Dare to Share: Rebuilding Trust Through Data Stewardship | IGF 2023 Town Hall #91

Kevin Luca Zandermann

Kevin Luca Zandermann has highlighted the global focus on data governance, particularly in privacy legislation. He emphasised the significance of important privacy laws, such as the General Data Protection Regulation (GDPR), which is being recognised as the gold standard globally. This reflects a growing recognition of the importance of protecting individual privacy and regulating the use of personal data in our increasingly digital world.

In addition to privacy legislation, Kevin emphasised the need for institution models that can effectively manage data stewardship. He pointed out that data is a non-rivalrous resource, meaning its use by one person does not diminish its availability to others. With the vast amount of data being produced by sources such as the internet of things, wearables, and cloud platforms, it is crucial to establish mechanisms to ensure responsible and ethical data management.

Kevin also highlighted the EU Data Governance Act as a significant step towards establishing an institutional framework for data stewardship. This act allows the reuse of data held by public sector bodies, enabling the efficient and responsible use of data for various purposes. Furthermore, the act certifies data intermediaries, ensuring they meet certain standards and promoting the responsible handling of data. The act also promotes the concept of data altruism, which involves individuals voluntarily sharing their data for societal benefits. This type of data sharing can be particularly valuable in the context of diseases such as rare diseases, where the sharing of data among researchers and medical professionals is vital.

Overall, Kevin’s arguments underscore the critical need for data governance and the establishment of effective institutional frameworks to protect privacy and ensure responsible data stewardship. The analysis also highlights the growing recognition of GDPR as a global standard and the potential value of data altruism in addressing complex societal challenges. These insights contribute to the broader conversation on data governance and the ethical use of data in our interconnected world.

Audience

Enforcement capacity plays a crucial role in supporting data sharing mechanisms, frameworks, and policies. In the US, there have been significant struggles in enforcing data protection laws, particularly in relation to medical data. These challenges highlight the need for stronger emphasis on enforcement capacity in data protection and data sharing.

One of the main points raised is the inadequate enforcement of existing data protection laws in the US. This suggests that, despite having legislation in place, there is a gap in effectively implementing and enforcing these laws. This is particularly concerning when it comes to sensitive data, such as medical information, where the need for protection is high.

The importance of enforcement capacity becomes apparent when considering its implications for data sharing mechanisms, frameworks, and policies. Without a strong enforcement mechanism, it becomes difficult to ensure compliance and accountability. This can lead to vulnerabilities and risks related to data privacy and security.

The argument put forward is for a stronger emphasis on enhancing enforcement capacity in the context of data protection and data sharing. By improving enforcement capabilities, it becomes possible to strengthen the overall governance of data practices and hold organizations and individuals accountable for their actions.

The analysis also highlights the relevance of this issue within the broader context of Sustainable Development Goal 16: Peace, Justice, and Strong Institutions. Effective enforcement of data protection and data sharing laws is vital for building strong institutions and promoting justice in the digital era.

In conclusion, the struggles faced in enforcing data protection laws, especially in relation to medical data, underscore the need for stronger enforcement capacity. Enhancing enforcement mechanisms can support data sharing mechanisms, frameworks, and policies, and contribute to achieving SDG 16. Ensuring the protection and privacy of data is crucial in promoting integrity, accountability, and trust in the digital landscape.

Thiago Moraes

The Ministry of Innovation in Brazil has faced criticism for creating an interoperability system that raises concerns about data protection and privacy. This is inconsistent with the Brazilian Data Protection Law, known as the LGPD. The Supreme Court is involved in ensuring that the decree aligns with data protection principles.

One major issue with the system is the creation of a vast database that encompasses citizen data from various governmental platforms. The potential dangers of such a database have been highlighted as it holds sensitive information that could be misused if it falls into the wrong hands.

In a positive development, a new decree was published in 2022 to rectify the issues arising from the previous data sharing rules. This new decree aims to make data sharing and handling more transparent. It is noteworthy that the committee responsible for drawing up this decree now includes civil society participants, making it more representative and diverse. The involvement of the Data Protection Authority has also been instrumental in ensuring that the new decree is compatible with the data protection law.

Despite concerns over data protection and privacy, the implementation of the interoperability system has brought efficiency and financial savings to the Brazilian public sector. The introduction of new interoperability services through data sharing has resulted in substantial cost savings of half a million dollars in recent years. These services ensure that information is shared only when necessary, thus minimizing unnecessary sharing of data across all agencies.

The importance of sharing knowledge about data protection and governance regulations has become evident. Before the enforcement of data protection regulations, it is crucial to raise awareness and provide education on these matters. This is particularly relevant in Brazil, where many people were previously unfamiliar with data protection and governance.

Empowering individuals about their data rights and educating data controllers about the regulations are vital for ensuring easy enforcement of the rules. When people are aware of their data rights and data controllers understand their obligations, compliance with data protection rules becomes easier, and privacy-compliant initiatives can be implemented effectively.

An important observation is that communication and knowledge sharing should be prioritized over enforcement or sanctions. Sharing knowledge has proven beneficial in guiding stakeholders in the right direction. It is also worth noting that only two sanctions have been enforced so far, with one being a warning to a public body. This highlights the importance of fostering a culture of compliance through education and communication rather than relying solely on punitive measures.

Finally, it is emphasized that the involvement of regulatory authorities in background processes is crucial for efficient governance. The role of regulators goes beyond merely enforcing sanctions; they play an essential part in sharing knowledge and information.

In conclusion, while the Ministry of Innovation’s creation of an interoperability system has raised concerns about data protection and privacy, the introduction of a new decree in 2022 aims to address these issues and improve transparency in data sharing and handling practices. The implementation of the system has brought benefits in terms of efficiency and financial savings to the public sector. Sharing knowledge about data protection and governance regulations is considered crucial, and empowering individuals and educating data controllers are necessary for effective enforcement of the rules. Communication and knowledge sharing should be prioritized over enforcement, and the involvement of regulatory authorities in background processes is crucial for efficient governance.

Alison Gillwald

The analysis focused on several key points raised by the speakers. One of the main concerns highlighted is the existence of asymmetrical power relations in data sharing, particularly in the context of the African continent. It is distressing to note that a staggering 80% of data flows outside the African continent, leaving the region at a significant disadvantage. Moreover, a large number of people in Africa still remain offline, further exacerbating the digital divide.

