Short summary of the Profila app (as testing ground for the proposal POC) - Profila is a platform (consisting of both a mobile IOS and Android application for individuals and a web-based dashboard for companies, organizations, governments and other legal entities, we call "Brands") that enables individuals to communicate with various organizations in their lives, privately, one-to-one, and without supervision or surveillance. Organizations can be either private or public entities.
Consumers can manage their digital life in one location. They can sort all their personal information, product preferences and communication preferences and communicate with all the organizations they want to interact with in the same easy way (instead of on each individual organization's platform each time). The entire tool is design for people to (1) gain control over their personal data; (2) choose to ethically share (or not) they personal data with organisations, and (3) get compensated if they do. (see "Illustration 1 – Profila for Consumers" attached to this proposal).
Before going into the proposal, the concept of "data subject rights" needs some explanation.
1. The concept of data subject rights as a legal tool for individuals to start controlling their data
A first step to data control is knowing your rights in relation to your data and taking action against those who misuse your data. This can be done via "data subject rights", as explained briefly below.
Numerous national and regional privacy or consumer protection laws, regulations and jurisprudence provide private individuals – often called "data subjects" – with certain rights in relation to their personal data. Under certain conditions, these rights can be enforced against businesses that process personal data.
These rights are often called "data subject rights" or "data rights" and may include e.g.
- right to information - the right to be informed about how a business uses your personal data
- right to opt out - people can ask businesses to stop selling their personal information or using it for business benefit;
- right to access – ask access to personal data that is being processed by a business (e.g. ; hen you want to know just how much data a company has about you);
- right to be forgotten – ask a business to delete your personal data (e.g. when you don't want to receive any products anymore, and definitely no more marketing messages);
- right to rectification – ask a business to rectify personal information about you that is inaccurate or incomplete (e.g. they have your old address or there is a typo in your name);
We can find these rights in the European General Data Protection Regulation (GDPR); the California Consumer Privacy Act (CCPA); the Brazilian General Data Protection Regulation (LGDP) and many more.
The main goal of these rights it to GIVE CONSUMERS CONTROL OVER THEIR PERSONAL DATA. These laws (GDRP, CCPA; LGDP) include many obligations for companies; namely to (i) inform consumers of these rights; (ii) to help them exercise these rights; (iii) to timely respond to these rights, mostly within a reasonable period of 15 to 30 days; and (iv) to do this all in a transparent way, and no cost to the individual.
2. Privacy rights today – problems – lack of education and management
Today, you have no control over the use of your personal data. In order to control your data, you need to know what happens to it, and you need to be able to take action against those who misuse it. This is where DSRs come in very handy, as they can be used by each individual to (1) become aware of what personal data is collected; how it is used (=information) and – once you have this information – to (2) tell businesses what to do (different) (e.g. rectify; delete; opt out).
However, do you know what your rights are and how you need to exercise them? Today, there is no tool available that lets you learn about your rights and provide you with an easy way to exercise them. Some local websites of data protection authorities provide you with information and templates, but require you to download lengthy word documents, fill out 10-15 elements in these documents, upload them, send them by email or post to the Brand in question. This process is only available for those people who actually know what a data protection authority is (=what?), and who are willing to spend some hours to get the template filled out and send.
That is where Profila comes in.
3. Profila today - the existing consumer App – first step towards data control via privacy education and data rights management
The current Profila App has a consumer-friendly privacy education and data rights management dashboard (see "illustration 2 – Profila Privacy App").
Education – the App has 9 basic modules about your privacy rights, explaining to you in understandable terms and with examples "what is personal data", "what is a controller/processor", "what are your rights", what is e.g. "your right to be forgotten" (including GDPR in Europe, CCPA in California, LGDP in Brazil). They are tools that can be used by consumers to control their data.
Rights Management – the App then has a dashboard which allows you to manage your rights, e.g. use your "right to object" to tell Wholefoods to stop sending daily emails, or your "right to be forgotten" to ask Wholefoods to erase all personal data they hold about you. Profila has reduced this legally difficult process of exercising data subject rights to an easy 3-click step process, where you can (1) choose a company logo (recipient of the right); (2) click on one of the 8 data subject rights, and (3) include an identifier (email; phone). Profila then forwards an official legal template to the business. According to the law that applies to your relationship with this company (which is determined based on your country of residence/nationality), the company will be legally required to respond to you within 15-30 days.
