Data Spaces, sovereignty and privacy by design

Unsplash

Data protection policies, like data protection by design and by default, mean the implementation management, legal and technical tools that guarantee compliance with GDPR. They should be devised in the early stages of the design of a Data Space. The Privacy Enhancing Technologies or PETs allow to implement the privacy principles, but the same tools are useful to implement the governance policies that guarantee the trust and data sovereignty in a Data Space. Therefore, PETs can be, and should be, “dual-use” technologies to be efficient and effective, integrated in the core of the Data Spaces, fulfilling different purposes in the data-access sharing economy.

“Data is the new oil” is a sentence that describe the importance of the data-driven economy. In this approach, the data is no longer just an element necessary to implement a processing but an asset by itself that can generate profit for each entity and the society as a whole. Therefore, data-driven economy goes beyond the boundaries of the data holders, and it is aimed to create a data-access sharing market with different stakeholder: public bodies, enterprises, researchers, SME and natural persons.

As asset, data has the same significance than any other entity asset. Any kind of entity, from public bodies to a SMEs, is defined by its assets: financial and human resources, goods, facilities and locals, processing and communication power, business knowledge, market share, etc. All entities have the responsibility of a proper management of its assets, and the duty to protect the concerns of their shareholders, clients, and citizens. It would be naïve to think that an enterprise will give free access to its capital, facilities, or know-how to anybody for any purpose without guarantees that it won’t harm the own enterprise or the society. Therefore, we should expect that an enterprise, regarding its data assets, will be willing to join to data-access sharing initiatives that keep under control its know-how, market share, intellectual property, business secrets, competitiveness and the compliance and ethical principles. That control will give the enterprise trust enough to be an actor into the data-access sharing market.

The need of trust and control will be shared by all stakeholders in the data-driven economy. For example, let’s talk about research and data-access sharing. The research power of a country or entity is not assessed by the number of researchers or their budget, but by the number patents and the intellectual property generated. The “patents race” is a contest with only one winner, because it means to get legal rights to deliver new products and services, or to trade with them. Researchers, to be willing to go into data-access sharing, must trust that exist real guarantees that their job is not compromised. Researchers need guaranteed that they can carry out their job in fair competition with other research centers, enterprises or countries that have access to more resources regarding data processing. 

In the same way, National States, and even the EU, must implement control tools in the data-access sharing economy to get guarantees that ensure the EU industrial sustainable development. For example, guarantees are needed to allow a sustainable growing of the economy without penalize SME regarding great enterprises. Even, at National level, it is of the utmost importance to keep the control of strategic information: regarding critical infrastructures, the fake news, the social manipulation, but it is too, among others, the health data or psychological profile of the current and future leaders, representatives and member of the essential structures of a country.

Last but not least, “natural persons should have control of their own personal data” (Recital 7 GDPR) in such a way that it is possible to fulfil compliance with GDPR to guarantee the rights and freedoms of the data subjects.

That control, and the trust the stakeholders need in the data-access sharing economy, is called “data sovereignty”. The data sovereignty of the enterprises, the researchers, the States (that manage assets/data that belong to the citizens) and the natural persons is the way of “creating the trust that will allow the digital economy to develop across the internal market” (Recital 7 GDPR).

The way to get an effective “data sovereignty” means to implement an infrastructure open and federated, based in governance, policies, rules and standards, that allows to generate trust in all stakeholders by an effective control of their data assets by means of management, legal and technical tools. This is called a Data Space.

Data Spaces must allow access to data, considering that access means “data use, in accordance with specific technical, legal or organizational requirements, without necessarily implying the transmission or downloading of data” (Article 2(13) DGA). Data access doesn’t mean data dissemination, and of course, it doesn’t mean uncontrolled data leaking. Data access means to implement ways to extract information, useful for an intended context, from different data sources with the purpose of creating value.

A data space is implemented by management, legal and technical tools and they should be implemented by design. Some examples of such tools are “secure processing environments” (Article 2(20) DGA), edge computing, federate processing, differential privacy, SMPC, synthetic data, anonymization, pseudonymization, data minimization techniques and so on. Other tools should provide control, for the stakeholders and by default in the case of data dissemination, to implement the management of the data life cycle, the traceability of data and access control policies. Governance and policies are key elements of the management tools and should start with a clear definition of roles and responsibilities among stakeholders, purposes, risk management from different perspectives, data breach management strategies and compliance with the different regulations.

In the previous paragraph looks like we are talking only about personal data protection tools by design and by default: management and Privacy Enhancing Technologies or PETs. However, those tools can fulfil additional purposes beyond data protection. Let’s see the example of traceability tools, that are key for the implementation of the GDPR-rights and the consent life cycle. However, Traceability tools are needed in a Data Space to implement data monetization, control of the intellectual property, billing processes, patent management and all regarding performance of contracts in a data-access sharing market too. Another example comes from data protection by design strategies like the secure processing environments, or federate processing among others. Of course, such strategies are so effective to implement GDPR compliance, but are ideal tools to keep a control of the most valuable assets of an enterprise, like its know-how, or to guarantee a fair and ethic use of the data in case of research too. The conclusion is that PETs can fulfil several requirements of governance in a Data Space and work like “dual use” tools: GDPR requirements and other requirements that derive from the concerns of enterprise, public bodies, EU market sustainability, EU research and State security.

There must be a single governance model in a Data Space, and it is not possible to implement a data protection policy like a separate layer. The integration of Privacy tools and PETS in the governance model should be done by design of the Data Spaces. Such a way, they can work like “dual use” tools that facilitate the implementation of data sovereignty and the trust of the stakeholder to join the data-access sharing. Otherwise, if a Data Space is built by piling tools, one over another, on the fly, with different purposes, in an unplanned way, the result will be an inefficient and ineffective Data Space. 

Privacy governance and PETs are tools that guarantee and facilitate GDPR compliance. In addition, these tools allow too to implement the principles of data sovereignty in a Data Space and give an answer to many of the data-access sharing concerns. The data protection tools must be considered by design of the Data Spaces and should be fully integrated in the governance of a Data Space. Therefore, DPOs with a deep knowledge about data management and privacy by design tools must be involved in the design of Data Spaces to get what is laid down in GDPR: control of the own data, trust in data-driven economy, legal certainty for all stakeholders.

This post is related with other material released by the AEPD’s Innovation and Technology Division, such us:
•    Approach to data spaces from GDPR perspective
•    AEPD-ENISA event on data spaces