Trusted Personal Data Management Service

8 Oct 2023 04:00h - 04:45h UTC

Event report

Speakers and Moderators

  • Natsuhiko Sakimura
  • Christian Reimsbach

Moderators

  • Naoya Bessho

Table of contents

Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.

Full session report

Audience

The analysis examines the challenges and benefits related to data portability. One important finding is that the General Data Protection Regulation (GDPR) in Europe contains an article on data portability. However, users find it complex and difficult to navigate, raising concerns about the usability and effectiveness of the regulation in promoting data portability.

Moreover, the analysis highlights the Digital Markets Act (DMA) which mandates gatekeepers to enable data portability. Nevertheless, there is ambiguity surrounding the implementation of this requirement, posing challenges in ensuring gatekeepers’ compliance with data portability regulations and hindering its full potential.

The analysis also addresses the current incentives for data holders to facilitate data portability, raising concerns in this regard. It argues that the existing incentives may not be sufficient to encourage data holders to enable the smooth transfer of data, questioning the effectiveness of the current approach and calling for re-evaluation and potential adjustments.

To fully unlock the benefits of data portability, the analysis concludes that a cultural change across markets is necessary. It emphasizes the need for most services used by individuals to allow for data transfer to achieve maximum value from data portability. However, the analysis also points out that smaller companies may not be subject to legislation like the DMA, creating an issue as their exclusion from regulations may impede widespread implementation of data portability.

Overall, the analysis provides insights into the complexities surrounding data portability. It highlights the challenges posed by the GDPR and the ambiguities in the DMA, while also raising concerns about the current incentives for data holders. It emphasizes the necessity of a cultural change across markets to ensure the widespread adoption and success of data portability. However, the issue of smaller companies falling outside the scope of legislation remains an obstacle that needs to be addressed.

Speaker

During the discussion, the speakers focused on the topic of consumer interest in utilising personal data held by companies. They highlighted the discrepancy between the digital data that most shops and services possess and the fact that individuals only have paper receipts as proof of their transactions. This raised the question of why individuals are not given the same access to their own personal data that companies have.

One of the main arguments put forth by the speakers was the efficiency of using personal digital data for personal housekeeping and everyday life. They emphasised the potential benefits of having access to this data, such as easier tracking of expenses, more accurate budgeting, and streamlined record-keeping. By harnessing personal data, individuals could enhance their overall financial management and gain a better understanding of their spending habits.

In addition to personal benefits, the speakers also expressed a desire for transparency regarding who has access to their personal data. They emphasised the need to know which companies are interested in their data and how it is being used. They argued that personal data is being exchanged in unknown places, and the establishment of a personal information bank would provide much-needed transparency in this regard.

Another noteworthy point raised during the discussion was the question of why personal data banks are not widely implemented despite their existence for over five years. The speakers expressed curiosity about the lack of progress in this area and called for more action to further the implementation of personal data banks. They questioned what the next steps should be to advance this concept and bring about its widespread adoption.

Overall, the speakers advocated for greater consumer involvement and control over personal data held by companies. They highlighted the potential benefits of utilising personal data for personal housekeeping and emphasised the need for transparency in data usage. Their arguments and inquiries aimed to prompt further discussion and action towards the implementation of personal data banks on a larger scale.

Natsuhiko Sakimura

The concept of Personal Data Trust Banks is an innovative approach aimed at securely managing personal data based on specific agreements and instructions with individuals. These banks serve as a middle ground between companies and individuals in terms of data control and management. By entrusting their personal data to these banks, individuals can ensure their information is kept safe, used ethically, and that their rights are protected.

To ensure data safety at Personal Data Trust Banks, the Information Technology Federation of Japan (IT Renmei) has established a certification scheme called TPDMS. This certification scheme ensures that data handling at these banks follows defined standards and ethical guidelines. Additionally, TPDMS includes a data ethics board that oversees the activities of the Personal Data Trust Banks, further ensuring the protection and proper management of personal data.

