Public Disclosure Authorized Public Disclosure Authorized Public Disclosure Authorized Public Disclosure Authorized WITH SUPPORT FROM: © 2020 International Bank for Reconstruction and Development / International Development Association or The World Bank 1818 H Street NW Washington, DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org This work is a product of the staff of The World Bank with external contributions. The findings, interpre- tations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Nothing herein shall constitute or be considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, all of which are specifically reserved. Rights and Permissions This work is available under the Creative Commons Attribution 3.0 IGO license (CC BY 3.0 IGO) http://creativecommons.org/licenses/by/3.0/igo. Under the Creative Commons Attribution license, you are free to copy, distribute, transmit, and adapt this work, including for commercial purposes, under the follow- ing conditions: Attribution—Please cite the work as follows: The World Bank, 2020. “Unraveling Data’s Gordian Knot: Enablers & Safeguards for Trusted Data Sharing in the New Economy.” World Bank, Washington, DC. License: Creative Commons Attribution CC BY 3.0 IGO Translations—If you create a translation of this work, please add the following disclaimer along with the attribution: This translation was not created by The World Bank and should not be considered an official World Bank translation. The World Bank shall not be liable for any content or error in this translation. Adaptations—If you create an adaptation of this work, please add the following disclaimer along with the attribution: This is an adaptation of an original work by The World Bank. Views and opinions expressed in the adaptation are the sole responsibility of the author or authors of the adaptation and are not endorsed by The World Bank. Third-party content—The World Bank does not necessarily own each component of the content contained within the work. The World Bank therefore does not warrant that the use of any third-party-owned individual component or part contained in the work will not infringe on the rights of those third parties. The risk of claims resulting from such infringement rests solely with you. If you wish to re-use a component of the work, it is your responsibility to determine whether permission is needed for that reuse and to obtain permission from the copyright owner. Examples of components can include, but are not limited to, tables, figures, or images. All queries on rights and licenses should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; email: pubrights@worldbank.org. CONTENTS FOREWORD.........................................................................................................................................................................4 ACKNOWLEDGMENTS..................................................................................................................................................... 5 EXECUTIVE SUMMARY.................................................................................................................................................... 6 INTRODUCTION................................................................................................................................................................ 10 A Focus on Data Sharing................................................................................................................................13 RATIONALE AND CONTEXT FOR THE REPORT.......................................................................................................16 Rationale for the Report and the Trusted Data Sharing Opportunity ...............................................17 Addressing the Risks of Data Sharing.........................................................................................................24 INSIGHTS FROM CASE STUDIES................................................................................................................................30 Enablers and Safeguards for Trusted Data Sharing................................................................................32 The Challenges of Implementation ............................................................................................................40 CONCLUSION....................................................................................................................................................................42 Areas for Further Research and Learning..................................................................................................44 ANNEX: CASE STUDIES..................................................................................................................................................46 India: Data Sharing to Empower Individuals.............................................................................................47 Estonia: Data Sharing for Government Efficiency and Transparency.................................................54 Singapore: Data Sharing for Economic Growth and Individual Empowerment...............................61 Chile: Data Sharing for Government Efficiency.........................................................................................77 Mauritius: Data Sharing for Economic Growth.........................................................................................86 Uruguay: Data Sharing for Government Efficiency, Transparency, and Individual Empowerment.............................................................................................................94 Mexico: Data Sharing for Government Efficiency and Transparency............................................... 101 Spotlight on Open Banking: Data Sharing for Economic Growth and Individual Empowerment........................................................................................................... 111 Spotlight on Health Sector Data Sharing: The Promise and Perils of Data Sharing during COVID-19................................................................................................. 119 4 UNRAVELING DATA’S GORDIAN KNOT FOREWORD As countries around the world battle the COVID-19 pandemic, the importance of sharing and using data effectively has never been more apparent. Data collection and analysis tools for diagnostics, detection, and prediction are of critical importance to respond intelligently to this crisis and prevent more lives from being lost. An effective response requires data to be shared between institutions, across sectors, and beyond national borders. Because data is critical to understanding, anticipating, and respond- ing to the crisis, new approaches to share data are being tried, some which may have concerning consequences for individual data protection. It is an extraordinary moment where the use of personal data for helping society may potentially come into conflict with data protection norms. This report, Unraveling Data’s Gordian Knot, could not be more pertinent to the fight against COVID-19. In it we find that unlocking data for reuse need not be at odds with individual rights. Rather, data sharing has the promise to uphold data protections and even enhance individual agency and trust. With the right enabling environment, data can be freed for use by governments, businesses, and individuals while ensuring peo- ple’s agency and rights are central. For people, and particularly for traditionally disadvantaged groups, leveraging one’s data to access a service—using, for instance, a credit score, a land rights certificate, or medical history—without the burden of bureaucracy or corruption can be profoundly empowering. It can mean the difference between receiving health treatment in time or not. Or receiving a fairly priced loan or not. Demonstrating eligibility for social services or not. Perhaps more than the direct services themselves, it gives individuals who too often have been disenfranchised or oppressed, an intangible asset that helps them prove who they are and better their lives. As the World Bank continues to invest in digital infrastructure, digital public platforms, and the enabling environment that supports such infrastructure, it is critical that we also focus on the enablers and safeguards for robust data ecosystems that allow data to be harnessed by governments, firms, civil society, and individuals. Analytical pieces such as this report and the upcoming World Development Report are important frameworks that can help operationalize how to support countries around the world leverage data as an essential tool for development and ensure all people are able to actively participate in and benefit from the new data-driven economy. Dr. Boutheina Guermazi Director, Digital Development, The World Bank 5 Enablers & Safeguards for Trusted Data Sharing in the New Economy ACKNOWLEDGMENTS This World Bank report was drafted under the leadership of Vyjayanti Desai and was authored by Jonathan Dolan, Kay McGowan, and Priya Vora of Future State, together with a cross GP team of the World Bank, including Adele Barzelay, Prasanna Lal Das, David Satola, Sharada Srinivasan, and Vyjayanti Desai. The drafting team also comprised James Freymuth of the Bill and Melinda Gates Foundation and Elizabeth Renieris. The report was written with information from country case studies as of July 2020. At the decision meeting, chaired by Boutheina Guermazi (Digital Development Director), Vivien Foster (World Bank), Kai Kaiser (World Bank), Rory Macmillan (Macmillan Keck), James Neumann (World Bank), and Michael Pisa (Center for Global Development), served as peer reviewers. The team would also like to express their gratitude to all those who provided insights and gave their time to provide guidance and support at various stages of the project, including: • Jose Clastornik, Laura Rodrigues, Laura Amado, Gonzalo Sosa Barreto, Susana Dornel, Drudeisha Madhub, Rajnish Hawabhay, Jonathan Mendoza, Jesús Javier Sánchez García, Kellie Tan, Joseph Lee, Daniel Lim, Venkatesh Hariharan, Tanuj Bhojwani, Hannes Astok, Heiko Vainsalu, Uuno Vallner, Katrin Nyman Metcalf, Anette Forsindal, Dianne Hubbard, Jamie Leach, and Andrew Stott who participated in interviews or served as expert external reviewers of the report. • Other World Bank Group staff who offered periodic inputs into the report itself and facilitated introductions to government officials and other experts who contributed to this report including Julian Najles, Jonathan Marskell, Anat Lewin, Malarvizhi Veerappan, Audrey Ariss, Veronica Silva, Fredesvinda Fatima Montes, Tiago Carneiro Peixoto, Herini- aina Mikaela Andrianasy, and Lesly Goh. EXECUTIVE SUMMARY 7 Enablers & Safeguards for Trusted Data Sharing in the New Economy DATA-DRIVEN DEVELOPMENT: The report finds that the ability of data to be a force A DIGITAL GORDIAN KNOT for positive development is dependent upon how Data is more abundant than ever before and is increas- the value and control of data are distributed across ing in unprecedented ways, creating new industries and the data life cycle and getting that distribution right reshaping existing ones. In low- and middle-income requires new modalities for trusted sharing of data. countries—increased access to digital technologies, more time online, and increased ways to use digital FOCUS ON TRUSTED DATA SHARING products and services—are combining to dramatically This report asserts that creating a data sharing envi- expand the amount of data produced by individuals. ronment in which transactions between data providers Governments around the world are seeking to lever- and data users are trusted requires enabling the right age data to accelerate economic growth, improve the mix of laws and policies, institutional arrangements, efficiency and transparency of government, and tackle and technical architecture, as well as an informed and persistent socioeconomic development challenges. The engaged civil society. In other words, getting the right opportunities of data-driven development are compel- “enablers” and “safeguards” in place for data sharing ling and examples of positive outcomes abound. is of central importance to realizing the development potential of data, ensuring that the opportunities The use of data has the potential to underpin these offered by data accrue across diverse stakeholder new levers for development. However, it could also groups, and securing certain rights of individuals in limit competition and innovation by consolidating relation to their data. decision-making power among a limited number of powerful actors. Use of data could exacerbate exclu- The aim of this report is to highlight sion and inequality by undermining trust in critical emerging practices and interesting fea- institutions through data breaches and government surveillance and targeted disinformation campaigns, tures of countries’ current approaches and reinforcing biases through opaque algorithms. to establishing these safeguards and enablers of data sharing. Over the years, some have suggested that unlocking data in order to create value is at odds with the goal The report draws extensively from seven country case of protecting people from abuses and misuses of studies (India, Estonia, Singapore, Chile, Mauritius, data. Yet, adopting a robust policy, legal, and technical Uruguay, and Mexico), as well as two sector-specific regime of safeguards can support value creation from spotlights on data sharing in Open Banking (high- data by enabling individuals to benefit from clearer lighting the experiences in the United Kingdom and rights and greater agency over their data, while also Australia) and in health data sharing (highlighting the increasing the transparency and accountability in how current response to the COVID-19 pandemic) where data is used. Emerging technological and governance efforts have been made to establish such enablers and solutions can further support these objectives and safeguards. In selecting these countries and sectors, rebalance power asymmetries in favor of people and the report makes some normative assumptions about small and medium enterprises. The effective imple- what is needed, but then takes an iterative approach mentation of existing data protection regimes and to test and refine this assertion by examining the adoption of innovations in data governance enable experiences of the countries included in the case stud- trusted data usage and sharing, thereby helping ies and, ultimately, propose a framework for a trusted address the alleged tension between data protection data sharing ecosystem. and data flows. 8 UNRAVELING DATA’S GORDIAN KNOT Through this iterative process, it is apparent that enable individuals, entrepreneurs, or society to benefit an increasing number of countries are adopting a fully from the rich data histories generated online. rights-based approach to data protection. Under this It is also apparent that this legal and regulatory approach, in addition to regulatory duties applying to approach to building a trusted data sharing ecosystem organizations enforceable by a regulator, individuals by protecting the rights of individuals is insufficient have legal rights that they can enforce directly against on its own and validates the need for complemen- those organizations through a private right of action. tary investments. The countries profiled in this report It is also clear that government action to expand the have taken varied approaches to doing so. Neverthe- value of data to individuals and entrepreneurs man- less, there are a number of common characteristics ifest most visibly in jurisdictions that have adopted in place to maximize the value of data as a tool to effective data protection regimes in an attempt to shift achieve development outcomes. These characteristics some of the burden for data protection and security to together expand who can derive value from data and service providers. However, this approach is primarily ensure individuals’ rights are preserved even as data a legal solution that does not necessarily create the is shared more extensively. They can be organized other conditions (e.g., strong and responsive insti- around five main pillars and provide a framework for tutions, informed and engaged civil society) which governments seeking to support trusted data sharing: Pillar Purpose Practices and Features Policies, To clearly define rights 1. Clear and enforceable rights-based approach to data laws, and and obligations over data, protection policies and laws regulations including the rights of peo- 2. Investment in a whole-of-government approach to imple- ple to determine when and menting data governance in order to reconcile instances how personal data is col- where there are competing policy priorities across gov- lected, shared, and used ernment agencies 3. Iterative and adaptive approach to data policy making in order to continuously calibrate and refine the relationship between sharing data and keeping it safe and secure Pillar Purpose Practices and Features Robust Enabling institutions responsi- 1. Strong coordinating bodies within government that and ble for developing and imple- can harmonize approaches to data protection and data resourced menting strategies, policies, sharing institutions laws, regulations, standards, 2. Specific steps to engender trust in institutions and to and guidelines to enable effec- establish appropriate capabilities within institutions, tive data collection, processing, including, supervisory and oversight functions and clear and use. Safeguarding institu- redressal systems for individuals tions to monitor and oversee progress, enforce rules while also offering citizens respon- sive and effective redress 9 Enablers & Safeguards for Trusted Data Sharing in the New Economy Pillar Purpose Practices and Features Trusted To standardize 1. Investments in technology platforms that break down data silos technical data sharing within and facilitate the exchange of data in ways that create account- architecture government and ability (e.g., Singapore’s digital watermarks for tracing the origi- regulated institu- nator of documents) and transparency (e.g., Estonia’s State portal tions while giving that gives individuals granular insights into who is sharing their people more controls data and for what purposes). and transparency 2. Iterative and adaptive approach to introducing and continuously into data flows improving technical architecture to expand capabilities for the user and to strengthen data protection Pillar Purpose Practices and Features Capabili- To analyze and 1. Investments in reorganizing and strengthening the human ties within make use of data resources of government agencies in order to harmonize and in approaches to data governance and to ensure the proper capabil- support of ities to establish and implement effective data governance strat- government egies. Such efforts include programs to cross-train policy makers and technologists and to embed technical expertise across tradi- tional government ministries 2. Strategic collaboration between governments and private firms or civil society to share data in ways that are both secure and more broadly accessible Pillar Purpose Practices and Features Active civil To use data effec- 1. Well-resourced and sustained national programs to provide digi- society and tively and keep gov- tal skills training informed ernments and com- 2. Multistakeholder processes to develop open data policies and populace panies accountable other strategic planning related to data protection and data sharing Ultimately, when designed and implemented well, to promoting trusted data sharing, governments can these pillars—and the practices and features that help draw from the experiences profiled in this report and build them—can support an ecosystem in which data tailor these practices to fit their specific development sharing and data protection become mutually rein- objectives. forcing. While there is no one-size-fits-all approach INTRODUCTION 11 Enablers & Safeguards for Trusted Data Sharing in the New Economy Today there are more than 4 billion internet users Importantly, some of the regions where internet usage globally, an increase of approximately 1 billion has lagged historically are now seeing some of the since 2015, and global smartphone penetration has fastest growth rates. Africa, for instance, has recently increased by more than 40 percent in that same time enjoyed 20 percent year-on-year growth in internet as the cost of devices and data plans have dropped.1 usage5 driven by the rapid expansion of mobile inter- And yet, this growth is only part of the digital transfor- net and, along with the Middle East, it is expected to mation happening today. According to Cisco’s latest see the fastest growth in mobile broadband usage Visual Networking Index, there will be 3.5 networked over the next five years.6 Internet users in low and devices per capita globally by 20212 and some esti- middle income countries now outnumber internet mates suggest that connected devices could grow to users in developed markets by more than two to one, 125 billion by 2030—an annual average growth rate of and the difference is growing. It has been estimated 12 percent.3 that low- and middle-income countries will contribute approximately 900 million new internet users between As the World Bank’s 2018 Data-Driven Development 2018 and 2022, compared with approximately 80 mil- report noted, “even traditional industries, such as oil, lion from developed markets that are already highly automobile manufacture and financial services, are connected. In other words, if these projections hold, becoming data driven. We are undoubtedly experienc- more than 90 percent of all new internet users will ing a data revolution in which our ability to generate, come from low- and middle-income countries.7 process, and utilize information has been magnified many times over by the machines that we increasingly The expanding population of internet users, however, rely upon.”4 is only part of the data abundance story. Internet users in low- and middle-income countries are spend- Data is more abundant than ever before and is ing more time online each day and diversifying the increasing exponentially. The frequently cited 2016 ways in which they are using the internet. Consumers IBM report, “10 Key Marketing Trends For 2017,” noted in these markets, for instance, are increasingly using that 90 percent of all data had been generated in 2015 the internet for commercial purposes. E-retail reve- and 2016 alone, and recent estimates suggest more nues in the biggest emerging markets rose to $800 data was created in 2017 than in all previous years billion in 2017, a figure that represents 15 percent combined. These trends will only accelerate globally of all retail revenues in those markets. By 2022, it and low- and middle-income countries will become an is expected that almost half of all low and middle increasingly substantial part of this growth. income retail spending will reflect some type of digital 1 Howell, Jenalea. “Number of Connected IoT Devices Will Surge to 125 Billion by 2030, IHS Markit Says (2017, October 24, 2017). https://news.ihsmarkit.com/prviewer/release_only/slug/number-connected-iot-devices-will-surge-125-billion-2030-ihs-markit-says. Accessed March 2020. 2 Cisco Visual Networking Index (VNI): Forecast and Methodology, 2016–2021. (Updated 2017, September 15), https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/complete-white-paper-c11-481360.html #_Toc484813970. Accessed March 2020. 3 Howell, Jenalea. “Number of Connected IoT Devices Will Surge to 125 Billion by 2030, IHS Markit Says (2017, October 24, 2017), https:// technology.ihs.com/596542/number-of-connected-iot-devices-will-surge-to-125-billion-by-2030-ihs-markit-says. Accessed March 2020. 4 World Bank. “Data-Driven Development” blog, https://www.worldbank.org/en/topic/digitaldevelopment/publication/data-driven-development. Accessed March 2020. 5 Ericsson, “Ericsson Mobility Report, November 2019.” 6 Shapshak, Toby. “Africa Is Fastest Growing Region For 5G Mobile Broadband Uptake, Says Ericsson.” Forbes, https://www.forbes.com/ sites/tobyshapshak/2019/11/28/africa-is-fastest-growing-region-for-5g-mobile-broadband-uptake-says-ericsson/#7ad53c111c25. Accessed May 2020. 7 Jain, Nimisha; Walters, Jeff; Bharadwaj, Aparna; Niavas, Stefano; Azevedo, Daniel; and Sanghi, Kanika. “Digital Consumers, Emerging Markets, and the $4 Trillion Future.” BCG, https://www.bcg.com/publications/2018/digital-consumers-emerging-markets-4-trillion-dollar-future.aspx. Accessed March 2020. 12 UNRAVELING DATA’S GORDIAN KNOT Figure 1: The Data Life Cycle Source: WDR 2021 team. influence.8 And, in 2018, three of the top five app The following sections of this report examine these download markets were emerging economies—with development motivations in more detail with a spe- India increasing app downloads by 170 percent from cific focus on how data sharing helps underpin each. the previous year and Indonesia increasing by 60 per- Data has the potential to underpin these new levers cent over the same period.9 for development. However, it could also limit competi- tion and innovation by consolidating decision-making Together, these factors in low- and middle-income power among a limited number of powerful actors. countries—increased access, increased time online, Use of data could also exacerbate exclusion and and increased uses—are combining to dramatically inequality by undermining trust in critical institutions expand the amount of data produced by individuals. through data breaches and government surveillance, As data rapidly becomes more abundant, low- and targeted disinformation campaigns, and reinforcing middle-income countries are becoming more focused biases through opaque algorithms. on realizing its full potential through three main chan- nels: (1) driving economic growth through trade and Ultimately, the ability of data to be a force private sector and entrepreneurial activity, (2) creating for positive development is dependent more efficient, accountable, and transparent govern- ment, and (3) empowering people. upon how the value and control of data are distributed across the data life cycle. 8 Jain, Nimisha; Walters, Jeff; Bharadwaj, Aparna; Niavas, Stefano; Azevedo, Daniel; and Sanghi, Kanika. “Digital Consumers, Emerging Markets, and the $4 Trillion Future.” BCG, https://www.bcg.com/publications/2018/digital-consumers-emerging-markets-4-trillion-dollar-future.aspx. Accessed March 2020. 9 Sydow, Lexi. “Growth and Expansion Through Mobile in 2019: Mature and Emerging Markets.” App Annie, https://www.appannie.com/en/insights/market-data/mobile-2019-mature-and-emerging-markets/. Accessed April 2020. 13 Enablers & Safeguards for Trusted Data Sharing in the New Economy A FOCUS ON DATA SHARING Because of its nonrivalrous nature, data can be shared and ensuring that the benefit of data accrues across for the benefit of stakeholders across the private sec- diverse stakeholder groups. tor, government, and individuals. Repeated reuse can help harness the full potential of data to extract a wide Without adequate safeguards, data providers may range of insights. At the same time, however, greater be concerned about potential abuses, ranging from sharing of data can increase the risks of misuse. Creat- weak security of data transactions to the opaque ing a data sharing environment in which transactions collection and sale of personal data by third-party between data providers and data users are trusted data brokers. At the same time, without adequate requires the right mix of laws and policies, institutional enablers—including transparency, interoperability, arrangements, and technical architecture. and data portability—it may become prohibitively difficult to transfer data among different providers in In other words, getting the right “enablers” and “safe- an agile and seamless manner.10 guards” in place for data sharing is of central impor- tance to realizing the development potential of data OECD’S DEFINITIONS OF DATA SHARING The Organisation for Economic Co-operation and Development (OECD) 2019 report, Enhancing Access to and Sharing of Data: Reconciling Risks and Benefits for Data Re-use across Societies, provides a useful refer- ence in this respect, offering detailed data sharing definitions and the relationship between the primary categorizations of data. At a minimum, for the purposes of this report, it is worth noting the OECD’s defini- tions of data sharing and the relationship between public, private, and personal data. Definitions for Data Sharing “Data sharing” refers to the provision of data by the data holder, on a voluntary, passive, or mandatory basis. Certain types of data sharing agreements may be based on commercial or noncommercial contractual agreements (e.g., data philanthropy); other data sharing may be mandated by policy or law, such as Open Data or Access to Information, or data required for service delivery or identification. Voluntary data sharing is assumed to be based on common interests between the entities agreeing to share their data, including the interest and expectation that data holders can become data users and vice versa, but power asymme- tries (e.g., between firms, or between governments and individuals) and other political economy dynamics may affect the expectation of reciprocity among stakeholders engaged in data sharing agreements. “Enhanced access and sharing” refers to mechanisms and approaches aimed at maximizing the social and economic benefits from the wider and more effective use of data, while, at the same time, addressing related risks and challenges. The term does not cover cases where governments access private sector data either for law enforcement and national security purposes or for granting regulatory approval (e.g., for the marketing of pharmaceutical or agricultural chemical products). 