, or to begin to understand what a combination of data about themselves is worth. Technically, it is possible to do it; I just do not think there is one commercial model. We need a free market, where you can explore different commercial models, but transparency of the commercial model is the prize that we should be seeking, so that people can make an informed choice. If you want to pay £700 a year for your email service so that nobody monitors your behaviour or targets you with advertising and it is completely secure, notwithstanding current plans for the IP Bill—if it is genuinely private—that is your choice, is it not? It is the decision you will make. If that was the case, you would find that more service providers would charge a small fee for provision of service.
Q143 Baroness Randerson: My question fits in with the last point but relates to something that Michael said. He referred to the fact that newspapers now come free and we get our information largely on websites, rather than by buying the newspaper as such. The problem that newspapers have come across in the last year is that the majority of people now access their websites on mobile devices, which can block the advertisements that they have been using to pay for the website and for gathering the news. I can sit at home, having recorded a television programme, and fast-forward through the adverts, because technology now enables us to avoid the things we have been talking about. Does that not suggest that the whole model is a little precarious, because the technology is overtaking the whole structure that we have been discussing this afternoon?
David Alexander: I totally agree. Look at the explosion in things called ad blockers. People are downloading and installing technology when they are least able to understand what it does, apart from the result that it gives them, which is an ad-free browsing experience or some form of protection. People are choosing security or privacy. They make those choices. There is time-slipping of adverts. That is why the price of an advert on television has dropped through the floor. It is not the explosion of thousands of channels that has done that; it is the ability of people not to pay attention, at the end of the day.
Ultimately, some of the media—the papers that publish online—choose still to be free. They do not have a lot of adverts, because they are funded by a different agenda. The trust that runs the Guardian has a different model. It is a challenging economic model, let us say, in some respects; God bless them for their continued endeavours. The Financial Times has a really wonderful “try it” model, where you get to look at a bit of the article, they suck you in and then say, “It is only £1 and you can look at it”. I have seen other media organisations now saying, “If you want to read just that article, we will charge you a small fee, in cents or pence”. You will find new commercial models to create. Advertising is not the panacea. Personalisation is the route forward. People want what they want. They want convenience, ease of use and rapid access to the information that they need, in just the format they want. People are prepared to do things to get it in that way. You are right: it is a very precarious model.
The Chairman: Lord Wei, we have partly covered your question. Do you want to come back?
Q144 Lord Wei: We have heard concern expressed by various parties about clarity on how algorithms work. We would love to hear any examples that you know where lack of transparency about algorithms is happening and how that could be remedied.
Michael Ross: I spend my life designing algorithms for retailers and businesses. I would love to have more time explaining them to people, but I rarely find an audience interested in listening to how algorithms are designed. For a typical retailer, there may be 20 or 30 algorithms powering their business. The sort order in which products are returned to you when you search for something on a website, the product that is recommended to you when you click on a product and the additional offers that people make to you when you go into a shopping basket are all driven by algorithms. Many of the algorithms on a typical retail website are powered by third parties. If you look at a website, it will be powered by 15 or 20 third parties, many of whom will tell you that their algorithms are proprietary and are their IP. If you get underneath and really want to understand what the algorithm is doing, it is maths—it is equations. Exactly how that information is being processed would be way beyond the vast majority of the population.
It is an interesting question. Part of the way I think about it is that you either like the outcome or you do not. If you shop on Amazon, you either like the products they recommend to you and you click on them or you do not and do not click on them. It is hard to see that any harm is done. Do I think that good will come from making the algorithms transparent? I cannot see that any good would come of it and that anyone would really understand.
Lord Wei: I need to clarify. It is, in the case of potential discrimination or non-provision of service, based on presumptions made by the algorithm. The owners, or the third parties, may not know that it is happening and therefore may not be able to respond logically.
Michael Ross: Transparency is very interesting here, particularly relating to things like fraud algorithms. It is often the case that you place a transaction and it will be rejected because the retailer has some algorithm that is determining that you are a bad risk. Transparency trumps actually understanding of what the algorithm is doing. You get into territories that are both probably too hard to understand and potentially owned by sets of third parties, where you start to infringe on property rights.
David Alexander: There are three underlying pillars of this conversation that need to be expressed. Most of the algorithm technology and intellectual property has been paid for from the public purse, through research grants. Even Google started as a research grant. Those people may have created the algorithms and produced the maths, but we are paying for the algorithms to be written.
The second thing is that we are feeding them—every one of us in this room. Every time we say, “I don’t like that”, we rate something or ignore something, we do not stay on a page for an acceptable period of time, or we decide not to answer a question or withhold information, we are feeding those algorithms and making them more efficient; I would not describe it as necessarily better. They may be delivering a better outcome for the retailer, the insurance company or whoever it may be, because the accuracy of that information is being made clearer.
In the analogue world, the exposure of transparency is already there. You have the right to see a decision about why credit was refused. You can make a request under the Freedom of Information Act or do a subject matter access request. There are lots of ways in which decisions about you were made that you are entitled to see. I am not sure that explaining the maths of the algorithm is necessarily the point—I take Michael Ross’s point, which is well made. The issue is the outcome and why that outcome has been reached. This algorithm, based on these input parameters, decided not to give you life insurance—that is what it should tell you. If you have an issue with that and wish to appeal it, because you believe that the underlying data used to make those assumptions were in error, it is a human right to correct inaccuracies.