Despite these efforts, the lack of a mandatory data portability law in Japan presents a challenge for the success of Personal Data Trust Banks. Data portability, which allows individuals to transfer and control their data, is a critical aspect for entrusting sufficient data to these banks. Natsuhiko Sakimura, a proponent of Personal Data Trust Banks, emphasises the importance of resolving the data portability issue for the concept to achieve its full potential. Without proper data portability mechanisms, individuals may be hesitant to entrust their data to these banks.

One noteworthy observation is that the current system lacks a comprehensive approach to data portability. Natsuhiko Sakimura advocates for the implementation of data portability in Japan and believes it to be a missing piece in the current data management framework. By enabling data portability, individuals would have greater control over their data and the ability to change how it is treated over time.

In conclusion, Personal Data Trust Banks offer a secure and ethical solution for managing personal data. However, the success of these banks relies on the implementation of data portability mechanisms. The certification scheme provided by IT Renmei ensures the safety and ethical handling of data within these banks. As the discussion for data privacy and management continues, the concept of Personal Data Trust Banks presents an alternative approach that prioritises individual rights and data protection.

Christian Reimsbach

Japan has been at the forefront of implementing the concept of information banks, with discussions on this topic starting as early as 2010. Christian Reimsbach appreciates Japan’s leadership in this regard, acknowledging their commitment to establishing information banks. These banks serve as repositories of data, allowing individuals and organizations to securely store and share their information.

In Japan, the government has taken steps to enhance consumer trust in data intermediaries by implementing a certification system. This certification indicates that a data intermediary can be trusted, providing consumers with confidence in sharing their data with these institutions. Christian Reimsbach believes that government certification of data intermediaries can play a crucial role in building consumer trust and facilitating data sharing.

Data portability and individual control over data are also key considerations in the digital landscape. The European Union’s Article 20 provides every citizen with the right to data portability in a machine-readable format, ensuring that individuals have control over their own data. Australia’s Consumer Data Right also applies to both individuals and small businesses, allowing them to access and transfer their data. Christian Reimsbach raises important questions about data portability, data rights for businesses, and the level of control individuals have over their own data.

Moreover, data trusts have emerged as a promising approach to enable data sharing for machine learning. In the UK and Canada, data trusts are being promoted as a framework for facilitating collaboration and data sharing in the context of machine learning. Christian Reimsbach sees the potential in data sharing and machine learning within the framework of data trusts, but also raises concerns about individual control over data within this system.

Another aspect that Christian Reimsbach questions is the idea of transferring data from the original data holder to the information bank. He suggests the use of privacy-protecting technologies, such as federated learning, where the data remains with the original holder, but a federated control mechanism is used. This approach allows for data sharing and collaboration while still respecting the privacy and control of the data owner.

Additionally, efforts are being made to develop trustworthy data intermediaries and information banks. Christian Reimsbach expresses interest in learning more about information banks and their role in data management. These trusted institutions play a vital role in maintaining the integrity and security of data.

Notably, an upcoming OECD report is expected to feature information banks, highlighting their importance and potential impact on peace, justice, and strong institutions. This report will provide valuable insights and recommendations regarding the implementation and governance of information banks.

In summary, Japan’s leadership in implementing information banks and their efforts to establish government certification for data intermediaries demonstrate their commitment to data management and building consumer trust. Data portability, individual control over data, and the role of data trusts in enabling data sharing for machine learning are important considerations in the discussion. Privacy-protecting technologies and trustworthy data intermediaries play a significant role in ensuring data security and integrity. The upcoming OECD report on information banks is anticipated to provide valuable insights into their implementation.