10 Language from World Bank 2021 WDR draft. 14 UNRAVELING DATA’S GORDIAN KNOT Domains of Data: Understanding Public, Private, Personal, and Open Data The creation or collection, processing and use of personal and nonpersonal data by public or private sector actors give rise to a number of typologies and governance domains. The personal versus nonpersonal data domain, which relates to the identifiability of the data. Personal data can be volunteered, observed, or inferred (WEF 2011). Recent technologies and analytical techniques, such as those based on Artificial Intelligence (AI) or Internet of Things (IOT), are creating new categories of “mixed” data that erodes the binary distinction between personal and nonpersonal data. The public versus. private sector domain, which relates to the entity or actor (government or private sector) which controls the relevant data. Public sector and private sector data are controlled by governments and firms respectively. Both types of data may be proprietary, but may be permitted for reuse or sharing under specified terms. Access and control rights over data may be determined by governments and firms: in the public sector, these are often specified through data classification policies, depending on their sensitivity. In the private sector, data may be protected via intellectual property rights, and licensed to specified users. Openly available vs. restricted data, which relates to the manner in which proprietary data sets are made available for use and reuse by public or private sector entities, often through data sharing agreements or licenses. At one end of the spectrum, data may be completely restricted on proprietary, security, or sensitivity grounds. Proprietary data is typically protected by IPRs (including copyright and trade secrets) or by other access and control rights (provided by contract and legal requirements, e.g., cybercrime law), reflecting the fact that there is typically an economic interest to control or limit access to such data. On the other side of the spectrum, public and private sector data can be made openly available (through licenses and publication in specific formats and on a user-facing platform) for free access, use, and reuse according to the terms of a sharing friendly license. In between, access to data sets can be restricted by data sharing agreements, along terms agreed by the parties. These domains are overlapping and dynamic, and the underlying type of data does not necessarily deter- mine how they might be treated legally or governed across the data life cycle. It is more accurate and helpful to determine how such data are used or processed. For example, restricted “public sector” and “personal data” (e.g., a household survey or education data aggregated and shared) might end up being treated as “private sector” and “nonpersonal” data when de-identified and integrated into an application developed by a private sector company. Similarly, proprietary company data collected by IOT sensors might become “public sector” and “open” data if shared with a local government under a Public Private Partnership (PPP) and published (after being de-identified) on their open data platform. Source: OECD (2019), Enhancing Access to and Sharing of Data: Reconciling Risks and Benefits for Data Re-use across Societies, OECD Publishing, Paris, https://doi.org/10.1787/276aaca8-en. 15 Enablers & Safeguards for Trusted Data Sharing in the New Economy The aim of this report is to highlight emerging prac- tices and interesting features of countries’ current approaches to establishing these safeguards and enablers of data sharing. While there is no single authoritative typology of data, there are various approaches to classifying data, with significant overlap among them. The intent of this report is not to develop a new or singular typology of data nor does it attempt, given the significant overlap between types of data, to create definitive boundaries around which data are part of this analysis and which are not. Rather, this report attempts to convey the opportunity for a data ecosystem that broadly creates trusted data sharing and specifying, where necessary, the type of data being addressed. Complexities of data sharing—both in terms of type of data and the mechanics of how that data is shared— present policy makers in low- and middle-income countries with important strategic questions related to their national development strategies: How do national development objectives align with data pro- tection and data sharing policies? What are the incen- tives of different actors to share data and how can the government promote trusted data sharing? How can data protection be achieved in environments of low human, institutional, or technological capacity? What are the most effective levers for creating systems of trusted data flow within and across borders? RATIONALE AND CONTEXT FOR THE REPORT 17 Enablers & Safeguards for Trusted Data Sharing in the New Economy RATIONALE FOR THE REPORT AND THE TRUSTED DATA SHARING OPPORTUNITY A 2019 survey of digital policy makers conducted in When establishing governance regimes over data, collaboration with Oxford University’s Pathways to countries can draw from experiences of governing Prosperity revealed that “Data Sharing and Interopera- other resources but there are no exact parallels. bility” and “Privacy and Data Protection” are increasingly Unlike other factors of production, data is, in theory, among the top policy priorities of emerging market abundant, reusable, nonrivalrous, and typically cre- policy makers. In the survey of over 100 emerging ated by the interaction of at least two parties. market policy makers and their advisers, one-third of all respondents identified one of these two issues as their With such a resource, the value of data is driven top priority, followed by “Telecommunications Infra- less by natural scarcity and more by scarcity and structure” (25 percent) and “Jobs and Skills” (24 percent). restrictions imposed through rights and obligations, whether imposed by legislatures, regulators, contracts We mention here two broad trends that are shaping or other sources of law such as tort liability. Determin- the answers to these strategic questions: ing who can access and process data, as well as when, is critically important to determining how and to Trend #1: A growing recognition of whom the benefits of data-driven insights accrue and data as a valuable factor of produc- are distributed in an economy. tion and powerful lever of influence. For example, property right limits on data that is the lawful intellectual property of a firm that has devel- Decision-makers at all levels—from governments to oped the data as a form of copyright pose restrictions business to individuals—increasingly recognize the on others using it. This is particularly so with propri- value of data as a factor of production and as a tool to etary commercial data, which may often be mixed be leveraged for better decision-making and greater with personal data. Contractual obligations between influence. The UN Sustainable Development Goals organizations, public and private, that impose restric- (SDG)11 depend on the effective exploitation of data tions and responsibilities on use of data that is shared- across numerous sectors. further refine the productive use to which it may be put. Regulatory requirements imposed by cyber secu- The nature of data, the uses for which it may be rity and data protection laws in general, or sectors deployed, and the challenges to which these give rise, of particular importance such as health and finance, now make data governance a vital dimension of eco- restrict further what can be done with data. Rights of nomic development policy. For example, Japan placed individuals to access personal data held about them, data governance squarely on the international agenda have errors corrected, have data ported to other for the 2019 G20 summit.12 As recognized in the World entities (including formatting requirements) shape Bank’s 2018 Data-Driven Development report,13 stake- the economic opportunity further. Prohibitions on holders are increasingly seeking to establish access to outputs that perpetuate or effect bias among different and rights over data. 11 WDI: Sustainable Development Goals, World Bank Group, https://datatopics.worldbank.org/sdgs/sdg-goals-targets.html (last visited Dec. 27, 2019). 12 Resolved: Japan Could Lead Global Efforts on Data Governance, Center for Strategic & International Studies, (Jun. 27, 2019), https://www.csis.org/analysis/resolved-japan-could-lead-global-efforts-data-governance. 13 World Bank. 2019. “Information and Communications for Development 2018: Data-Driven Development.” 18 UNRAVELING DATA’S GORDIAN KNOT population groups affect how artificial intelligence data into sharper focus than the COVID-19 Pandemic. may be used for commercial and public administrative These efforts, some of which are addressed later in decision-making. this report, include contact tracing efforts (e.g., using cellphone call data records or CDRs), to ramping up The business models of some of the world’s most public health data surveillance and more recently, veri- valuable companies are now predicated on collecting fying vaccination status (e.g. vaccine certificates) and vast amounts of data about individuals, their behav- immunity. iors and preferences, resulting in a wider industry of data collection and trade through third party data The COVID-19 pandemic has also shown that the risks brokers. Firms whose business models increasingly of allowing control over these data and their benefits rely on data insights not only include technology com- to concentrate in the hands of a powerful few is pres- panies but also mobile network operators, banks and ent in many countries. Data inequities arising from other actors from traditional industries. By design, these concentrations of power are exacerbated by commercial service providers not only offer products phenomena such as (1) data deficits—instances where but capture data usage which can be used to target data is relatively scarce—emerging in economies or ads, improve the platform’s services, or profit from communities that have low purchasing power leading selling insights. In turn, many consumer products are to disparities in the data-driven services that can be offered free of charge or heavily discounted. Despite tailored to meet their needs, (2) weak institutions that this immediate value to consumers, there are con- are not well equipped to keep up with rapid changes cerns among policymakers, activists, rights advocates in technology related to an increasing dependence on and others that such data-reliant business models can data, or (3) the inability of otherwise competent regu- erode trust, expose personal data to potential com- lators to effectively address the imbalances resulting promise, threaten competition, stifle innovation, and from the lack of regulatory reach – given that the juris- constrain distribution of the economic value of data. dictional home of many of the Big Tech and Big Data firms are in developed countries. The resulting regula- There are emerging examples of private firms explor- tory lacunae is particularly prevalent in lower- or mid- ing ways to pool or transfer data securely between dle-income countries where governments and private technology platforms. This includes Microsoft’s Open service providers have limited bargaining power thus Data Initiative, Google’s Private Join and Compute, and directly affecting their ability to establish guardrails a consortium of technology companies introducing between infrastructure and application layers in order the Data Transfer Project. to foster a local innovation ecosystem. Of course, private sector actors are not the only entities seeking to leverage data. While governments Additionally, consumers in developing countries are have always sought ways to benefit from the value of structurally more vulnerable to data capture and over- data — for instance, China’s emerging Social Credit consent as they often have fewer choices in services, System14 or the United States’ use of mobile phone must provide consent to receive certain benefits, or data for immigration and border enforcement15 – because of a lack of awareness or digital skills. Free nothing has put governments’ interest in harnessing services that collect vast amounts of data on usage 14 Creemers, Rogier, China’s Social Credit System: An Evolving Practice of Control (May 9, 2018). Available at SSRN: https://ssrn.com/abstract=3175792 or http://dx.doi.org/10.2139/ssrn.3175792 15 The New York Times Editorial Board. “The Government Uses ‘Near Perfect Surveillance’ Data on Americans”. The New York Times, February 7, 2020, https://www.nytimes.com/2020/02/07/opinion/dhs-cell-phone-tracking.html. Accessed April 2020. 19 Enablers & Safeguards for Trusted Data Sharing in the New Economy patterns are particularly prevalent in low-income Perhaps most importantly, low- and middle-income communities, where the risks of data sharing are less countries are seeing faster digitization than economic well known. Additionally, the convenience of a mobile advancement. In the words of Nandan Nilekani, device, coupled with the cost of computers and scarcity individuals in developing countries are becoming of reliable power, has led to people accessing the inter- data-rich before they become economically enriched.16 net through a mobile device than through a desktop. In It is therefore a critical moment in time to explore India, 80 percent of users access the internet through ways of converting this data wealth into a lever of a mobile channel. In Africa, where internet usage is development. lower, 64 percent of users rely on a mobile device for internet access. The mobile revolution has led to a user There are numerous examples of positive develop- interface dominated by applications (“apps”). Apps such ment outcomes underpinned by data sharing includ- as Alibaba, WhatsApp, and Facebook have become por- ing examples from the countries profiled in this report tals through which a user can access a variety of ser- (see annexed case studies). Two ways in which govern- vices generating further data for the parent company. ments in particular are commonly seeking to leverage Many of these apps collect and transmit data without data as a factor of production are: user knowledge even when not in use. First, to drive economic growth through trade and private sector and entrepreneurial activity: INTERNET ACCESS Some governments are developing data policies to THROUGH A MOBILE CHANNEL establish consistency with trade partners and facilitate e-commerce and digital businesses. Other govern- 80% ments seek to create more opportunities for entrepre- IA neurs to leverage data to design products and ser- IND OF USERS vices for consumers. Of the countries profiled in depth later in this report, a number of examples emerge where efforts to create a trusted data sharing ecosys- tem have helped increase economic activity and more RICA inclusive growth: 64% AF 1. Mauritius has contributed to its strong economic OF USERS growth by, among other things, establishing itself as a regional leader in the financial services indus- try and a gateway to doing business in the sector throughout Africa. This leadership role has been possible because the country has put into place both a strong data protection regime in line with international practices and because of its efforts around Open Data policies. Together, these ele- ments have enabled the country to effectively support financial sector regulatory sandboxes 16 Nilekani, Nandan. https://blogs.worldbank.org/voices/giv- ing-people-control-over-their-data-can-transform-development. 20 UNRAVELING DATA’S GORDIAN KNOT and underpin institutions like the Mauritius Africa enables (1) better-informed policies, (2) more effi- FinTech Hub, which provides an ecosystem where ciency and efficacy of public service delivery, and entrepreneurs, corporations, governments, tech (3) more inclusive and participatory government. A experts, investors, financial service providers, and number of governments profiled in this report have researchers can collaborate to build financial ser- prioritized creating a transparent and secure way vices products for the African market. for the government to share data in order to achieve these goals. For example: 2. In India, business-to-business company ShopX is processing half a million transactions daily via 1. In Chile, the integrated social information sys- its digital platform, which connects fast-moving tem (RIS)—which comprises the Social Registry of consumer goods (FMCGs) companies and traders Households and the Intended Public Beneficiaries to small retailers throughout the country. The registry—contains data shared by 43 state agen- platform enables suppliers and retailers to use data cies at all levels of government, covering nearly on consumer behavior and preferences to improve 75 percent of Chile’s population. This intersectoral sales and to facilitate the entry of lower-income database determines eligibility for about 80 social Indians into the digital economy. protection programs and collects self-reported 3. Morocco’s data protection Law n° 09-08 (February data, administrative data, and geographic data 2009) closely mirrors the EU’s 95/46/EC Directive from different sources. (the precursor to the European Union’s General 2. In Andhra Pradesh, a state in India with 50 million Data Protection Regulation (GDPR)), and was people, the government can access and analyze intended to enable convergence with EU law to detailed statewide reporting data, in real time and incentivize foreign direct investment (FDI) and across thousands of delivery points, to monitor the leverage Morocco’s competitivity in data offshoring provision of rations to poor beneficiaries. They can and outsourcing and its geographic proximity to detect transaction failures almost immediately and European markets. Morocco’s request for an ade- facilitate rapid follow-up and remediation.17 quacy recognition from the European Commission in 2009 is still pending, but the country became a signatory to Convention 108 (the sixth country Trend #2: A growing convergence glob- in Africa to accede) in May 2019. Since 2018, the ally, including in middle- and low- Moroccan data protection authority (CNDP) has income countries, around legal frame- collaborated with the Council of Europe under the works for personal data protection. Neighbourhood Partnership 2018–2021 to work towards progressively revising the 2009 law and This trend has been driven both by efforts to align aligning it to GDPR, while considering local specifi- with GDPR for the purposes of trade and by increased cations, to maintain its competitiveness. pressure on policy makers by citizens who have started to demand more protections for their data Second, to create more efficient, accountable, and and more transparency in light of high-profile data transparent government: breaches and a growing awareness of data misuse. For example, countries like Mauritius (see annexed Similarly, the availability of data, paired with the ability case study) have actively sought to update their data to harness data for decision-making by government, protection laws to attract foreign investment from 17 Gelb, Alan, Mukherjee, Anit and Navis, and Kyle Navis. “Citizens and States: How Can Digital ID and Payments Improve State Capacity and Effectiveness?” Center for Global Development, March 31, 2020. 21 Enablers & Safeguards for Trusted Data Sharing in the New Economy businesses working with European countries, creat- personal identity, and physical security, among other ing a legal regime that enables safe and secure data guarantees, which form the underpinnings of modern transfer. On increased awareness and demand by data protection schemes. individuals for more protection, a recent CGAP study of the financial services sector found that consumers Among the earliest attempts to apply these founda- care about the privacy and protection of their data tions to data stored in computer systems, or data- and are willing to pay more and wait longer for a loan bases, was a legislative proposal by the U.S. Depart- product with strong data privacy and protection. In ment of Health, Education and Welfare (HEW) in 1973, Nairobi, 64 percent of 220 customers surveyed chose which resulted in the adoption of the Fair Information a loan with a 10 percent fee and strong data privacy Practices Principles (FIPPS). In 1980, expanding on rather than a loan at half that rate. In Bangalore, FIPPS, the Organisation for Economic Co-operation results were similar: 66 percent of 197 customers and Development (OECD) issued its “Guidelines on chose the loan with strong privacy at a 10 percent rate the Protection of Privacy and Transborder Flows of versus one at 9 percent.18 Personal Data.” These were the first internationally agreed upon data privacy principles. While not man- Governments of many low- and middle-income coun- datory, the OECD guidelines outlined a set of eight tries are currently developing laws and policies to principles to guide the protection against human respond to these trends questions, defining both how rights abuses by member states, such as the abuse data is protected and how data can be shared securely. or unauthorized use of an individual’s personal data. UNCTAD’s most recent data finds that 132 out of 194 These principles are: (a) collection limitation; (b) data member countries have some legislation in place to quality; (c) purpose specification; (d) use limitation; address privacy and data security.19 Outside the EU, (e) security safeguards; (f) openness; (g) individual Asia and Africa are experiencing the most rapid change participation; and (h) accountability. in data privacy laws, but significant developments con- tinue in Latin America and the Caribbean as well. The first legally binding international instrument to address data protection followed shortly thereafter The foundations of data protection are rooted in the in 1981 with the Council of Europe’s (CoE) Convention deep history of individual rights and rule of law. As for the Protection of Individuals with regard to Auto- early as 1948, the Universal Declaration of Human matic Processing of Personal Data or “Convention 108” Rights (UDHR) provided a right to protection of the law as it’s more commonly known. Convention 108 has against arbitrary interference with one’s privacy, fam- wide reach as it is open for signature by any country, ily, home, or correspondence. Similar rights were cod- whether CoE member or not, and has influenced the ified in subsequent international instruments, includ- development of data governance frameworks around ing the International Covenant on Civil and Political the world including, most notably, Europe’s most mod- Rights (ICCPR) in 1966 and the European Convention ern data protection law—the General Data Protection on Human Rights in 1950, as well as national consti- Regulation (GDPR) (EU) 2016/679, which was adopted tutions and other legal instruments. Through such in 2016 and entered into full force in 2018. legal instruments, governments have afforded people certain rights to privacy, free personality development, 18 Fernandez Vidal, Maria and David Medine. 2019. “Is Data Privacy Good for Business?” Focus Note. Washington, DC.: CGAP, https://www.cgap.org/sites/default/files/publications/2019_12_Focus_Note_Is_Data_Privacy_Good_for_Business.pdf. Accessed April 2020. 19 United Nations Conference on Trade and Development. “Data Protection and Privacy Legislation Worldwide,” https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx. Accessed July 1, 2020. 22 UNRAVELING DATA’S GORDIAN KNOT Like its predecessor, the European Data Protection to comply with the GDPR’s requirements in order to Directive 95/46/EC of 1995 (the “Directive”), the GDPR do business in Europe or engage with European data sets out principles for processing personal data, data subjects. Governments around the world have looked subject rights, obligations of data controllers and pro- to GDPR to inform their own rules around data pro- cessors, and outlines penalties for failures to comply, tection and responsibilities of data processors. This among other things. As such, it is known as a “compre- broad influence has also inspired the CoE recently to hensive” data protection law. modernize Convention 108 to align more closely with the GDPR (known as “108+”). Indeed today, the GDPR While data protection has existed as long as data is often the benchmark against which other personal has ever been managed by organizations seeking to data governance models are compared. use it for gain, the introduction of GDPR has been an important accelerator of the rights-based legal Additionally, the convergence around a rights-based approach to data protection, establishing various approach to data protection has motivated an increas- specific rights and obligations of different actors in ing number of countries to seek an approach to data a data transaction. Unlike its predecessor, the Direc- governance that directly empowers individuals and tive, which required member compliance but was an tackles persistent social and economic inequities. indirect mechanism for implementation (as it required People have long been seen as beneficiaries of good transposition into national law and resulted in varia- data usage practices on the part of government and tions across the various EU Member States), the GDPR the private sector but, by enabling people with more as a regulation took direct effect across the EU and direct control over the data they generate, the nascent was designed to harmonizes data protection across efforts in these countries seek to (a) ensure data is all Member States to ensure even application of the used in accordance with the specific preferences of law. This also facilitates the free flow of movement of each person no matter how those preferences may data across European borders, a core objective of the change over time, and (b) more directly available to GDPR. individuals to use in order to express preferences and access life-enhancing commercial and public services. The impact of GDPR has been significant and goes well beyond the geographic boundaries of the Euro- For people, and particularly for traditionally disadvan- pean Union. Through its extraterritorial scope, com- taged groups, the notion of having access to one’s panies and entities around the world are required to data—such as a credit score or land rights certificate comply with the GDPR’s requirements in order to do or medical history—and the ability to share that data business in Europe or engage with European data in a trusted environment can be profoundly empow- subjects. Governments around the world have looked ering. In Rwanda, for instance, personal data histories to GDPR. The impact of GDPR has been significant and such as transaction records and consumer behavior goes well beyond the geographic boundaries of the are now helping people demonstrate their credit- European Union. Through its extraterritorial scope, worthiness and gain access to loans to start or grow companies and entities around the world are required businesses. 23 Enablers & Safeguards for Trusted Data Sharing in the New Economy KEY FEATURES OF THE GDPR THAT SUPPORT TRUSTED DATA SHARING A general exposition about the many features of the GDPR is beyond the scope of this Report. This Side- bar focuses on some of its key features that support “trust” in data sharing. The GDPR is one of the more recent expressions of these features - many of which are also found in other laws and approaches to data protection, as well as GDPR’s predecessor instrument, the ’95 Directive. Amongst its many features, following are some key aspects of GDPR that serve as the pillars of trusted data sharing: 1. Agency. GDPR facilitates data sharing by giving individual data subjects rights and agency over their per- sonal data. These rights limit the ability of third parties to collect, process, or sell personal data without consent of the data subject. A key aspect of this agency is the ability of data subjects to have to agree to “automatic processing” (referring to AI systems) of their data. Another is data portability, that facilitates and encourages the sharing of personal data across data controller organizations. 