- Much of the technology necessary to enable consent and trust in data marketplaces currently exists and is scalable.
- Opportunities remain to innovate using 4IR technologies to better support citizens' control over how their data is used.
- As we move beyond the concept stage we must design a robust governance structure that builds trust.
As the power source for today’s businesses and technologies, data has the potential to ignite unparalleled progress for people and the planet – from innovations in digital identity to informing pandemic response and even getting us closer to net-zero climate goals.
Yet, while both supply and demand for data are at an all-time high, we are missing out on opportunities to use data for better outcomes. Why? Because the data ecosystem is a complex, fragile network of relationships and stakeholders, and like any strong relationship, these connections require trust.
Right now, confidence in data sharing is lacking globally, and people are not inspired to participate in the data-driven economy. However, there are opportunities to build trust into the data-sharing ecosystem – one of these is data marketplaces.
Data marketplaces (i.e. data exchanges), correctly constructed, can accelerate the responsible exchange and use of data to solve critical challenges and fuel innovation for society. With thoughtful applications of emerging technologies like blockchain and privacy-enhancing techniques, public and private-sector operators of data marketplaces can empower people to grant permission willingly and knowingly for their data to be used.
Earlier this year, in the report Data-Driven Economies: foundations for our common future, the Data for a Common Purpose Initiative (DCPI) established five requirements for leveraging data for the benefit of society. Data marketplaces, counter to traditional siloed data sharing, allow data to be leveraged for broader sets of social outcomes. These requirements can be directly applied to designing data marketplace infrastructure and, from the perspective of an individual whose data is collected, stored and shared in a data marketplace, they can be leveraged to build trust.
Most regulation requires individuals to provide direct permissions – in other words, consent – for their data to be collected, stored or shared. However, not all data is generated by an identifiable individual; therefore, not all exchanges of data will require direct permissions (e.g. government-owned traffic light sensors sharing traffic volume with a retail developer). Even so, pieces of the framework for building trust with individuals through permissioned data sharing, coupled with the right technology enablers, can also be applied to the relationships between organizations participating in a data marketplace.
Last summer, the World Economic Forum published a paper, Redesigning Data Privacy: Reimagining Notice and Consent for human technology interaction. The paper described how the current global regime on data permissions is disconnected and, in many ways, broken. Fourth Industrial Revolution (4IR) technologies aim to reimagine consent and permissioning mechanisms in different ways; some innovators are even looking at ways to ensure privacy and bypass it altogether. There are still many outstanding questions in the ongoing policy development surrounding individual permissions for data sharing.
Two areas where 4IR technologies are reaching new heights are in improving the predictability of outcomes using smart contracts and enforcing the scope of processing through pseudonymization.
1. Predictability of outcomes using smart contracts
In cases of decentralized processing among numerous parties who may not know one another but still need to trust each other, distributed ledger technology (mainly blockchain), together with other techniques, can be used to increase the likelihood of predictable expected outcomes. One of the instruments may be smart contracts that automatically execute, control or document specified actions, according to the terms of an agreement.
Using blockchain allows the parties to determine which information they share, with whom and for what purpose. Given that all parties agree on a shared source of truth and can independently monitor the process with no party changing the rules of the platform or ledger, they can ensure predictability of – and therefore increased trust in – the outcome. As a result, the potential need for intermediaries responsible for brokering data exchanges between different parties is minimized, reducing the cost of enforcement and the risk of fraud.
How can responsible data collection inspire trust?
The pace and volume of data collection and sharing has accelerated, demonstrating the need for better mechanisms to protect citizens' rights and inspire trust.
To that end, a new whitepaper explores a potential approach to tackling this issue and forging trust. The whitepaper, Data-driven economies: Foundations for a common future, identifies key enablers that can build multistakeholder data sharing frameworks.
It recommends creating new data governance models that combine data from various origins, including personal, commercial and/or government sources. It highlights use cases from industries and jurisdictions around the world to illustrate the possibilities data sharing unlocks for multiple stakeholders and the public good.
The paper was created in connection with the Data for Common Purpose Initiative, a first-of-its-kind global initiative formed to design a governance framework to responsibly enhance the societal benefit from data. The initiative aims to find ways to exchange data assets for the common good, while protecting individual parties' rights and the equitable allocation of risks and rewards.
2. Scope of processing through pseudonymization
Inspiring trust requires that data use be limited to permissioned purposes and not used for further unauthorized processing. Compliance measures restricting the scope of processing can be expanded beyond traditional contractual and organizational measures by leveraging advanced 4IR protection technology. This protection technology can travel with the data wherever it goes to ensure a trusted scope of processing to enable distributed data sharing, combining, analytics, artificial intelligence or machine learning.
Privacy-enhancing 4IR techniques overcome the limitations of earlier techniques for data privacy and protection, the efficacy of which is limited to centralized processing, by functionally separating information value from identity to enable trusted distributed processing. This is done by technically enforcing policies that allow the gradation of the types of data processed, allowing organizations to share everything from no data to a lot of data, at any volume or level of identifiability.
The EU General Data Protection Regulation (GDPR) excludes data that can be anonymized. Therefore, techniques such as pseudonymization have been recognized in Article 25 of GDPR as a measure for implementing data protection principles. Pseudonymization functionally separates information value from identity, which requires a new outcome-based “state” of data that:
- Protects direct, indirect, and quasi-identifiers, together with characteristics and behaviours.
- Protects at record and data-set level versus only the field level so that the protection travels wherever the data goes, including when it is in use.
- Protects against unauthorized re-identification by generating high entropy (uncertainty) levels by dynamically assigning different tokens at different times for various purposes.
The combination of these protections prevents the re-identification of individuals without the use of additional information kept separately to ensure that data is “anonymous” (in the strictest sense of the word on a global basis) “but for” the additional information which is held separately and made available only under controlled conditions for authorized purposes.
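The third property above (different tokens at different times for different purposes, reversible only with separately held information) can be sketched as follows. This is an added example, not code from the article or from any DCPI project; the class and function names, the HMAC-SHA256 construction and the sample records are assumptions, and it covers a single direct identifier only, not quasi-identifiers or record-level protection.

```python
import hashlib
import hmac
import json
import secrets


class PseudonymVault:
    """Hypothetical holder of the 'additional information' (secret key and
    token-to-identity map), kept apart from the data that is shared."""

    def __init__(self, authorized_purposes):
        self._key = secrets.token_bytes(32)   # never leaves the vault
        self._reverse = {}                    # token -> original identifier
        self._authorized = set(authorized_purposes)

    def token(self, identifier, purpose, epoch):
        # The token is bound to identifier, purpose AND time window, so one
        # person's tokens cannot be linked across purposes or epochs
        # without the vault key. JSON gives an unambiguous field encoding.
        msg = json.dumps([purpose, epoch, identifier]).encode()
        tok = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._reverse[tok] = identifier
        return tok

    def reidentify(self, tok, purpose):
        # Controlled re-identification: refused unless the requesting
        # purpose is on the allow-list.
        if purpose not in self._authorized:
            raise PermissionError(f"not authorized for {purpose!r}")
        return self._reverse[tok]


def pseudonymize(records, vault, purpose, epoch, id_field="email"):
    """Return shareable copies with the direct identifier replaced."""
    shared = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != id_field}
        row["subject"] = vault.token(rec[id_field], purpose, epoch)
        shared.append(row)
    return shared


# Constructed sample records, not taken from the article.
RECORDS = [
    {"email": "alice@example.org", "trips": 14},
    {"email": "bob@example.org", "trips": 3},
]

if __name__ == "__main__":
    vault = PseudonymVault({"fraud-investigation"})
    for purpose, epoch in [("research", "2024-Q1"), ("marketing", "2024-Q1")]:
        print(purpose, pseudonymize(RECORDS, vault, purpose, epoch))
```

A recipient holding both the research and marketing extracts sees unrelated `subject` values for the same person; only the vault operator can map a token back, and only for an allow-listed purpose.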
Support as data marketplaces move beyond the concept phase
4IR technologies such as those illustrated above preserve predictability of outcomes and scope of processing to ensure sustainable trust in the data-driven economy. These are promising examples of the emerging technology required to realize the vision of programmes like the C4IR India’s data exchange. “Protect” is one of the foundational principles in the whitepaper’s approach to developing a governance framework, requiring “privacy-by-design,” protection against data misuse and the auditability necessary to provide individual or organizational recourse in the event of a dispute.
The C4IR Japan, in coordination with DCPI, is creating frameworks – Towards a Data Economy: An Enabling Framework and Developing a Responsible and Well-designed Governance Structure for Data Marketplaces – to define the roles and responsibilities of Data Marketplace Service Providers (DMSPs), a key infrastructure component for successful data marketplaces. A deep understanding of the different capabilities and potential combinations of the emerging technologies available as DMSPs will help ensure a comprehensive governance structure is in place to secure neutrality and impartiality.
The work of DCPI aims to bring a global perspective and forge a common path forward by examining the technological implications of policies across jurisdictions and connecting the dots between government-led data marketplaces in India, Japan, Colombia and others.