The boom in internet-enabled mobile phones, apps and other high-tech gadgets in recent decades has led to an explosion of personal data that firms now harvest, process and sell.
The Bank for International Settlements (BIS) paper published on Thursday said while most countries already have some laws around data use, most individuals still were not aware of what was at stake, or their rights over their data.
Authorities should therefore adopt new data governance systems to “level the playing field between data subjects and data controllers,” the paper said.
They should require firms to get clearer consent to collect data, better explain how it was being used and make it easier for those from whom it was harvested to access it.
“When data are shared between data providers and data users, the data governance system should specify which data are requested for sharing, how long they will be retained by data users, and who will process them,” the paper said.
The BIS’s role as a hub for top central banks underscores just how broad-based the clamour for stricter data rules has become.
Current controls differ widely. While the European Union’s General Data Protection Regulation (GDPR), which took effect in 2018, is generally seen as the most comprehensive, it is still seen as having issues.
Other parts of the world are far less advanced. The United States, for example, where most Big Tech firms are based, still has no overarching consumer privacy laws, instead relying on a patchwork of state and sector rules.
The paper said data subjects also lose out because their information often becomes locked in firms’ silos or platforms after using an app, website or service.
In turn, the companies can then combine that data with other attributes such as income and education to derive insights and predictions, thus creating “derived data” often seen as more valuable.
Young and less well-off people also tend to be denied loans due to a lack of previous credit history, whereas if they had full access to their online data, that could be used instead.
“The young take time to accumulate tangible collateral and the poor may never acquire sufficient collateral,” the paper said. “These low-margin, high-risk consumers are uneconomical to reach in the traditional system without access to digital data sharing.”
It added any new governance system should meet the following five standards.
(i) purpose limitation – ensure that the purpose for which data is being shared is described in clear and specific terms.
(ii) data minimisation – share only as much data as is strictly necessary.
(iii) retention restriction – ensure that data is not shared for longer than required.
(iv) use limitation – ensure that data is used only for the purpose for which it was shared.
(v) operational resilience – ensure that data is secure.