2. Transparency. Both the rights of data subjects and the obligations of data controllers and data proces- sors create transparency in how individuals’ data is used and processed, contributing to the overall trust ecosystem. 3. Accountability. Just as importantly, GDPR establishes mechanisms for redress in the event of interfer- ence with these rights. These rights include the right to information about data collected, its intended purpose(s) for processing, and other information; rights of access, rectification, the restriction of pro- cessing, and erasure, for example. The GDPR provides broad exemptions for personal data that are “processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.” This enables a variety of data sharing and open data-style projects and research, particular public sector uses of data that might improve service delivery, urban planning, scientific or medical research, and a variety of other ends. 24 UNRAVELING DATA’S GORDIAN KNOT The countries profiled in the report provide further illustration of how a trusted data sharing ecosystem ADDRESSING THE RISKS underpinned by effective data protection cannot only OF DATA SHARING improve delivery of services to people as beneficiaries but also equip them with new capabilities that contrib- As the examples above illustrate, the benefits of data ute to individual empowerment: compound when data is “unlocked” and shared beyond the original data holder. When insights from one data 1. In India, easy access to trusted digital records such set are combined with another, the outcome can be as school degrees and transcripts—paired with the transformational. Insights generated through data ability to share that information in a verifiable and have been powerful drivers of growth and innovation. transparent way—enables people to prove their The diverse national responses to the COVID-19 pan- readiness for jobs. Not only does this offer the demic have served to illuminate both the varied ways opportunity for employment among people who in which governments access citizen data and the sys- otherwise have few proof points of their skill level, tems in place to unlock it for public benefit. The early it minimizes corruption through the issue of false observations and interesting features and challenges certificates emerging from these responses, especially in China, are examined more closely in the case study on health n Uruguay, the commitment to Open Government, 2. I data sharing included as an annex to this report. paired with civil society efforts to connect govern- ment data sets, resulted in the A Tu Servicio plat- Yet, as compelling as it may be to broaden access to form, that enabled citizens to make more informed data, there are challenges and risks to data sharing. decisions when selecting their health care provid- In addition to the broad concerns described early of ers. The program has introduced greater patient misuse and consolidation of influence that can charac- choice into Uruguay’s health care sector, enabling terize the data economy, there are a number of other citizens to navigate through a range of options specific challenges which are, in many instances, more and has helped improve the quality of data—e.g., acute in low- and middle-income countries. errors were discovered by users, providers, and the Health Ministry itself—and helped to lower These face risk of security breaches due to the high prices for consumers by creating more competition costs of security relative to economic resources, among providers.20 inadequate administrative systems and lack of exper- tise to manage such risk. Furthermore, the uptake of the digital economy depends on achieving and sustaining widespread trust in and legitimacy of access to and use of personal data by governmental agencies and service providers. The relevance of such legitimacy was illustrated in recent court cases sus- pending aspects of important national data-driven 20 Sangokoya, David, Clare, Ali, Verhulst, Stefaan and Young, Andrew. “URUGUAY’S A TU SERVICIO: EMPOWERING CITIZENS TO MAKE DATA- DRIVEN DECISIONS ON HEALTH CARE.” GovLab, January 2016. 25 Enablers & Safeguards for Trusted Data Sharing in the New Economy development initiatives (in this case, national digi- Algorithms trained on data from past experience may tal identification systems) in India,21 Jamaica,22 and also reflect and perpetuate the biases embedded Kenya23 for want of effective data governance protec- in historical differences among ethnic, religious, or tions for privacy. gender groups—differences that are very significant in many low- and middle-income countries. Thinner and Weaker digital literacy and awareness of risk of treat- less reliable data sets may result in poor training data ment of personal data and weak consumer protec- for machine learning systems, resulting in less robust tions leave individuals potentially even more exposed decision-making (whether automated or derived from to the asymmetry of knowledge and bargaining power data analytics), with inadequate systems for recourse when dealing with large organizations processing for individuals. data. These asymmetries are exacerbated where accumulation of data gathered through direct sharing Perhaps the most important consideration when eval- from individuals or through market intermediaries uating data sharing strategies is the strength of safe- enables firms to build effective monopoly power and guards in place to address such risks and challenges. exclude rivals. Without safeguards, data sharing can exacerbate infringements on data protection and privacy rights Competition concerns may also arise from increas- which, at best, undermine public trust and, at worst, ing use of algorithms for business pricing and other strengthen authoritarian regimes and exacerbate strategies, including by facilitating the implement- discrimination. The next section examines how a num- ing, monitoring, and policing of cartels, or reducing ber of countries, as well as the health and financial competition through industrywide adoption of pre- sectors, are working to strengthen those safeguards dictable reactions to changing market conditions.24 while cultivating rich data sharing environments. Lack of deep expertise in such complex matters leaves low- and middle-income countries vulnerable to risk of exploitation by savvy companies. 21 Justice K.S. Puttaswamy (Retd.) v. Union of India, Writ Petition (Civil) No. 494 of 2012, 1 (Sup. Ct. India Aug. 24, 2017). 22 Robinson v. Att’y Gen. of Jamaica [2019] JMFC Full 04 (Sup. Ct. Jamaica Apr. 12, 2019), available at https://supremecourt.gov.jm/content/robinson-julian-v-attorney-general-jamaica. 23 Nubian Rights et al. v. Attorney General of Kenya (High Ct. Kenya Apr. 1, 2019), available at http://kenyalaw.org/caselaw/cases/view/172447/. 24 Stucke, M.E. and Ezrahi, A. (2016) Virtual Competition: The Promise and Perils of the Algorithm-Driven Economy, Harvard University Press. 26 UNRAVELING DATA’S GORDIAN KNOT INNOVATIVE MODELS FOR DATA MANAGEMENT AT-A-GLANCE While the case studies included in this report focus on what governments are doing and can do to create an environment for data sharing, it is important to acknowledge that data sharing arrangements need not be designed and overseen by governments. In fact, widespread data sharing exists already through private agreements. Bilateral data sharing contracts are the dominant form of data sharing. This can be, for example, when an internet service company shared insights about user preferences for the purposes of targeted advertising. Some arrangements have been criticized for the opaque nature of these private contracts, particularly where the data being shared through these contracts is collected and used in ways that data subjects might not have anticipated or wanted. Tracking the rights, consents, and restrictions applicable to data that has been collected and transferred through potentially several intermediaries is complex and often not done. Due diligence by organizations as the provenance of data they acquire may not be as diligent as it should be. The result is a data environment in which vast amounts of data are transferred without care- ful attention to the privacy of data subjects, and sometimes without necessary security. New models are emerging that generate and share opportunity from data sharing while managing, miti- gating, and allocating risk transparently with accountability. These are secured under a robust framework of legal rights and obligations (some by law, some negotiated by contract, some by standards given the force of contract) according to the various roles involved. Data collaboratives are entities which govern the sharing of data between entities and, sometimes, individ- uals based on pre-established rules. Highly functioning data collaboratives will specify: • Scope: purpose for the data collaborative to exist • Data assets: types of data to be shared, standards for describing data • Participants: rights and responsibilities of data requesters and data holders admitted into the data collaborative • Risk management: security protocols, liability, jurisdiction in which the collaborative is operating • Access: mechanisms for data to be shared, permissions, and usage rules • Retention: where data is stored, how frequently it is updated, and duration of the agreement • Individual rights: the extent to which individuals have control or transparency into how and when data is shared With these characteristics in place, there are a number of forms that a data collaborative can take. New York University’s GovLab has started an extensive catalogue of data collaboratives and has identified a few key models, including (1) data pooling, (2) research partnerships, and (3) trusted intermediaries. One example of a research partnership data collaborative highlighted by the GovLab is 23andMe Patient-Centric Research Portal, which can be used for medical studies initiated by partner institutions, 27 Enablers & Safeguards for Trusted Data Sharing in the New Economy like the Mount Sinai Asthma Health and Stanford Medicine’s MyHeart Counts projects to access 23andMe research services using a new ResearchKit app, through which customers can choose to share data. Cus- tomers of 23andMe’s services can also choose to participate in other surveys to aid medical research, and provide data to 23andMe’s industry, academic, and nonprofit partners. An example of a trusted intermediary model includes Beeline Crowd Sourced Bus Service, launched by Sin- gapore’s GovTech and the Land Transport Authority (LTA) with a number of private and nongovernmental organizations lending support, Beeline acts as a matching service between people using the Beeline app and the city’s private bus services. Beeline collects consolidated bus transportation and user data collected via their app, which can then represent “community demand.” In doing so Beeline crowdsources transpor- tation insights directly from passengers using the service. These “user suggested routes” are created when there is enough demand for a particular route. Beeline attempts to close the gap between commuters’ needs and the services offered by private bus companies by providing a feedback mechanism within the app. The service has also led to the creation of GrabShuttle in 2017, a fixed-route shuttle service that allows users to track the buses in real time. And, finally, BBVA’s “Measuring People’s Economic Resilience To Natural Disasters” collaborative is an example of data pooling: In partnership with UN Global Pulse, BBVA’s Data and Analytics team analyzed financial data prior to, during, and after Hurricane Odile hit Baja California Sur in 2014. Using anonymized data on sale payments and ATM cash withdrawals, the partners measured the resilience of communities following a natural disaster. The researchers found economic recovery time was 2 to 40 days depending on location. They also found income levels and gender differences play a role in recovery time. Data trusts are a form of data collaborative with an inbuilt accountability mechanism based in Trust Law that imposes a fiduciary duty on a third party trustee legally responsible for implementing the purpose and policies under the agreed trust framework. Importantly, data holders placing data into a data trust no lon- ger control the data. It is instead being held by the third-party that manages the access and usage of the data in service of the stated legal purpose and beneficiary. The beneficiary can be specific (an individual or a set of users, for example) or broad (the general public, for example). Beneficiaries have the legal right to challenge the third-party’s performance and seek redress. UK BioBank is an example of a data trust. It aims to improve the prevention, diagnosis, and treatment of a wide range of serious and life-threatening illnesses by following the health and well-being of 500,000 vol- unteer participants and provides health information, which does not identify them, to approved research- ers in the UK and overseas from both academia and industry. Personal data stores are a technical tool whereby individuals can store and permission access to personal data. Some personal data stores permission data to be used by developers to create new applications whereas other PDSs permission data for use by academics, brands, and nonprofits. Personal data stores compete on the basis of helping individuals understand their data assets and make use of them through new analysis or profit generation. Digi.me is an example of a personal data store that permissions data to be used by developers to build apps. 28 UNRAVELING DATA’S GORDIAN KNOT METHODOLOGY AND PURPOSE to outline a more complete framework, the report The following section examines how different coun- intentionally sought to profile countries that have tries are approaching data governance in order to taken steps to support trusted data sharing that go realize these benefits and mitigate the risks, drawing beyond policies and regulations. Together these on seven country-specific experiences (India, Estonia, selection criteria necessarily ruled out certain coun- Singapore, Mauritius, Chile, Uruguay, and Mexico) as tries and focused the report’s attention on coun- well as the experiences of governing open banking tries that are both taking a rights-based approach in the financial sector (drawing extensively from the to data protection and investing in institutions, experiences of the United Kingdom and Australia) and technical architecture, and capacity building to health data sharing (drawing from a range of govern- support trusted data sharing. ment responses to the COVID-19 pandemic). In ana- lyzing these experiences, the paper surfaces emerging 2. Iterative approach to learning about each country: practices and interesting features of trusted data The countries profiled each have their own priori- sharing from across the world which are intended to ties and own experiences in supporting a trusted inform other governments as they develop their own data sharing ecosystem. This makes detailed data governance posture. direct comparisons more challenging (e.g., those governments that have prioritized data sharing The report has been developed through interviews as a means to improving government efficiency with current and former government policy makers compared with supporting trade). However, the from the countries profiled in the case studies and iterative approach to analyzing each country— draws upon a 2019 survey of more than 100 emerging through interviews with policy makers and sec- market policy makers and their advisors conducted ondary research—elicited the emerging practices in collaboration with Oxford University’s Pathways for and interesting features that policy makers in the Prosperity Commission. Additional inputs come from respective countries identified as most important a wide range of World Bank staff and partners, as well for trusted data sharing. as extensive secondary sources. 3. A focus on “success” stories: The practices and While the report benefits from significant inputs from features examined in this report remain nascent each of these contributors, it is important to acknowl- in most countries and, as such, evidence of devel- edge that the case study methodology used to anchor opment impact remains scarce. The intent of this the report does create certain parameters for the report is to frame the opportunities for govern- analysis, namely: ments to foster a trusted data sharing environ- ment. With this in mind, the authors made the 1. Normative approach to country selection: The intentional decision to focus on illustrative “suc- countries profiled in the case studies for this report cess” stories and used extensive consultations with were selected based on a number of criteria that World Bank staff, other global data experts, and would offer diversity in geography, size, and pri- numerous policy makers to identify countries that mary motivations for investing in trusted data shar- are widely perceived to be on a successful path ing. However, all of the countries had one thing in towards a trusted data sharing environment. While common: they acknowledge that data sharing and the extensive consultative process provided a high data protection need not be at odds, and they have degree of confidence in the successes of the coun- each taken intentional steps to create a virtuous tries profiled, it also highlighted two challenges of cycle between the two. Additionally, in an attempt this methodology: (1) without strong counterfactual 29 Enablers & Safeguards for Trusted Data Sharing in the New Economy examples (i.e., profiling countries that have strug- gled to create a trusted data environment or have succeeded by means other than the five pillars), the report cannot assert more definitively that each of the five pillars is required for success nor can it make conclusions about the relationships between the five pillars, and (2) the lack of an existing moni- toring and evaluation (M&E) framework leaves the definition of “success” somewhat subjective, and makes tracking progress towards a trusted data sharing environment difficult for any country. This report is meant to stand alone as a focused look at trusted data sharing and provide a resource for gov- ernments grappling with the associated strategic ques- tions. It will also serve as an input into the World Bank’s 2021 World Development Report, which will explore a wider range of data governance issues including, but not limited to, cybersecurity, tax policy, access to data infrastructure such as cloud services and internet exchange points, and the economic value of data. INSIGHTS FROM CASE STUDIES 31 Enablers & Safeguards for Trusted Data Sharing in the New Economy The case studies (annexed) examine instances in sev- 2. Robust and resourced institutions capable of enforc- eral countries and sectors in which the government ing the rules while also offering citizens responsive has taken intentional steps to consider the relation- and effective redress. In the countries profiled in this ship between data protection and data sharing—in report, this has been achieved both by identifying some cases, it has been part of a broad vision for strong coordinating bodies within government that national digital transformation and in others as part of can harmonize approaches to data protection and a response to global trade aspirations. data sharing, as well as investing in a whole-of- government approach to implementing data gover- In the end, despite these varied reasons, each country nance, which can help reconcile instances where profiled has taken an active role in promoting trusted there are competing policy priorities across govern- data sharing. In all cases, policy makers have identi- ment agencies. Furthermore, governments have fied specific value propositions for data sharing and sought to take specific steps to engender trust in have taken bold actions toward creating enablers and institutions and to establish appropriate capabil- safeguards in data sharing arrangements. ities within institutions including supervisory and oversight functions and clear redressal systems for Examining the contours of a trusted data sharing eco- individuals. system that begin to emerge from the country case studies helps to validate the initial assertion of this 3. Trusted technical architecture to standardize data paper, that policies and laws, dedicated institutions, sharing within government and regulated institutions and secure technology architecture are interdepen- while giving individuals more control and transpar- dent and mutually reinforcing. ency into data flows that use their data. In the coun- tries profiled in this report, this has been achieved Ultimately, the experiences of the countries profiled by investments in technology platforms that break point to a number of specific characteristics that, down data silos and facilitate the exchange of data together, help maximize the value of data as a tool for in ways that create accountability (e.g., Singapore’s development outcomes. These both expand who can digital watermarks for tracing the originator of derive value from data and help preserve individuals’ documents) and transparency (e.g., Estonia’s State rights even as data is shared more extensively. These portal that gives individuals granular insights into characteristics can be organized around five main who is sharing their data and for what purposes). pillars: Like data policy making, creating trusted techni- cal architecture requires an iterative and adaptive 1. Laws and regulations that clearly define the rights and approach to expand capabilities for the user and to obligations over data, including the rights of people to strengthen data protection. determine when and how personal data is collected, shared, and used. In the countries profiled in this 4. Capabilities inside and alongside government to report, this has been achieved both through a clear analyze and make use of data. In the countries pro- and enforceable rights-based approach to data filed in this report, this has been achieved through protection policies and laws, as well as through an investments in reorganizing and strengthening iterative and adaptive approach to data policy mak- the human resources of government agencies ing in order to continuously calibrate and refine the in order to harmonize approaches to data gov- relationship between sharing data and keeping it ernance and to ensure the proper capabilities to safe and secure. establish and implement effective data governance strategies. Such efforts have included, in some instances, programs to cross-train policy makers 32 UNRAVELING DATA’S GORDIAN KNOT and technologists and, in other instances, effort to embed technical expertise across traditional ENABLERS AND SAFEGUARDS government ministries. This has also been achieved FOR TRUSTED DATA SHARING through strategic collaboration between govern- ments and private firms or civil society (e.g., Uru- guay’s A Tu Servicio initiative) to share data in ways that are both secure and more broadly accessible. Pillar 1: Policy and regulatory environment that defines and enacts rights over data 5. Active and participatory civil society and informed populace who can keep governments and com- 1.1 Laws and regulations panies accountable. In the countries profiled in the report, this has been achieved both through Laws and regulations are the foundations of data well-resourced and sustained national programs to rights and, within that, how data can be shared. provide digital literacy training and through multi Among the countries evaluated, there is a conver- stakeholder processes to develop open data pol- gence around legal attributes fostering trust in data icies and other strategic planning related to data sharing, namely: protection and data sharing. • Laws related to data protection are supported by Through the intentional steps each of the countries fundamental rights enshrined in a national con- profiled has taken to unify the goals and the imple- stitution or similarly high-level legal instrument, mentation of data protection and data sharing, they which provides a stronger basis for defending and have emerged as regional and global leaders in the asserting them, including in face of changes in use of data for development, and have collectively leadership or political climates. helped to illuminate the enablers and safeguards nec- • Laws related to data protection have limited excep- essary for trusted data sharing. tions and avoid broad carve outs for categories of data, certain uses of data, and certain actors (such The descriptions in the following section are not as the public sector). intended to provide a comprehensive review of all • The laws are based on a clear set of core data pro- aspects of each country’s data protection and data tection principles such as transparency, fairness, sharing approaches. Rather, they are meant to data minimization, purpose limitation, storage emphasize areas of each country’s approach that may limitation, and accountability, among others. be illustrative to other countries grappling with how • The laws clearly articulate a broad array of individ- to create the enablers and safeguards necessary for ual rights in respect of personal data, as well as creating the five pillars for trusted data sharing. clear mechanisms for exercising those rights. • The laws clearly articulate the obligations of entities who collect, store, and otherwise process personal data, as well as rules for how those entities engage third parties in furtherance of those processing activities. • The laws establish clear accountability mechanisms for entities who collect, store, or otherwise process personal data. 33 Enablers & Safeguards for Trusted Data Sharing in the New Economy • There are clear enforcement mechanisms to protect 1.2 Coordinated and iterative policy environment and defend individual rights, including penalties sufficient to deter noncompliance by entities who Several of the countries instituted a whole-of- collect, store, or otherwise process personal data. government approach to ensure the legislative • There is a readily identifiable entity in charge of requirements are effectively implemented. Such a supervision and enforcement, with convenient whole-of-government approach is essential given the modes of accessibility to the public. cross-cutting nature of data and the myriad interests • There are clear rules for cross-border transfers of and issues involved. ICT ministries and telecommu- personal data, including a supervisory mechanism nications regulators play a formative role in setting a for those transfers and local redress in the event of country’s telecommunications agenda, but the rele- breaches or abuses of data transferred. vance of data is far more expansive, involving every • Laws related to data sharing, including open data sector of a country’s economy and, as a result, involv- rules, focus on enhanced transparency with respect ing departments across government. to the flows of data, authorization and access mechanisms, and accountability. Additionally, the fast-moving nature of technological • Laws related to data sharing, including open data advancement makes iteration in digital policy making rules, aim to realize the benefits of data sharing essential. While many countries commonly have in while also protecting individual rights. place three- or five-year national digital strategies, a • Laws that enable access and use of data, includ- trusted data ecosystem requires additional iteration ing open data policies or laws, access to infor- in policy making and support for more agile institu- mation legislation, and mechanisms to support tions. This is, in part, because many models for trusted the interoperability of information systems, and data sharing are only just now emerging and there datasets to enable portability and reuse of data. are opportunities for regular learning and continu- Mechanisms can include clear data classification ous improvements, but also because the relationship policies, unified standards for data taxonomies between data sharing and data protection is not a and machine-readable formats, establishing access specific end-state but rather a dynamic relationship through bulk download and APIs, and ensuring that requires regular recalibration. Countries profiled that the appropriate licenses are in place to sup- in this report have looked to iterate in different ways— port reuse of data (e.g., Creative Common licenses some through regulatory sandboxes, others through or OdBL). processes for continual technological improvements, • In cases where emergency legislation is passed to and others through flexible institutions. enable data collection, processing, and use of data in exceptional circumstances (e.g. the COVID-19 The following examples offer ways in which five coun- pandemic), it is essential that these laws be subject tries have approached iterative whole-of-government to robust procedural safeguards to limit their scope data governance: and ensure they