Moderator

Japan has been a leader in the development of information banks and data governance since 2010. They have introduced the concept of certification for intermediaries, positioning themselves at the forefront of fostering data governance. However, there is room for improvement in the information bank system, with suggestions including the incorporation of data portability rights. This would facilitate the practical transfer of data, benefitting small and medium-sized enterprises. Christian supports this idea, citing the EU’s General Data Protection Regulation as an example. He highlights the role of intermediaries in enabling data portability. Christian also emphasizes the importance of data accessibility and utilization in acquiring potential clients. The ability to access and effectively use data enhances partnerships and innovation. Japan’s leadership in information banks and data governance is commendable, but there is scope for further strengthening their position through the incorporation of data portability rights and ensuring data accessibility and utilization.

Session transcript

Moderator:
It’s 1 o’clock, so shall we start? Thank you for joining our session, the session for the Trusted Personal Information Management System, TPDMS, shortly. I’m representing Information Technology Association Japan, Nihon IT Dantai Reimei, or ITREIME in short. My name’s Bessho, director of ITREIME and the head of its personal data bank promotion committee. I’m moderating this session today. ITREIME is providing certification for personal data bank. We call it Joho Ginko in Japanese. Joho means information and data, and ginko means bank. We use the word ginko because bank is a symbol of trust. I’m not sure today if people trust bank or not. However, traditionally, bank is a symbol of trust, especially in Japan. Today, Sakimura-san, he works for TPDMS project, and the specialist in this area will have presentation on TPDMS. He will explain what is personal data bank and function of certification and so on. Then, we’ll have comments, opinions, or questions from excellent commentators. We expect Sako-san, professor at Waseda University, to make comments on human-centric approach and information bank. And we expect Chris Johnson from OECD, information economist, policy analyst, directed for science, technology, and innovation, digital economy policy at OECD, to make comments on enhanced data access and trusted data intermediaries. And then, if we have time, I would like to ask participants in the hall questions or comments. So firstly, Sakimura-san, please start your presentation with a brief introduction of yourself.