It is like credit reports. It is the old joke: “How do you get yourself off the Reader’s Digest mailing list?” “I am not that good”. It is that point about the algorithms that are working. You have the right to get your credit report corrected, if it is wrong; it is just really hard to do. Again, transparency is the key point. Even I, as smug as I sometimes like to think I am about technology, will sit at an algorithm and say, “I do not know whether that made the right decision”. It is about how you audit algorithms for delivering the outcome they were intended to deliver, and how you report on the outcomes they got and whether or not you think that they were right. For that, you have to know what the input parameters were for the raw data that were fed in and what the corporate objective of the algorithm was. If the corporate objective of an algorithm was to minimise the risk in the policies that it wrote within a set of parameters, they are input parameters. The transparency relates to the data points that they decided to use to make that assessment, whether it is for a loan, for insurance or whatever. When it comes to how the maths actually worked and what percentage of outcome it got, you could benchmark people’s algorithms. We see people offering to benchmark algorithms even now, to say, “My algorithm is faster, better or more accurate than yours”. It is about knowing what goes in and what comes out. To me, that is the core of it.
Q145 The Chairman: We are running short of time. I have four questions down for my colleagues. With apologies to them, I will have to wrap them all up in one big question. At the end of the day, we have to take a view on whether regulation is required. Can you give us an indication of what kind of regulation we should focus on, or indeed whether self-regulation and industry standards are an alternative to regulation or any form of new regulator? I am sorry to cut across, but we have only five minutes left. You have a maximum of two minutes each. Steve, do you want to go first?
Steve Wood: I have commented before, so I will be brief. We are supportive of the GDPR and are looking towards that new form of data protection regulation coming in. We can see the benefits that will bring. We have highlighted some of the areas where we think that the regulation could be improved, but, ultimately, there is a positive development coming. Obviously we will need to get to grips with that as a piece of regulation that will be here fairly soon.
Ultimately, we would talk about a mixed model. We need a good, strong regulatory model as regards the clarity of the law and a strong regulator with the right powers and resources—a data protection regulator like the ICO—but we recognise that there can be a mix of market-based mechanisms and co-regulatory mechanisms, such as privacy seals and certification, that can sit and work with that. There can be mechanisms that try to raise the bar and to get the idea of privacy being a differentiator. We heard Michael say that consumers will go elsewhere, but I think that we are not quite at the point where people will genuinely switch supplier because of privacy. There are some other mechanisms that we can use to make that happen, while having a strong regulatory regime sitting on top of it.
Josh Smith: At the top of our wish list for any future regulator that is devised is that it establishes strong guidelines for how third parties use personal data. For example, how do you handle data provided by under-16s? Do you allow users to remove their data from caches? We believe that that could be the key to increasing public trust in how parties use their data and could be of general use.
David Alexander: Regulation is important and has to be appropriate. I do not think that consumers necessarily think about it. Standards are not standards. There are many standards that try to do the same thing, so interoperability is appropriate. Rating systems are great, if they are independent and transparent about who is driving them. Whether it is a market search engine, a comparison site or a review system is important. There are many standards out there that can be combined. ISO 27001, on information security management, is a standard that is well-respected, used and independently certified. There is Fair Data, from the Market Research Society. There is tScheme, which runs the trust services list for the UK. At the heart of this, we need transparency. That is the key thing. Ultimately, we need consumer communication, so that they understand risk. It is not a science. This is about humanity and feeling safe.
Michael Ross: As I said at the beginning, we are at the beginning of a digital industrial revolution. The opportunity for the UK to be at the forefront of that is fantastic. I am very concerned that we do not create regulation that pushes us back and puts us at a competitive disadvantage. I am also concerned that we avoid unintended consequences of well-meaning regulation that simply catalyses businesses to avoid things, whether it is pseudo-anonymous or statistical models that will just take the industry in a different direction and will not achieve the intention of the regulation.
Finally, I agree with David that transparency trumps consent. As I said before, I am concerned about explicit consent. Again, I do not think it achieves the objective that is intended. If businesses were transparent and you could find what they were doing with your data and do something about it, if you so chose, that would be a much better situation than getting people to spend their time clicking an “Okay” button that had no impact on the world.
David Alexander: I have one final point. There is now an endeavour under way called a data usage report, which expressly requires organisations to be transparent about the data they have, how it is used and who it is shared with, as a standard format that any consumer could request from any organisation, across any sector. It is starting in health and will run through government. There are increasing demands for it across other sectors. There is work under way now on that transparency, through the data usage report.
The Chairman: That is on primary public services, is it not—the quality of public services?
David Alexander: No. It is across all sectors. The proposal is that it becomes a standard that is adopted everywhere, so that people can literally press a button and get a report on how their data have been used, who they have been shared with and for what purpose.
The Chairman: Thank you very much for all your contributions. There are a few more questions that we have not touched on. If you have any issues on which you wish to provide us with further information, please do so. Meanwhile, thank you very much. It has been a very interesting session and has set a lot of thoughts going for us. We will aim to complete our report in the early new year, as they say.
[1] General Data Protection Regulation
[2] Comma Separated Values