are not misused. These include ensuring proving that these laws are lawful, nec- 1. Uruguay: By recognizing the challenges of coor- essary, and proportionate to meet government’s dination and by aiming to reduce institutional intended objectives to justify their adoption. They fragmentation, the Uruguayan government has must also include strict sunset clauses and renewal expanded the mandate of Agencia de Gobierno requirements, as well as provide for independent Electrónico y Sociedad de la Información (AGE- judicial review and redress, to reassess efficacy, SIC) to better coordinate implementation of data necessity and safety over time. protection, access to information, cybersecurity, 34 UNRAVELING DATA’S GORDIAN KNOT and open government initiatives across national subnational governments. While the registry is government agencies, as well as with local govern- centralized and operates as a virtual social registry, ment. These provide clear and consistent processes tasks such as data collection are completed by local and help harmonize goals. In its initial phases, municipalities. AGESIC’s biggest challenge was interagency coor- dination. Originally, it was set up to create the 4. Singapore: The creation of the Smart Nation and necessary infrastructure for digital transformation Digital Government Group (SNDGG)—which is and considered a producer of technical knowledge well-resourced and has a strong mandate—has and policy but did not have a mandate to drive helped ease intragovernmental data sharing by implementation of e-government initiatives, relying allowing a strong government coordinating body instead on other ministries and agencies to imple- to focus on developing shared digital infrastructure ment e-governance programs. Many of these other (e.g., data transfer platforms), enforcing common government agencies were wary of the costs of standards (e.g., for data security), and ensuring introducing new technologies, were sensitive to the interoperability of applications. Specific government new processes entailed, and had limited human agencies remain domain experts in front-line data capacity to execute new initiatives. In addition, collection and in management and use of specific a lack of interoperable databases and platforms databases. Furthermore, Singapore’s experience made it difficult for the ministries and agencies across the Smart Nation implementation, open to collaborate and develop standardized e-gov- banking initiatives, and both Public and Private ernment services. In July 2015, the government Sector Data Security efforts, policy changes must be issued a decree which required “putting central complemented with the appropriate organizational government procedures and services, and those of structures and technical infrastructure to achieve other public entities, online.” The decree entrusted the changes that the government hoped to see. AGESIC in the “directing, organizing, structuring, executing, and monitoring the initiative,” thereby 5. United Kingdom (Experiences from Open Banking): In empowering it to issue relevant technical standards the United Kingdom, a single standard setting body and regulations. provided regulatory certainty for open banking and helped drive private sector investment and adop- 2. Mexico: A National Digital Strategy Office was tion in comparison to the roll out of PSD2 in the created under the Office of the President to coordi- rest of Europe. nate the Digital Strategy, which addresses five key elements necessary for the country to maximize the development potential of data: infrastructure, dig- Pillar 2: Robust and resourced insti- ital skills, interoperability of government data, the tutions capable of enforcing the legal and regulatory environment, and open data. rules while also offering citizens responsive and effective redress 3. Chile: Chile’s social information system was housed under the Ministry of Planning, which has since There are a number of institutional functions that then become the Ministry of Social Development need to be established in order to ensure trust in data and Family. This provides key benefits. In particu- sharing processes including government units with lar, the institution housing the integrated registry clear mandates and aligned incentives, appropriate has the capacity to coordinate and sign data use capabilities, supervisory and oversight functions, agreements across sectors and in the central and and clear redressal system for individuals. Building 35 Enablers & Safeguards for Trusted Data Sharing in the New Economy government capacity in these areas requires invest- sensitive noncritical data from other data that can ment in people and institutions. The following provide be shared with ease, enabling better public service two examples of countries that have invested in the delivery while protecting rights. necessary institutional capabilities to support trusted data sharing: Pillar 3: Technical architecture to stan- 1. Estonia: The citizen portal enables transparency into data access and data use including time and dardize data sharing within govern- date stamping of data access, who is requesting ment while giving people more controls the data and why. Additionally, Estonia has a long and transparency into data flows history of specific steps to building trusted insti- tutions. The leaders of Estonia’s digital transfor- The underlying hardware and software are critically mation prioritized building trust in new forms of important to ensuring data flows in accordance with communication between government and citizens. the law. In addition to establishing the policy environ- For example, the government’s decision to use ment and institutional capabilities in place to maxi- e-mail communications—which was emerging mize the value of data, tools, and protocols that make as a legitimate means of communications at the the exchange of data and the user experience intuitive time—as a key building block of a trusted digital and safe are key. As the case studies reveal in further society—helped to “slowly take down the institu- detail, these types of technology investments range tional barriers impeding communications to be as from interoperable databases that are accessible to easy and relaxed as possible. As a result, ‘people and used across government agencies for sharing trust digital interactions because we intentionally data, e-services portals that allows citizens to access built digital nonformal forms of communication government services, and individual data portals that which people are used to employing, and that is allow people to aggregate, store, and share data, and something which contributes to making the social inclusive digital platforms such as digital identification components of trust.” that ensure all people are participants in the digital economy, but if designed with key elements in mind, 2. Chile: Given that the RIS registry is centralized but can enable data sharing and data security. data collection is carried out locally and in a distrib- uted manner, intensive coordination among all rele- The following provide four examples of countries vant stakeholders is necessary to seek their buy-in, that have invested in technology platforms to enable and formalizing relationships between them within trusted data in various ways: the government has become essential for suc- cessful implementation. The mechanism that the 1. India: DigiLocker is a platform for the issuance and Ministry of Social Development and Family currently verification of electronic documents, thus eliminat- utilizes to formalize these relationships is one of ing the use of physical documents. A public version interinstitutional data sharing arrangements. These of services like DropBox, DigiLocker account users agreements, signed between public sector agen- get a dedicated cloud storage space linked to their cies and the ministry, determine the nature of data Aadhaar ID number. The Digital Locker Technology shared as well as protocols around when the data is Framework establishes standards and tools for updated within the registry. This enshrines pro- users to gain access to and manage their data. This tection for individuals’ data as well—in negotiating platform, paired with the technology layers of Data interinstitutional agreements, agencies delineate Empowerment and Protection Architecture (DEPA), 36 UNRAVELING DATA’S GORDIAN KNOT allows individuals to have more control of their data Pillar 4: Capabilities inside and alongside and share it in a more transparent and trusted way. government to analyze and make use of data 2. Estonia: Data access permissions are included in X-Road, the country’s data exchange layer, to Data can only be utilized within government for effectively automate compliance with data sharing smarter, agile policy making when there are the sys- policies. Furthermore, the transparency by design tems and human capacity to analyze data and, impor- features of X-Road enable citizens to understand tantly, respond to data insights. This requires new when and why their data is being accessed, cre- incentives to attract new talent and upskill existing ating a key data protection safeguard by not only workforces in data analysis skills and disruptive tech- providing individuals’ insights into the movement nologies, and a significant change management effort and use of their data, as well as mechanisms for to create an atmosphere of data-informed operations. recourse in the case of errors or misuse. Singapore and Mauritius respectively offer examples 3. Singapore: Singapore’s Vault.Gov.SG provides of governments to have made intentional efforts to a platform for civil service officers to explore a build these capabilities. catalogue of widely-used government data sets and download sample data sets to understand the 1. Singapore: To draw more interest and provide data better. Once a civil service officer has found a more compelling offering to highly-sought the necessary data, they can submit a request to after data talent, compensation packages were the appropriate authority for review. Review of the revamped to ensure market competitiveness with request takes no more than seven working days the global tech sector. The government actively and if approved, data is digitally watermarked marketed Singapore as a hub for international and encrypted with project and officer IDs before talent and made a variety of overtures to try to dissemination, deterring leaks and providing clear repatriate Singaporeans working in data overseas. traceability. The civil service officer can then upload To better retain those talents, HR policies have the data into Singapore Government’s central been restructured which included the creation of analytics platform, Analytics.gov, which has specialist career pathways that recognized highly commonly used analytics tools, and incorporates all skilled individual contributors and enabling data the requisite data security controls and measures. and digital tech specialists to gain exposure and Analytics.gov also allows data scientists to share broaden their experience through job rotations code with other public sector data users to acceler- across government. Programs have also been ate the deployment of data and AI models. set up to facilitate employee exchanges with the 4. Mexico: InteroperaMX, modeled after Estonian’s private sector providing for industry professionals X-Road, allows public institutions to share reliable to share their experience with government teams and trustworthy data, with clear identification of and government employees to gain experience in the source and certification of the information. As private companies. Additionally, to best utilize this in Estonia, InteroperaMX supports efficient delivery rebuilt bench of data skills, a variety of efforts have of public services, including through a once-only been made to better integrate traditional policy policy whereby citizens only have to provide per- and operations knowledge and skill sets with the sonal data to a single, appropriate government technical skills these new talents offer. agency and then that data is shared through a set 2. Mauritius: Following best practice guidance for of defined permissions. successful open data implementation, the National Open Data Policy created a Central Open Data 37 Enablers & Safeguards for Trusted Data Sharing in the New Economy Team (CODT), which reports to the Chief Technical and share their data, as well as protect themselves Officer of the Ministry of Technology, Commu- against misuses. Estonia, Singapore, and Uruguay are nication, and Innovation (MoTCI). The CODT is other examples of specific digital literacy investments responsible for steering Open Data work across that have helped underpin a trusted data sharing government ministries and departments, including environment: establishing and reviewing standards for Open Data and setting up and administering the National 1. Estonia: In 1996, the government launched the Open Data Portal. The CODT is also responsible “Tiger Leap” initiative, which continued massive for setting the standards for Privacy Compliance investments in internet connectivity and introduced Assessments to be carried out at the level of Minis- computer skills in all secondary schools starting tries and Departments prior to the release of data at the age of seven to ensure future generations sets as Open Data. Importantly, in addition to the would be digitally literate. Another initiative, Look@ centralized team, each ministry was compelled by World, done in partnership with banks and tele- the National Open Data Policy to create an Open coms provided computer training to 10 percent Data team to support the CODT. These ministry- of the adult population who represented the least level teams are expected to have at a minimum digitally literate segments of society, including a permanent secretary, a program manager, a blue-collar workers and retired individuals. Pro- systems analyst, and a statistician—a team drawn grams in digital literacy continue even today with from different government agencies and embed- efforts like Targalt Internetis which promotes inter- ded into each ministry. The creation of the minis- net safety and awareness of data rights. In looking try-level teams builds upon existing practice within to Estonia as a model, it is critical to acknowledge the Government of Mauritius to have embedded both the specific and sustained efforts to build statisticians from the National Statistics Office in trust in public institutions and the institutional each ministry. investments that were made to build a highly digi- tally literate populous. Pillar 5: Active and participatory civil soci- 2. Singapore: The country introduced its Digital ety and informed populace who can Readiness Blueprint to ensure all Singaporeans effectively use data and keep govern- can access technology to enhance their lives. The ments and companies accountable government established a digital readiness working group, with participants from the public, private, 5.1 Investing in the digital literacy of people to and civil society, tasked with ensuring access to enable active and informed participation inclusive digital infrastructure, building digital liter- acy, and driving participation in digital communities Even in a policy environment with strong protections and usage of technology. The blueprint outlines for individuals’ data, people must also have the req- recommendations around improving cyber security uisite skills and awareness to actively and responsibly and data awareness skills, providing access to basic engage in the data ecosystem. A number of coun- digital enablers, and driving interaction with data- tries profiled in the report have invested in sustained driven technologies which are key to maximizing efforts to have an informed population, ranging from the benefits and containing the risks of data. how to access and use digital technologies, to ways to stay safe online, and behave in ethical and effec- 3. Uruguay: Uruguay has not only prioritized digi- tive ways on digital platforms. These efforts enable tal skills acquisition as a foundational element of individuals to both understand their ability to access 38 UNRAVELING DATA’S GORDIAN KNOT an inclusive digital government but has been a 1. India: India has introduced new, regulated entities leader in normalizing the concept of the digital that have a responsibility to help translate indi- citizen—i.e., a set of skills that enables citizens to vidual consent preferences into how their data is access, retrieve, understand, evaluate and use, to shared and processed. With the creation of this create as well as to share information and media in new class of regulated entities, called “account all formats, using several tools, in a critical, ethical, aggregators” in the financial sector where the and effective way to participate and engage in per- model is first being rolled out, Reserve Bank of sonal, professional, and social activities. India is spearheading a new means of establish- ing trust in the data economy by separating con- sent collection from data processing. While many 5.2 Equipping individuals with means for protect- countries have established DPAs to serve as griev- ing and controlling their data ance and redressal mechanisms, India is unique in having created a new class of licensed institutions The rights-based approach introduced above confers with the competitive incentive to serve and inform on individuals specific and extensive rights related to individuals. These entities ensure people can personal data. The following is not intended to cata- make informed decisions about data sharing and, logue again each of these rights in detail, but rather because the regulated entities do not have access highlight emerging practices and interesting features to the underlying data, they compete on the basis identified through the case studies that enable individ- of developing customer-facing trusted services. uals to avail themselves of those rights. These exam- ples highlight that enablers of trusted data sharing 2. Mauritius: Institutional innovations like the DPA of must go beyond the legal framework. In particular, Mauritius are intended to create efficient meth- two areas related to rights and capabilities emerged ods for complaints by individuals of data misuse through the case studies: redressal mechanisms and and redressal of misuse. Importantly, the DPA has models for consent. strengthened consumer trust, by improving the level of data protection of relevant products and The ability for consumers to seek redressal when their services, while also enhancing data subjects’ rights, data rights have been violated is essential to maintain- thereby providing individuals greater control over ing trust in an ecosystem of data sharing. Consumers their personal data. should have access to independent redressal mecha- nisms that allow them to correct problems quickly and efficiently. Similarly, most individual consent frame- 5.3 Civil society engagement works are generally a one-size-fits-all model, i.e., as a consumer you have little to no ability to exert prefer- To strengthen trust in a data sharing environment, ences. However, new policies, institutional practices individuals’ interests must be represented by a robust and technologies are emerging that have the potential civil society that can advocate on behalf of the interests to change this paradigm—creating the possibility of of people and societies, hold governments account- more tailored consent frameworks where consumers able, and safeguard against government overreach— can determine the scope, time limit, and revocability particularly in light of the common carve-outs in laws of consent to use their personal data. Examples of for government access and use of personal data. In these new types of individual controls and capabilities the last four years, for instance, the Government of over personal data include: Jordan has led notable efforts to implement reforms to promote the use of Open Government Data (OGD). 39 Enablers & Safeguards for Trusted Data Sharing in the New Economy This process has gone beyond the technical and legal Assessments while the Australian Competition and aspects of reform by publicly consulting with civil soci- Consumer Commission (ACCC) rules frameworks ety, academia, and civil servants throughout the public and accreditation processes for the Consumer Data sector. This approach in opening public sector data Right have gone through public drafting and con- sparked a wider national discussion around open data sultation processes. and introduced newly-proposed reforms on govern- ment’s data classification and the right to access infor- 2. Uruguay: Each iteration of the Digital Agenda for mation, while opening the door for the exploration of Uruguay (ADU) has been a product of a multistake- new data-driven local technological innovation and holder process with representatives from govern- economic growth. These efforts at instilling good gov- ment, academia, the private sector, and civil society ernance norms and practices into the policy process organizations. Importantly, the implementation have been one of the drivers of change for a broader and monitoring of the ADU is carried out by the reform of Jordan’s public administration. Public entities National Council for the Information Society which that were typically perceived as cautious of releasing includes representatives from all sectors. This data have since embraced a more open approach to approach has led to high degrees of public trust. publishing open data sets. Capacity-building activities The current 2016–2020 ADU continues to empha- piloted by the Minister of Digital Economy and Entre- size the importance of the trust ecosystem in order preneurship (MoDEE) have contributed to standardiz- “to promote full participation in the information ing data classification schemes within the public sector society,” including an effort to expand the use of and have resulted in 35 public entities releasing over secure digital identity mechanisms for authentica- 200 datasets in the second half of 2019. These figures tion purposes. are expected to increase significantly as these change management and capacity building efforts are insti- 3. Mexico: Mexico views their open data systems as tutionalized, and a further 70 entities are expected to strategic infrastructure for the country’s develop- participate this year. ment. The infrastructure (open data portal, data- sets, etc.) was built based on a citizen consultation The following highlight four examples of civil society through the one-stop government portal, Gob.mx/ engagement that has prompted government action or participa. In this consultation, more than two thou- held government accountable in the cases profiled in sand participants from civil society, private sector, this report: and citizens participated to prioritize and propose the data they considered central to public concerns 1. Australia (Experiences from Open Banking): The and helpful in identifying solutions to the country’s legislation and implementation of the Consumer development challenges. Data Right has been notably supported heavily by consultation with the general public and specifi- 4. Health Data Sharing (Experiences from COVID-19 cally with relevant private sector firms. The most Response): As the COVID-19 pandemic has high- important precedents to the CDR, the Productivity lighted, data protections are relaxed in times of Commission Report on Data Availability and Use crisis which can amplify both how governing bodies and the Treasury Review into open banking in Aus- intend to govern data and the extent to which civil tralia, were both the result of open consultations society has the ability to meaningfully engage on and open comment periods. The Consumer Data these complex issues. Right legislation underwent two rounds of con- sultation and two rounds of open Privacy Impact 40 UNRAVELING DATA’S GORDIAN KNOT THE CHALLENGES OF IMPLEMENTATION Governments are increasingly aware that the policies those promising features—not out of ignorance of the and practices for data protection and data sharing persistent challenges with which every country still must be complementary. In Singapore, for instance, grapples (e.g., government override of rights in the government officials acknowledged in consultations for name of national interest), but rather in the hope that this report that the increased focus on data protection these promising features might serve as an example and improved data security in recent years did not con- to other countries. strain the data sharing environment, but rather sup- ported increased integration and sharing of data for It is also important to note that the starting point for better delivery of public services. Several data incidents every country varies significantly—some, like Estonia, uncovered in recent years highlighted the need to have designed their approach to trusted data sharing review the government’s information security policies in a near-greenfield environment, while others have and practices, and strengthen the data security regime had to revisit and amend existing policies to align against current and future threats. To do so, the Prime with national development strategies or in the face of Minister convened the Public Sector Data Security data breaches. Further, it is important to emphasize Review Committee (PSDSRC) to conduct a comprehen- that the pace and sequence of change for each coun- sive review and inspection of ICT systems and make try differs. While the alignment of laws, institutions, recommendations to address existing gaps, and build a architecture, and human capacity is desirable, the case strong data security regime that enables trusted flows studies suggest that it may not always be possible to of data by protecting data and detecting and respond- expect alignment of these factors simultaneously. The ing to incidents.25 Similarly, in Uruguay, the decision to legislative process often lags behind technological consolidate within AGESIC the authorities for data pro- developments and political priorities. Additionally, tection, public sector data interoperability, and open given the concentration of power in the data economy government is recognized as a key part of the country’s mentioned early in this report, methodical multistake- successful digital transformation. In both instances, the holder consultations that include active engagement connection between these two led to increased confi- from civil society and represent the interests of people dence in the ability to share data securely. are critical in this process. It is important to note that in documenting the expe- Furthermore, while this report intentionally chose to riences of each country and sector profiled above, profile countries that that have rejected the notion this paper emphasizes promising approaches to that data sharing and data protection are necessarily both enablers and safeguards for sharing data. in tension with one another and, in doing so, is able Many countries are seeking to align with the growing to identify the contours of a trusted data sharing convergence around a rights-based approach to data environment, the framework proposed above is only protection, driven by both commercial and geopolit- a starting point. Implementing each of the five pillars ical forces. Each country profiled continues to evolve is challenging on a number of levels—not least of and address challenges in its approaches to data which are the complexities of power dynamics, vested sharing. As such, this paper intentionally focuses on interests, varied risk appetite within bureaucracy, and 25 Dolan, Jonathan. Notes from meeting with Singapore’s GovTech team, January 9, 2020. 41 Enablers & Safeguards for Trusted Data Sharing in the New Economy mismatched incentives for different stakeholders. 2. Links to specific use cases: Like other cross-sec- While the report does not attempt to tackle these toral development efforts, trusted data sharing issues of political economy directly, it is important to solutions not only require political leadership but acknowledge they play a formative role in how data is also specific use cases to mobilize stakeholders. shared and with whom—just as they would for distri- In introducing its Consumer Data Right (CDR), the bution of any asset. Australian government acknowledged this point, outlining key use cases for the data that would be For all of these reasons, it is impossible to prescribe made more widely accessible in the scheme and the particulars of a top-down trusted data sharing outlined its vision for the customer journey. Inter- strategy. In the end, however, the countries assessed estingly, initial use cases appear to have important for this report—despite having markedly different implications for how and whether individuals par- data governance journeys—reveal the need for two ticipate in data sharing. Open Banking Standards, things to help drive implementation and overcome for instance, are facilitating data sharing in the these challenges: financial sectors with the goal of stimulating com- petition and enhancing money laundering controls. 