Submission to the OPC’s Consultation on Consent under PIPEDA (Meeco)

Meeco

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

---

Summary

The primary purpose of this submission is to propose an answer to Consultation Question 2:

What solutions have we not identified that would be helpful in addressing consent challenges and why?

The PIPEDA Discussion Paper, although clearly outlining a definition, as well as various mechanisms, interpretations and possible solutions for improved consent models, does not explicitly highlight a model where individuals are in full control of their personal information, as well as the interactions that make use of their personal information.

This is the emerging market of Me to Business (Me2B) and Business to Me (B2Me), where citizens are the point of integration and the facilitator of all consent-based interactions with industry and government.

In 2012, research and analyst firm KuppingerCole introduced Life Management Platforms to the world. More recently, the MyData working group in Finland proposed the MyData model – a human-centric approach to personal data management and use. This type of thought leadership, combined with various studies from PwC, The World Economic Forum and the Boston Consulting Group, formed the basis for the tangible application of such a model for both individuals and organisations. The manifestation of this is Meeco.

Meeco is the world’s leading Life Management Platform. Having launched and been active in market since 2014, Meeco gives citizens, customers, students, patients and employees the ability to take control and make use of personal information from all parts of their life. At Meeco’s core is a consent management tool, enabling information to be exchanged explicitly on the terms of the individual with peers and organisations they trust through either ‘controlled push’, or ‘informed pull’ (more on these concepts later) interactions.

For organisations, Meeco provides an engagement layer to support privacy enhancing customer journeys. Through this model, individuals can use their existing data assets to reduce the time and friction associated with a wide range of digital journeys and transactions including applying for a bank account, updating their insurance or participating in a community research program. Meeco enables full data give back as well as explicit, unambiguous consent in each and every interaction.

Focusing on the balance of value creation for individuals and organisations, enabled through consent-based interactions, Meeco has been the recipient of a number of innovation awards over the past 12 months.

• 2015 EIC Special Award
• 2015 AMP Amplify Award
• 2016 Digital Catapult Personal Data Innovation Showcase
• 2016 IDentity Innovation Award

Meeco has been architected using Privacy by Design (PbD) principles. In addition, our founder and CEO, Katryna Dow, is an Ambassador of the Privacy by Design movement.

Through Meeco, and other similar person-first Privacy Enhancing Technologies (PETs), meaningful consent can drive value to both citizens and organisations in a compliant, economically viable and user-friendly manner.

The remainder of this submission will detail why and how.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

About Meeco

“Save, share and sync your data on your terms”

Meeco is a cross platform (web and mobile) Life Management Platform that enables the ‘API-of-Me’.

Through Meeco, individuals can bring data from various external sources, such as their bank, a fitness device and their social media accounts, into a simple interface they control. Once within their control, Meeco enables individuals to share data, with explicit consent and clearly defined rules, with their peers and the organisations they trust.

Figure 1: Meeco for iPhone, iPad and Web

Text Version

Visual Representation of Meeco platform on an iPhone, an iPad, and on the web

By providing this person-first technology, Meeco is enabling organisations to build trust-based relationships, where meaningful consent is critical to the overall customer experience and shared-outcome.

In this context, individuals and organisations are now participating in interactions on equal terms.

Meeco User-Controlled Consent Management

Meeco’s core value proposition is enabling Controlled Push and Informed Pull consent-based interactions.

Figure 2: Life Management Platforms: Control and Privacy for Personal Data, KuppingerCole 2012

Text Version

Controlled push: Customer provides detailed information about his car to the application of an insurance broker, which ensure privacy. Informed pull: Customer requests information from different insurance companies which an insurance calculation application of his Life Management Platform uses to calculate the best rate, ensuring confidentiality of the data provided by the insurance companies towards other insurance companies and parties.

Meeco enables individuals to share personal attributes, such as a phone number, or grouped attributes, such as their house address and home status, directly with peers and organisations.