The speakers also emphasized the importance of extending beyond first-generation rights when it comes to data governance. Currently, most regimes heavily focus on individualized notions of privacy and compliance. However, there is a need to recognise and prioritise economic and environmental rights in order to ensure a more holistic approach to data governance.

Advocacy for the African Union Data Policy Framework and data interoperability was another central argument put forth during the analysis. The establishment of a single data market within the African Union could provide leverage in terms of international markets. This Framework extends regulatory concerns beyond the scope of first-generation rights, ensuring a more comprehensive approach to data governance in Africa.

The lack of equitable data access for African researchers and institutions was also highlighted as a significant issue. It was pointed out that big tech companies, such as Google, currently provide limited data access to European researchers, while African researchers and institutions face barriers in accessing valuable data. It is argued that this situation hinders the ability of African researchers to contribute meaningfully to relevant fields and areas of study.

Furthermore, the need for effective enforcement of data governance, particularly in the realm of broader economic regulations, was underscored. Examples were provided where a data protection and information regulator in South Africa took strong action against WhatsApp and various groups. To handle the challenges of international regulation and obtain data from large operators, it was emphasised that global cooperation is essential.

The analysis also drew attention to the limited participation of civil society in many public processes across the African continent. In many countries, it is not required for civil society to participate in public processes as per administrative law or justice. The influence of private sector entities and telecom companies in these public processes was also noted. It was argued that enforcing public participation and providing resources for researchers to access critical information can help inform these processes and ensure more balanced outcomes.

In conclusion, the analysis highlights the need for broader data governance and the participation of civil society in public processes across the African continent. It emphasises the importance of global cooperation and maintaining a balance of interests to protect data and foster innovation. The African Union Data Policy Framework and data interoperability are presented as potential solutions to address the asymmetrical power relations in data sharing. Ultimately, it is crucial to prioritise equitable data access for African researchers and institutions, while also enforcing effective data governance and considering economic regulations.

Astha Kapoor

The current data regulation is criticised for primarily focusing on individual data rights and overlooking the importance of group dynamics. The lack of consideration for existing institutions, such as cooperatives, which historically facilitated collective decision-making, is seen as a limitation in the data economy. It is argued that group rights should be codified into existing laws to address collective and community rights more effectively.

Supporting this argument, some notable facts include the exploitation of group rights in bioethics related to data banks and biobanks. The mention of data cooperatives in the data governance framework of the European Union also emphasises the significance of collective data handling. Additionally, a government report from India explored the concept of community rights in data, further highlighting the need to incorporate group dynamics into data regulation.

However, establishing new data institutions faces challenges. While models like data trusts have been proposed for pooling data rights, their implementation encounters obstacles. Therefore, the argument suggests that existing organisations, like cooperatives, can be adapted and made competent for the digital age, presenting an alternative solution to address the challenges faced by new data institutions.

In the context of law enforcement and regulatory frameworks, the implementation of laws developed at a fast pace is found to be problematic. The lack of early consultation with stakeholders hampers smooth implementation. It is argued that early consultation is essential for better implementation and stakeholder buy-in. Increased buy-in enhances the understanding of implementation opportunities for different stakeholders. For instance, the Telecom Regulatory Authority in India was developed through private sector demand and consultation, demonstrating the benefits of early stakeholder involvement.

Moreover, building institutions through prolonged consultation processes, although potentially inefficient, can be advantageous for implementation and enforcement. Such processes ensure greater understanding and buy-in from the private sector and civil society, enabling them to work together effectively.

In conclusion, the current data regulation needs to consider the importance of group dynamics and collective decision-making. Codifying group rights into existing laws can help address collective and community rights more effectively. Additionally, existing organisations like cooperatives can be adapted for the digital age to overcome challenges faced by new data institutions. Early consultation with stakeholders is crucial for better law implementation and stakeholder buy-in. Prolonged consultation processes, while potentially time-consuming, can aid in building institutions and enhancing enforcement. It is important to foster collaboration and understanding among stakeholders to achieve successful data regulation and ensure the benefits of the digital economy are distributed equitably.

Moderator

The analysis focuses on various aspects of data sharing and data rights, exploring the need for a balanced approach between innovation and privacy when opening up the value of data. The session acknowledges that data is often referred to as the new oil, carrying great potential for innovation and progress. However, it also raises concerns about privacy and ethical use.

Different approaches to data sharing are discussed, ranging from collaborative ecosystems to individual donations, and even illegitimate methods such as hacking and theft. The Open Data Map by Open Data Institute illustrates these diverse approaches, including data exchanges, research access schemes, and personal data donation. It is noted that some approaches bypass regulations to gain access to otherwise closed data.

One notable argument proposed is that data sharing should be viewed as a collaborative effort, similar to a dinner situation with friends where everyone contributes. The preparation of dinner with friends, where everyone brings a dish to share, is used as an analogy for data sharing. While everyone enjoys the benefits of data sharing, the challenges and effort required to establish it are often overlooked.

The analysis highlights the importance of a more nuanced regulatory approach towards data sharing. Currently, regulations primarily focus on individual data rights and their relationship with platforms and governments. However, there are several group decisions that occur with regard to data, and existing institutions historically enable groups to make collective decisions. In the data economy, the existence of groups in the real world is often overlooked or misunderstood. Therefore, the idea of figuring out some kind of group rights in data interaction is necessary.

It is suggested that existing laws and legislative conversations need to be rethought to emphasize group/collective rights and consent, rather than solely focusing on individual rights and consent. Efforts are being made to consider group privacy and collective instruments, particularly in the field of bioethics. Some legislative conversations, such as the European Union’s Data Governance Act (DGA) and the Indian government report, discuss the concept of data cooperatives and community rights.

The concept of data stewardship is introduced as a potential solution for managing collective data rights. Different models, such as data trusts, are examined, which can help address the pooling of data rights. However, it is acknowledged that creating these new institutions or reforming existing ones remains a challenge.

The analysis also emphasizes the need for further research on practical applications of group rights in the context of data sharing. It suggests that policy development to regulate data rights and sharing is still in the early stages and requires more investigation. The complexity of the subject necessitates additional research to inform policy decisions.

Additionally, the importance of sharing knowledge on data protection regulation and governance before enforcement is emphasized. The analysis highlights that sharing knowledge steers things in the right direction and proves to be more effective than immediately enforcing sanctions. The approach of issuing warnings before suspension or sanctions in data governance is considered to be effective.