4. Profila tomorrow – the Catalyst project - POC under fund 5 –> second phase fund 8
What did we create as POC under the fund 8 Challenge?
Issue - "centralized DSR management" - Each data subject right (DSR) that is exercised by an individual using Profila (including the specific terms like which DSR, data, company recipient, specific content and request), is only saved by Profila in our IT environment, and can only be enforced by Profila or its existence proven by Profila. Profila is therefore guaranteeing that the legal request/transaction happened, what terms it contains, whether terms are abided by (e.g. did the business actually respond to the request in time, as they are legally obligated to do).
This is a liability for both contracting parties, who would need to trust Profila. Profila, as a commercial company, would have to actively step in as arbitrator/mediator, and guarantee this level of trust that a transaction took place + terms thereof. However, we only want to provide consumers with the tools to control their data. The trust and consensus that a transaction took place or contract was made needs to come from the community of users.
Under the Catalyst project (fund 5), we want to tackle this issue by making available on Cardano a ledger for all privacy interactions that you as an individual exercised via the Profila privacy rights management platform: each user that exercises a data subject right with a brand will be able to easily access each such request, including the brands' response.
E.g. You exercises your right to object to the processing of direct marketing messages to Wholefoods, after receiving 15 mails per week with advertising. If several months after this request, Wholefoods doesn't abide by this request and again starts using your personal data to send you direct marketing messages, you can use the ledger entry as immutable proof of the right you exercised. This way, you can show Wholefoods they breached your right and hold them accountable (unlike the "unsubscribe" buttons you click 10x times, with no proof thereof, and with no effect because mails keep on coming). You can even use the information in the ledger to file a complaint at a national data protection authority, showing them what you agreed to, and how the company actually (mis)used your data. You will be able to check forever, every legal right you send to a business concerning the use of your (personal) data. Nobody would be able to tamper with this information. This is control.
We presented this finished proposal on the Catalyst townhall of 3 March 2022 -
<https://www.youtube.com/embed/GqT9TYwsPW0>What are we improving under this fund 8 challenge?
After successful metadata project (fund 5) "control your data - privacy ledger" where we implemented metadata from a DSR into the Cardano blockchain (from a central Profila node/wallet), we are now proposing to implement the DSR and reaction by a company in the form of a smart contract on Cardano (option 1) or additional metadata entry (option 2), to demonstrate/prove not only that a DSR was exercised, but also to demonstrate the companies response. If a company responds to the email, this response is updated in the smart contract. If no response within the 30 day period set by law, then the smart contract will automatically update with a "no response" by the brand. We will also ask the individual to validate the reaction of the company and include this in the ledger. This way, when you go to the regulator with a complaint for misuse of your personal data, the ledger doesn't only show that you initially shared a DSR with a brand (and the content thereof), it will also provide immutable proof whether a brand did (or did not) respond within its legal deadline. Having this piece of information is very crucial.
In addition to the new ledger entries, we will also improve the design of the app experience (now we have to add the private key - +250 characters, that people receive upon registration, which is not very user friendly) and lateron add the use of the zero knowledge token (ZKT) to offset blockchain entry fees.
The challenge is as follows: "what applications will provide the most value for end users in 2022"?
We are confident that our proposal addresses this challenge because we are expecting many users onto our platform in the next months, who will benefit from the functionality we develop under this proposal
- We are onboarding 100.000+ users onto the App in the next months, as part of a pilot with a large multinational.
- All of these people will be able to use these privacy functionalities to better understand how to take control of their data with brands. This is something that doesn't exist today on the internet, and will revolutionize the way we think about data ownership.
Challenges
- Scalability and speed of Cardano blockchain for high volume transaction if millions of people would use the privacy ledger to exercise their rights with multiple brands.
- Cost of high volume transaction ledger/record of all blockchain entries (we'll have to work with batching rights together instead of 1 right-1entry).
Risks
- Cardano blockchain speed and cost might be prohibitive to project success/adoption
- Privacy on the blockchain (even if hashed) forms a risk. Workaround to be researched under this proposal