What is the difference between data sovereignty and data ownership?
Data sovereignty is the right to self-determination over data. In an ideal world the data owner – whether a citizen or a company – has control or ‘self-determination’ over their data. Data sovereignty is an instrument based on a fixed set of agreements (technical, functional, operational and legal) that reinforces the rights of data owners and puts them in control of their data.
The definition of ownership is more difficult, because there is no legal basis for it. Personal data is covered, but that is not the case for non-personal data. And even personal data is open to debate, because what we currently consider non-personal data might be regarded as personal data in the future.
We have a successful GDPR. What could European or national governments do to allow individuals to execute their rights more effectively?
To bring more value to GDPR, we would need a ‘soft’ infrastructure: central agreements between public-sector and private-sector organisations to regulate access to data. Individuals and organisations that conform to such agreements can share data with each other effortlessly, and have the unified practical and safe tools to control who is allowed to access their data and under which circumstances.
Unless your data is encrypted by default and only you have the key, is it realistic that regulation/laws can indeed prevent its abuse?
Full prevention of abuse data is difficult as substantial e technical infrastructure would be required to eliminate all risks. However, legal action will be more straightforward when data sovereignty is a common right for everybody.
Should we not limit actual sharing to the bare minimum and instead work with Zero-Knowledge proofs as much as possible?
Yes, in some cases (e.g., personal data), exposing the bare data is not always wanted because technical guarantees of unauthorized resharing need to be stronger. Zero-Knowledge Proof / Multiparty Computation technologies can help there to reduce risk and increase possibilities.
How can I simplify this (technically, conceptually, philosophically, etc.) for my tech-adverse grandparents/parents? API-type approach going to be a practical enabler in data sovereignty?
Limit the conversion to ‘control over one’s data’. In other words, it is similar to having control over one’s money through payment cards, apps, and browsers. You can also mention the decentralisation aspect; since data isn’t centralised, individuals and companies are less vulnerable to data hoarding.
Big Tech will respond to demand, so how is broader market demand being generated?
Actually, Big Tech started due to entrepreneurship rather than demand. We do not expect Big Techs to lead the way in introducing data sovereignty but they will have to follow when it is mandated. In this case, it is a matter of European directives creating demand for data sovereignty and it’s unified, secure and interoperable functionalities.
Who is controlling the data governance? How can I protect who can access my data? Is it a centralised entity managing the access policies?
The question of governance is also crucial, of course. Ideally, the governance model represents both public and private stakeholders, and they pursue the goal of data sovereignty together. A lot of inspiration can be found in existing and proven governance models such as the internet, payments, securities, and GSM. The aim is central governance with decentralised and unified execution, so that data is not centralised, and the services are resilient and scalable.
When someone said that we require a “GSM-like standard”. Is that so, or does the complexity of data sharing mean that we should start with smaller domains to facilitate exchange instead of taking a more holistic approach?
The reference to ‘a GSM-like standard’ refers to cross-sectoral generic functionalities and blending of technical, operational, functional and legal agreements all into one standard with global governance – in other words -, a soft infrastructure
There is ample evidence that most data sharing has many functional, operational, technical, and legal commonalities, irrespective of sector or application. Over time we expect that all data sharing implementations in smaller domains will converge, except for domain-specific parts such as data semantics, metadata, and consent descriptions. Therefore, data sharing has both specific and generic details. The ‘GSM like standard’ is focused on the generic part; the rest cannot be harmonised and pertains to the sector-specific and application-specific approach.
How can we ensure data security and privacy in the context of data sovereignty?
Data security and privacy are design principles, and they too will be covered by the still-to-be-agreed standards for the soft infrastructure.
The digital world should build upon the already ongoing conversations that have been going on for the past century. Why should we reinvent the very basis of our civilisation just because of technology? Shouldn’t we look into how we can ensure that the digital world reflects the rights and principles we agree upon as a society, rather than the other way around?
In the physical world, the sovereignty of body, mind, and possessions has become organised over time. We now need to extend that to the digital world, starting with individual rights – and that’s precisely what data sovereignty is about.
Consent can give us control about data, but giving consent is often too much effort (think of cookies) and we will be tricked into giving consent. So what alternatives are there to gain sovereignty in addition to more consent?
An alternative to giving consent is a ‘soft’ infrastructure: central agreements between public-sector and private-sector organisations to regulate access to data. Individuals and organisations that conform to such agreements can share data with each other effortlessly, and have the practical tools to control who is allowed to access their data and under which circumstances.
As a result of these agreements, public-sector and private-sector organisations will need to technically adjust their software in order to give the data owner (whoever that may be) decentralised control over their data. The agreements are developed in a cross-sectoral co-creation process involving the public-sector and private-sector organisations themselves.
It will largely depend on the market itself how these practical tools for control take shape. Since data sovereignty will become a unique selling point, organisations will be keen to compete with each other to offer the most user-friendly interface.
Who is entitled to which data?
Who is entitled to which data depends on the context. Often, it is not a case of just a single party being entitled – and certainly not in the platform economy, because when it comes to information about a platform’s customers, those customers are at least equally entitled as the platform itself.
When it comes to company-related data that is not covered by trade secrets and IP rights, the question is which rights should be given to whom exactly?
In the B2B world, rights (e.g. trade secrets and intellectual property) are often laid down bilaterally. But there, too, the agreements are often determined by what is technically and practically possible.
A soft infrastructure – central agreements that regulate access to data – raises the bar in terms of what companies consider acceptable and possible. In other words, developing a soft infrastructure will motivate companies to better safeguard and exercise their rights.
How useful is it for consumers to give consent?
Society is in the early phase of learning more and more about ‘data management’. Consumers are becoming increasingly aware of the value of their data and are increasingly willing and able to manage their data. The availability of tools for exercising control in a simple, effortless and secure way will be a great help.
Banks already offer services based on different risk preferences (investment profiles) for people who do not want to actively manage their investments themselves. We could see these kinds of services emerging in the ‘consent’ market. Another good example is text messaging… nobody expected that, in addition to phone calls, people would want to use their mobiles to communicate by short text messages, and yet this has really taken off. And so too have social payment apps – so perhaps in a few years’ time we will have similar apps for exchanging data. Whatever the future scenario, awareness, information, education and adoption will all have to be given an essential role in order to realise the necessary changes in the digital economy.
Another dimension is the aspect of jurisdiction, which is where the term ‘data sovereignty’ was first applied. It relates to the matter of which legislative regime applies, when.
It’s true that the cloud world often has a narrower understanding of data sovereignty that is limited to the jurisdiction where data is stored. We mainly see this as complementary to the data sovereignty that schemes which are being developed by the Data Sharing Coalition, International Data Spaces Association, iSHARE and MedMij are aiming to achieve. Gaia-X seems to cover the full stack, i.e. both concepts of data sovereignty. You may also be interested in this video interview with Yvo Volman from a few months ago.