1. Sustained, high-level political will: In Uruguay, In countries with Open Banking, FinTechs and chal- many initiatives that have emerged from the lenger banks, for example, can more easily gain national digital plan are intentionally designed as access to transaction histories in order to compete joint efforts between AGESIC, the country’s cen- on loan products. tralized authority for the information society, and other government agencies and line ministries. AGESIC is under the Office of the President, and even as administrations have changed, presidents have reiterated their support for AGESIC and have defended the importance of data as a tool for serv- ing the country’s citizens. Chile’s MINSEGPRES is yet another case in point, serving as a line ministry that coordinates the digital agenda between legislative and administrative arms of the government. CONCLUSION 43 Enablers & Safeguards for Trusted Data Sharing in the New Economy As low- and middle-income countries experience to catalyze trade, while others have taken a more unprecedented growth in data, governments are proactive approach to equipping individuals with new grappling with how to leverage data for development. rights and capabilities: India’s DEPA enables citizens In particular, three main development motivations are to create consent profiles for how their data is used, emerging: Estonia’s State portal allows citizens to manage how their data is shared at a granular level (e.g., which doc- 1. Driving economic growth through trade and tors can request which aspects of their health data), private sector and entrepreneurial activity and Uruguay has invested heavily in creating digital citizens who have “skills that enables (them) to access, 2. Creating more efficient, accountable, and retrieve, understand, evaluate and use, to create as transparent government well as to share in a critical, ethical, and effective way.” 3. Empowering people Despite the markedly different motivations and rela- tive prioritization of development objectives, the expe- However, in the absence of an intentional approach riences of the countries profiled in this report make to maximizing the value of data, the competing policy it clear that data sharing is a lynchpin for extending priorities of different government agencies can make the value of data beyond big tech firms—whether the it difficult to harmonize data protection in a manner goal is to enable individuals to exercise more control that enables the sharing of data to expand its value. and derive more benefit from their data, or to enable Furthermore, the extent to which governments prior- entrepreneurs to leverage data to innovate or to break itize these distinct opportunities within their national down government data silos to provide more efficient development strategies has important implications for and effective government services. However, regard- how data governance policies and laws, institutions, less of which of these goals most motivates data and technical architecture are designed and imple- sharing, the case studies suggest that data sharing mented. For instance, among the country case studies policies, laws, and mechanisms can be designed and highlighted, data interoperability platforms are a com- implemented in ways that do not jeopardize individual mon investment in more efficient government but, rights or erode social norms through data breaches, depending on a country’s emphasis on transparency targeted disinformation campaigns, and other abuses. or individual empowerment, may or may not be paired with a portal where citizens can follow how and why In other words, data protection and data sharing can their personal data is being accessed and shared. be complementary—instead of competing—elements in a country’s approach to governing data, thereby Similarly, even as many governments converge supporting a trusted ecosystem in which data is around a rights-based approach to governing per- shared more extensively, specifically because it can be sonal data, the steps countries are taking to ensure done securely and in ways that provide clear protec- citizens are actively engaged in and understand tions for individuals. Fortunately, through the deliber- how their data is generating value varies. In some ate actions of an increasing number of governments, instances, governments have focused with aligning the contours of this complementary approach are with international norms for data protection in order starting to emerge. 44 UNRAVELING DATA’S GORDIAN KNOT AREAS FOR FURTHER RESEARCH AND LEARNING Although there is an emerging picture of what govern- to recognize the need for a person or institution ments can do to foster a trusted data sharing envi- charged with safeguarding the interests of people ronment, most countries globally—including many of in their interactions with technology platforms. those profiled in this report—are in the early stages of This could result in other “fiduciary” models or the their data governance journey and must continue to creation of learned intermediaries tasked with adapt to a rapidly evolving landscape. Countries are representing or advising consumers. In addition grappling not only with technological advances but to government efforts, there are a number of also with changes in consumer behavior and con- private sector-led initiatives, including Inrupt, Digi. sumer expectations with respect to how their data is me, and The Data Transfer Project that are seek- shared and who derives value from it. ing to reimagine how consumers consent to share their personal data—even in environments where Given this evolving context, a number of areas will national standards for data sharing are not yet in require ongoing research and testing before the place. As governments and companies experiment impact of current efforts are fully understood and with different models and as these efforts mature, before specific best practices for trusted data sharing there will be important opportunities to learn can be asserted with greater certainty. Among others, about the challenges and opportunities of different the most notable areas include: approaches and better understand how each align with national development objectives. 1. Creating metrics for tracking progress towards a trusted data sharing environment: As described in 3. How costs and benefits of data governance should be the methodology section, the lack of clear metrics weighed: Some of the policy dilemmas in designing for assessing investments in the five pillars is a key a data protection framework revolve around the limitation in defining success and evaluating prog- opportunity costs of introducing stronger data ress towards a trusted data sharing environment. protection measures. While many data protection Creating such a monitoring and evaluation frame- measures are intended to equip the individual, work will deepen the understanding of the relation- some involve greater costs than others. The costs ship between the five pillars, help identify if there to a given organization (public, private, or civil are gaps in the framework proposed in this report, society) of accommodating timely data subject and further illuminate for governments the path to access requests and data portability, for instance, maximizing the value of data for their development might be weighed against the intended benefits objectives while also cultivating trust in the data of correcting the quality of data held or improved ecosystem. citizen/consumer choice. When is transparency enough to impose a quality discipline, as opposed 2. How models for consent evolve or are replaced by to a more onerous portability requirement? Do the other data protection mechanisms: As described lessons differ between situations where the key above, India’s emerging efforts to decouple con- purpose of sharing is to equip individual consum- sent collection from the data request represent an ers to make market choices (e.g., competition in important innovation in protecting personal data financial services) and situations where the sharing and equipping individuals with greater agency is intended to enable generation of insights for pol- over their data, and other countries are starting icy decisions by governments? Such questions may 45 Enablers & Safeguards for Trusted Data Sharing in the New Economy be driven by market policy considerations, such as applicable to all organizations collecting and pro- lowering barriers to switching providers, but these cessing data or only certain ones for the purpose of are typically very context specific both in terms of achieving particular economic and social goals, or the time and manner of their introduction and the for the purpose of enabling greater competition? effort and cost to be effective (one of the UK and Australian lessons has been that open banking is 6. How consumer demand will evolve in response to the very specific to the type of data and APIs that are data sharing models that are emerging today: GDPR involved). Further research would be helpful to has helped catalyze some convergence around understand the costs of remedies and assess when a rights-based approach to data governance. A the anticipated benefits of sharing would justify the number of the countries profiled in the report are remedies introduced. experimenting with models for equipping citizens with new rights and capabilities to manage their 4. How the principles and practices that are starting own data. At this time, the extent to which individu- to emerge apply to rapidly emerging technologies: als will want to manage their personal data and the As a number of the cases studies in this report capabilities they will need to do so in an informed demonstrate, data sharing when designed and and responsible way are still not yet fully under- implemented well can give transparency into who stood. The extent to which individuals will want accesses data and why, thereby reinforcing data direct control over their data versus simply wanting protection and increasing trust. However, as the more transparency in how their data is being used current response to the COVID-19 pandemic has will remain an important area for investigation as highlighted, there is another layer of transparency data sharing models expand and evolve. Answering needed in terms of how algorithms and machine these questions will require not only understanding learning technologies use data to affect decision- individuals’ preferences and capabilities but also making. How can policies adequately ensure the understanding how different data sharing models opportunities of this data can serve public and create new forms of risks. private players? How can governments handle a future in which personal and nonpersonal data are 7. The nature of trust in data protection: The CGAP increasingly mixed? How can governments put in study (mentioned in the report) that found Kenyans place responsibilities over algorithmic decisions? and Bangladeshis ready to face inconvenience or pay more for stronger data protection argues 5. The medium- to long-term impact of data sharing that data protection is good business. Further requirements on business: While there has been a research would be helpful to understand better convergence around a rights-based approach to what it is that data subjects are valuing when they data, driven in part by the enactment of GDPR, it are offered a system geared towards greater trust. remains too early to project its full impact on busi- How much are they concerned about data security ness. This area of investigation will have to con- and personal financial risk (e.g., of the individual sider the incentives of the private sector to collect facing fraud from identity theft or lower credit ref- and share data. What data sharing is beneficial and erence rating) as opposed to privacy concerns (e.g., what is not? When to require and when to prohibit about autonomy and liberty)? The answers to these data sharing? What means of data sharing are questions may be culturally contingent, but if so, most effective, for instance requiring interoperabil- it would be useful to policy makers to understand ity, data portability, or full access to datasets? On this as it can help them choose where to put their what basis should obligations apply, for instance, attention and the regulatory burden. ANNEX: CASE STUDIES 47 Enablers & Safeguards for Trusted Data Sharing in the New Economy INDIA: DATA SHARING TO EMPOWER INDIVIDUALS BACKGROUND turbocharged internet subscriptions and data con- sumption, which quadrupled in both 2017 and 2018 The Republic of India is the world’s most populous and is helping bridge the country’s digital divide; inter- democracy, covering most of Asia’s southwestern net infrastructure and subscriptions in India’s lower- landmass. With more than 1.3 billion people across income states are growing faster than in higher- 28 states and eight territories, India’s scale and income states. Based on current trends, the number of diversity rival those of continents rather than most internet users is projected to increase by about 40 per- other countries. While the constitution recognizes cent to 800 million and the number of smartphones 22 official languages, in fact nearly 20,000 languages to double to 700 million by 2023.28 Demographically, and dialects are used throughout India. The people of some 65 percent of the population is below the age of India are socially and culturally varied, and contend 35, and 100 million Indians are expected to enter the with significant inequality. Despite impressive gains workforce over the next decade.29 in economic growth in recent years, some 114 million Indians still live in severe poverty,26 and less than four To address the aspirations of India’s increasingly percent of the population had income high enough to connected, youthful population and the imperative to be subject to tax in 2019.27 expand economic opportunity, over the past decade the government has made major investments in Despite these complexities, digital uptake has accel- digital infrastructure and related enablers, which are erated rapidly in recent years. India is a large and reshaping government service delivery and fueling fast-growing digital market, with over 1.2 billion commercial innovation. This common technology mobile phone connections and 560 million internet framework, known as the “India Stack” because of subscribers in 2018, second only to China. Compet- the ways in which the various solutions can be com- itive offerings by telecommunications firms have bined for a multitude of uses by entrepreneurs and 26 UNDP. “Human Development Reports: Population in severe multidimensional poverty (%), http://hdr.undp.org/en/indicators/101006. Accessed March 2020. 27 Economic Times Online. “Two crore Indians file returns but pay zero income tax,” https://bit.ly/2x2LvFN. Accessed March 2020. 28 Kaka, Noshir; Madgavkar, Anu; Kshirsagar, Alok; Gupta, Rajat; Manyika, James; Bahl, Kushe; and Gupta, Shishir. “Digital India: Technology to transform a connected nation,” McKinsey Global Institute, March 27, 2019, https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/digital-india-technology-to-transform-a-connected-nation#. Accessed March 2020. 29 Census of India 2011. Accessed March 2020. 48 UNRAVELING DATA’S GORDIAN KNOT governments alike, is rapidly changing India’s data Given the scale and scope of the interrelated prob- landscape and prompting the Government of India to lems of financial exclusion and massive inefficiencies consider how data produced by Indians can be lev- in the welfare system, in 2009 India began to create eraged to empower people, advance socioeconomic digital infrastructure to close gaps in identity systems objectives, and fuel the domestic innovation economy. and the banking sector. This infrastructure, the India Stack, is a set of loosely coupled technologies and pro- THE INDIA STACK tocols, bolstered by policies, regulations, and/or laws, as relevant. Each API or standard may have its own The various platforms or “layers” of the India Stack “owner” within the GoI or public trust entities, and its were created over time to address long-standing gaps own distinct licensing nuances. Importantly, all com- in the basic systems that enable broad-based par- ponents of the Stack are based on two foundational ticipation in the formal economy. These gaps, which design principles: (1) creating digital platforms as overwhelmingly impact the poor, women, and minori- public goods so both government and private sector ties, left some 400 million adults and other marginal- participants are able to develop technological innova- ized populations outside of the formal economy and tions; and (2) incorporating data privacy and security often beyond the reach of key government assistance in the design of digital public goods. programs. In 2008, only one in 25 people in India had formal identification and only about a quarter of the Because of the shared design principles, each layer adult population had a bank account. The extreme contributes to lowering the costs of transactions on financial exclusion coupled with inefficiencies in India’s both the supply side and the demand side by eliminat- vast network of welfare programs meant that prog- ing paper documents, enabling remote transactions, ress was slow and uneven. This wasn’t due to neglect; reducing the use and thus cost of cash handling, and progress was slow despite decades of government-led simplifying compliance with government regulations. efforts to raise living standards among the poor. In This effect is expanding the addressable market, the early 2000s, an acute federal budget challenge making it easier and less expensive to deliver public sharpened focus on the fact that public assistance and private services to lower-income Indians. It also expenditures were outpacing government revenue creates efficiencies across the broader economy and growth. The GoI’s federal and state-level social pro- systems of public administration. tection programs accounted for more than one-sixth of the government’s annual budget, and as such, the Understanding the two most mature layers of the well-documented “leakages” in the multilayered supply India Stack—identity and payments—is central to chain of the social safety net became an obvious target understanding India’s emerging approach to data for reform. At the heart of the problem was the inabil- sharing, known as the Data Empowerment and Protec- ity to ensure benefits, whether subsidized commodi- tion Architecture. Because the identity and payments ties or cash transfers, made it into the hands of eligible layers are currently enabling more than 800 million recipients without diversion, loss, or duplication. transactions per month, Indians across income seg- ments and small businesses, once “invisible” are now generating rich data histories online. 49 Enablers & Safeguards for Trusted Data Sharing in the New Economy AADHAAR: FOUNDATIONAL DIGITAL IDENTITY while complying with anti-money-laundering regula- tions. e-KYC also enabled the GoI to begin transferring In 2009, a new government agency, the Unique Iden- welfare benefits and targeted subsidies directly to tity Authority of India (UIDAI), was tasked with creating bank accounts. The impact of e-KYC has been sub- a population registry that could serve government stantial. According to one estimate, banks that use needs including more efficient benefits distribution. e-KYC lower their compliance costs for new accounts UIDAI designed a nationwide population registry from about US$ 13 to less than US$ 1.31 As of the end scheme that assigns a unique, randomly-generated of 2019, an average of three million Aadhaar-based twelve-digit number to every individual. The system e-KYC requests were processed daily. collects minimal personal and demographic data (name, gender, date of birth, and address), as well In the years since it was introduced, Aadhaar has been as biometric data (fingerprints, iris scan, and a facial deeply embraced by the private sector and many photo). Linking an email address and/or mobile tele- government agencies. As of 2019, 95percent of adults phone number to one’s profile is optional. in India were enrolled and reported using the system at least once per month. In 2018 the Supreme Court Aadhaar, or “foundation” in many Indian languages, is ruled that private entities cannot refuse to provide ser- a foundational rather than functional identity manage- vices to someone for lack of Aadhaar enrollment. The ment system in that the biometric profiles are used high court further held that children cannot be denied only to confirm identity and authenticate transactions. education for lack of Aadhaar.32 Despite these rulings, Aadhaar participation does not confer any specific a 2019 survey found that some 65 percent of people rights or privileges such as citizenship, eligibility to mistakenly believe that providing Aadhaar is mandatory vote, permission to drive, etc. Other, domain-spe- by law for opening bank accounts, obtaining SIM cards, cific identities such as India’s tax ID—the Permanent and even school enrollment. In fact, Aadhaar is only Account Number (PAN)—use Aadhaar to deduplicate legally required in order to receive public benefits dis- its registries. tributed through federal and state welfare programs. This linkage to subsidies and social protection pro- A verifiable identity is the bedrock of a modern econ- grams, combined with the cost savings and efficiency omy in large measure because it enables participa- gains for accessing commercial services, makes Aad- tion in the formal economy by ensuring financial haar participation effectively (if not legally) mandatory institutions and other regulated enterprises comply for individuals and businesses to function in India.33 with national and global standards to mitigate illicit finance. In 2012, the Reserve Bank of India authorized UPI: INTEROPERABLE DIGITAL PAYMENTS Aadhaar identities to fulfill KYC30 requirements via the e-KYC component of the India Stack. Digitalizing the The Unified Payments Interface (UPI) is a real time, manual KYC process allows banks and other com- fully interoperable retail payment system devel- panies to handle the process paper-free, drastically oped by the National Payments Corporation of India reducing the costs of onboarding new customers (NPCI) and deployed in 2016. UPI is the layer of the 30 Know-Your-Customer (“KYC”) is the process of verifying identity and assessing if the customer is suitable for a business relationship. Before opening a financial account, banks are required to conduct a KYC check for regulatory compliance requirements, to prevent fraud, money laundering, and terrorist financing. In India, KYC also is required for activating a mobile phone connection. 31 https://www.livemint.com/Industry/0S81b1kQmceoP1OAaligcK/Is-the-banking-system-overlooking-key-challenges-in-its-rush.html 32 Gelb, Alan, Mukherjee, Anit and Navis, Kyle Navis. “What India’s Supreme Court Ruling on Aadhaar Means for the Future,” Center for Global Development, September 26, 2018. 33 State of Aadhaar Initiative, https://stateofaadhaar.in/index.php. Accessed March 2020. 50 UNRAVELING DATA’S GORDIAN KNOT India Stack that enables seamless money transfers Accessibility Policy in 2012, requiring the Government between accounts, regardless of the type of financial of India to make all nonsensitive data be available in provider. UPI creates a single interface between all machine and human readable forms. To facilitate this, bank accounts, effectively granting everyone with a the Ministry of Electronics and Information Technol- smartphone access to the payment system and allow- ogy (MEITy) has taken a number of steps to introduce ing financial transactions to take place instantly, on efficiencies in government sharing of data, including a demand, and in fiat money inside the formal financial Policy on Open Application Program Interfaces (APIs) system. NPCI, a not-for-profit utility capitalized by which prompted all arms of government to publish 56 banks and closely regulated by the Reserve Bank of APIs and adhere to the same API standards, the India, oversees and maintains UPI. DigiLocker platform for the issuance and verification of electronic documents, and the India Enterprise UPI has made payments simpler by removing the Architecture Framework (IndEA Framework) which need to enter lengthy bank account numbers and IFS aims to create a consistent model for Enterprise codes. To make a UPI payment, the user has to know Architectures across the national, regional, and local only the recipient’s virtual payment address (VPA), governments and their agencies in order to provide or use QR codes. The VPA is a simple combination of more integrated e-government services.34 username and bank name that looks similar to abc@ xyzbank. UPI is a modern, mobile-first system that KEY FEATURES OF DATA GOVERNANCE does away with the need for physical cards. In a coun- try like India, with its low literacy levels, this kind of LEGAL DECISIONS AND LEGISLATIVE ACTION simplicity is essential for financial inclusion. It is important to note that the first layer of the India As of late 2019, the two most mature layers of the Stack, the Aadhaar identity system was introduced India Stack—identity and payments—are being used before a legal and regulatory framework was enacted. for more than 800 million transactions per month This led to intense debate and culminated in legal each. These transactions, combined with growing challenges to the constitutionality of the system that usage of commercial tech applications, are enabling went all the way up to the Indian Supreme Court. millions of Indians, many of them still poor, to gener- Concerns of government overreach led in 2012 to a ate rich data histories about themselves. The oppor- raft of lawsuits challenging the legality of Aadhaar on tunity to translate this emerging “data wealth” into a number of grounds. Most notably that the collection meaningful benefits for individuals and SMEs inspired of biometric data violates civil rights and that the Aad- the design of the India Stack’s newest layer, which haar Act of 2016 did not provide adequate statutory enables consent-based data sharing. This effort, called basis for the identity system. Eventually these chal- the Data Empowerment and Protection Architecture, is lenges reached the Indian Supreme Court, which, in discussed below. separate rulings in 2017 and 2018, found that privacy is a fundamental right for citizens protected under the In parallel with the growth of the India Stack, the country’s constitution; that Aadhaar system’s collec- government promoted inter- and intra- government tion of biometric data does not violate the constitu- data sharing to facilitate e-government services. The tion; and placed limits on the GoI’s ability to mandate Union Cabinet passed the National Data Sharing and Aadhaar. The Court found that while the government 34 Government of India, Ministry of Electronics and Information Technology (MEITYy). “IndEA Framework,” https://www.meity.gov.in/writereaddata/files/IndEA_Framework_1.0.pdf. Accessed Nov. 3, 2020. 