BLOG

Opinion of the European Data Protection Supervisor on Personal Information Management Systems (PIMS)

This Opinion explores the concept of technologies and ecosystems aiming at empowering individuals to control the sharing of their personal data (‘personal information management systems’ or ‘PIMS’ for short). Our vision is to create a new reality where individuals manage and control their online identity. Our aim to transform the current provider centric system into a hiucmsaynstecmentwr here individuals are protected against unlawful pro­cessing of their data and against intrusive tracking and profiling techniques that aim at circumventing key data protec­ tion principles.

The full text of this Opinion can be found in other languages at the EDPS website

Executive Summary
This Opinion explores the concept of technologies and ecosystems aiming at empowering individuals to control the sharing of their personal data (‘personal information management systems’ or ‘PIMS’ for short).

Our vision is to create a new reality where individuals manage and control their online identity. Our aim to transform the current provider centric system into a human centric system where individuals are protected against unlawful processing of their data and against intrusive tracking and profiling techniques that aim at circumventing key data protection principles.

This new reality will be facilitated by the modernised EU regulatory framework and the possibilities offered by vigorous joined-up enforcement by all relevant supervisory and regulatory authorities.

The recently adopted General Data Protection Regulation (GDPR) strengthens and modernises the regulatory framework so that it remains effective in the era of big data by strengthening individuals’ trust and confidence online and in the Digital Single Market. The new rules, including those on increased transparency and powerful rights of access and data portability, serve to allow users more control over their data, and may also help contribute to more efficient markets for personal data, to the benefit of consumers and businesses.

Most recently we have issued an Opinion on effective enforcement of fundamental rights in the age of big data. This highlights current market conditions and business practices that create obstacles for effective exercise of individuals’ rights to the protection of their personal data and other fundamental rights, and calls for stepping up concerted and consistent enforcement of competition, consumer protection and data protection laws. We hope that this increased enforcement will serve to create market conditions in which privacy-friendly services can thrive. The approach in this Opinion aims at strengthening fundamental rights in our digital world at the same time as opening new opportunities for businesses to develop innovative personal data based services built on mutual trust. PIMS promise to offer not only a new technical architecture and organisation for data management, but also trust frameworks and, as a result, alternative business models for collecting and processing personal data in the era of big data, in a manner more respectful of European data protection law.

In this Opinion, we briefly describe what PIMS are, what problems they are intended to solve, and how. We then analyse how they can contribute to a better protection of personal data and what challenges they face. Finally, we identify ways forward to build upon the opportunities they offer. For new data protection business models to thrive, additional incentives for the service providers offering them may be necessary. It should be explored, in particular, which policy initiatives could motivate data controllers to accept this way of data provision. Furthermore, an initiative by public services to accept PIMS as a data source instead of direct data collection could add critical mass to the acceptance of PIMS.

The emerging landscape of PIMS, aiming at putting individuals and consumers back in control of their personal data, deserves consideration, support and further research with a view to contributing to a sustainable and ethical use of big data and to the effective implementation of the principles of the recently adopted GDPR.