In conclusion, the analysis delves into the intricacies of data sharing and data rights, highlighting the need for a comprehensive and balanced approach that considers both individual and group/collective rights. It discusses different approaches to data sharing, the challenges of establishing collaborative ecosystems, the importance of rethinking existing laws and legislative conversations, and the potential of data stewardship. The analysis also calls for more research on practical applications of group rights and emphasizes the effectiveness of sharing knowledge before enforcement in data governance.

Moderator:
I have been, until last week, a researcher and also coordinator of a project at the Center for European Policy Studies, in short, CEPS, which is a Brussels-based think tank. And I’m very pleased to moderate the session today on our town hall, actually, on Dare to Share, Rebuilding Trust Through Data Stewardship. I will also first thank the organizer, Kevin, who’s here also with us, and also the Tony Blair Institute for bringing us here together to discuss this very important topic. And I will also already introduce the online moderator, Taina Flor Bento-Mota, from the Data Protection Authority in Brazil. She would be also online with us. So about today’s session, this session will focus on, as you already know, exploring new ways to open up the value of data. In fact, as we all know, data is often referred to the new oil and also has become a double-edged sword, because while its abundance promises innovation and progress it also raises serious concerns about privacy control and the ethical use and reuse of data. And when I thought about the session, it came to my mind that data sharing is actually a little bit similar to a dinner situation with friends. We all love to be invited to a dinner at our friend’s place. The only thing we need to do is to find out how to get there. Maybe we can inquire what we can bring for dessert, but that’s about it, right? So really nice. But on the other hand, I assume everyone also knows how it is to invite friends over and how much effort it takes actually to prepare a dinner. You need to find a special recipe, you buy ingredients, you have to set the table, you have to do the dishes afterwards. So quite a lot of series of things that you actually need to do. And I think with data sharing, it’s quite similar. We all know about the value of open… and we think we need to improve the access and so on, but actually it’s challenging to get a functional open data ecosystem which also respects individual rights and is compatible or open to various forms of data and also to various sectors. So actually not so easy when you think about it twice. And this is also visualized in the wonderful data made by the Open Data Institute and that we’re now going to show on the slide and I will all invite you to actually check it out yourself online because it’s a wealth of knowledge that is in this data map. Let’s see if we can get it on screen. And then the link should open in just a second. Yes, and we can maybe also try to put the link in the chat later or you can also find the map online if you Google open data map, I think. Yeah, and here you can see what looks like a normal map, but if you zoom in a little bit and we can maybe zoom in in the collaborator big island that is in the center of the map, you can see that there are many descriptions, so to say, of what the collaborator island actually consists of. The collaborator island symbolizes, so to say, organizations or approaches that bring people together to collaborate around a shared component of data infrastructure. So for example, data marketplaces, data exchanges, data trusts, cooperatives, and so on. This is what we are also going to explore today. When we maybe go a little bit more up, can we zoom a little bit in? Yeah, perfect. Exactly, we see the shared biome, for example, and the small series of islands here. here at the north of the collaborator big island, which addresses approaches to research access schemes, for example, or also data philanthropies, basically models that enable people to share data and to really collaborate on them through ecosystems. And for example, when we go to the Isle of Human, to the bottom right of the map, the Isle of Human, you can also see, this is basically approaches that enable humans to share data amongst each other and that incentivizes people to open up, so to say, their data sets, for example, through personal data representatives, data lockers, individual data donation, and so on. And there are also some interesting other areas, for example, you have at the bottom left center, the private cove or the forbidden isle. So the pirate cove consists of approaches that actually are illegal, so hacking, theft, which is, however, also a form of data sharing, unfortunately. And you have also the side steppers, for example, which is a region that has legitimate means of gaining access to closed data. So that approaches that aim to provide people or organizations with ways of gaining access to data that the current data holder or steward would otherwise designate of limits. So yeah, I invite you to explore this map further. I think it’s a great piece of work and it’s also very nicely designed. So thanks again to the Open Data Institute. And with that, I think we’re already right into the topic. And so I will just maybe quickly say that this session is structured around three key policy questions. And I will introduce each of the policy questions before handing over to our distinguished panelists. We have pairs of two and then at the end of the panelists, we have 30 minutes more or less for question and answers. Okay, so the first key policy question that we would like to answer today or get an insight on is about the role of data governance stakeholders. So we would like to ask what should be the respective role of data governance stakeholders in promoting responsible data strength. For example, stimulating experimentation and innovation and data governance design, monitoring and evaluating different data governance approaches. And for that we have two distinguished speakers. Jack Hardius, who is, okay one. Okay, so sorry. So we have one speaker on site. Aastha Kapoor from the Apte Institute. And thank you so much for joining us at such an early hour. And the floor is yours.

