Building a Governance model

Why do we need governance for Personal Data Sharing?

Sharing data across organizations is a complex matter. For this to work efficiently and at scale, we need to build standards for many sectors (health, mobility, finance, etc.) and many expertize (business, legal, technical, etc.). When we are talking about Personal Data Sharing it gets even more complex since we have to think cross-sectoral from the outset as people can move data around from one sector to another. Personal Data Sharing also involves privacy concerns and specific regulations like GDPR that need to be taken into account. This is why Personal Data Sharing requires an unprecedented coordination effort!

In fact, Personal Data Sharing has been there for years already, thanks to the Big Tech platforms for the most part (Google, Facebook connect, etc.). But the Big Tech model is platform-centric and incumbents define by themselves the rules for sharing personal data. Technically speaking… it works well! And it is obviously easier for a few big incumbents to impose a ‘de facto’ standard than for millions of organizations worldwide to cooperate. The problem today is also that network effects have made certain platforms so strong that we live in a ‘winner takes all’ moment. Those platforms cannot represent by themselves all the stakeholders of the ecosystem, organizations as well as individuals, and it is not in their best interest by the way, contrary to popular belief. We now need governance to build a human-centric model for personal data sharing.

 

Platform-centric

Human-centric

How is the EU strategy helping?

In February 2020 the European Commission published its Data Strategy, with data sharing as the main goal. The EU will create sectoral ‘Data Spaces’ (health, finance, skills, mobility, etc.) where stakeholders will have to define standards for sharing data (data models, legal standards, etc.). Concerning Personal Data Sharing the EU validates our model and mentions directly the MyData movement we belong to. It also stresses the fact the GDPR has to be the main building block for Personal Data Sharing. possible to identify the most appropriate data circulation standards and norms.

Building a cross-sectoral Personal Data Space

The EU will create sectoral ‘Data Spaces’ (health, finance, skills, mobility, etc.) where stakeholders will have to define standards for sharing data (data models, legal standards, etc.). Concerning Personal Data Sharing the EU validates our model and mentions directly the MyData movement we belong to. It also stresses the fact the GDPR has to be the main building block for Personal Data Sharing.

In May 2020, with Sitra (the Finnish Innovation Fund), we published the paper: 35 proposals to make the European data strategy work. Our main proposition was to build a cross-sectoral Personal Data Space that would handle all personal data related aspects of data sharing and that would make the link with all sectoral Data Spaces.

A governance body for Personal Data Sharing

We believe a governance body is needed for the personal data space, aNewGovernance unites organizations to propose this governance. We believe this body should have as missions :

  1. Promoting Human-centric values
  2. Building the Personal Data Space
  3. Building a personal data sharing infrastructure
  4. Creating a Governance body for personal data sharing
  5. Fostering and coordinating personal data ecosystems

 

We cannot define standards for personal and non-personal data separately as personal data sharing involves non-personal data.  Moreover, it should be noted that most data sharing projects involve mixed-data, both personal and non-personal. Concerning the Data Spaces, the personal data space’s governance goals should be:

  • Defining the governance & infrastructure for personal data sharing at a sectoral level
  • Coordinating the sectoral work with the cross-sectoral levels

Guiding principles

The human-centric architecture we propose is based on fundamental principles:

  • Data regulations: e.g., the GDPR and its international equivalents
  • Ethical charters: digital human rights charters (work of the Institute for Digital Fundamental Rights in progress)
  • Sectoral charters: e.g. the Eurocities charter for digital city platforms and other sectoral charters (finance, mobility, health, etc.)
  • The MyData architecture principles

The MyData Declaration describes six principles for building a human-centric architecture:

  1. Human-centric control of personal data
  2. The individual as the point of integration
  3. Individual empowerment
  4. Portability (access and reuse)
  5. Transparency and accountability:
  6. Interoperability
  7. aNewGovernance adds a 7th principle: the Separation of Powers

The Separation of Powers Principle (SPP)

To ensure a true human-centric Personal Data Sharing architecture, we promote the separation of powers principles which work as follows:

 

The individual must be able to manage his data flow independently of his services/organizations:

  • Organizations may store and process data but have to allow Personal Data Operators representing individuals to manage consents/permissions for cross-organizations data flow
  • Personal Data Operators have the sole purpose of allowing the management of consent/permissions for data flow, therefore they do not store and process transferred data.

 

With this principle either organizations and individuals benefit from their own means of representation and protection:

 

A top-down and bottom-up approach

The governance model we are building coordinates all stakeholders of the ecosystem from the global to local levels with the following approach:

  • Top-down: Translating sectoral and cross-sectoral regulations into common technology standards shared across countries and industries, applicable to both large and small organizations.
  • Bottom-up: Deriving standards from practical experimental projects, financing experiments, and enabling stakeholders and users to provide feedback to regulators and legislators (adaptive regulation process).

 

Different governance levels

Governance can encompass different meanings following the context. The top-down and bottom-up approach takes into account each level and all of them can influence the others:

     

    Different kinds of expertize

    The governance body coordinates stakeholders of the Personal Data Sharing ecosystem from various expertizes in order to co-build a global network involving ….

       

      Let us take an example

      To make sure the rules of this governance and the rules (standards) that the government decides to respond to the needs and plurality of the involved stakeholders, this governance should be decentralized, open, and democratic. Meaning that each organization that has an involvement can have a say in the governance. The precise rules of how decisions are made can be inspired by open-source decision making and stakeholders should have more or less weight in the decision making regarding the impact of the decision on them.

      To make sure the rules of this governance and the rules (standards) that the government decides are human-centric, the individual should be represented in this governance and make his voice heard and counted.  Several concepts and architectures are proposed to put the individual in charge (data trusts, data cooperatives, trusted third parties, etc). 

      The global and general human-centric data governance we are describing should allow for all those models to co-exist and be interoperable.

      This is possible through an alignment of the very bottom level of the governance with the topper level.

      Let’s take an example. 

      The SITRA Rulebook defines a governance model for the ecosystem level. Where each member of a data network is part of the governance (the steering committee) that decides the rules through sub-committees (business, legal, technical, UX, ethical) of the network. Members are divided into end users (organizations or people using the services), service providers (organizations providing services on the data), data sources (organizations providing the data), and infrastructure providers (organizations the infrastructure for the data network as consents, data exchange, identity management, etc). 

      Now if we want a general human-centric data governance data should flow freely and under individual control from one ecosystem to another, from one sector to another, from one governance model to another. The general human-centric data governance we are describing should provide mechanisms for the data to flow between those.

      At the cross-ecosystem level, ecosystems share a steering committee and subcommittees to define the rules (business, legal, technical, UX, ethical) of how data flows between them.

      At the cross-sectoral level, sectors share a steering committee and subcommittees to define the rules (business, legal, technical, UX, ethical) of how data flows between them.