51 Enablers & Safeguards for Trusted Data Sharing in the New Economy could embed Aadhaar in welfare schemes, it could not some of the data they generate online. The aspiration, mandate private sector use or require citizens to use as described in the Srikrishna Report, is to enable their Aadhaar number to open a bank account, get Indians to access and use their data for their own a phone connection, or in school admission. It also benefit, and to ensure that data can be made avail- determined that an Aadhaar holder’s data cannot be able for innovation beyond the platform on which it is disclosed on the grounds of national security. produced. DEPA, some argue, can enable Indians to translate their “data wealth” into improved socioeco- While these court rulings defined fundamental rights nomic opportunities. and limitations on Aadhaar related to data protection, the broader legal environment for data governance At the broadest level, MEITy has introduced national remained woefully outdated. The prevailing Infor- guidelines to standardize consent for data sharing mation Technology Act of 2000 provided norms for so as to ensure individuals are consenting to every data collection and usage but no guidelines for data instance of data sharing rather than “pre-authorizing” storage, user consent, or general processing require- data processing/sharing at the point of collection. ments. To address these gaps, a commission led by The standardized consent artefact requires each retired Supreme Court Justice BN Srikrishna produced transaction specify the parties involved, data to be a report and framework for data protection, which shared, purpose of data sharing, and time-stamped formed the basis for the draft Personal Data Protec- signatures. By standardizing consent in this manner, it tion Bill (PDPB) pending before parliament. The draft becomes possible to audit data flows to ensure users’ legislation grants Indians many of the same rights authorization matches the subsequent data transfer. over data as GDPR does for EU citizens. The bill, if passed, will give individuals the right to access and The Reserve Bank of India became the first to intro- port personal data. It would also place the respon- duce these standards across the entire financial sibility on data holders to be accountable to people sector with the issuance of the Account Aggregator regardless of consent obtained. In other words, data Master Directive in 2016, which was updated in 2019 holders must put in place structures that will minimize with technical specifications.35 RBI is adopting DEPA harm to individuals, even inadvertent harm, when in order to foster competition in the heavily con- processing personal data no matter what consent was centrated banking sector and to fuel the innovation granted by the user. While the PDPB does promise needed to deepen financial inclusion by “unlocking” to codify this rights-based approach as an umbrella data from silos held by dominant private and public standard for data collection and processing, there are sector providers. With the creation of this new class of concerns that exemptions granted to the government regulated entities, called “account aggregators,” RBI for data collection and use in the national interest is spearheading a new means of establishing “trust” (Section 35 of the draft PDPB) are too broad and risk in the data economy by separating consent collec- undermining citizens’ right to privacy. tion from data processing. In other words, account aggregators effectively serve as “data fiduciaries” that DATA EMPOWERMENT AND PROTECTION ARCHITECTURE request and verify consent from individuals. In parallel to this legislative action, MEITy and Reserve Bank of India (RBI) have introduced efforts to oper- ationalize the right of citizens to access and control 35 Reserved Bank of India Notifications, https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10598&Mode=0. Accessed March 2020. 52 UNRAVELING DATA’S GORDIAN KNOT Figure 2: Account Aggregator Model Source: Sahamati. “Account Aggregator Frequently Asked Questions,” https://sahamati.org.in/faq/. Accessed March 2020. According to the newly formed industry association To encourage participation by financial providers in for account aggregators, Sahamati (meaning con- emerging DEPA solutions, the Goods and Services Tax sent, in Hindi), no financial information of the user Network (GSTN), under the supervision of the Ministry can be retrieved, shared, or transferred without the of Finance, is making available all goods and services explicit (and digital) consent of the user. Thus account tax (GST) data available through the established con- aggregators act as a “data-blind” conduit between sent mechanisms. Access to this vast data repository entities requesting the data and the providers of the of consumer and business data is expected to drive data, and do not process the data. The data that flows integration with the shared consent framework across through an account aggregator is encrypted and can the financial services sector. As of February 2020, be processed only by the entity for whom the data is RBI had issued three account aggregator licenses in intended. This structure limits the business case of the full, four in principle, and anticipates an ecosystem of account aggregators to fairly intermediating consent, more than one dozen fully licensed aggregators by which will operate on a utility model of charging trans- the end of the year.37 action fees.36 In addition, account aggregators do not and cannot store data, thus mitigating the potential To bolster the data empowerment strategy, two insti- for leakage and misuse. Importantly, this model also tutional innovations have been developed to ensure prevents the data holder from knowing the identity of that data sharing conforms to the consent provided the data requestor. and protects privacy. These include the forthcoming 36 The consumer technically bears the cost of the account aggregators. However, it is expected that consumers in India will likely receive a voucher from the financial information user that is redeemable at any account aggregator. In this arrangement, the consumers have the freedom to choose their account aggregator and costs are borne by the data requestor. 37 Sahamati. “Account Aggregators in India,” https://sahamati.org.in/account-aggregators-in-india/. Accessed March 2020. 53 Enablers & Safeguards for Trusted Data Sharing in the New Economy Data Protection Authority described in the draft PDPB. While the exact role and resources for the DPA are still being finalized, it is expected to be a mediator of com- plaints from individuals who believe their data rights have been violated. In parallel, Sahamati is working with market players in the financial sector to establish norms for data exchange given the government has only specified requirements for consent collection. Sahamati also serves as a forum for adjudicating dis- agreements when a data request is not fully met.38 Ultimately, the goal of the DEPA framework is to establish a governance model for transactional data that balances the rights of individuals with those of the state. The policy and regulatory efforts are com- plemented by technical efforts to craft systems that safeguard privacy while unlocking data to empower individuals and small businesses. This effort is still in process and there is a vibrant public debate about how personal data should be treated by the law. How- ever, the emerging approach appears to be two-fold: (1) establish individual rights related to personal data, while also asserting rights for the state, and (2) put in policy technology standards and protocols that enable consumers to actively assert the rights they are afforded by law. 38 Sahamati. “Sahamati—Collective of the Account Aggregator Ecosystem,” https://sahamati.org.in/. Accessed March 2020. 54 UNRAVELING DATA’S GORDIAN KNOT ESTONIA: DATA SHARING FOR GOVERNMENT EFFICIENCY AND TRANSPARENCY BACKGROUND newly independent country had in the run up to acces- sion to the European Union, manifested in several Estonia is a small, Northern European country of 1.3 ways in the first decade of independence: million people nestled along the Baltic Sea. Following the restoration of the country’s independence from 1. Massive investment in internet connectivity: Imme- the Soviet Union in 1991, the country quickly set about diately following independence, the government creating a parliamentary democracy and shifting privatized the national telecommunications monop- toward market capitalism. Two early priorities were to oly and invested in fiber optic cables to connect the conduct a comprehensive review of its citizenry and academic centers in Tallinn and Tartu. By the end to establish an independent currency. To achieve both of the 1990s, all schools in Estonia were connected objectives simultaneously, the government estab- to the internet. lished a system whereby citizens could self-register in a national database and, in doing so, exchange Rus- 2. Focus on digital skills: In 1996, the government sian rubles for Estonian kroner. This effort allowed the launched the “Tiger Leap” initiative, which continued country to start afresh with a clean, digitized registry massive investments in internet connectivity and of its citizenry. Unbeknownst to the policy makers at introduced computer skills in all secondary schools the time, it was an important foundation for efficiently starting at the age of seven to ensure future gener- introducing a digital identity solution a decade later. ations would be digitally literate. Another initiative, Look@World, done in partnership with banks and Estonia had been home to leading Soviet technical and telecoms provided computer training to 10 percent scientific universities including the Tallinn Polytechnic of the adult population who represented the least University and Tartu State University. Several scien- digitally literate segments of society. including tists, engineers, and academics were at the center blue-collar workers and retired individuals. Pro- of the (peaceful) independence movement and then grams in digital literacy continue even today with moved into government upon sovereignty in 1991. efforts like Targalt Internetis which promotes inter- This meant that Estonia had a number of key leaders net safety and awareness of data rights. who had been using the internet and its precursors, and recognized the potential of digital technologies 3. Digitizing core registries to serve as the foundation even then. Their instinct to use technology to “leap- of a modern government and economy. In addition frog,” combined with the regulatory flexibility the to the first population registry, which later led to 55 Enablers & Safeguards for Trusted Data Sharing in the New Economy the national digital identity system, the govern- successful implementation of a government data ment created national land and business registries. sharing regime that enables better delivery of public To ensure all Estonians could identify themselves services. In fact, Estonia has a number of other spe- in order to access government services online, the cific characteristics that were critical to successfully government initially allowed people to use bank deploying X-Road and implementing a successful data credentials. Once ready, however, the government sharing regime, most notably: launched a new digital identity solution in 2002. ID numbers of people are not kept secret—the idea is • A high degree of trust in public institutions, reinforced that because there is a secure digital ID and secure by the use of digital technologies. After the fall of the systems, knowing someone’s number won’t allow Soviet Union, the leaders of Estonia’s digital trans- you to do anything with that information (unlike a formation prioritized building trust in new forms of social security number in the US, for example). The communication between government and citizens. ID card looks like a normal ID card, but contains One of those leaders, Linnar Viik, cites the govern- on the chip two digital certificates, one for identity ment’s decision to use email communications— authentication and the other for digital signature. which was emerging as a legitimate means of com- Rollout started in 2002 and was complete in 2012. munications at the time—as a key building block of a trusted digital society. As he describes, that Thus, although the average Estonian was still rela- decision helped to “slowly take down the institutional tively poor and less than 10 percent of households barriers impeding communications to be as easy and owned a computer in 1999,39 by 2016 approximately relaxed as possible. As a result, ‘people trust digital 90 percent of the population had become active users interactions because we intentionally built digital non- of the internet. formal forms of communication which people are used to employing, and that is something which contributes Importantly, in 1999-2000 the government under- to making the social components of trust”40 took a pilot to connect three separate administrative databases without using a costly central solution. These types of early investment in building trust The experiment tested the security and efficacy of in public institutions have been maintained and using the public internet to send queries to different strengthened by the government’s efforts to provide databases, each originally built using different tech- a high degree of transparency in its use of data and nologies. By 2001, Estonia was ready to roll-out a provision of services. fully scaled X-Road system for data exchange across government systems. As described in more detail • The ability of a small number of public and private below, X-Road allows government agencies to develop sector leaders to coalesce into an agile network that their own ICT systems and policies but also ensures shares a vision of digital transformation and was able interoperability between them—a critical innovation to cultivate quick and lasting political support. This that has enabled significant efficiency gains for the network enabled many of the policies and practices public sector and resulted in improved government that have led to a successful X-Road implementa- services for citizens. tion to take root without a centralized office for digital transformation, unlike many other countries It is important to note, however, that investments that have created a restrictive, privacy-protect- in the X-Road technology alone did not enable the ing data sharing environment. Instead Estonia 39 Krull, Andre. “ICT Infrastructure and E-readiness Assessment Report: Estonia” Praxis, 2003. 40 E-Estonia. “The cornerstone of e-governance is trust” May 2018, https://e-estonia.com/cornerstone-governance-trust/. Accessed March 2020. 56 UNRAVELING DATA’S GORDIAN KNOT developed a number of design principles that were entered into force on March 15, 2019, to implement reinforced by strong public-private networks and the PDPA, which is now in force in Estonia. movement by members of these informal networks between sectors. These principles included the The Estonian data protection authority, known as the once-only policy that enables citizens and busi- Data Protection Inspectorate (DPI), fulfills the duties of nesses to provide information to the government an independent data protection authority as required only one time and the focus on secure interopera- by the GDPR and represents Estonia on the European bility of decentralized databases.41 Data Protection Board. The DPI sits within the Minis- try of Justice but acts independently with the right to KEY FEATURES OF DATA GOVERNANCE monitor the application of data protection in all public and private contexts, including governmental data The proof-of-concept for decentralized data shar- processing. It issues guidelines, handles complaints ing launched Estonia’s holistic approach to data from citizens and issues legally binding decisions.43 exchange within government and among people. This is achieved through a coherent set of technologies, The GDPR is directly applicable and thus binding law.. regulations and laws, and institutional responsibilities The specific elements of the GDPR relevant for Estonia that enforce and support the policy goals of control are that, as set out in recital 151 of GDPR, the Estonian over personal data. legal system does not include administrative fines, so in Estonia fines are imposed by the supervisory CREATING THE POLICY AND REGULATORY authority in the framework of a misdemeanor proce- ENVIRONMENT FOR DATA SHARING dure instead. PDPA does not mandate the appoint- ment of data protection officers, and the age of con- Data governance in Estonia is based on core constitu- sent is 13 under the PDPA (which can be from 13 up to tional rights and provisions in a selection of relevant 16 under the GDPR). legislation, which applies to data regardless of its form. It is a conscious choice not to create specific Relatedly, the PDPA can be viewed in relation to the legislation for digital data or for e-governance, in Estonian Penal Code, which treats some data-related order not to create parallel systems. Article 26 of the offenses as criminal offenses. For example, the unau- Estonian constitution provides that “everyone is enti- thorized disclosure of personal data obtained in the tled to the inviolability of his or her private and family course of professional activities by law enforcement life” and prevents state interference absent specific and the unauthorized granting of access to such circumstances enumerated by law.42 This constitu- personal data are both misdemeanors under the law. tional right, in part, forms the foundation for Estonia’s More severe offenses, including the illegal disclosure Personal Data Protection Act (PDPA), which entered of sensitive personal data are crimes subject to impris- into force on January 15, 2019. The PDPA covers the onment. In an effort to provide more protections, the elements of the GDPR that are left for national law. PDPA Implementation Act tightened the restrictions The Personal Data Protection Act Implementation Act on public access to criminal records. 41 Kattel, R. and Mergel, I. (2018). Estonia’s digital transformation: Mission mystique and the hiding hand. UCL Institute for Innovation and Public Purpose Working Paper Series (IIPP WP 2018-09). https://www.ucl.ac.uk/bartlett/public-purpose/publications/2018/sep/estonias-digital-transformation-mission-mystique-and-hiding-hand. Accessed January 2020. 42 Constitute Project. “Estonia’s Constitution of 1992 with Amendments through 2015,” https://www.constituteproject.org/constitution/Estonia_2015.pdf?lang=en. Accessed January 2020. 43 Jackson, Eric. “The right mix: how Estonia ensures privacy and access to e-services in the digital age.” Estonian World, January 13, 2015, http://estonianworld.com/security/right-mix-estonia-ensures-privacy-access-e-services-digital-age/. Accessed January 2020. 57 Enablers & Safeguards for Trusted Data Sharing in the New Economy In addition to these domestic enforcement mecha- CREATING A TECHNICAL ARCHITECTURE FOR DATA SHARING nisms, Estonia is also a party to the Council of Europe’s Convention 108 for the Protection of Individuals with Part of facilitating data subject rights in Estonia are Regard to Automatic Processing of Personal Data, technology-enabled solutions that make public the first binding international law concerning individ- sector-held data more accessible. In particular, uals’ rights to the protection of their personal data. X-Road—the data exchange solution that safely offers Importantly, Estonia has also signed the Amending citizens access to personal data and visibility into Protocol to modernize Convention 108 (known as government use—creates a data sharing environment “108+”), which imposes new and heightened obliga- that is trusted and value-creating. X-Road builds upon tions on data processing and transborder data flows. the pilot effort to link decentralized databases. It This could make Estonia’s legal protections stronger allows linked public and private databases and infor- than GDPR-only jurisdictions in the long run, thereby mation systems to automatically share information. further enabling data sharing with partners outside the EU. X-Road is an open source data exchange layer solution that enables organizations to exchange information Perhaps just as important as the laws themselves is over the Internet. X-Road is a centrally managed the way in which Estonians embrace their right to distributed data exchange layer between information privacy. After decades of oppression and first-hand systems that provides a standardized and secure experience in violations from occupying forces, Esto- way to produce and consume services and a com- nians have maintained the right to privacy as a core mon set of protocols and security mechanisms that topic throughout policy decisions related to economic allow members’ information systems to recognize stability.44 each other. Importantly, each government ministry or agency maintains its own database of information In practice this right to privacy requires the govern- but common reference metadata ensures that the ment to take measures to (1) protect the security of federated databases can exchange data, reducing the data on its citizens while also (2) offering means by ability for one entity to hoard data and eliminating which people have control over their data and trans- the possibility that one entity has entire control over parency into government use of data.45 citizens’ data. In this way, X-Road cultivates confidentiality, integrity and interoperability between data exchange parties. 44 Priisalu, J., and Ottis, R. Personal control of privacy and data: Estonian experience. Health Technol. 7, 441–451, June 15, 2017. https://doi.org/10.1007/s12553-017-0195-1. 45 Kivimaki, Petteri. “X-Road as a Platform to Exchange MyData,” August 31, 2018. Nordic Institute for Interoperability Solutions, https://www.niis.org/blog/2019/10/30/x-road-as-a-platform-to-exchange-mydata. Accessed March 2020. 58 UNRAVELING DATA’S GORDIAN KNOT Figure 3: X-Road Data Exchange Layer Roles and Components Source: Kivimaki, Petteri. “X-Road as a Platform to Exchange MyData,” August 31, 2018. Nordic Institute for Interoperability Solutions, https://www.niis.org/blog/2019/10/30/x-road-as-a-platform-to-exchange-mydata. Accessed March 2020. X-Road is released under the MIT license and is avail- The identity of each organization and technical entry able free of charge for any individual or organization. point (Security Server) is verified using PKI certificates Nordic Institute for Interoperability Solutions (NIIS) is that are issued by a trusted Certification Authority (CA) responsible for the development of the X-Road core when an organization joins an X-Road ecosystem. The and managing the community of interested persons identities are maintained centrally, but all the data is and experts. Technical and implementation support exchanged directly between a consumer and provider. is provided by the private ICT companies. X-Road Message routing is based on organization and service implements a set of common features to support and level identifiers that are mapped to physical network facilitate data exchange. X-Road provides the follow- locations of the services by X-Road. All the evidence ing features out of the box: regarding the data exchange is stored locally by the data exchange parties, and no third parties have • information system identity management access to the data. Time-stamping and digital signa- • message routing ture together guarantee nonrepudiation of the data • access rights management sent via X-Road.46 • organization level authentication • machine level authentication It is important to note that X-Road did not come • transportation layer encryption about using a new technology but, rather, existing • time-stamping technologies were adapted to facilitate data sharing • digital signature of messages across many government systems. In fact, since its • tamper proof logging launch in 2001 there have been six major versions47 • error handling of X-Road released, indicating an ongoing effort to 46 Kivimaki, Petteri. “X-Road as a Platform to Exchange MyData,” August 31, 2018. Nordic Institute for Interoperability Solutions, https://www.niis.org/blog/2019/10/30/x-road-as-a-platform-to-exchange-mydata. Accessed March 2020. 47 NORDIC INSTITUTE FOR INTEROPERABILITY SOLUTIONS. “X-Road History,” https://x-road.global/xroad-history. Accessed March 2020. 59 Enablers & Safeguards for Trusted Data Sharing in the New Economy refine and adapt as the needs have changed, adding, are enshrined in code.49 Each institution as data for example, security features and a web manage- controller determines what information is available ment interface. and who has access to it. Looking at an individu- al’s data without a reason is a criminal offense.50 A X-Road functions well because the rules of data shar- number of key principles govern the system of data ing and use are established in law, software code, and permission: practice without removing essential responsibilities from data controllers. Specifically, – Confidentiality principle—only authorized insti- tutions has access to data. Each institution • “Once-only” data capture. A Databases Act was will authorize officials from institutions or adopted in March 1997 to regulate the creation organizations with a data usage agreement and maintenance of digital databases and create a to have access to the data in the databases or state register of databases. The Act was repealed exchanged via X-Road. in 2006, with core principles now in the Public – Autonomy principle—X-Road member itself Information Act, as part of the strategy to avoid defines which data services it wishes to provide specialized e-governance legislation. By authorizing and to whom to grant the access rights of the the central government, the Estonian Informa- service usage. tion System Authority specifically, to oversee the – Integrity principle—X-Road also ensures that creation of all new databases, the government is data exchanged by the means of data service assured that information is captured only once. reach relevant members without leaks and as From the perspective of businesses and citizens, it a whole (without deviations and with evidential means they only have to supply government agen- value). Deviation of data between members can cies and participating businesses their information be identified. once. X-Road-enabled data interoperability coupled with the digital ID card enables personal data to be • Data transparency. Citizens and residents can securely and accurately pre-populated in advance access nearly all of their own data online through of need provided that there is a legal basis for the the State Portal (www.eesti.ee) or other specialized use of data, so that “Instead of having to “prepare” portals (e.g., Patient Portal). There are over 2,600 a loan application, applicants have their data— services integrated through X-road, more than income, debt, savings—pulled from elsewhere in the 1,200 connected organizations, public registries, system. There’s nothing to fill out in doctors’ waiting and databases and ca. 52,000 organizations as rooms, because physicians can access their patients’ indirect users of X-tee services. Estonians can log in medical histories.”48 to the portal, using their identity cards or other eID tools to view all personal data and correct mis- • Data permissions. To ensure appropriate govern- takes.51 Furthermore, X-road enables data owners ment access of personal data, strict permissions to determine what information is available and have been established for accessing X-Road data. which organizations have access to it. X-Road eco- To achieve this, permissions of data access and use system has two-level authorization. Authorization 48 Heller, Nathan. “Estonia, the Digital Republic.” The New Yorker 18 & 25 December 2017. Digital. 49 European Union: European Regional Development Fund. “Security Server User Guide’’ https://x-tee.ee/docs/live/xroad/ug-ss_x-road_6_security_server_user_guide.html. Accessed March 2020. 50 Heller. “Estonia, the Digital Republic.” 51 Herlihy, Peter. (2013, October 31). ‘Government as a data model’: what I learned in Estonia [blog post], https://gds.blog.gov.uk/2013/10/31/government-as-a-data-model-what-i-learned-in-estonia/. Accessed January 2020. 60 UNRAVELING DATA’S GORDIAN KNOT of organization has been realized by core X-Road X-Road’s distributed nature has made it far less tools, authorization of end-users is the responsibil- costly and more secure than other e-government ity of front end systems. For example, an individual data exchange systems around the world. The entire can make a particular medical file accessible to X-Road data exchange system—including mainte- some of his or her doctors while keeping it private nance, salaries, and investments—is roughly from others, if desired. Additionally, each time an $3 million per year, exponentially less than what some authority figure like a police officer or doctor or other countries spend for lower quality e-government government official looks at an individual’s secure platforms. data online, it is recorded and visible to the person concerned. Ultimately, Estonia’s model for data sharing has cul- tivated two key aspects of agency—trust and control. • Data security: Estonia became the first country The successful provision of e-government services to develop a solution on the principles shared has been built upon citizens’ trust in the government’s with blockchain at the national level. X-Road uses intent and ability to keep their information secure. cryptographic chaining technology, where each With online tax declaration and medical services institution can make decisions based on data in reaching near universal adoption in Estonia, it is clear a private ledger. X-Road ensures that no data that the steps the government has taken—technically could be changed or manipulated by anyone and (X-Road), legislatively (Personal Data Protection Act), that authenticity of data can be verified.52 X-Road and behaviorally (transparency in instances of security facilitates more than 1.5 billion transactions per breaches)—has helped build that trust. While each year (as of 2019), none of which have a supporting of these factors have contributed significantly to the traditional paper trail. The ability to deploy strong environment of trust that Estonia enjoys today, they cryptographic algorithms or similar technologies to have not developed in an entirely planned or linear increase verifiability of data has contributed signifi- way. Laws and technical solutions were developed cantly to overall trust in the system. step by step. • Data availability: Estonia has also taken steps to X-Road includes tools against inside misuse of data create backup systems for added security, cre- by officials. All queries of officials are logged. Orga- ating a “data embassy” in Luxembourg in 2017 nizations, and, in some cases even citizens can check that follows the same international laws as phys- queries of officials. If an official has misused the data, ical embassies.53 This innovation is only possible they will be punished or fired. because of legislative amendments that enable cloud-based data storage in the government cloud. The transparency created by the State Portal and the The Estonia Government Cloud is developed in ability of individuals to see how their data is being accordance with the national IT Security Standard used and access, correct, and manage it virtually (ISKE), to ensure the compliance with safety and has helped reinforce—rather than create—the trust quality requirements, including, for instance, the environment. handling of sensitive personal data with confiden- tiality and integrity. The cloud-based data storage solution enables the creation of e-embassies.54 52 E-Estonia. “Security and Safety,” https://e-estonia.com/solutions/security-and-safety/ksi-blockchain/. Accessed January 2020. 