Astha Kapoor:
Yeah. Thank you for this and thank you for the audience too for coming at this very early hour. I guess to start off with the policy question, I think that we’re trying to understand what we want to do here. And what we want to do here is to make sure that the value of data is realized at several different levels. One is between individuals or at the individual level. The second one is between individuals. So, you know, if you want to share data with like almost like a P2P transaction. The third one is within communities. So if members of a community want to share data between each other, then that should be possible. And then, you know, you sort of build up, do that. And at the moment the regulation actually looks at at individual data rights in their relationship with platforms and government. And so, as we think about the systems that need to be built both from the policy perspective but also from the institutional perspective, I think that we need to think about it more from a bottom-up mechanism and to understand how individuals interact with data when it comes to interactions with each other as well as in the groups that we occupy. So just as an example, we do a lot of work with cooperatives and what we’re trying to understand as women who occupy these cooperatives is a couple of things. The cooperative, for instance, in the context of India, will incur agricultural labor together. They make decisions on agriculture also together. They will distribute benefits from the board to all the members, and those are all collective decisions and collective governance. But when it comes to banks seeking data from members of the cooperative, they break down these institutional boundaries and they interact with the individual only because financial institutions that are defined by the individual access to finance and individual data can only deal with them at the individual level. So the bank will then aggregate all of this and say, okay, fine, you as a group can get this loan or that loan, et cetera, and invariably it doesn’t reflect the meaning of the entire group. So we’ve been trying to, and also in return what you get is products that are not meant for you, you get interest rates that are much higher than what you’d be willing to pay, or what you also get, and this is an example that we’ve seen very many times, is that women also don’t understand the data that they need to make certain kinds of decisions. So a cooperative that we work with needs to procure seeds, but they don’t understand. what the amount of seats that they need, et cetera. So they have no way of pooling demand from their members as well as a data question. So the point I’m trying to make is that there are multiple group decisions that happen with regard to data, and there are existing institutions that also have historically enabled groups to come together and decide. What we are seeing in the data economy is that it has been completely blindsided by the existence of groups in our real world. And these groups are not just offline groups like the ones that I mentioned, but whether it’s Facebook, and everyone uses that example, but whether it’s Facebook, what they also do is they put us into groups that we don’t even understand. So there are groups of women with dark hair or women with light hair, and then they put out products for us on our platforms in the same, as a group, they are not interested in individual level data. They’re also organizing us in certain kinds of groups. It’s just that we don’t know how the algorithm has defined us. So as we start to think about data rights and what policy changes are required, I think that the idea of straddling some kind of group rights is definitely necessary. There’s a lot of work that has happened on group privacy. There’s a lot of work that has happened on, particularly in bioethics around ideas of data banks and biobanks, because those are collective instruments and they need to be. But I think what we really need to think about is how do we codify this in existing laws? And you’ll see it in the GDPR, I can speak for the India context, and several other legislations are looking at individual rights and they’re looking at the idea that individuals will consent and that will be the end of that. However, there are some legislations, or at least legislative conversations that are coming up. I know that in one of the alphabet soups of the EU, I think it’s the DGA, mentions data cooperatives. In the context of India, there was an interesting government report that came out a year and a half or two years ago. non-personal data, which had a problematic definition that all data that is not personal is non-personal. But what they were trying to do is also think about community rights, and to say that communities can be both harmed and helped with the use of data, and so how do we define communities? But unfortunately, while this island has very nice segregations, the human life is quite messy, and so we don’t have clear segregations around where communities end, begin. The individuals in this room are a community of individuals in this room, but then could also, all the tech that we have here impacts us in some way. Voices are being recorded, faces are being recorded. But we also occupy multiple different communities at the same time, and so I, as an individual, might want to have a huge amount of control on the school community of my kid, which is, you know, because I’m also a guardian for her data, whereas I may not want to be as involved in other kinds of data that I need. And in this context, different models of data stewardship become interesting, because what we are trying to solve for is greater pooling of data rights, and then the next step is thinking about what those institutional mechanisms that allow for pooling of data rights are, and also allow for a change of mind. Today I want to be involved, tomorrow I don’t want to be involved. And there are some models that have been, you know, discussed over time. There’s data trust, which we’ve looked at quite extensively, and I think that, you know, setting up of new institutions is potentially hard to do. But I think the next set of questions is, how do we think about existing institutions, and, you know, I like cooperatives, that… that can be made more resilient, that can be made more able to understand what these group dynamics are and how they can be actualized in the context of the digital economy. I think policy is a little way off because I think this is a complex question and what we know from policy documents so far is that everyone goes after the easiest, least terrible thing to say. And so I think that we need to, at least in the couple of years that we have before this conversation really blows up, is actually start to see what those instantiations of these group rights are and how we can actualize them.

Moderator:
Thank you, thank you so much. That was super, super interesting and already gave us a great insight into, sorry, into the current challenges that we see that the reality poses to a system that maybe is not fit for the current developments in data and how quickly it’s produced and shared and then repurposed eventually. Okay, moving on to, you had already mentioned policy is a little bit off. So I think this fits perfectly to the next speaker who joins us online. His name is Thiago Moraes, I hope I pronounced it correctly. And he will answer to a second policy question which is, there we see you, hi. Good to see you. And then we will answer, I will ask you to address the second policy question which is how different regulators could or should approach challenges related to data sharing. And Thiago is from the Brazilian Data Protection Authority, also if I get it right. So we will be looking forward to hearing your insights. on this topic. Thank you. Thank you. Can you hear me?

Thiago Moraes:
Yes. Okay, so thank you, Rosana, and I would like to first of all thank the Tony Blair Institute for this partnership on organizing this session. Data sharing is definitely a very relevant topic, more than ever, considering all the developments that we have been having with not only in terms of technological innovation, but also these new trends for regulation that are coming over from different regions. And to answer this question, which of course it’s a very complex question, it would take way more than the six, seven minutes that I have, I decided to go with a specific use case that we had in Brazil regarding data sharing in the context of GovTech. So I prepared a very small PowerPoint presentation. Maybe you could share it on the screen? Is that possible? Is it already shared? Luca, you, Kevin, you said… Yeah, okay. It’s shared, yeah. It’s shared. But I think it’s not yet shared, because we don’t see it on the screen, so I think… Should I share the one that I have with me, or the one that was sent out to the organization?

Moderator:
We have the presentation here, so we’re just trying to set it up now, Does it work? One moment, please. If that would make… easier? I can try to share from my zone screen as well. I don’t know if that makes things easier or not. I think you can definitely try at least if you have, I don’t know if you have the correct rights, but if you, ah, okay. That was great. Is it working now? Yeah, thank you so much. That looks great. Yeah, you can see the presentation.