Natsuhiko Sakimura:
Thank you very much for the introduction. Good afternoon, everybody, and good morning, good evening elsewhere for the online people. I’m Natsu Sakimura, and I’m going to take like 20, 25 minutes to explain what this TPDMS information trust bank or personal data trust bank means and what kind of scheme we are running in Japan. Hopefully, it’s going to be informative for you guys, and we would probably have a good discussion about those as well. So data-free flow with trust. Do any of you guys have heard of this word, DFFT? Like half, yes. So it was one of the keywords mentioned in G20 Osaka leaders’ declaration back in 2019. It was the clause 11. I’ll just read it out. Cross-border flow of data, information, ideas, and knowledge generates higher productivity, greater innovation, and improved sustainable development while raising challenges related to privacy, data protection, IPR, and security. By continuing to address these challenges, we can further facilitate data-free flow and strengthen consumer and business trust. I’ll skip. And such data-free flow with trust will harness the opportunities of the digital economy. And what we call as Personal Data Trust Bank, or Joho Ginko, we believe is one of the very useful facility to enable this DFFT. So today, there are three sections in this session. First, I’ll talk about information bank, quote-unquote, that’s Joho Ginko. And then I’m going to explain about certification of information bank done by IT Renme. And then we will get into the discussion. Now, about the information bank. A lot of data right now is in locked in the corporate context in the CRMs, Customer Relationship Management. Do you guys know CRM, the word CRM, Customer Relationship Management? Not so much, right? Customer Relationship Management is a scheme that the corporations, enterprises, capture the personal data of ours and use that to contact us or market towards us, sending the emails and things like that, to enable pseudo one-to-one marketing. That’s called CRM. So that’s Customer Relationship Management. And what’s on the right-hand side in orange is VRM, Vendors Relationship Management. This is the flip of that. It’s one of the concept which was proposed by Doc Sals, who is in the Harvard Berkman Center, that instead of corporations making guests work on to what we want, we as an individual should express what we would like to get, what kind of things we want to get. So instead of just being receptive, we transmit our information at our will to express our desires. That’s VRM, and that’s very, very person-centric. But at the same time, the individuals, the users, have to bear its consequences as well. So the responsibility lies, a lot of responsibility lies into the individuals. And for many people, that’s a little bit too much, we felt. And in Japan, we were seeking a third way, which would enable individuals, but don’t put too much responsibility onto them. So in a sense, the consumer protection considered into VRM kind of things. And that’s how we came up with this idea of trusted personal data management system, or information bank. Here, on your left-hand side, personal data is captured in company A, B, C, and they are stored there. They are the data holders. And we, the individuals, are at the centre. But instead of controlling those data sources directly, there will be a data intermediary called personal data trust bank, into which we entrust our data. So the personal data trust bank can draw data from the data sources and store in the personal data trust bank, and can provide those data for the use by company X, Y, Z, on the right-hand side, according to our wishes. We don’t have to manage the relationship directly, but it’s a trust relationship between the data intermediary and individuals. And the data intermediary, or the personal data trust bank, is going to make sure that the data is going to be kept safe, used ethically, and for the purpose, and the user is protected. So that’s the main concept. The legal structure on the scheme is soft law or co-regulation-based. It’s a public-private initiative. The main… There are two legal factors in this, the number one and the number two in this slide. Number one is basic acts on advancement of utilising public and private sector data, which was enacted in 2016. It promotes appropriate utilisation of personal data by multi-stakeholder under participation of individuals. So that’s one of the basic legal premises. And number two, interim report by working group for data utilisation in artificial intelligence and IoT era. That’s from National ICT Strategy Office of Cabinet Secretariat and came out in February 2017. And it says, personal data trust bank as effective framework to promote personal data utilisation and the participation of individuals. With those in mind, the regulators and the private sectors are working together to form this co-regulation scheme. On the left-hand side, it’s regulator side, there’s an interim report by ICC and MIC, Ministry of Internal Affairs and Communications, on the voluntary certification scheme by private body to socially acknowledge qualified personal data trust bank. This is necessary because individuals won’t be able to find out whether the company is actually safeguarding our data or using our data ethically. So this kind of certification scheme was conceived. And in response, ITRMA made the policy recommendation for TPDMS certification at working group of ICC in April 2017. And in that, we proposed the mandatory data ethics board and clear privacy notice as binding standard contracts and other requirements for operators. Also, with the interim report, the MIC and METI created guidelines on certification of personal data trust bank, version one, back in 2018. And it set out qualification, model terms of conditions and governance for individuals’ controllability and trust. And based on that, ITRMA created guidebook version 1.0 for TPDMS certification application. And based on the guideline, we started TPDMS certification program for safe and secure services and operators. So to sum up, personal data trust bank is a service to utilize systems, including PDS, and manage personal data based on entrustment agreement on the data utilization with the individuals. And a service to provide such data on behalf of the individuals to third parties in accordance with the instruction of the individuals or pre-specified conditions. And a service to judge the appropriateness of the processing of the data. Now, this is in a small font. I’m not sure if you can read it. But it’s a summary of the guideline version 1.0 on certification of personal