World central bank group denounces Big Tech data harvesting

A paper published by the world’s main central bank umbrella group said that while many countries already have some laws around data use, most individuals are still not aware of their data rights or the risks that come with the unregulated use of data.

The advent of smartphones, digital technologies, software applications and network connectivity has led to a dramatic expansion of consumers’ digital footprints, turning data into a valuable commodity. In this context, social media giants, Big Tech firms and banks have been able to harvest, process and sell user data with little oversight.

In order to ”level the playing field between data subjects and data controllers," authorities should adopt new data governance systems, the paper said.

These would include requiring firms to get clearer consent to collect user data and improving communications with users about the use of their data, as well as allowing customers to easily access the information harvested by the company.

"When data are shared between data providers and data users, the data governance system should specify which data are requested for sharing, how long they will be retained by data users, and who will process them," the paper said.

The BIS's role as hub for top central banks underscores just how broad-based the clamour for stricter data rules now spreads. While the European Union's 2018 General Data Protection Regulation (GDPR) is generally seen as the most comprehensive regulation on the issue, it is now considered by experts to be insufficient to ensure internet users’ rights and fair competition in online markets, underscoring the EU’s efforts to pass a new piece of legislation on the subject, the Digital Markets Act (DMA). 

Meanwhile, other parts of the world are still catching up to the European data privacy standards. For instance, the United States, where most Big Tech firms are based, still has no overarching consumer privacy laws, relying instead on a patchwork of state and sector rules.

“Consumers often do not know the benefits of the data they generate, and find it difficult to assert their rights regarding the collection, processing and sharing of their data,” the BIS stated.

The paper proposed the establishment of a new data governance system that “restores control of data” to users, by replacing broad and sweeping consent with granular consent provided on digital basis. As an example of a successful model, the BIC referred to India’s Data Empowerment and Protection Architecture (DEPA) and the way the system manages data flows to the financial sector.

The model would benefit both consumers and companies, as the former will have access to their own data, and be able to use it for processes such as showing proof of credit history, while the latter could combine that data with other attributes such as income and education to derive insights and predictions, thus creating valuable "derived data”.

"The young take time to accumulate tangible collateral and the poor may never acquire sufficient collateral," the paper said. "These low-margin, high-risk consumers are uneconomical to reach in the traditional system without access to digital data sharing."

However, to achieve success, the new governance system should follow several standards including purpose limitation, data minimisation, retention restriction and use limitation. It would need to be open, secure and interoperable, to ensure that user’s rights and fair competition standards prevail in the current global digital economy.