Thiago Moraes:
So yeah, uh, well, that was the question that was asked for me to answer, right? And, uh, as I said, I cannot answer for all kinds of regulators, but I can share a little bit of, uh, the experience that we had as a data protection authority, uh, following supervising a case, uh, regarding, uh, GovTech in Brazil. Uh, so what we have, uh, and the executive branch, we have several ministries and one of those ministries is currently engaged if innovation for the public sector. So GovTech, uh, initiatives and so on, and to support this idea of creating an interoperability system that would share data between public entities, because that was the main idea of the project that they were developing. Uh, they, uh, this ministry, the ministry of, uh, innovation, public sector, uh, provide this, these rules in this decree that is mentioned here in this in 2019, right? And by the time it was published, uh, the LGPD was still not yet enforced. The LGPD is the Brazilian data protection law. Uh, but as soon as it came in force, it was very clear that there was a lot of inconsistencies, uh, with this decree regarding with the data sharing rules that was required for the Brazilian data protection law. It’s very similar to the European model of the GDPR. So, because of that, and several other issues that were related with this decree, because it’s provided, for example, for this database, which supposedly was a huge database of all citizen data collected from very different government’s platforms, and for everyone who knows a little bit of data protection history, we know that many of the data protection laws and authorities have asserted due to the fact that having all the data, of citizens’ data, with just one single entity, is very, very dangerous. So this, of course, caused a lot of tension, and some entities, private entities, required to enter into a constitutional action, proceed with a constitutional action at the Brazilian Supreme Court, and this was a case that followed from 2020 until 2022, and it’s important to say that this only came in 2020, because that was also when the Brazilian data protection law came into force, so it gave a lot of room for getting the discussion up to the Supreme Court, and the background case was a data sharing that was happening in this platform that was being created between our intelligence agency and a transportation agency, and in the next slide, I’ll make it more clear what were the details of this case, but just so you know, we had here several discussions that resulted in the, in the end, a manifestation of a court that there was… several obligations that needed to be changed in this decree because it was not fit to the purpose of specification principle of the Brazilian data protection law. It didn’t also provide for data minimization rules. It was not transparent of how this data share operations were happening. So because of all this that was missing, the court decided that a new rule should be updated so it could attend for all these requirements. And that’s also the same time there was a committee that was supposed to manage all these data governance rules, right, between this data sharing platform. And one criticism of this structure is because it was only composed by agents of the government. So this gave no room for civil society to pledge their interest. So what happened is that with this new decree, these transparent rules and also rules that were fit to the purpose specification principle and data minimization principle came into force in 2022. And also there was a restructuring of this committee. So this multi-ministerial committee, so before we only had like members from the government, they also added a layer for some civil society participants to be part of. So this committee is the one that has the role of deciding which questions regarding the integrity, the quality and consistency of all this data that was being collected, how it would work, so all the data governance mechanisms, and also which kind of data might be included in this database. So, basically, they assume the role of a data steward here, right? As I was mentioning, this concept of data stewardship is very relevant in this in this ecosystem of data sharing. And this committee was the one supposed to doing this job. And by now, we have also members from civil society that can interview. It’s still a bit uneven, I would say, how it’s the composition, but at least now there is room because the members of the civil society, they can represent voice of several civil society organizations that exist in Brazil. We even have a very strong coalition that you probably might see in other panels of IGF, because there are several members of this civil society organizations at the IGF. And because of that, they have a voice to discuss and help supervising what is happening on the decisions regarding how this data is being shared. And the Data Protection Authority, although it was not, did not have an active role in all of that because we were still growing maturity in the background. We assisted the Ministry of Innovation, Public Sector to approve this new decree that I mentioned that came with all these new rules. So we were helping them in the background to make all these rules more compatible with all that the protection law. With that, we can see, of course, there’s a lot of possibilities and opportunities that we can bring from this interoperability. That’s why it’s something that we couldn’t just prohibit. That’s why the Supreme Court decided that it was not going to. private data sharing, but making it happen in a compatible way with data protection principles and rules. And as we can see here, just this G2G APIs that exist in the context of this platform has saved half a million dollars in this last years because of the business, how data is being shared and the economy, the savings that it comes for having this interoperability services running. And at the same time, of course, it’s very important for attending to the principles of data minimization because this avoids that all the information is being shared with all the agencies. So what we have right now in Brazil is that different ministries, when they require certain information, we have this committee acting as a steward and they’re going to see if this sharing is happening following all these principles that I just mentioned and guaranteeing that only the necessary information is being shared. Of course, this is still a work in progress in the sense that there’s still need to check how the committee is doing its work. But it’s interesting to see that the case was so relevant that it reached the Supreme Court and it came with the decision quite fast for what we used in Brazil because of the relevance of these activities of data sharing for creating more efficiency to the public sector, but at the same time, of course, needing to respect all the data protection principles and fundamental rights. And that’s it for my presentation. I hope I didn’t take that long, but. And if you need me for the second round, I’ll be here.

Moderator:
Thank you so much, Tiago. That was super insightful. And yeah, it seems that you found actually an interesting new way how to handle the data that is requested by the government from citizens. And this actually brings us already to the next policy question, the third one, and which looks a bit more at institutional models, so innovation. And we heard already one, but there are many, many other ones. And the two next speakers will be explaining a bit more their research and their views on which new institutional models are best suited to support innovation around data, while also at the same time ensuring the protection of fundamental rights, such as privacy. And for that, I will invite first Kevin from the Tony Blair Institute to give us his insights. And then I’ll pass it on to Dr. Allison Gilwald, who is joining us online. But first, Kevin, the floor is yours.