data trust bank. The certification service sets the criteria for individuals to choose safe and secure personal data trust bank. And the voluntary certification focuses on the flow of personal data and the individual’s participation and securing reliability and trust from individuals. And so it’s a combination of certification criteria and model terms and conditions and governance structures. Certification criteria encompass management system, information security, specification of collection method and purpose and utilization of personal data. Functions for individual controllability such as user interface. So we make required user interface components. And governance systems such as data ethics board organized by multi-stakeholders is also there as a requirement. And liability for damages against individuals has been borne by those personal data trust bank. We also set out model terms and conditions. We provide concrete conditions for contractual agreement for entrustments such as scope of operations, effective consent under the protection of personal data, sorry, personal information for providing personal data to third parties. and other obligations. So it’s not free for the organizations who subscribe to this information bank scheme to set their own terms, but the terms and conditions actually have to include all those terms which is included in the model terms. And the governance aspect covers eligibility of certification body and the method of examination, measures for breach of certification criteria, contractual agreement with certified personal data bank, and governance systems of certification body. And those corporations or organizations who got the certification will be granted the TPDMS mark. TPDMS mark could show to the individuals that the organization is safe keeping the personal data as a personal data trust bank. And international standards for privacy protection and information security such as ISO 29100 and 2701 is being followed. And TPDMS formally stands for Trusted Personal Data Management System, but we use catchphrase as a third way for personal data ecosystem, participation of individuals, data free flow with trust, multi-stakeholder governance, and soft law as well. All right, now let’s get to the second point, the certification as an information bank by IT Renbei. Now IT Renbei or Information Technology Federation of Japan was established in July 2016. The president is Mr. Kawabe, Kentaro, who is a representative director of Yahoo Foundation. And one of the largest federation, IT Renbei is one of the largest federation of IT industry in Japan. Over 60 associations and around 5,000 companies and around 4 million employees are covered. IT Renbei is association of association, so the companies are actually not directly members of the IT Renbei. In the current landscape of data flow, the data flows from data sources to data destination without much clarity. In this picture, I have put the black box into it, but we really don’t have too much visibility onto what is happening on our data within the flow. And even if there is not black box data intermediaries, information asymmetry abounds and not enough trust was formed for data to freely flow by the FFT. That is, individuals may wonder, is my data treated fairly and are they not misused? And then from the data source, they cannot know if receivers are good or not. And from the data receiver’s point of view, they cannot know if the data has been given lawfully or not. We need to improve the transparency, accountability and participation and control to cope with this situation. And TPDMS, also known as Personal Data Trust Bank, is a mechanism that reduces this information asymmetry. So it will provide transparency, accountability, participation and control so that individuals will say, okay, transparency is good and control rocks. And from the point of view of the data providers, they now know that the data receiver follows good practice and from the data receiver’s point of view, they can say that we can now use the data as it was collected and released legitimately. And to achieve that, we have created a new trust service, TPDMS certification scheme. A new trust service, Trusted Personal Data Management Services, also known as Personal Data Trust Banks or Information Banks, acts as hubs to provide standardized contractual relationships. So it improves transparency, ensures user participation and control, greatly reduces number of contracts, enforces legal entity KYC, ensures the use of data will be ethical, and enforces that the recipient follows good practice or standards for privacy and security and provides assurance to individuals. And the TPDMS certification scheme ensures that handling of data at Personal Data Trust Banks are following standards and ethical and proper oversight of its processing as well as that of the source and the destination data is implemented. There are many requirements, but to cite a few, the service has to provide easy to operate user interface for controlling the data processing and controllability such as traceability, like viewing history of provision of data to third parties, and ability to suspend third party provision. We also call it as withdrawal of consent and request for disclosure of personal data person to Article 28 of APPI is there. And the mechanism to achieve that is provided by Personal Data Bank. That’s going to realize the easy to use interface. So during the certification scheme, we check the user interface as well so that even from the consumer point of view, it’s deemed to be easy to be used. TPDMS certification, there’s another example that I want to cite. That’s Data Ethics Board. It oversees the activities of the Personal Data Trust Bank and make sure that all the processing of data is in accordance to ethics, I mean ethical standards. We also have relationship with ISO standards. Current certification scheme is based on security management and privacy enhancement standards. For the security management, we are looking at ISO IEC 27001 and 27002, commonly known as ISMS. And for the privacy enhancement, we are basing on ISO IEC 29100 privacy framework, 29134 privacy impact assessment guideline, 29184 online privacy notice and consent, and 27701 extension to ISO IEC 27001 and 27002 for privacy information management. It was good if they could cover everything that we wanted to, but it actually didn’t. On top of that, we also put some additional requirements and controls. And that’s how we are operating TPDMS certification scheme. All right, so that’s general description of TPDMS. Perhaps we can get into the discussion on that.

