A NEW GOVERNANCE
Standardization for data empowerment
Building a new governance for personal data
Building a new digital era
We believe that personal data is one of the most essential societal issues of the XXIth century. Its circulation is the condition for innovation, economic growth, scientific progress and digital sovereignty. Personal data is not about technology only as it encompasses Legal, Design, Social and Economical aspects. At the same time, in a technological world, Standards are key as they shape actual practices, so there is a need to ensure that the values we want to prevail in our society are actually well embedded in the technologies we create and use every day.
In this respect, we make a call for the creation of a new governance body for personal data mobility and protection that will coordinate all of the stakeholders of the Digital Society, including people, Governments, Regulators, Companies, Academics and any other interested party, in order to promote Technological Standards that fit the needs and requirements of all stakeholders at the same time as following EU key values of Digital Ethics. Join us in the design phase of the Governance Body !
We want a digital society that benefits people, businesses and society as a whole. A fair and efficient digital society requires personal data to flow freely under the strict control of individuals themselves. As the importance of personal data in society continues to expand, it becomes increasingly urgent to make sure individuals are in a position to control their personal data, but also to gain personal knowledge from them and to claim their share of benefits. Healthcare, smart cities, environmental protection count among many examples of tomorrow’s challenges requiring an optimal circulation of data between organizations and, at the same time,a use that is well understood, accepted and most of all put under the control of individuals.
What is the potential
The free flow of personal data under the individual’s control can « rebalance » the relationship between people and organizations that hold their data. It can shake up what seems to be a “de facto” monopoly for data holders, and simultaneously bring more transparency and trust in the ecosystem. People could acquire or develop their digital empowerment by promoting their autonomy with regard to a specific actor in the data ecosystem.
The free flow of personal data is also a source of development and growth, for better services, and improved wellbeing. A true disrupter. Markets will be more fluid and pro competition as they will avoid data “lock-in” strategies, they will also be more open and innovative as new entrants like startups will finally access data that was kept by incumbents. In 2016, Ctrl-Shift consultancy estimated the market size, for the UK only, would reach (when mature) £16.5bn or 1.2% of its economy. If we extrapolate roughly to the whole EU, the figure reaches €125bn. This figure will, of course, have to be refined, but we can be confident the impact on the global economy will be huge.
Transparency and the automatic exercise of rights are core principles of Data Ethics. The transparency of algorithms and the possibility to control the criteria of their decisions is a fundamental democratic requirement. At the same time technology is strengthening tremendously, we need strong citizens educated and in control so that this new power can be used in a durable and accepted way. The free flow of personal data based on individuals control will allow a healthier and more ethical development of Artificial Intelligence.
From GDPR and beyond
EU GDPR (General Data Protection Regulation) paved the way for this new era by defining a new legal framework for personal data, ahead of technology. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR strengthens trust in a Digital ecosystem that sometimes appeared as boundless.
A key to unlock the potential is to allow individuals to monitor how their data circulate in an informed and user-centric way. Thanks to GDPR, there are strong legal tools now that we can use to build upon :
- Data portability is today an enforceable right for every EU resident. It asks organizations to open-up their information system and allow individuals to get back their data in order to transfer such data to other organizations. The new portability right is a trigger for data circulation.
- There will not be trust in the ecosystem for data circulation if it does not come with the right protection. GDPR also provides structural elements for protection like privacy by design principals, the key notion of consent, minimization, transparency and so on.
But GDPR by itself is not enough. We need to translate GDPR values and principles into applicable and widespread technological standards for it to truly benefit society, following a top-down approach
We also need to help organizations that try to implement GDPR principles to be able to give feedback to lawmakers and regulators. As the pace of technology is rapidly increasing, we need to start a process of adaptive regulation, following a bottom-up approach.
Why do we need Standards?
Allowing the free flow of personal data under the individual’s control implies a complex and important work on interfaces between a huge number of heterogeneous systems (Companies and Administrations Information Systems) and end-users. Standards are one of the best means that could be used to achieve it.
Standards would have the following benefits:
- it would largely reduce costs for every company/organization and no ones want good practices to be limited to the richest companies only.
- it would be easier and more secure for individuals to be confronted to the same requirements & audits of processes. We need to reduce the cognitive effort and the time it takes for users to understand how to use and protect their data.
- if based on Digital Ethics values & principles, it would bring trust in the overall ecosystem with a more robust, secure and transparent approach.
We already identified key issues that require new standards :
- data transfer
- security protocols
- consent management
- data formats / ontologies
- users’ rights
- privacy by design
- business models
- data circulation liability framework
- non-personal reference data
- personal information management systems (PIMS)
Limits of existing standards initiatives
Many standardization initiatives all over the world aim at defining these kinds of Standards and there is a booming since GDPR: DTP, Solid, IPEN, Open Banking, etc. The energy and the will to build new standards is already there.