Kevin Luca Zandermann:
Thank you very much, Rosanna. Can I share the presentation on Zoom? Okay. I think it says that it’s disabled. I also want to thank Thiago. I think at the Institute, we were called, your last slide, the proactive public services or in the context of the strategic state, meaning to exactly avoid this kind of waste of time for most citizens when we have to constantly fill forums. So good, lucky that Brazilian citizens are quite lucky that you guys are clearly on the right track. And as a side note, I will reach out to you. you to kind of have, OK, a more in-depth understanding of it. I’m not able to share it. Apologies to you. Thank you for your patience. OK, wonderful. OK. Can people see it? No? I’ll try again, sorry. Uh, yeah. OK. One sec. I mean, one second, sorry. Yeah, I’ll just speak. OK. So OK, I’ll speak in the meantime. So what we’ve been trying to do at the Institute is to essentially make sense of the past 10 years in the data governance space. And at the beginning, like, two elements became quite clear. And I’m sure most people, you know, both in the online audience are aware of, are, first of all, the global proliferation of data localization laws, and then the passing of very important privacy legislation, with GDPR gradually becoming the gold standard all over the world. But at the same time, we also quickly realized that that was only one part of the data governance story, and that. whilst these data localization laws were being passed throughout the globe, and whilst very important privacy legislation was being passed, a series of grassroots initiatives, such as the ones that Asta was describing, or Jack, unfortunately, couldn’t join, but a series of pioneering institutions that the Open Data Institute began theorizing were also taking place. And we’re not necessarily, especially around the early 2010, we’re not actually getting the right attention from these policymakers. But throughout the last decades, we gradually got there. There’s been a sort of process of sedimentation where these grassroots initiatives have gradually got more and more attention. And since we are in Japan, I think a very important milestone has been the Data Free Flows We Trust initiative, which was part of the Osaka G20 summit in 2019, and was then repurposed for the G7. That’s part of the Hiroshima process. So what we’ve been trying to do is to engage with, on one side, policymakers, data protection authorities, and on the other with pioneering, I would say, leading thinkers, such as Asta and Jack, that have begun this kind of work, have begun to actually theorize and formalize, experiment with the notion of data institutions. And by data institutions, we mean data stewardship in the looser sense that one can imagine. And we then try to systematize these kind of reflections in a tube map, which I think you should be able to see on the web. I don’t think it’s on the website yet. So I guess we can just use it. Can people see it like this? I think we’ll just do it like that, because otherwise we’ll waste too much time. But anyway, we’ve been trying to systematize our reflections in this tube map that you see here. So we’ve basically looked at all the data strategies throughout the globe. We’ve systematized the series of stakeholder engagements that we’ve had, and we’ve put them on the map. And the reason, you know, there’s a reason for that, and it’s that, my personal view, is that mapping, in many ways, helps visualize something like the data sphere that can be quite arcane. So we see here like five different layers or lines, depends how you want to visualize it. The technology one, the regulatory one, the data infrastructure one, the physical one, and institutional one. Now, like, this is by no means exhaustive, and it’s, again, we had to simplify it by economy of time. But what’s kind of come out very clearly is that the institutional component is the one that actually requires most of the work, like particularly in terms of conceptualizing what these data institutions can mean. I mean, like Asa was referring to, like data cooperatives, we know that, and again, sometimes we have forgotten it as policymakers. There’s a long tradition in the study of commons. One can think of, for example, Nobel Prize winner like Eleanor Rostrom that has dedicated her whole life to the study of commons, and like the management of commons, like completely sort of demystifying the myth of this so-called tragedy of the commons. And it is quite different in the data space, because in many ways, we are not dealing with finite resources. Data is a non-rivalrous, that is non-rivalrous, and that’s why the sort of earlier narratives around like equating data as oil, have been profoundly damaging because they have been obscuring, again, these grassroots initiatives. And in general, they have been obscuring a potential different model. And at the same time, I think that as part of this sedimentation process, the conversations that Asta was talking about and was referring to gradually got to the policy level. It did take quite some time. I know some of my friends in Brussels, in reference to the EU Data Governance Act that you were referring to, I remember one time we did have a debate about whether the EU had arrived there too early or too late. And I definitely think it got there too late. But I think the Data Governance Act is a very important step in terms of actually giving prominence to an alternative way of providing an institutional framework to steward data. We need to, the context that we’re dealing with now is that the way data is produced is very different. We can have far more agency. Data is now produced by internet of things. If we wear wearables, by items such as wearables, by the cloud on the edge, there is a huge part of the data ecosystem that actually doesn’t necessarily have to go through large tech companies. And we do need institutional models that empower people and give agency to people to use this data for the aims that they deem suitable or that they deem closest to their sensitivity. And I don’t want to go too much into detail about the EU Governance Act, but you see here the four main elements that I think are really important. The first one is the reuse of data held by public sector bodies, which will be. really important, especially for AI development, being essentially, again, this covers a policy vacuum because the Open Data Directive of the EU was covering, was legislating very thoroughly about essentially known personal data. But at the same time, public authorities have a lot of personal protected data, and which could not be reused. And with the Governance Act, we will see how it goes. It will actually, it will start to be applicable from this month onwards. So the panel is in quite good timing. We’ll see how that’s gonna go. And then the point two and three, actually certifying data intermediaries and data altruism, giving them the prominence that they haven’t had in the past. So, and in particular, I wanna concentrate on data altruism, which has been the result of a lot of advocacy work, particularly, like I can think of the European Association of Rare Diseases, because rare diseases are like a classic textbook example where data sharing is proportionally valuable because it’s very difficult to build a data set that is large enough for a disease, for it to actually be significant and useful for research. So they’ve been at the forefront in terms of advocacy work for the EU to actually provide a mechanism that can empower, like, for example, like people that suffer from rare disease to actually, with their consent, to being able to share the data for research purposes. So the fact that we now have this institutional framework, which, again, can be debated, we can debate like how effective it’s going to be. My, the concern that I have in particular with data altruism is that it’s so, like particularly in Europe, it’s so associated with. with contact tracing apps like during COVID. So there is an element, I think there’s a political element because obviously those apps became extremely politicized, but also I think there’s almost a psychological element because COVID in many ways has been such a psychological trauma for most people. And I do think that we are in a sort of phase of almost like denial about it where we don’t wanna talk about it. And my fear is that these emotions will affect quite a lot these actually the effectiveness of like this framework for data altruism. So I do think we need quite a political campaign to promote data altruism given the broader context. But these are just like few thoughts about like the work that we’ve been doing. Like we’re very much open to engage with again, grassroots initiatives, data protection authorities and think tanks. And I do invite the online audience to reach out because it’s very much work in progress. And thank you for your attention. And now I think we can move to Alison for the concluding remarks.

Moderator:
Yes, exactly. Thanks, first of all, to you, Kevin, for your insights and also giving us a bit the policies to say perspective of what already happens in Brussels and also elsewhere. And actually also I will invite everyone to consult the map. I think it’s on Twitter. It’s not published yet, as you said, but the tube map so to say of data is also a great way of again, visualizing the many, many ways in which data can be shared also in a privacy friendly way. Okay, with that, I’ll hand it over to Alison Gilwald. I hope I pronounced your name correctly. You will be joining us also online and you are with the Research ICT Africa. So Dr. Alison Gilwald, the floor is yours.