53 E-Estonia. “Data Embassy,” https://e-estonia.com/solutions/e-governance/data-embassy/. Accessed January 2020. 54 E-Estonia. “E-Governance: Government Cloud,” https://e-estonia.com/solutions/e-governance/government-cloud/. Accessed January 2020. 61 Enablers & Safeguards for Trusted Data Sharing in the New Economy SINGAPORE: DATA SHARING FOR ECONOMIC GROWTH AND INDIVIDUAL EMPOWERMENT BACKGROUND The initial strategy, led by the Smart Nation Pro- gramme Office in the Prime Minister’s Office, helped Singapore is a small island nation with a reputation surface meaningful opportunities for this phase of for pro-business adaptive regulation and a historical the country’s digital transformation, but met signif- emphasis on trade and the financial sector. In 2014, icant headwinds in implementation, leading Prime Singapore introduced its Smart Nation initiative, a Minister Lee Hsien Loong to acknowledge in 2017 digital transformation effort that has been thoroughly that “for all our pushing, we are not really going as planned and driven by the government. This initiative fast as we ought to.”57 The Smart Nation Programme has reinforced the country’s position as a regional Office identified challenges in its efforts to implement leader in digital transformation55 and established Sin- the initiative. Most notably, it found that the high- gapore as a global data hub. At the time of its launch, level aspirations underpinning the initiative were the Smart Nation Initiative was seen as the next in a not well-connected to specific opportunities and use series of “successful whole-of-nation transformations cases. Instead, an iterative process of identifying in response to digital disruption.” It built upon the needs from bottom up and setting requirements and National Computerization push in the 1980s and ear- standards from the top down would be more effective. ly-1990s and Intelligent Island and Intelligent Nation With that finding in mind, an updated strategy was initiatives that developed the country’s information published in 2018, envisioning “a Singapore where and telecommunications (ICT) industry starting in the people will be more empowered to live meaningful mid-1990s.56 The Smart Nation Initiative set forth a and fulfilled lives, enabled seamlessly by technology, vision for improvements to internet access and mobile offering exciting opportunities for all.”58 connectivity, e-government services, and IT training to modernize Singapore with a central focus on how data The Smart Nation Initiative is now organized around could enable an innovation ecosystem and modernize three foundational strategy documents and identifies the delivery of public services. three key enablers that cut across the country’s vision of the digital future (see figure below). 55 The Economist Intelligence Unit. “Singapore,” January 2017, http://connectedfuture.economist.com/wp-content/uploads/2016/11/Connecting-Capabilities_SINGAPORE_v6.pdf. Accessed, March 2020. 56 Tan, Belinda and Yimin, Zhou. “Technology and the City: Foundation for the a Smart Nation.” Centre for Liveable Cities Singapore, Urban Systems Studies, 2018, https://www.clc.gov.sg/docs/default-source/urban-systems-studies/uss-technology-and-the-city.pdf. Accessed December 2019. 57 The Straight Times. “PM maps out way ahead for S’pore in tech, trade and trust between people,” February 28, 2017, https://www.straits- times.com/opinion/pm-maps-out-way-ahead-for-spore-in-tech-trade-and-trust-between-people. Accessed December 2019. 58 Smart Nation Singapore website, https://www.smartnation.sg/docs/default-source/default-document-library/smart-nation-strategy_ nov2018.pdf. Accessed December 2019. 62 UNRAVELING DATA’S GORDIAN KNOT Figure 4: Smart Nation Framework Source: Civil Service College Singapore (A Singapore Government Agency Website), https://www.csc.gov.sg/articles/digital-government-smart-nation-pursuing-singapore’s-tech-imperative. Accessed December 2019. 1. The Digital Economy Framework for Action out- 2. The Digital Government Blueprint articulates the lines a plan to make Singapore a leading digital vision for making Singapore’s government “digi- economy that will attract foreign investments and tal to the core.” This entails utilizing connectivity, provide opportunities for Singaporeans. Published data, and computing to enable citizens, businesses, by the Infocomm Media Development Authority and public officers. The digital government plan (IMDA) in May 2018 with strategic priorities around includes a five-year roadmap, which outlines how accelerating digitization of existing industry sec- the government should use digital technologies tors, improving the competitiveness of Singapore’s when serving the public, including a National Digi- digital ecosystem, preparing the economy for tal Identity (NDI) system for Singapore businesses digital disruption, and transforming the InfoComm and residents. This system will facilitate secure Media sector itself to be a leader for other indus- and effective digital communication between the tries.59 The plan highlights “Policy, Regulations, and private sector and the government. The blueprint Standards” and “Physical and Digital Infrastructure” also emphasizes the importance of data shar- as key enablers for such a transformation.60 ing and management in creating an effective e-government.61 The six strategies in place to build 59 INFOCOMM Media Development Authority (A Singapore Government Agency Website), https://www.imda.gov.sg/infocomm-media-landscape/SGDigital/Digital-Economy-Framework-for-Action. Accessed December 2019. 60 Along with Talent and Research and Innovation. Ibid 61 Smart Nation Singapore. “Digital Government Blueprint (Summary): A Singapore Government that is Digital to the Core, and Serves with Heart,” https://www.tech.gov.sg/files/digital-transformation/dgb_summary_june2018.pdf. Accessed December 2019. 63 Enablers & Safeguards for Trusted Data Sharing in the New Economy a digital government, “building common digital and base to meet the demands of a data economy, and data platforms,” “operating reliable, resilient and hiring many software engineers, data scientists, prod- secure systems” and “strengthening integration uct managers, and others with the necessary skills to between policy, operation and technology”—all ensure it does not fall behind the private sector. The speak to the critical nature of appropriately using government has also restructured in a number of and safeguarding data to improve government ways since the launch of the Smart Nation including, service delivery and rectify major implementation most notably with respect to data governance. The issues of the initial Smart Nation Vision.62 government: 3. The Digital Readiness Blueprint was created to • Brought together separate agencies in the con- ensure all Singaporeans can access technology to verging media and infocommunications sectors to enhance their lives, every day. The government provide a single, leading interface on digital and established a digital readiness working group, with data to the private sector.65 The new entity, IMDA, participants from the public, private, and civil soci- was launched in August 2016 and tasked with the ety, tasked with ensuring access to inclusive digital responsibilities of cultivating the digital economy infrastructure, building digital literacy, and driving and ensuring public engagement in it, responsi- participation in digital communities and usage of bilities that would later be reflected in the Digital technology.63 The blueprint outlines recommen- Economy Framework for Action and Digital Read- dations around improving cybersecurity and data iness Blueprint, respectively.66 IMDA included an awareness skills, providing access to basic digital industry group to plan and execute private sector enablers, and driving interaction with data-driven development efforts around data and digital topics, technologies which are key to maximizing the ben- the Personal Data Protection Commission charged efits and containing the risks of data.64 with administering and enforcing Singapore’s comprehensive Personal Data Protection Act, and a community outreach and engagement team to REIMAGING GOVERNMENT FOR provide local content and educate the public on the THE DIGITAL FUTURE use of technology. To help realize the Smart Nation vision, the Govern- • Elevated the authority of the Government Tech- ment of Singapore has invested deeply in its own nology Agency (GovTech), empowering it to build capabilities, retraining and reskilling its employee deep ICT and engineering expertise to transform 62 Along with “Integrating services around citizen and business needs,” “Raising our digital capabilities,” and “cocreating with citizens and business, and facilitating adoption of technology” which are important enablers and outcomes of good data governance. See: https://www.tech.gov.sg/media/technews/6-things-you-need-to-know-about-the-digital-government-blueprint?utm_medium=rec- ommender_1&utm_source=aHR0cHM6Ly93d3cudGVjaC5nb3Yuc2cvZGlnaXRhbC1nb3Zlcm5tZW50LWJsdWVwcmludC8=&utm_con- tent=aHR0cHM6Ly93d3cudGVjaC5nb3Yuc2cvbWVkaWEvdGVjaG5ld3MvNi10aGluZ3MteW91LW5lZWQtdG8ta25vdy1hYm91dC10aGUtZGl- naXRhbC1nb3Zlcm5tZW50LWJsdWVwcmludA==. 63 Civil Service College Singapore (A Singapore Government Agency Website), https://www.csc.gov.sg/articles/readying-singapore-to-be-a-digital-society. Accessed December 2019. 64 Ministry of Communications and Information. “Digital Readiness Blueprint” https://www.mci.gov.sg/-/media/mcicorp/doc/mci_blueprint-report_final.ashx. Accessed December 2019. 65 INFOCOMM Media Development Authority (A Singapore Government Agency Website), https://www.imda.gov.sg/news-and-events/ Media-Room/Media-Releases/2016/imda-to-empower-businesses-workers-and-communities-to-seize-opportunities-in-a-digital-future. Accessed December 2019. 66 INFOCOMM Media Development Authority (A Singapore Government Agency Website), https://www.imda.gov.sg/-/media/Imda/Files/About/Media-Releases/2016/Annex-A--About-IMDA.PDF. Accessed December 2019. 64 UNRAVELING DATA’S GORDIAN KNOT Figure 5: GovTech Singapore Source: GovTech Singapore (A Singapore Government Agency Website). “Our Role,” https://www.tech.gov.sg/who-we-are/our-role/. Accessed December 2020. government.67 The 1,800 strong group of data sci- • Created only a few months after the initial restruc- entists, technologists, and engineers is tasked with turing, the Smart Nation and Digital Government efforts across application development, govern- Group (SNDGG), a new guiding body to marry ment digital infrastructure, data science, geospatial the planning and policy skills needed to tackle data, sensor technology, and cybersecurity.68 This such projects with the necessary implementation restructuring also served to clarify responsibili- expertise.69 ties in government on cross-cutting topics such as data protection and technology adoption while Ultimately, these institutional reforms enabled elevating the importance of data talent and provid- SNDGG—which is well-resourced and has a strong ing a central group able to drive implementation mandate—to focus on providing shared digital infra- of whole-of-government and national level data structure (e.g., data transfer platforms), enforce com- projects. mon standards (e.g., for data security), and ensure interoperability of applications. Concurrently, specific government agencies remain domain experts in 67 Ministry of Communications and Information. “Launch of the Government Technology Agency: SPEECH BY DR YAACOB IBRAHIM, MINISTER FOR COMMUNICATIONS & INFORMATION,” October 7, 2016, https://www.mci.gov.sg/pressroom/news-and-stories/ pressroom/2016/10/launch-of-the-government-technology-agency?=page&page=15. Accessed December 2019. 68 Tham, Irene. “GovTech launched to lead digital transformation in public sector,” The Strait Times, October 7, 2016, https://www.straitstimes.com/tech/govtech-launched-to-lead-digital-transformation-in-public-sector. Accessed December 2019. 69 GovTech Singapore (A Singapore Government Agency Website). “Formation of the Smart Nation and Digital Government Group in the Prime Minister’s office,” March 20, 2017, https://www.tech.gov.sg/media/media-releases/formation-of-the-smart-nation-and-digital-government-group-in-the-prime-minister-office. Accessed December 2019. 65 Enablers & Safeguards for Trusted Data Sharing in the New Economy front-line data collection and in management and use Information Security Officers, often in addition to CIOs of specific databases. Ultimately, SNDGG has helped and Chief Digital Strategy Officers.73 Within organiza- ease intragovernmental data sharing. tions, individuals are given opportunities and encour- aged to cross-train data skills while projects are often With these institutional changes in place, the Singa- assigned to cross-functional cross-agency teams, or at pore Government turned its attention to the individ- least have other domains represented in planning and uals and processes within those agencies and minis- testing sessions.74 Matrixed teams, a digital experi- tries, identifying the need to rebuild government data mentation unit, and other principles of “Agile Develop- talent, ensure better communication between techni- ment” have also been adopted to facilitate the govern- cal experts and policy makers, and improve the way ment’s “policy-ops-tech integration” goal, leading to the government delivers development projects. more iterative project planning and changes to how To draw more interest and provide a more compelling budgets are allocated and progress measured. offering to highly-sought after data talent, compen- sation packages were revamped to provide salaries These shifts in processes, culture, and ways of work- more comparable to the private sector.70 The gov- ing have had a profound effect on the SNDGG and ernment actively marketed Singapore as a hub for other ministries. GovTech, for instance, has been able international talent and rolled out a series of initiatives to expand its number of data scientists and software to attract Singaporeans working in data overseas. To engineers from approximately 400 to 600 in the last retain these talents, HR policies have been restruc- few years.75 tured to allow employees with data and digital skills to more easily switch between ministries and agencies, broadening their exposure and ensuring talent isn’t KEY FEATURES OF DATA SHARING siloed in the SNDGG.71 Programs have also been set up to facilitate employee exchanges with the private The updated 2018 Smart Nation strategy recognized sector, providing for industry professionals to share data as “a key resource in Smart Nation” and “a key their experience with government teams and gov- foundation” with value across the public and private ernment employees to gain experience in private sectors and of central importance to achieving the companies.72 Additionally, to best utilize this rebuilt Smart Nation vision. The strategy outlined the need bench of data skills, a variety of efforts have been to develop “the systems, process, and capabilities to made to better integrate traditional policy and opera- maximize the value of data” across its life cycle and tions knowledge and skill sets with the technical skills the aspiration to “be a global hub for data, akin to these new talents offer. At the management level, new [their] world class airport and seaport.” To achieve this leadership positions have also been created to ensure foundational goal, the strategy tasked the government technical expertise is included in senior conversa- in leading the way, shifting government data strategy tions about data and digital transformation. Minis- to ensure an “Integrated Data Management Frame- tries are now staffed by Chief Data Officers and Chief work, including reviewing legislation, implementing 70 Khern, Ng Chee. “Digital Government, Smart Nation: Pursuing Singapore’s Tech Imperative,” Issue 21 Ethos: A Publication of Civil Service College Singapore, July 2019, pg. 15. 71 Khern, Ng Chee. “Digital Government, Smart Nation: Pursuing Singapore’s Tech Imperative,” Issue 21 Ethos: A Publication of Civil Service College Singapore, July 2019, pg. 15. 72 Khern, Ng Chee. “Digital Government, Smart Nation: Pursuing Singapore’s Tech Imperative,” Issue 21 Ethos: A Publication of Civil Service College Singapore, July 2019, pg. 15. 73 Khern, Ng Chee. “Digital Government, Smart Nation: Pursuing Singapore’s Tech Imperative,” Issue 21 Ethos: A Publication of Civil Service College Singapore, July 2019, pg. 15. 74 Khern, Ng Chee. “Digital Government, Smart Nation: Pursuing Singapore’s Tech Imperative,” Issue 21 Ethos: A Publication of Civil Service College Singapore, July 2019, pg. 15. 75 Freymuth, James. Interview notes. 2019. 66 UNRAVELING DATA’S GORDIAN KNOT policy and building capabilities and shared services” to It has published a large number of detailed strategic reduce the time necessary to source, clean, verify, and plans to transform industries, government functions, use data, improve integration of data to build fit-for- and parts of society. It has made large investments to purpose datasets and ensure ease of access “to data incentivize adoption from funding technology devel- and analytics capabilities for policy analysis, opera- opment to driving awareness of applicable capabilities tions, service delivery, and private sector facilitation.” to shaping the necessary enabling environment. In opening remarks at the 7th Personal Data Pro- The country’s leadership in implementing open bank- tection Seminar in July 2019, Mr S Iswaran, Minister ing has been illustrative of this approach (see Spot- for Communications and Information of Singapore, light on page X for further details on how Singapore’s reinforced this vision for data, highlighting the need commitment to trusted data flows has helped drive for evolving the country’s data governance in accor- open banking). dance with a changing data landscape—that building a strong digital economy requires both “strengthening Despite this pro-innovation and iterative approach data protection capabilities and growing trusted data to regulating the innovation sector, Singapore has flows.”76 This belief, that increased data flow and better increasingly recognized the need to take a more data protection will build a strong digital economy, is explicit position on legal protections for data as a lever foundational to Singapore’s approach to data sharing. for creating a more trusted system. In other words, the evolution of the policy and regulatory environ- CREATING THE POLICY AND REGULATORY ment has evolved over the last few years to have an ENVIRONMENT FOR DATA SHARING increased focus on data protection and data security as a means to increase accountability, including spe- In line with its historical approach to regulation, Sin- cific efforts to build confidence in the sharing of data. gapore has taken an open and iterative approach to This evolution started with the introduction of the regulating data, choosing to err on the side of mini- Personal Data Protection Act of 2012 (PDPA). mizing regulatory intervention as new technologies and markets develop, while closely monitoring that Prior to enacting PDPA, Singapore did not have an development, as well as global experiences to under- overarching data protection law. Rather, the collection, stand when additional action may be necessary. They use, disclosure, and security of personal data were advocate for learning through participation, opening regulated to a lesser degree by a patchwork of laws sandboxes in a variety of different sectors, to encour- including sector-specific data protection frameworks, age collaboration with the private sector and setting such as the Banking Act in respect of the financial sec- aside large sums for the investment in domestic firms tor, which continue to operate alongside the PDPA.77 exploring new technologies or use cases. The PDPA was implemented in three phases: Despite this restrained approach to nascent markets, 1. In January 2013, setting out the scope and inter- Singapore has also been a strong advocate for the pretation of the Act, and establishing the Personal adoption of technology, once it is convinced of its Data Protection Commission (PDPC) and Data Pro- viability, by both the private sector and government. tection Advisory Committee (DPAC). 76 Ministry of Communications and Information. “Opening Remarks by Mr. S. Iswaran, Minister for Communications and Information, at the 7th Personal Data Protection Seminar,” July 17, 2019, https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2019/7/opening- remarks-by-mr-s-iswaran-at-7th-personal-data-protection-seminar-on-17-july-2019. Access 2019. 77 The PDPA sets a baseline standard for personal data protection across the private sector, alongside existing laws and regulations. This general data protection framework does not affect any right or obligation under existing laws, and that in the event of any inconsistency, the provisions of other preexisting laws will prevail. For example, the banking secrecy laws under the Banking Act govern customer infor- mation obtained by a bank, and the Telecom Competition Code governs end-user service information obtained by a telecommunications licensee. 67 Enablers & Safeguards for Trusted Data Sharing in the New Economy 2. In July 2014, the Act’s main data protection provi- deciding whether to commence an investigation the sions came into effect, setting out the obligations PDPC considers a variety of factors, including whether of organizations with respect to the collection, use, the organization may have failed to comply with all or disclosure, access to, correction, and protection of a significant part of its obligations under the PDPA, personal data. whether the organization’s conduct indicates a sys- temic failure to comply with the PDPA, the number of 3. Finally, the Personal Data Protection Regulations individuals who are or may be affected by the conduct, (the Regulations) were also enacted in 2014 to sup- and public interest considerations. The PDPC is also plement the PDPA in respect of the requirements empowered to review complaints in relation to individ- for transfers of personal data out of Singapore, uals’ access and correction requests. procedures related to requests for access to or cor- rection of personal data, and rules for exercising The PDPC may enter into cooperation agreements rights in relation to disclosure of personal data of with foreign data protection authorities for data deceased individuals.78 protection matters such as cross-border coopera- tion, including information exchange, or to assist the International best practices on data protection were enforcement or administration of data protection laws. incorporated into the formulation of the PDPA and the Regulations. Upon its enactment, the then-Min- Scope of Law ister of Information, Communications, and the Arts The PDPA covers all forms of “personal data,” elec- referenced influential data protection frameworks in tronic or nonelectronic. “Personal data” is broadly jurisdictions such as Canada and the European Union, defined as data about an individual who can be identi- as well as the OECD Guidelines on the Protection of fied from that data, or from that data and other infor- Privacy and Transborder Flows of Personal Data and mation the organization has or is likely to have access the APEC Privacy Framework. to. While the PDPA does not distinguish between the types and sensitivities of personal data, the PDPC has The PDPA is administered and enforced by the PDPC imposed more stringent guidelines with respect to and established the Data Protection Advisory Commit- National Registration Identity Card (NRIC) numbers tee (DPAC), which advises the PDPC on matters relat- and other national identification numbers.79 In general, ing to the review and administration of the personal organizations may not collect, use, or disclose NRIC data protection framework, such as key policy and numbers and other national identification numbers enforcement issues. Currently, the DPAC is headed by unless such collection, use, or disclosure is required the Senior Advisory/Director General of International by law (or an exception under the PDPA applies), or Affairs of IMDA. necessary to accurately establish or verify the identity of the individual to a high degree of fidelity. The PDPC may initiate an investigation to determine whether an organization is compliant with the PDPA, The PDPA applies to all organizations in Singapore, upon receipt of a complaint or on its own motion. In regardless of size or scale that collect, use or disclose 78 The PDPA and the Regulations were also accompanied by a set of related regulations, including the Personal Data Protection (Compo- sition of Offences) Regulations 2013, Personal Data Protection (Enforcement) Regulations 2014, and Personal Data Protection (Appeal) Regulations 2015. The PDPC has issued substantial guidance to clarify the Act’s interpretation, including sector-specific guidelines for telecommunications, healthcare, and education, among other sectors. 