Many domains and types of expertise are involved :
Many sectors are involved :
- Finance and insurance
- Job market
The main problem is that all those initiatives are partial, they mostly work :
- by country
- by sector
- by expertise
- through closed consortiums
Despite our energy and goodwill, we are recreating silos, which will be highly detrimental to the main goal. Personal data circulation and protection is a cross-sector issue and data have no boundaries.
Building a new governance body for personal data
The governance body we want to create is an independent and international standard supporting organization (SSO) where member organizations share and define technological terminologies, standards and guidelines in the purpose of allowing the free flow of data under the individual’s control. These technical tools will be produced through concrete portability use cases bringing direct value to stakeholders while respecting the principles of the manifesto (see below), the implemented solutions can then be shared with others.
The purpose of the governance body is to publish widely accepted iterative recommendations so that they can deploy and mainstream on the market. The approach will combine a transversal approach with expert workgroups on all the identified topics (technical, design, legal, business, etc.), and sectoral approach with sector hubs (mobility, finance, health, administration, retail, etc.). Hubs will work at defining sectoral standards through use cases while workgroups will help share, leverage & harmonise good practices. A Technical Board will be in charge of internal coordination and relationships with outside stakeholders (governments, regulators, etc.). As the goal is a user-centric control of personal data flows and uses, the recommendations will rely on user testing to ensure a swift understanding and use by the people.
The governance body does not aim at reinventing the wheel but it coordinates the multiple standardization efforts (by country, by sector, by group of actors, etc.) and tries to build the largest possible consensus. It works as a facilitator of the ecosystem.
As personal data is a global societal issue, we believe that the responsibility of defining technological standards does not belong to one particular actor of the ecosystem anymore, but has to emanate from global coordination of most of them. And that such standards should be based on self-assessment practices, reinforced by targeted audits mechanisms. Therefore the Governance Body promotes a mix of a top-down approach as it translates regulations into technological standards and a bottom-up approach as it gives market feedbacks to legislators and regulators (adaptive regulation). It also has to put a large effort as ensuring good representativeness of its deliverables (end-users, academics, incumbents, startups, etc.).
- mapping of standardization initiatives
- mapping of data circulation actual uses cases and ROI
- sectoral studies to identify key blockers
- ethical definitions
- good practices (do and do not)
- standard recommendations
This manifesto lays down 10 rules for the use and circulation of personal data under the control of individuals. They are extracted from the PrivacyTech White Paper co-written by more than 50 organizations from 14 different European countries and presented at the French Parliament the 10th of April 2019.
Those who adhere to these principles agree to take concrete steps to implement them. These principles will guide the implementation of the use cases the governance body will work on and be translated into technical standards.
1. The use and circulation of personal data will serve individuals and society as long as they are under the strict control of individuals and respectful of the environment.
Architecture & Security :
2. Data is encrypted end-to-end during circulation and locally during storage.
3. The organization that processes the data cannot be the one that guarantees and proves compliance with the authorizations and rights of individuals.
4. Information and transparency on the use of data should use techniques to make the information pleasant and be tested with the target audience to ensure their understanding.
5. Consent is personal data and must be able to be recorded, used and circulate in a standardized form.
6. Compliance with consents is ensured by technical means, which can be audited and proven by third parties; the same applies to the exercise of rights.
7. Portability is based on the consent of the data subject with a clear announced reuse.
8. Portability is ensured by standardized user-centric technical and automatic means.
9. The organization has put in place organizational measures to assess the ethics its data uses.
10. Open and tested technical standards developed in collaboration with a plurality of public, private, academic and associative actors must be created to ensure compliance with these rules and their evolution.
How do we get there
At this stage, we believe we need to build on existing Self Data and data protection initiatives as they effectively bring together universities, associations, startups, corporates and individuals toward the common goal. Timing is of the essence as the market won’t wait and we need to build on GDPR today. It is key we, as diverse but complementary European and International entities, translate today some of its guiding principles into value and concrete benefits for citizens and the economy. The aim of the governance body is to rapidly become global while spreading European values expressed in GDPR concerning individual rights through its standards. The Governance Body is therefore open to any player who transparently acknowledges as his our founding principles. The purpose is to contribute to an accountable set of practices for data sharing, porting and usage, be they personal or non-personal, is a cross-sectoral, multi-domain (legal, technical, design, business) international standardization body uniting public, private and academic actors.
We need to begin the design phase now and create the rules of the governance.
V0 for the beginning of August 2019
- General rules
- General Methodology
- Types of actors
- Funding Strategy
V1 of the governance body. Mid-September 2019.
- Precise methodology and governance rules
- Accepted values
- Different types of actors engaged
We need you.
Call for participants : Designing the new governance body
A few months to propose the first version.