Alison Gillwald:
Thank you so much. I suppose my answer will cut across all those three very interesting questions and not focus only on innovation. innovation, partially because a lot of the kind of lobbying around data extractivism and getting unprotected kind of access to data has really been around this kind of commercial experimentation and innovation and the kind of dominance that certain groups have to these. I think issues of data sharing are really significantly about these asymmetrical power relations that we have between North and South, different countries and of course within countries themselves. I think we want to set up a policy framework and environment that allows for the benefits of shared data and as I said, in policy there are expounded benefits of public data and the value of public data and Tiago has spoken very interestingly about the Brazilian stewardship that’s happened around public data. But I think speaking specifically from the African context, the first thing we have to do is just acknowledge the complete lack of access to data. So a lot of the frameworks that are being used across, we’ve been sort of cutting and pasting in many other parts of the world, assume that we have large numbers of people online, the majority of people online, that there is universal access to services, to government services and data. So I think the first important thing about data sharing is acknowledging that the asymmetrical power relations that go with that. If you’re in a position to hold lots of data, you’re in a much stronger position to negotiate how that’s used or negotiate that it’s not used at all, you don’t have access to it at all, which I will come back to in a moment. just referring to both what Asta has said and Thiago, that the current regimes, which are important to ensure data protection and privacy of personal data, need to be understood also in the context of broader data governance, and that the current sort of negative regulation that we have, basically compliance regulation, quite individualized notions of only first-generation rights as Asta said, really need to be understood in terms of the development imperatives of collective or more public common good kind of rights that you might need in your data policy frameworks. And I’m referring specifically to the kind of data justice frameworks that we’ve been trying to develop within the Global Partnership on Artificial Intelligence, but also that we carry through in the work that we’ve supported, the technical assistance we’ve provided to the African Union Data Policy Framework, which unlike GDPR or even some of the later legislation that’s coming out at the moment, but it tries to extend the regulatory concerns or the policy concerns from simply those first-generation rights, concerns primarily with privacy to second and third-generation rights. So actually ensuring economic and even third-generation environmental rights are collectively enjoyed while those first, very important privacy and first protection, first-generation rights are ensured. And this really goes to an important part of managing data within a particularly in an African context, but I think globally too. which is not only about ensuring the redress of the uneven distribution currently of harms from these data-driven technologies, but also the uneven distribution of opportunities. So basically what we’ve got are these enormously asymmetrical data flows out ahead of the continent, 80% of data flows outside the continent, and roughly proportion 20 in. And then of course, within countries, as I said, large numbers of people simply offline. So ensuring that there is an environment that can benefit Africans and citizens, and also in terms of engaging internationally, that we might have a bigger influence if we can get the kind of economies of scale and scope that you need for data. Within the African continental free trade area, there is a big area in the context of the African Union Data Policy Framework. There’s a big push for us to at least ensure flows and interoperability of data for research, for sharing, for public purposes, for finance transactions, et cetera, at least on the continent. And this would allow us some sort of leverage in terms of international flows and international markets, quite honestly. So these are sort of important considerations that I think we were speaking a little bit about how at the moment it’s a kind of governance framework and it’s quite difficult to regulate. It’s obviously very difficult to enforce, but the potential of harmonization through the African continental free trade area would provide the kind of interoperability that would allow for flows of data. And of course, specifically shared data that currently Africa has very uneven access to and could really… promote, which we do very strongly within the African continental, sorry, within the African Union Data Policy Framework, the idea of, you know, a greater interoperability, a single market, and the use of the data for development, and very strongly the idea of, of course, unleashing data for commercial value creation, but very importantly also for public value creation, but a lot of the data that does exist in Africa is, is bound in public, you know, in public entities. And, you know, firstly digitizing that, a lot of that is not digitalized in Africa, and that’s a big problem. But secondly, enabling this data to, to flow for, you know, public value creation, as well as, you know, commercial value creation is a quite important aspect of this. And so there are aspects of open data requirements, for example, within a protected environment in the, in the framework that are, that are proposed. And also the acknowledgement that we also need to access the public data that is available in, held by private companies. And in this regard, one can, you know, in terms of data sharing, we also have another project through the Action Coalition on Transparency, GNI, which is also trying to get equitable access for African researchers in the first instance to the kind of requirements that the Digital Services Act makes of big tech companies for European researchers. And I think, you know, the importance of extending these kinds of rights is critical to not perpetuating the fact that we, you know, to access resources, to access knowledge systems, African researchers and intellectuals have to, you know, work through European or Northern Hemisphere. hemisphere researchers with access to data, even the informal system set up by Google for accessing data is set up through Michigan University with a number of accredited people throughout the world, very few in Africa, two in Ghana and three or four in South Africa, to get that kind of access. So at the moment, calls for kind of just opening up data out of kind of very unregulated environments, just allowing the free flow of data, in our view, would very much perpetuate the status quo, would allow those with already dominant positions in markets, in research institutions, in various things, to gain that access, whereas others may not. So these are various mechanisms, these are various institutional arrangements, these are various regulatory interventions that we believe are necessary, not to just, you know, not to have a sort of compliant safeguards regime, but actually would ensure not only safe outcomes, but actually just outcomes. And I think that’s a really sort of important part of looking at this, that of course these alternative data stewardship models are very important because the big, you know, kind of informed consent kind of models aren’t working, but we’re not going to solve the scale of the problems with, you know, micro-solutions, you know, for different kinds of communities. We really do need, you know, strong regulation of these digital public goods and global, you know, governance and cooperation on ensuring enforcement of the, you know, big tech companies that are holding a lot of this data, ensuring that we’ve got enabling environments in our regional jurisdictions or in our countries to safeguard citizens’ opportunities, but also to create local opportunities through entrepreneurial access to public data, through the better use of public data by governments, more effectively servicing their citizens, and then enabling us to create viable data economies and data markets by having a not only, as I said, safe and secure data economy, but also having ones that are more just. Thank you.

Moderator:
Thank you so much, Alison. That was super insightful and also, I think, has taught us a lot about how open data and data access is actually quite still unequal around the world if we say, well, the EU already has a wonderful framework in place, but then if you look at Africa, there’s a completely different ecosystem and also conditions that need to be respected when people or governments think about how they can enable or increase access to data sharing. Okay, that brings us to the end of the speakers’ presentations. We have three minutes left for questions, so I will also check online if you have any questions at all from the online audience. I will also ask the online moderator to flag if there are any questions regarding Lee, and if not, I will also look around the room and see if there are any questions that people would like to ask. Yes, the microphone, please. Yeah.

Audience:
So my question is just kind of – Could you quickly also please introduce yourself? Sorry, yes. I’m Pete Furlong. I’m a colleague of Kevin at the – Tony Blair Institute, but my question is kind of, you know, there’s a lot of focus on the mechanisms and frameworks and policies that need to be in place to support like, you know, effective data sharing. But I think something that’s like maybe often missed is kind of the enforcement capacity that’s sort of needed to support that. I look to like the US as like maybe a good example of kind of a place where we’ve struggled with that. You know, we do actually have some data protection laws in the US, especially when it comes to things like medical data, how well enforced those things are is, you know, kind of maybe in question. So I think, you know, maybe just a question for the panelists in terms of how they think about, you know, the importance of enforcement and kind of what that should look like. Yeah.