Moderator:
Thank you, Sakimura-san. Although, as you understand, TPDMS scheme is a little bit complicated, we much appreciate if Sakimura-san’s explanation will be helpful or useful to understand the TPDMS to everyone here. So, Sakimura-san, could you make comments regarding personal data bank structure and certification system, especially from human-centric approach point of view? And if any, please give us other questions or comments from various points of view. Before your comments, please introduce yourself briefly. Okay, thank you.

Speaker:
My name is Kazumi Sakawa. I’m teaching at Boseto University. And I’m a researcher in security and privacy. And, well, as a consumer, I would be very interested in this activity because nowadays, all the shops or all the places where I do consume services, they all have my data digitally. But what I have is only paper receipts, right? So I only have paper receipts, and this was what I was doing this morning. So I have to type in again, looking at the paper receipts, and do my own personal housekeeping books, right? But in reality, there are already data about me in all these companies’ database. So how can I not use that? And that will be very convenient for me to do housekeeping and also to have these data empower myself. How can I leverage my everyday life if I know more data about me? So therefore, I really expect information bank to gather all the information about me that I might not know, and so that I can use it for myself. And I would be also interested in knowing which company is interested in my data because I don’t know them. And currently, I think, all these data are exchanged in places where I don’t know. So having this information bank, that would give me more transparency in seeing who is interested in my data. Having said that, this activity has been in Japan for more than five years, and I’m not using any information bank so far. What is the reason? So this is going to be my question. What is the reason it’s not there yet? And what would be our next step forward to make this really happen?

Natsuhiko Sakimura:
It’s a very good question, and there are several reasons for that, I think. But one of the main reasons is that there doesn’t seem to be a lot of data available for entrusting to the personal data bank, right? In Japan, unfortunately, we don’t have mandatory data portability. We can, in principle, as of April last year, access the data, but if you try that, it’s really hard. And the data you are going to get is likely to be PDFs, which is not reusable. So it’s not useful in this context. So unless that kind of thing is solved, it might be difficult to get it flying. Well, that’s my take.

Moderator:
As you explained, there is a kind of guideline with respect to TPDMS. From your point of view, the guideline should be suitable for the Japanese industry or not? Which guideline? The guideline just for the jouhou ginkou. So, again, I guess we need, well, this is just my personal opinion, but I guess we need a little bit more incentive or sticks for the corporations to actually adhere to good practices. Thank you. So then, Christian-san, could you please introduce yourself and make a comment, especially from AI? data access and trusted data intermediary point of view. In addition, if you could explain OECD’s

