Data flows within Europe—free or restricted?
The European strategy for data refers to Europe becoming a data-driven economy and society. In this vision, data flows across sectors and borders to generate economic opportunities and support social goals. At the same time, Europe’s various data protection officers have been tasked with fostering a “data protection culture”, which, at face value, would seem to run counter to the idea of data flowing across borders.
In our recent talk with Hans Graux, privacy protection expert from Timelex, and Marko Turpeinen, CEO at 1001 Lakes, we discussed how to overcome this paradox and enable the free flow of data in practical terms.
Data ownership and GDPR rights
The image of free-flowing data runs up against (at least) two realities around data in Europe. First, article 5(1)(b) of the General Data Protection Regulation (GDPR) makes clear that data collected for a specified purpose cannot be further processed for other reasons without explicit permission from the data owner. Second, and related to the first point, some of the collected data can be particularly sensitive, such as around health or education.
Data spaces cannot have uniform rules
Given these obligations, governance around data sharing models needs to include the idea of retained ownership. Data sharing is not the equivalent of releasing data into the wild, and once released, losing control of it. A starting point of data sharing can—and in some cases must—be that the provider of information retains control and can withdraw ownership. This also means that different data sets may have different rules around how they can be used and shared within a network. This is not to say that all datasets need to be limited by specified rules, but rather that the option exists for datasets that contain private or sensitive information.
A rule book with My Data for Helsinki as an example
When looking at data sharing, having a common rule book that all stakeholders follow can help to clarify the use of data. The City of Helsinki and MyData for Cities initiative is an example of how to deal with personal data and facilitate data exchanges. In Helsinki, given data privacy concerns, it could actually be quite difficult to move data on students moving from one school to another. Some parents were going so far as to print vital information about their children, and then physically take it to another school. The principles and the rule book developed for the city meant that mechanisms were developed where parents could easily provide permission for data to move between protected silos.
Principles for the rulebook
In Helsinki, in creating this rulebook, the developers have four principal goals in mind, namely:
- To ensure consent comes voluntarily and with data holders understanding what that permission actually means. Giving permission needs to be more than a box tick that users provide without thinking. They need to understand in plain language the potential consequences of providing their data.
- To ensure all data users adhere to common ethics.
- To ensure that the rules are exact enough to satisfy legal and ethical needs while giving enough flexibility to organisations to innovate.
One example of how one of these rule books can look comes from the Finnish think tank Sitra, produced in cooperation with 1001 Lakes. This template includes codes of conduct and checklists for organisations working with data sharing.
Complexity is the heart of the challenge
Data spaces are about principles of governance, but at the heart of the problem is complexity, which is heightened by different technical norms across borders as well as different cultural norms about what is acceptable from a data sharing perspective. In Belgium, for example, not a lot of interoperability is imposed and a lot of data is being held by private companies. Even for services that are public in nature, any data sharing agreements here would require getting cooperation from competing parties on how data should be shared, and then also getting alignment with the Belgian legal framework.
Data sharing across sectors even more complicated
Further adding to the complexity is the fact that it can be easier to think about data from a sectoral or thematic perspective, but of course, data leaks across these borders. When speaking with an education expert, one tends to speak about education data; however, these kinds of isolated silos are not the reality in which people work and expect to receive services. In an education environment, for example, children need to be transported to schools, and in some jurisdictions, meals need to be prepared. Children in schools may interact with social services or even the justice system. What happens when data needs to be shared across different data spaces, and they have different rule books for interaction? One can imagine a web of rule books that either stifle innovation or fail to protect user data.
Complexity and informed user consent
Further complicating the picture is how to turn these high-level principles into operational guidelines. This can be particularly tricky when it comes to informed consent of users, where requests for permission to use data can either be too brief, and as such fail to help a user understand what data rights they are giving up, or be too detailed, so that users give up and tick a consent box, again without having a proper picture.
Data sharing across spaces: a mirror for global trade?
As data spaces continue to develop, rule books that provide models and principles for how information sharing can be accomplished within data spaces will proliferate. These gaps in specific “good practice” will be filled. But given that each data sharing space will need a unique set of rules and ways of interacting with users, it remains to be seen how easy it will be to maintain borders and paths across data spaces. One can imagine similar challenges to how our current system of global trade has developed over the decades, with efforts to lower borders through agreements between data spaces met with challenges over the reasons for different rule sets within specific data spaces.
Context: Data sharing across cities and across sectors is challenging. A large part of the difficulty comes from turning high-level principles into operational guidelines. The 1001 Lakes rule book is a step towards achieving that.