The application of data protection policies, as well as data protection by design and by default, means the use of management, legal and technical tools that guarantee compliance with GDPR. These must be taken into account from the early stages of designing a Data Space. Privacy Enhancing Technologies or PETs allow you to implement privacy principles, but the same tools are useful to implement governance policies that guarantee trust and data sovereignty in a Data Space. Therefore, PETs can be, and should be, “dual-use” technologies to be efficient and effective, integrated into the core of Data Spaces, serving different purposes in the data access sharing economy.
“Data is the new oil” is a phrase that describes the importance of the data-driven economy. In this approach, data is no longer just an element necessary to implement processing, but rather an asset in itself that can generate benefits for each entity and society as a whole. Therefore, the data-driven economy goes beyond the limits of data holders, and aims to create a data access exchange market with different stakeholders: public bodies, companies, researchers, SMEs and individuals.
As an asset, data has the same importance as any other asset in an entity. Any type of entity, from public organizations to SMEs, is defined by its assets: financial and human resources, assets, facilities and premises, processing and communication power, business knowledge, patents, market share, etc. All entities have the responsibility for proper management of their assets, since it is their duty to protect the interests of their shareholders, clients and citizens. It would be naïve to think that a company will give free access to its capital, facilities or know-how to anyone for any purpose without guarantees that it will not harm the company itself or society. Therefore, we should expect that a company, with respect to its data assets, will join data access sharing initiatives that keep its know-how, market share, intellectual property, trade secrets, competitiveness, and compliance and ethical principles under its control. This control will give the company enough confidence to become a player in the data access market.
The need for trust and control will be shared by all stakeholders in the data-driven economy. For example, let’s talk about research and data access. The research power of a country or entity is not evaluated by the number of researchers or their budget, but by the number of patents and intellectual property generated. The “patent race” is a race in which there can only be one winner, because it means obtaining legal rights to market new products and services. Researchers, to be willing to enter the data access environment, must trust that there are real guarantees that all their efforts will not be compromised. In short, they need guarantees that they can carry out their work in fair competition with other research centers, companies or countries that have access to more resources for data processing.
Likewise, States, and even the EU, must implement control tools in the data access market to obtain guarantees that ensure the sustainable industrial development of the EU. For example, guarantees are needed to allow economic growth without penalizing SMEs compared to large companies. Even at the national level, it is of utmost importance to maintain control of strategic information: information on critical infrastructures, fake news and social manipulation, but also, among others, health data or the psychological profiles of current and future leaders, representatives and members of the essential structures of the country.
Last but not least, “natural persons must be in control of their own personal data” (Recital 7 of the GDPR) in such a way that it is possible to comply with the GDPR to guarantee the rights and freedoms of data subjects.
That control, and the trust stakeholders need in the data access economy, is called “data sovereignty.” Sovereignty over the data assets of companies, researchers, States (managing assets/data that belong to citizens) and individuals is the way to “create the trust that will allow the digital economy to develop throughout the internal market” (Recital 7 of the GDPR).
The way to achieve effective “data sovereignty” means implementing an open and federated infrastructure, based on governance, policies, rules and standards, that allows building trust in all stakeholders through effective control of their data assets through management, legal and technical tools. This is what is called Data Space.
Data Spaces must allow access to data, considering that access means “the use of data, in accordance with specific technical, legal or organizational requirements, without necessarily involving the transmission or downloading of data” (article 2.13 of the DGA). Data access does not necessarily mean data dissemination and it certainly does not mean uncontrolled data leaking. Data access means implementing ways to extract information, useful for a specific context, from different data sources with the purpose of creating value.
A Data Space is implemented by management, legal and technical tools and must be implemented from design. Some examples of such tools are “secure processing environments” (article 2.20 of DGA), edge-computing, federated processing, differential privacy, SMPC, synthetic data, anonymization, pseudonymization, data minimization techniques, etc. Other tools should provide control, for stakeholders and by default in the case of data dissemination, to implement data lifecycle management, data traceability and access control policies. Governance and policies are key elements of management tools and should start with a clear definition of roles and responsibilities between stakeholders, purposes, risk management from different perspectives, data breach management strategies and compliance with different regulations.
In the previous paragraph it seems that we are talking only about personal data protection tools by design and by default: management tools and “Privacy Enhancing Technologies” or PETs. However, these tools may serve additional purposes beyond data protection. Let’s look at the example of traceability tools, which are key to the implementation of the rights established in the GDPR and the consent lifecycle. However, traceability tools are also necessary in a Data Space to implement data monetization, intellectual property control, billing processes, patent management and everything related to the fulfillment of contracts in a Data Space data access market. Another example comes from data protection by design such as secure processing environments or federated processing, among others. Of course, such strategies are very effective for implementing GDPR compliance, but they are also ideal tools for maintaining control of a corporation’s most valuable assets, such as its know-how, or for ensuring fair and ethical use of data in case of investigation. The conclusion is that PETs can meet various governance requirements in a Data Space and function as “dual-use” tools: GDPR requirements and other requirements that derive from the interests of companies, public bodies, the sustainability of the EU market, EU research and state security.
There must be a single governance model in a Data Space, and it is not possible to implement a data protection policy as a separate layer. The integration of privacy tools and PETs into the governance model must be carried out from the design of the Data Spaces. In this way, they can function as dual-use tools that facilitate the implementation of data sovereignty and the confidence of stakeholders to participate in the data access market. Otherwise, if a Data Space is built by stacking tools, one on top of another, on the fly, for different purposes, in an unplanned manner, the result will be an inefficient and ineffective Data Space.
Privacy governance and PETs are tools that ensure and facilitate compliance with the GDPR. In addition, these tools also allow the principles of data sovereignty to be implemented in a Data Space and provide an answer to many of the concerns about data access. Data protection tools must be considered from the design of Data Spaces and must be fully integrated into the governance of a Data Space. Therefore, DPOs with deep knowledge of data management and Privacy by design tools must be involved in the design of Data Spaces to obtain what is established in GDPR: control of one’s own data, trust in the data-based economy, legal certainty for all interested parties.