Christian Reimsbach :
projects or plan regarding TDI. Yes, thank you. Thank you very much and also thank you very much for inviting me and giving me the opportunity to talk to you, linking the OECD work with the discussion happening here on information banks. So my name is Christian Reimsbach. I’ve been working for the OECD now for 15 years, a little bit more than 10 years on data governance issues where we have explored basically the role of different kind of mechanism from legal to technical to organizational mechanisms to facilitate data sharing. And maybe one point, a little caveat, that what I’m basically now about to say and comment on is not the official view of the OECD, but essentially my point of view as an expert who haven’t worked, as I said, more than 10 years on data issues. The very first point that I wanted to make is in terms of information banks is that I wanted essentially to congratulate you, congratulate Japan for basically taking leadership in this area. Because having looked at the TDI standing for Trusted Data Intermediaries, you will note that the concept of information banks is actually something relatively new compared to when looking at what is happening around the world. I mean essentially discussion on information banks started already 2010, right, and by that time there weren’t really a lot of countries talking about similar things. Nowadays we have other concepts that are comparable. For instance, some of you may have heard about data trusts, may have heard about personal information management systems, may have heard about data stalls and so on. So there are many similar concepts that have now emerged that are similar. Now some of you may argue that what about data brokers, because that concept has been a long time out. But there’s obviously a fundamental difference between a data broker and information bank, which is essentially that the information bank is still acting on behalf or in the interest of the data subject, right, which is not necessarily the case of a data broker who is essentially controlling and commercializing the data for its own benefit. And that’s an important difference. Now another point where I also would like to congratulate you, is the concept of certification. Because a lot of our work has shown that when it comes to those kind of, let’s say, actors and institutions, as a consumer in particular, you face a problem that you don’t necessarily know who to trust. Because if you look at the market, there may be a lot of personal information banks and then the question, can I trust my data? And it’s very obviously difficult for a consumer to do the assessment of the quality of such an institution, which is why we definitely, definitely looking at this, welcome this kind of approach. And the government also stepping in and providing the certification, and when you know the government has certified something, basically you can trust it. So that’s definitely a good thing. Now I would like now maybe to point to some, I wouldn’t say criticism, but let’s say questions that I have. Knowing also, or noting that I don’t obviously know a lot about information bank, we are essentially now studying this in depth in our work. And the very first one is indeed, what you mentioned on the right, the question about data portability. A lot of interesting initiatives are happening in other countries, like for instance, some of you know, the Article 20 of the EU GDPR that gives you a right to data portability. So in the EU, every citizen has a right to have his data be ported, transferred in machine-readable format. So it doesn’t refer necessarily to PDF, which is maybe digital, but it’s not necessarily machine-readable in that sense. And this is one of the point that we have observed, when you’re looking, when you’re looking particularly at the EU, is that the problem there is that citizens have a right to data portability, but it’s also not picking up really. And one thing that the European Commission, among others, are considering is indeed to look into how should we maybe have intermediaries step in. So some of you are maybe familiar that there is now in the EU a Data Governance Act, and in the Data Governance Act there is actually provisions that refer to intermediaries, to data intermediaries. So there seems to be the recognition that you, a data portability right is not enough, you need to have something that makes it actually practical, operational. And maybe this is indeed something that is eventually missing here, where you have the information bank, but you don’t necessarily have a data portability right that gives people a kind of a mechanism to really ask, a right to basically ask the data to be transferred to a third party, so it can be reused. Maybe a few other questions that I have, is the question about to what extent do you also companies, potential clients of the information banks? Because I’m referring also to this, I’m thinking about data portability in Australia. There is in Australia, as some of you know, there is a consumer data right. And what is interesting about that, from a data portability perspective, which is essentially a data portability regime, is that this right is a right that is not only granted to individuals, but also to small and medium-sized enterprises. So some small enterprises have a right to data portability. And so the question is, is it also something possible here in Japan, where as a small business, I may also have an interest in having my data that is stored, let’s say, in a cloud. And if I want to transfer my data from one cloud provider to another, that kind of thing may be also useful. So this is also something to raise as a question. Another one, and this will be my last one for now, I don’t want to talk too much, is the question about how much control do you have as an individual. Meaning, for instance, there is a concept of data trust that is out there, and that has raised a lot of interest, in particular in the context of AI, where you see countries like the UK or Canada promoting this as a way to basically enable data sharing and make it available for machine learning. And the question that is often to be not really considered is, or an issue eventually, is that once the data is essentially in the control of the data trust, it is assumed that the trust will always act on behalf of the consumer. There is also no granular control mechanism that I have as a consumer to say, I don’t want to have that data now shared with that. It’s basically, it’s now, you can revoke your rights and so on, but you don’t have granular control. And so my question would be, when it comes to the information banks, how much control do I have as a data subject? Is it once it’s out there that I have to assume that the information bank will act on my behalf, essentially like a data trust? Or is there some kind of mechanism where I can control? So thank you very much. Thank you very much, Christian-san. So Christian-san, I’ll say

Moderator:
three questions. So the first one, the second one is, how do you think about data portability and data DDI? I believe data portability is the missing part in a system. So we need it. You are thinking that in Japan we should have such a system? Yes. I’m really hoping that it’s

Natsuhiko Sakimura:
going to be implemented. How about Sako-san’s opinion on that point? So data portability? Yes.

Speaker:
I really want that, because that will be necessary to do my housekeeping. Thank you very much. So the

Moderator:
second point, the potential clients. So Sakimura-san, do you think we’ll be able to get success to get more potential clients in our scheme? So that depends on how much data we can actually access and utilize. So that must be deeply related to the data portability, right?