Moderator:
Thank you. I don’t see at the moment any other questions from the online audience. So I would hand this back to the speakers, both in the room and also online. I don’t know if there’s anyone online that would like to quickly intervene. If not, maybe we can go first and then we can see if there’s one online.

Astha Kapoor:
I mean, this is a conversation I was having outside yesterday as well is that I think what we are realizing is that so many laws are being developed and such a breakneck speed that we haven’t really thought about implementation. And I think to your point of did it come too soon or too late, it’s likely also too late. And what we’ve been also thinking about at Aapti is that how do we build processes of consultation early on in the development of the laws so that there’s increased buy-in, so that you can, you know, understand what the implementation opportunities are for different stakeholders. We’ve learned this from GDPR that actually implementation is a real nightmare. The companies that have the big lawyers can work around it, but the ones that don’t actually have to leave the EU. So I think that what we’ve seen, and this is an example from India, is that our telecom regulatory authority was built on the back of private sector demand and incredible. amounts of consultation. And what ended up happening is that all of these values are then coded into the institution itself that has been set up for success in some ways. So because the private sector was bought in, civil society was bought in, because people understood how they needed to work together through the process of building out. And I’ve become a big votary of building institutions through these possibly inefficient and prolonged processes. But what it helps do then, and we’ve done this analysis across different regulatory authorities, is that it makes implementation and enforcement much easier because of that multi-stakeholderism from the very beginning.

Kevin Luca Zandermann:
I think, considering we have an actual regulator as part of the panel, I guess, like Tiago, you would like to answer about on enforcement?

Thiago Moraes:
Yeah, sure. Although I’m not part of the enforcement team, I know a lot about the work. And what I can tell is that, first of all, before even enforcement comes, it’s very important to have this sharing of knowledge, right? Besides the data sharing itself, sharing how data protection regulation, data governance regulations in general work. I think it’s a very important first step. And we can give our case as an example, because in Brazil before the LGBT, not many people had heard. And I would say that even today, there’s still not as many as we would like to. I’m aware about what are the data subject rights, what are the data protection principles, et cetera. So, sharing this with the regulatory, with the citizens, data subjects, etc. is very important. So, people can be empowered about their rights and the data controllers, processors are aware of what are their obligations, how they should comply to. After this happens, the work for enforcement, it gets way more easier, because after this knowledge is shared about how rules on data protection works, we have more easiness to guarantee compliance, for example, for notifications of the braids, for coming initiatives, receiving initiatives that are already privacy compliant. So, just like the example I was giving, there was a huge difference after the authority was created for this GovTech experience, because even though we are not part of the committee that I mentioned, we have worked in the background, and it’s important to explain why we are not part of the committee, because the committee are data controllers, because they are the stewards in this case, so we could not be part of that committee, right? But we were working in the background, and sharing information with them. So, instead of trying to enforce sanctions, or any kind of more traditional role of regulator, adopting this approach of sharing knowledge first was a way of making things, steering things to the right way, let’s say like that. And that’s the experience that we have been having here in our authority. Actually, so far we only had two sanctions, one was just enforced like last week. And since it was for a public body, and it was not a very grave case, it was just like, I forgot how to say, a warning. It was a warning, because it was a way of calling attention. And it’s a first step, because if what the public body was doing was not corrected, then of course we can suspend the data sharing, the activities, the data processing they were doing. Thank you.

Moderator:
Thank you for your insights, Iago. Two very, very good points already on the point of enforcement. I don’t know if anyone else would like to add anything.

Alison Gillwald:
Perhaps I could just, if I could just on the enforcement issue. I think it’s a very important question, and I was raising it as a challenge for us currently in the broader data governance environment that we’re in. I think as Iago points out, I think many of us have some of the data protection regulation enforcement, which can happen at the national level under control. What we don’t have is this broader data governance issue. So I think we certainly on the continent, for example, we have a very strong data protection and information regulator in South Africa, also responsible for access to information, which is a very nice balance to have in terms of balancing rights, who’s acted strongly against WhatsApp and various groups. So I think a strong, informed, democratically institutionalized data protection can operate effectively. I think what we’re really struggling with is the broader concept of data governance that I was speaking about before, in terms of who actually creates the, you know, who’s actually going to be doing some of the economic regulations. So there’s some obvious like competition regulation, et cetera, that happens within the competition authority and some, you know, underlying issues in various other regulators. But actually combining that in terms of, you know, creating, you know, an enabling environment for local innovation, creating an environment for access to public data, for entrepreneurs, et cetera, that I think these big economic justice issues or economic regulation issues are far more challenging. And then, of course, I think the biggest challenge is actually the international regulation and getting the big data that we all want from, you know, from the big operators. And as I said, I think the only way we can address this is through global governance and global cooperation around, you know, equitable access to that data, not the preferential decisions being made by the tech companies themselves of who gets, you know, who they share their data with. So I think that’s really the challenge for us is that global cooperation. And perhaps just to add one other thing to Asta’s point on, you know, trying to build multi-stakeholder public participatory processes for these, which I think, you know, Brazil, India, South Africa have all been quite committed to and have a history of in the telecommunications sector. Firstly, don’t translate it certainly across the African continent. There’s a little absence of civil society participation in many of the public processes. And it’s not required in terms of administrative law or justice in many of those countries. So it’s very, very absent. And I think I think Asta would agree. And I think it was implicit in what you were saying while it had opened up these institutions that were theoretically autonomous anyway and, you know, able to get multi-stakeholder participation in them. In fact, the private sector, the telecom companies have been so powerful as the tech companies have been in these public processes that it. you know, very often their interests are they are the outcomes that we see in these processes. So really trying to enforce, you know, public participation and resource, you know, researchers in order to access that information, they can inform these processes, you can have multiple views on this that are enjoyed in many of the more mature economies around these public processes would be an important part of accessing that data and sharing that data in the first place. Thank you.

Moderator:
Thank you, Alison. Yeah, that would have also been one of my questions, but unfortunately we’re already eight minutes over time. So I think that just says that we had a very good discussion and very insightful, yeah, points that we were able to exchange today. So I would like to thank everyone, especially again to the Tony Blair Institute for hosting us and to all the speakers both on site and online for joining us. As I also said, we have shared a lot of resources. Please do access them and also please do get in touch with all the speakers if you would like to discuss this topic further. And yeah, for those present, see you around at the IDF and for those online, see you the next time. Thank you so much and have a wonderful evening slash day. Bye. Bye. Bye. Bye. Bye. You You