Dream here

In a previous post, I talked about my endeavours through the ehealth data portal of the Belgian government. Somewhat related is another journey I recently started, during which my end goal is to consult the data my favourite supermarket collects about me.

tl;dr

This post is a first one in a series describing my experiences regarding a request to consult the data gathered by the Belgian supermarket Colruyt about me as a natural person. After making a first ‘official’ request via email (signed letter + copy of my passport to prove my identity). I got a snail mail reply stating that they only have data about me as a legal entity, I called BS and re-requested my data specifically stating that I want to get insight into my purchase data they use to send me personalised advertisement. (aka my purchase history linked to my loyalty/bonus card) Current status : waiting for a new reply (4 weeks and counting).

Why bother?

People have been asking me why I go through all this hassle, to set that clear once and for all – I want to actively contribute in generating awareness of where and how data is collected. I took on this active stance after hearing Estelle Massé (Access Now) and Prof. Preneel (K.U. Leuven) talking about the lack of understanding of data privacy & ethics and the emerging cry for cryptopolicy. The flurry of thought that emerged in my head was a willingness to understand this better – and what can be a better way to learn than to actually figure it out while doing it?

Towards the personal API

Regarding privacy, ethical data policies and related ‘whatevers’ I’m an utter n00b, n44b, newbie. The more that I think about this though, the more I feel the need for governments, companies and organisations to actively think about a data policy and the protection thereof. The increasing interest of Blockchain technology is just one indication that having access to (personal) data will become a very important part of how the economical systems of tomorrow will work. Actually being able to access that data, and act upon it, seems to still be the missing link.

Regarding public data (weather, traffic, pollution, demographics,…) I have the feeling we will eventually get to some kind of addressable ‘API’. The worldwide open data initiatives are a good example of this, and some cities are taking a forerunner role in this already (London, Ghent, Helsinki amongst others).

When it comes to personal data, I’m still very much in doubt how we will or can evolve to a ‘personal API’. In my previous post on ehealth, I had some doubts regarding the accessibility of my own health data. I clearly could not access everything, which is (still) very confusing to me. I know that governments are doing a lot of efforts to demystify the data available, when I’m speaking for Belgium I’m always surprised (and happy) to see the correctness of the prefilled fields on my tax application. However, at the same time I realise that the process to actually ‘find’ this data is so cumbersome very few people actually make the effort to consult it.

That being said, I didn’t mention anything about all data available that is scattered throughout a variety of privately owned services. Social media profiles, online photo archives, webshops, data linked to loyalty cards at small or large stores, etc. For the moment, I assume that the governmentally controlled data will become available in a usable format at some point. It will probably still take a couple of legislations, but we’ll get there.

Why the supermarket?

When it comes down to privately owned companies who hold on to a significant amount of data about me as a natural person, I believe that supermarkets probably top the ranks. In the case of Colruyt, I actually do not have any substantial comments about the usage of my data. I enjoy receiving targeted advertisement from them, as it gives me extra discounts on groceries I would buy anyway. Since Colruyt even has a section on data privacy in their privacy charter, I figured it wouldn’t be a real problem to request a copy of my data from them. So that is what I set out to do …

Contact customer service!

The first things I did (on March 29, 2016) was email the customer service of Colruyt, refer to the article in their privacy charter and request a copy of my data. I got a very swift reply asking me to send a copy of my passport to prove my identity and send a more formal, signed, letter. I followed all advice, got a confirmation that everything was going to be processed and that I would receive a printed copy of my data anytime soon. Although that I found it a little odd that they were going to send me the data on paper, I was actually really happy at that point. A smooth transaction, sound and clear.

Their reply letter …

A couple of weeks later, I find a (printed) letter in my mailbox from Colruyt. After reading it, I was flabbergasted and furious at the same time. The letter stated that they could not share the data because they only have data about me as a legal entity. At that point, I really wondered why I sent a copy of my passport and a signed letter in my own name. I never mentioned any legal entity, let alone that I ever bought any groceries on my company name.

After showing the letter to a couple of friends, we all concluded that this very much felt like they were trying to find reasons not to share the data. After receiving that letter, and regaining a sane state, I sent a friendly reply mentioning that I never made any mention of a legal entity and always had the intention to request my own purchase data (as a natural person).

Progress?

Since then, I was in contact with Colruyt customer support about two times – requesting a status update. Each time, they replied in a very friendly way that they were working on it and would get back to me shortly. Since the last communication dates from June 1st, I figured that after four weeks it was time to take a next step.

Future plans

Short term, I’m very much looking forward to the new response from Colruyt. I’m starting to get a little worried whether a new reply will follow at all, it would be very unfortunate having to take more formal steps in this request.
I have sent out a registered letter to their customer service today, referring to all previous communication as well as a clear request to receive all stored data about my purchases. (ie. the data they use to create targeted advertisement). In that letter I made reference to some articles of the EU privacy law, as well as to their own privacy charter. I find it a pity to take this step, but I’m not going to let go right now.

The longer term plans originate from a talk over lunch with @nielshendriks @karinslegers and @liesbit about 5 years ago. The idea brought to the table then was to create a website that would automate the data requesting process for a selected amount of companies. That would mean that after entering all required data, letters would be generated and sent out to the companies automatically. This ‘service’ would ideally take out the hassle of carrying out a person’s right to access personal data and could be an intermediary step towards the personal API.