Natsuhiko Sakimura:
Correct, yeah. Thank you. So further questions, how much and to what extent the individual should have the control using the TPDMS? So TPDMS is actually making it mandatory to have fairly granular control on what you can do with the data. In the beginning, you are going to set up the general rule, right? But after a while you may change your mind, right? So you should be able to go into that and tweak how the data is going to be treated. So that’s what we are doing.

Christian Reimsbach :
I have a follow-up question, because it’s indeed very interesting. Because when I saw one of the slides, it actually suggested that there is a, because all the data essentially start at the original data holder, which can be a company, a commercial entity and so on. And if I understood, I mean, one thing that I didn’t understand is if the idea is also to transfer the data from the data holder, original data holder, to the information bank. And I’m asking this question following what you just said, because as you do know, there are mechanisms like, you know, what we refer at the OECD as privacy enhancing technologies, where you can do something like federated learning, where you keep the data essentially there. So I wonder if when you talked about the mechanism, does it include that as well? These kind of mechanisms where you basically don’t have to download the data and control it, but you basically have some kind of federated control mechanisms.

Natsuhiko Sakimura:
Potentially, but right now it’s old-fashioned data download and control.

Moderator:
Do you have any other questions or comments? I definitely just wanted to follow up to say that this is, I don’t know if I mentioned this,

Christian Reimsbach :
I briefly was mentioned that we are working on trusted data intermediaries, but one of the reasons also why I was very excited to be here is actually to learn about information banks so that we can study this in more detail. So for the people in the room, stay tuned, you will see your OECD report basically coming out next year, where we’ll feature also information banks, but also other intermediaries. Thank you very much. So we just have a few minutes, but if any, I would like to

Moderator:
have a question or comment from the floor of this hall. So anyone? So please use that microphone. Thank you. My name is Christopher Wilson, I’m the Executive Director of MyDataGlobal. I was

Audience:
hoping you could unpack a little bit more of the incentives for data holders to enable data portability. I think we all agree that’s kind of a holy grail, no one would argue against that, but there’s a whole host of assumptions about what might make it possible. We could talk about the sticks, and I think even in Europe where we do have the GDPR article, it’s largely not actionable. It’s just too complicated and difficult for users to use, and there have been some important developments, notably the Digital Markets Act now requires data portability, in any case, of gatekeepers, but it’s unclear how that’s going to play out. So it’s easy to think that for regulation to incentivize that, it might take quite a bit of time, especially in countries and regions where initial legislation hasn’t been started. One might also think about the carrot, the positive case. What’s your feeling on the ability to make a business case to data holders to enable data portability, either by facilitating it or opening up for other services or users to do it? And then lastly, I think it’s reasonable to assume that if we think about the relationship between the number of data holders that provide data portability and the amount of value that provides to users, it’ll be a hockey stick graph, right? If I have just one or two services that I use that are providing me with data, it’s really not worth very much. If I have 80% of the services that I use within one sector, then that starts to give value, but it really gives value if almost everything I use is providing that. But if a lot of those are small companies, not affected by legislation like the DMA today, how do we incentivize that? Does that require a kind of culture change across markets and how do we get there in places like Japan? Thanks.

Moderator:
So, unfortunately our time is over, so it’s time to close. Yes, so we would like to continue your question outside of this room. So, thank you very much for attending today’s session. We’re so happy if our experience on TPDMS in Japan will be useful and beneficial to everyone here. Thank you very much. Thank you very much.

Audience

Speech speed

195 words per minute

Speech length

343 words

Speech time

106 secs

Christian Reimsbach

Speech speed

176 words per minute

Speech length

1587 words

Speech time

541 secs

Moderator

Speech speed

111 words per minute

Speech length

714 words

Speech time

388 secs

Natsuhiko Sakimura

Speech speed

108 words per minute

Speech length

2700 words

Speech time

1501 secs

Speaker

Speech speed

136 words per minute

Speech length

335 words

Speech time

147 secs