Additionally, through the assertion of binary attributes or through a de-identified persona, Meeco supports progressive disclosure. Through this model, personal information can be disclosed in a way that is appropriate to the stage of the process or relationship, thus enhancing privacy for the individual and reducing the risk for the organisation or institution of collecting and storing personal information.

Meeco also supports bi-directional, and multi-directional consent-based data exchange, where an organisation may request information from an individual for a specific purpose and in the context of the existing relationship. The individual may then explicitly consent to permission this information to the organisation—based on the rules they define—and also allow the organisation to share that information with explicitly defined third parties for the purpose of achieving an outcome.

A practical example is change of address. A customer of a Telco may update their address through a Powered by Meeco^TM service the Telco provides. The Telco may then offer to exchange that updated address with other organisations the customer already has an existing relationship with. This is all managed through explicit informed consent.

Through this model, the individual can share the data once, with explicit consent rules, and it can be used to create value many times over.

Meeco’s Consent Management Tool

Figure 3: Meeco’s Consent Management Tool

Text Version

A visual representation of Meeco’s Consent Management Tool

The Meeco Consent Management capability is based on a business (rules), legal (governance) and technology (enabler) framework. It is the combination of the BLT approach that provides increased agency and transparency in the sharing of personal data, and granting of consent.

When an individual chooses to share their data, a peer or organisation that receives that data acquires a view of the data, rather than access to the raw data, which is governed by the consent capability in the Meeco Platform.

The Meeco Consent Management Tool enables the individual to specify the following levels of consent and permission:

1. Duration of share:
   • Until the user deletes the share
   • For a set period of time in hours and minutes
   • Until a set date
2. Terms of share:
   • Data can not be passed onto or shared with any third parties without the users permission
   • Data can not be sold or traded without the users permission
3. Custom Terms:
   • User can also include explicit terms that govern the purpose of the exchange and the use of that data once it has been shared.

The individual is also able to save and recall a set of default permissions for all data shares to reduce the need to set individual consent settings for every exchange.

Conscious of the evolving regulatory landscape, Meeco’s Consent Management Tool complies with the European Union’s General Data Protection Regulation (GDPR), as well as the Payments Services Directive 2 (PSD2), which requires the provision of machine-readable customer data to be given back to customers.

A Working Model

When combined with leading open standards, and emerging initiatives such as the Kanatara Initiative’s Consent Receipts, a holistic approach to Me2B and B2Me consent can be enabled utilising Meeco. Such an approach would go a long way to resolving many of the privacy, consent and related trust challenges of today.

Meeco is putting this into practice by engaging with leading global organisations to co-design timely, relevant and valuable consent-based customer journeys, all of which are enabled by the Meeco Platform.

Meeco enables this through the Meeco Me2B Labs Methodlogy. Meeco Labs is a program for organisations to test hypotheses and prove economic and societal value prior to making substantial investments in new technologies or strategic initiatives. Each program is unique, providing a process and pathway towards new products, services, experiences and business models.

Utilising the Meeco Platform and API suite, consent exchanged customer or citizen data is mapped directly to internal CRM, ERP or organisational systems. Collaboratively with customers, this data is used to help create mutual customer and business value.

Meeco Labs is the first step in a journey towards new models of value for citizens and organisations.

In addition, Meeco consistently releases new capability to the consumer market, providing individuals with the tools to save, sync and share their data on their terms.

With Meeco enabling the customer to become the single point of integration, organisational silos are being broken down, unveiling new models for societal and economic value.

In their report, The Value of our Digital Identity, The Boston Consulting Group estimated that by 2020, 1 trillion euros of new economic value could be realised in the European Union alone. However, this value could only be realised if trust and transparency were established with associated data practices.

The citizen, customer, student, patient and employee as the platform, or true person first technology, is the answer to realising similar economic value globally.

Recommendations

1. Explore citizen-first consent journeys through a proof of concept program to validate the technological and legislative feasibility, the commercial viability, and the human desirability of person-first consent models

Appendix

1. Life Management Platforms: Control and Privacy for Personal Data
2. MyData – A Nordic Model for human-centered personal data management and processing
3. The Value of Our Digital Identity
4. Digital Identity 3.0