It is a well-known fact that Europeans are generally more concerned about privacy than people in some other countries. Indeed, we’ve had a history of major privacy breaches with such catastrophic consequences that it is now part of our culture that personal data should be treated as highly sensitive, something the U.S. is now catching up to in the wake of the Facebook/Cambridge Analytica scandal. The culmination of this is the new EU-wide privacy regulation, the GDPR, which will come into effect on May 25, 2018, and was a hot topic during the recent Zuckerberg testimony.
One key article is the right to personal data portability. In a nutshell, it states that users of a service can request their personal data to be transferred to another provider, without hindrance (read: in the format the other provider requests). This means that if you are no longer happy using a social network, you can switch to another one and have all of your personal data (profile, pictures, messages, posts, likes…) sent to the new provider. It’s the same idea as being able to keep your phone number when you change carriers, but applied to all of your personal data.
Although the definition of what constitutes your personal profile is still being debated (is it just the data you uploaded, or all the data that was derived from it? Does it include metadata?), it is safe to say that a big part of your online identity will soon be transferable across multiple providers.
As these data transfer requests become more and more common, companies will necessarily want to minimize the effort it takes to comply. The only logical thing to do to avoid having to convert data into each provider’s format is to eventually agree on standardized formats for personal data and APIs used to access them. Our messages, social networks, location data, images, purchase history, music listening history and everything else will become standardized, just like our email or calendars have been for decades.
Consumers will eventually realize that the profiles they spent time creating can be reused without effort elsewhere. They will start treating their profiles as a shared resource amongst all providers that need similar information. For example, if you uploaded your ID on a website to be verified, you would be able to reuse that already verified profile elsewhere, removing the need to resend your info and wait for confirmation (if you have tried to get your account validated on a crypto exchange recently, you know what I am talking about!).
Having a single, transferable user profile would be very similar to what Facebook does with the Facebook Connect button, but with one huge difference: Facebook would have no say in which company can or cannot access the user profile, and what they can do with it. There would be no more personal data lock-in, and no more legal terms-and-conditions shenanigans. As a user, I would decide who gets access to what and for what.
As this Universal Digital Profile (UDP) starts becoming mainstream, an entirely new economy will emerge, from personal data clouds to personal identity aggregators or data monetization platforms. All those ideas that have been floating around for years but couldn’t be scaled due to a lack of interoperability will finally come to life.
This is a major deal for the internet, and for European citizens. It’s by far one of the most profound impacts of the GDPR on our digital lives and on our digital freedom of movement. Let’s just hope that it won’t be limited to Europeans, and that companies across the globe will adopt this idea so we can Make Internet Great Again!