79 See PDPC, ADVISORY GUIDELINES ON THE PERSONAL DATA PROTECTION ACT FOR NRIC AND OTHER NATIONAL IDENTIFICA- TION NUMBERS (31 August 2018), https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guide- lines-for-NRIC-Numbers---310818.pdf. 68 UNRAVELING DATA’S GORDIAN KNOT personal data in Singapore, regardless of whether protection officer(s) (DPO)81 and to make their business they are formed or recognized under Singapore law contact information known to the public. DPOs are or whether they are resident or have an office or place responsible for ensuring an organization complies with of business in Singapore. An “organization” is broadly the provisions of the PDPA, although the designation defined as any individual, company, association or of a DPO does not relieve an organization of its obli- body of persons, corporate or unincorporated, and gations and liabilities in the event of noncompliance. whether or not formed or recognized under the law Although there are no strict requirements to apply of Singapore, or resident or having an office or place a data protection-by-design approach or carry out of business in Singapore. Notably, the PDPA does not impact assessments, DPOs are encouraged to conduct apply to regular data protection impact assessments (DPIAs) to assess and address organization-specific risks. • individuals acting in a personal or domestic capac- ity, employees acting in the course of their employ- Public Sector Data ment, and public agencies or organizations acting Public agencies in Singapore are not governed by the on behalf of a public agency in relation to the PDPA, but under the Public Sector (Governance) Act collection, use, or disclosure of personal data. and the Government’s Instruction Manual. The need for two different legislations governing data manage- • “Data intermediaries” are also exempt from most ment in the public and private sectors arises because of the PDPA’s provisions and only have to com- the public has different expectations of the services ply with the rules relating to the protection and provided by the government and the private sector. retention of personal data. A “data intermediary” The public expects the government to deliver services is an organization that processes personal data in an integrated manner across agencies, but they do on behalf of another organization, the principal not expect this of the private sector. For example, citi- organization, pursuant to a written contract (similar zens would expect the Ministry of Education to obtain to a “data processor” under the GDPR). They are personal data of children at the compulsory school only required to make reasonable security arrange- age from the Immigration and Checkpoints Authority ments to protect personal data in their possession to ensure that they are enrolled in a primary school. A in order to prevent unauthorized access, collection, citizen would not expect a tuition center to know what use, disclosure, copying, modification, disposal or other tuition centers his child is enrolled in. similar risks, and to anonymize or cease retaining personal data as soon as it is reasonable to assume Public officers who are involved in data incidents are that retention no longer serves the purposes for held accountable in the following ways: which the data was collected or is no longer neces- sary for legal or business purposes. A data inter- 1. They may be liable to fines up to $5,000 and/or mediary that surpasses the processing required up to 2 years’ imprisonment for the following acts by their contract would no longer be deemed an prescribed in the PSGA: intermediary and would be subject to the full reach a. Reckless or intentional disclosure of data with- of the PDPA.80 out authorization. b. Improper use of data for a gain. The PDPA specifically requires that organizations c. Reckless or intentional attempt to reidentify designate one or more individuals to act as data anonymized data. 80 This is akin to a data processor exceeding the scope of its authority becoming a de facto controller per the GDPR. 81 See Section 11(3), PDPA. 69 Enablers & Safeguards for Trusted Data Sharing in the New Economy 2. Disciplinary measures set out in the Public Ser- data flows, and the use of password protection and vice (Disciplinary Proceedings) and administrative encryption; measures set out in the Public Service Division’s accountability frameworks. These measures 2. Enhanced measures to detect and respond to data include: incidents, including by establishing a central point a. Counselling, warnings, or reprimands; of contact for the public to report government b. Stoppage of increment, fines, adjustments in data incidents, designating the Government Data bonus payments; Office to monitor and analyze security incidents, c. Redeployment, reduction in rank, retirement, and implementing a standard process for incident dismissal. postmortems; Last March, following several high-profile breaches 3. Enhanced data security-related competency and involving government entities, the government training, including clarification of roles for manag- acknowledged the need to review the government’s ing data security and building a culture conducive information security policies and practices, and to reporting incidents; strengthen the data security regime against current and future threats, particularly as the government 4. Increased accountability for data protection, includ- was driving more pervasive sharing and use of data to ing the introduction of organizational KPIs for data improve service delivery and policy making. security and amending the PDPA to cover vendors and nonpublic officers who mishandle personal As a result, Singapore’s Prime Minister announced the data; and appointment of a Public Sector Data Security Review Committee (the Committee) to review data security 5. Introduce and strengthen organizational and practices in the public sector.82 Led by then-Deputy governance structures to build a resilient public Prime Minister and Coordinating Minister for National sector data security regime that can meet future Security, the Committee included private sector needs, including the appointment of the Digital experts in data security and technology, as well as Government Executive Committee, chaired by the ministers from Singapore’s Smart Nation initiative. The Permanent Secretary of SNDGG, to oversee public Committee was also tasked with reviewing the role of sector data security and the establishment of a new vendors and third parties engaged by the government Capability Centre in GovTech to deepen the govern- and recommending technical measures, processes, ment’s expertise in data protection technologies. and capabilities to improve the protection of citizens’ data and the government’s incident response capabil- The Government accepted these recommendations ities. In November, following a comprehensive inspec- and promised their implementation in 80 percent tion of 336 systems in 94 agencies, the Committee of systems by the end of 2021 and full implementa- made five recommendations: tion by 2023. For now, government agencies remain exempt from the PDPA. 1. Enhanced measures to protect data and prevent its compromise, including data minimization and stor- age limitation measures, the use of digital water- marking and other forensic techniques to monitor 82 Prime Minister’s Office (A Singapore Government Agency Website). “Appointment of Public Sector Data Security Review Committee” March 31, 2019, https://www.pmo.gov.sg/Newsroom/Appointment-of-Public-Sector-Data-Security-Review-Committee. Accessed February 2020. 70 UNRAVELING DATA’S GORDIAN KNOT Lawful Bases for Processing Other Laws The PDPA provides for consent as the primary basis Various other general and sector-specific legislation for collecting, using, and disclosing personal data, For in Singapore sets out specific data protection rules, consent to be valid, the individual must be informed of including the Banking Act (on the disclosure of cus- the purposes for which his or her personal data will be tomer information by a bank or its officers), the Com- collected, used, or disclosed, and such purposes must puter Misuse Act (on computer system hackers and be what a reasonable person would consider appro- other similar forms of unauthorized access or modi- priate in a given context. Fresh consent is required to fication to computer systems), the Cybersecurity Act use personal data for a different purpose than the one (establishing a legal framework for the oversight and for which consent was obtained. Consent may not be maintenance of national cybersecurity in Singapore), conditioned on the provision of a product or service the Private Hospitals and Medical Clinics Act (relating (beyond what is necessary to provide the product or to the confidentiality of information held by private service). Where false or misleading information is hospitals and other licensed health care establish- provided, or deceptive or misleading practices are ments), and the Telecommunications Act (safeguard- used, consent is not valid. Consent may be implied ing end-user service information). where an individual voluntarily provides personal data to an organization for a particular purpose and The Monetary Authority of Singapore (MAS) is empow- it is reasonable that the individual would do so in that ered under the Monetary Authority of Singapore Act circumstance. and other sectoral legislation to issue data protection- related rules for the financial sector. Examples include There are many exceptions to the requirement to the Notices and Guidelines on Technology Risk Man- obtain consent under the PDPA, including where the agement, Notices and Guidelines on Prevention of collection of personal data is necessary for any pur- Money Laundering and Countering the Financing of pose that is clearly in the interest of the individual Terrorism (AML/CFT), and Guidelines on Outsourcing. and consent cannot be obtained, the personal data is publicly available, the disclosure is necessary for any Accountability investigation or for the provision of legal services, the Accountability is a fundamental principle of the PDPA, personal data is collected by an individual’s employer which requires organizations to ensure and demon- for employment purposes, and for law enforcement strate responsibility for personal data which it has purposes. Two new bases for processing without collected or obtained for processing, or which it has consent are under review. Per the “notification of pur- control over. The PDPC notes that organizations today pose” basis, an organization could process personal operate in an increasingly connected and compet- data without consent, where its collection, use, or itive digital economy where individuals’ online and disclosure is not expected to have any adverse impact real-world activities generate a large and growing on the individual.83 Per the “legitimate interests” basis, amount of data. As such, a box-checking approach organizations could process personal data without towards the handling of personal data is increasingly consent where economic, social, security, or other impractical and the PDPC undertook a pivot towards benefits to the public outweigh any adverse impact to an accountability approach to managing personal the individual, and reliance on this basis is disclosed. data that will help organizations strengthen public trust, enhance business competitiveness, and provide 83 Organizations that wish to rely on this basis must provide the individual with appropriate notification of the purpose of the collection, use, or disclosure of the personal data, and information about how the individual may opt out, where applicable. Also, organizations must conduct a risk and impact assessment, such as a data protection impact assessment, as an accountability measure to identify and mitigate any risks when seeking to rely on the ‘notification of purpose’ basis. 71 Enablers & Safeguards for Trusted Data Sharing in the New Economy greater assurance for customers. Singapore’s shift personal data for legitimate interests and business towards accountability is already underway. In the first improvement purposes; (iii) providing greater con- stage, the PDPC has introduced accountability tools sumer autonomy through the introduction of a data such as guides to data protection by design (“DPbD”), portability obligation to facilitate data flows to support Data Protection Impact Assessment (“DPIA”) and Data innovation that benefits consumers; and (iv) strength- Protection Management Programme (“DPMP”). As ening the effectiveness of PDPC’s enforcement pow- part of the second stage, in January 2019, the IMDA ers. The amendment of the PDPA will complete Sin- launched the Data Protection Trustmark (DPTM) gapore’s strategic shift to an accountability approach scheme as a badge of recognition for organizations to personal data protection. These amendments were that demonstrate accountability in meeting data pro- read and passed by the Parliament on October 5, 2020. tection standards. This voluntary certification scheme for enterprises incorporates elements of the PDPA, Other than changes in regulation, Singapore also international benchmarks (e.g., APEC CBPR/PRP) and promotes adoption of good data governance and other best practices, and aims to help organizations accountability practices through the Trusted Data increase their competitive advantage, build consumer Sharing Framework to give businesses a common trust, and demonstrate sound and accountable data frame of reference when exploring data sharing part- protection practices. Organizations may apply to IMDA nerships. The framework guides businesses to share for approval to participate in the DPTM certification consumer data in a trusted and transparent way to scheme, and an independent assessment body will reduce abuse and misuse. As for organizations who assess whether its data protection policies are aligned have specific use cases in mind and wish to explore with the DPTM’s requirements The DPTM certification and pilot innovative data uses with their data partners, is valid for three years and organizations may apply for they can also use the Data Regulatory Sandbox to con- recertification at least six months before the date of sult PDPC. This helps to reduce business uncertainty expiry. In the third stage, PDPC is reviewing the PDPA in compliance to current and planned policies while to reflect this shift towards an accountability approach. informing regulators of how businesses are using data of consumers. Updates and Trends The PDPA has been under review since 2017 through a As a practical example of how the Trusted Data series of public consultations led by the PDPC, with the Sharing Framework and Regulatory Sandbox can be latest being the public consultation on the Personal applied, Singapore’s Infocomm Media Development Data Protection (Amendment) Bill published in May Authority (IMDA), Personal Data Protection Commis- 2020. The proposed amendments to the PDPA under- sion (PDPC) facilitated data sharing between public score Singapore’s shift towards an accountability- and private sectors to build innovative data-driven based approach to data protection, to strengthen solutions focused on bettering health outcomes and public trust, enhance business competitiveness and financial well-being, that can address the UN Sustain- provide greater organizational accountability and able Development Goals. The learnings from this data assurance to consumers. Key areas of proposed sharing collaboration was also published in the form amendments include (i) strengthening organizational of a Practical Guidance, allowing the wider industry accountability through the introduction of a manda- to understand that data sharing can take place within tory data breach notification requirement; (ii) enhanc- a trusted governance framework and in accordance ing the PDPA’s framework for the collection, use, and with the relevant regulations. disclosure of personal data, to enable wider use of 72 UNRAVELING DATA’S GORDIAN KNOT CREATING A TECHNICAL ARCHITECTURE FOR DATA SHARING commonly-used government data sets, review the metadata and data dictionary, and download sam- The technical architecture that Singapore has created ple data sets (based on synthetic representative for data sharing unsurprisingly mirrors its Smart data). Once a civil service officer has found the nec- Nation Framework, with specific investments made in essary data, they can then submit a request to the platforms that enable data sharing for government appropriate authority for review. Officer requests efficiency, individual participation or engagement, and require sign-off from their Agency’s Chief Data to cultivate a vibrant digital economy: Officer that the data is necessary for the stated pur- pose. The request is submitted to the appropriate 1. Infrastructure for Government Efficiencies: SNDGG’s authority and reviewed within seven working days. shift to more “Agile” modular product development If approved, data is digitally watermarked and has imposed new requirements and opened up encrypted with project and officer IDs, before distri- more opportunities for common data infrastruc- bution to the officer, deterring leaks and providing ture. The Government Tech Stack was created to clear traceability. provide agencies with key building blocks to incor- porate into digital services to reduce development Vault.Gov.SG is the result of an entrepreneurial effort and time-to-market while easing mainte- effort by a team of Open Government Products nance and interoperability.84 As Digital government engineers and the Government Data Office. Kicked “means recognizing that data is a strategic asset off in 2018, the team endeavored to provide a that underpins digital transformation, and purpose- proof-of-concept that data sharing between agen- fully organizing the business model of government cies could be done in days instead of months. Vault around data,” data is a fundamental piece of the .Gov.SG was officially launched in November 2019. Stack necessary to power digital services.85 This Officers who obtained data from Vault.Gov.SG could ambitious goal required the government to build a also make use of Analytics.gov, the Singapore Gov- coherent data architecture based on its Integrated ernment’s central analytics platform with significant Data Management Framework (IDMF), which processing power and commonly-used analytics included data infrastructure and new organiza- tools, to analyze the data and develop models. Ana- tional constructs to support and scale data sharing. lytics.gov, also allows data scientists to share code with other public sector data users to accelerate the The Vault.Gov.SG platform is one key piece of data development of analytics and AI models. infrastructure that enables the Government to manage data effectively across the data life cycle The Government Data Architecture is one of the stages. The Vault.Gov.SG platform, a collaboration initiatives under the Core Operations Development between the Government Data Office and the Open Environment and eXchange (CODEX), launched by Government Products team,86 provides a platform Prime Minister Lee Hsien Loong in 2018.87 CODEX for civil service officers to explore a catalogue of provides a central set of reusable digital services 84 Khern, Ng Chee. “Digital Government, Smart Nation: PURSUING SINGAPORE’S TECH IMPERATIVE,” Issue 21 Ethos: A Publication of Civil Service College Singapore, July 2019, pg. 15. 85 Mao, Daniel Lim Yew. “Bringing Data into the Heart of Digital Government” Civil Service College Singapore (A Singapore Government Agency Website), July 30, 2019, https://www.csc.gov.sg/articles/bring-data-in-the-heart-of-digital-government. Accessed December 2019. 86 Mao, Daniel Lim Yew. “Bringing Data into the Heart of Digital Government” Civil Service College Singapore (A Singapore Government Agency Website), July 30, 2019, https://www.csc.gov.sg/articles/bring-data-in-the-heart-of-digital-government. Accessed December 2019. 87 GovTech Singapore. “Engineering Digital Government, MakingLives Better,” Annual Report 2018/19, https://www.tech.gov.sg/files/media/corporate-publications/FY2019/GovTech-AR-2019-Main-min.pdf. Accessed January 2020. 73 Enablers & Safeguards for Trusted Data Sharing in the New Economy across the Government Technology Stack to shift The trusted data layer of the Government Tech public agencies from siloed or outsourced devel- Stack is served by MyInfo, a personal data and opment approaches. CODEX comprises hosting consent manager. MyInfo was initially built to serve platforms and micro services supported by a data a “tell-us-once” use case for government e-forms, layer to help agencies reduce development time allowing users to automatically populate certain and expense and ensure a common data platform fields while processing government transactions.90 across agency applications. The platform was then successfully piloted with the banking sector to provide high fidelity gov- 2. Infrastructure for equipping people with new capabil- ernment data to streamline the account or loan ities: One of the Strategic Nation Projects identified application process, with average application times in the Smart Nation vision update was the National decreasing up to 80 percent and approval rates Digital Identity project. The National Digital Identity increasing up to 15 percent due to improved data project, focused on building the necessary infra- quality.91 It has since been integrated into “almost structure to ensure that individuals and organiza- 200 private sector and more than 150 government tions can interact digitally with both the public and digital services.”92 The MyInfo Business platform is private sector, has trusted data sharing at its core.88 piloting the same consent and data management The project encompasses efforts to build trusted capabilities to accelerate digital transactions for the digital data repositories, unique digital identities, private sector93 and has onboarded over 220,000 federated authentication, and a set of key digital SMEs as of February 2019.94 The MyInfo platforms services that can be embedded in wider public or are enabled by the SingPass and CorpPass identity private sector applications.89 In conjunction with applications. SingPass, which was initially released e-payments, these layers mirror elements of the in 2003, provided access to a secure online por- India Stack. tal to transact with government agencies.95 It has been more recently complemented with SingPass Mobile,96 a new password-less mobile application which had 420,000 users in its first ten months,97 88 Smart Nation Singapore, https://www.smartnation.sg/what-is-smart-nation/initiatives/Strategic-National-Projects/national-digital-identity-ndi. Accessed December 2019. 89 NDI {API} (A Singapore Government Agency Website), https://www.ndi-api.gov.sg/library. Accessed December 2019. 90 GovTech Singapore (A Singapore Government Agency Website). “MyInfo,” https://www.tech.gov.sg/products-and-services/my-info/. Accessed December 2019. 91 GovTech Singapore (A Singapore Government Agency Website). “Businesses can tap on MyInfo to offer faster transactions for citizens,” November 10, 2017, https://www.tech.gov.sg/media/media-releases/businesses-can-tap-on-myinfo. Accessed December 2019. 92 Lee, Kendrick. “GovTech’s ‘tell-us-once’ platform eliminates tedious form-filling for citizens,” National University of Singapore: Institute of Systems Science, https://www.iss.nus.edu.sg/community/newsroom/news-detail/2019/08/05/govtech-s-tell-us-once-platform-eliminates- tedious-form-filling-for-citizens. Accessed December 2019. 93 Smart Nation Singapore, https://www.smartnation.sg/docs/default-source/press-release-materials/media-factsheet---myinfo-business. pdf. Access December 2019. 94 Smart Nation Singapore, https://www.smartnation.sg/docs/default-source/press-release-materials/infographic---serving-citi- zens-and-businesses-better-through-technology.pdf. Accessed December 2019.. 95 Smart Nation Singapore, https://www.smartnation.sg/what-is-smart-nation/initiatives/Strategic-National-Projects/national-digital-identi- ty-ndi. Accessed December 2019. 96 GovTech Singapore (A Singapore Government Agency Website). “5 National Projects For 1 Smart Nation,” August 7, 2018, https://www.tech.gov.sg/media/technews/5-national-projects-for-1-smart-nation?utm_medium=recommender_4&utm_source=aHR0cHM- 6Ly93d3cudGVjaC5nb3Yuc2cvbWVkaWEvdGVjaG5ld3MvZ2l2aW5nLWV2ZXJ5LWNpdGl6ZW4tYS11bmlxdWUtZGlnaXRhbC1pZGVudGl0e- Q==&utm_content=aHR0cHM6Ly93d3cudGVjaC5nb3Yuc2cvbWVkaWEvdGVjaG5ld3MvNS1uYXRpb25hbC1wcm9qZWN0cy1mb3ItMS1zbW- FydC1uYXRpb24=. Accessed December 2019. 97 GovTech Singapore. “Engineering Digital Government, MakingLives Better,” Annual Report 2018/19, https://www.tech.gov.sg/files/media/corporate-publications/FY2019/GovTech-AR-2019-Main-min.pdf. Accessed January 2020. 74 UNRAVELING DATA’S GORDIAN KNOT and CorpPass, a private sector equivalent with the Moments of Life initiative. The Moments of 350,000 business switched over,98 to use advanced Life mobile application “integrates and provides authentication technologies to provide digital relevant information and services to citizens based identity for residents and businesses.99 Together, on their needs at key moments of their lives.”104 SingPass and MyInfo or their business equivalents, Using government data from various ministries allow for an entirely digital onboarding process by and a trusted digital identity, citizens are able to providing proof of identity and verified government register significant life events with relevant agen- data to meet KYC or other compliance require- cies (for instance, registering a newborn at birth ments.100 The National Digital Identity API Portal while seamlessly applying for government child provides application developers and partners benefits and a library card for the young one) or access to the technical specifications to integrate access personalized government services (such as these digital services into their applications and researching and registering interest in preschools offers supporting tools and environments to ease or accessing retiree programs and benefits).105 experimentation and development.101 The future of the National Digital Identity project focuses on 3. Infrastructure for open banking: The first step in building a federated authentication ecosystem creating open banking infrastructure was publish- with a number of private sector Authentication ing an API playbook with guidelines for API usage Service Providers working alongside the govern- in the financial sector, both collaborative efforts by ment within a common trust framework and across MAS and ABS.106 The nearly 500 page playbook pro- a variety of authentication forms (including QR vides a comprehensive framework for API selection, code and facial recognition),102 providing additional implementation, usage, interpretation, and gover- enabling digital services like digital signing and pri- nance with data, security, and API standards, and a vate sector consent collection, and encouraging the list of recommended APIs that “set the gold stan- adoption of the project APIs to reimagine digital dard for regulatory advice on the topic in Asia.”107 user journeys.103 The playbook covers nearly all the topics of similar “open banking” legislation but with its lack of spec- Together, a trusted interface for digital govern- ificity and focus on commercial use cases indicates ment service interactions and standardized data MAS reluctance to guide the market’s development. architecture across government enable another While the playbook espouses the value of adoption of the Smart Nation Strategic National Projects, and the wisdom of standardization, even going 98 GovTech Singapore. “Engineering Digital Government, MakingLives Better,” Annual Report 2018/19, https://www.tech.gov.sg/files/media/corporate-publications/FY2019/GovTech-AR-2019-Main-min.pdf. Accessed January 2020. 99 Smart Nation Singapore, https://www.smartnation.sg/what-is-smart-nation/initiatives/Startups-and-Businesses/corppass. Accessed December 2019. 100 NDI {API} (A Singapore Government Agency Website), https://www.ndi-api.gov.sg/library/trusted-data. Accessed December 2019. 101 NDI {API} (A Singapore Government Agency Website), https://www.ndi-api.gov.sg/about. Accessed December 2019. 102 NDI {API} (A Singapore Government Agency Website), https://www.ndi-api.gov.sg/library/trusted-access, Accessed December 2019. 103 NDI {API} (A Singapore Government Agency Website), https://www.ndi-api.gov.sg/library/trusted-services, Accessed December 2019. 104 Smart Nation Singapore, https://www.smartnation.sg/what-is-smart-nation/initiatives/moments-of-life/faq. Accessed December 2019. 105 Smart Nation Singapore, https://www.smartnation.sg/what-is-smart-nation/initiatives/Strategic-National-Projects/moments-of-life-initiative. December 2019. 106 Monetary Authority of Singapore. “Singapore’s FinTech Journey—Where We Are, What Is Next”—Speech by Mr. Ravi Menon, Managing Director, Monetary Authority of Singapore, at Singapore FinTech Festival—FinTech Conference,” November 16, 2016, https://www.mas.gov.sg/news/speeches/2016/singapore-fintech-journey. Accessed December 2019. 107 Rothwell, Graham. “THE BRAVE NEW WORLD OF OPEN BANKING IN APAC: SINGAPORE,” Accenture, September 27, 2018, https://bankingblog.accenture.com/brave-new-world-open-banking-apac-singapore?lang=en_US. 75 Enablers & Safeguards for Trusted Data Sharing in the New Economy so far as to note a number of relevant standards, allow Financial Institutions and FinTechs to discover the playbook does not suggest a specific stan- one another in a neutral marketplace, design col- dard, much less mandate adoption or prescribe a laborative experiments to test digital solutions in a standard.108 shared sandbox, and deploy those solutions rapid- ly.112 The marketplace platform is cloud-based and This movement into infrastructure was continued cross-border in keeping with its goal of providing in 2017, when MAS launched the Financial Industry a space for financial service providers across South API Register to serve as an updated and universal East Asia to innovate and collaborate. The platform, landing site for Open APIs and developer sites which includes structured methods for integration available across the financial services industry.109 and defines relevant standards, plans to support an The register provides access to both transaction array of solutions for use cases such as customer APIs that provide sensitive client data and require onboarding, credit scoring, payments, and com- authentication, as well as information APIs that pliance.113 The platform, also, includes discussion contain nonsensitive data like product offerings or boards and messaging to encourage a learning ATM locations with lower authentication thresh- community among participants with safeguards to olds. The register currently provides access to over ensure information around product offerings or 500 APIs available from 5 banks with DBS bank problems from FinTechs or financial institutions are leading the way with more than 200 APIs and part- not unknowingly shared with competitors. nerships with more than 50 entities. Interestingly, it also includes access to MAS’s own developer APIs For FinTechs, participation in the program is not which provides access to MAS monthly statistics geographically limited, opening up a variety of bulletin APIs,110 as the organization has invested in potential markets to providers across the globe building its digital expertise and expanded avail- as long as their applications are accessible by able APIs from 12 at start to over 40 today.111 API and the APIs are continuously supported to enable active experimentation.114 APIX actively The next infrastructure project was intended to monitors API performance to ensure compliance take some of the same principles of the Financial but is encouraging FinTech adoption with cloud Industry API register across borders. MAS, along service provider credits along with access to the with the World Bank’s International Finance Cor- sales opportunities and testing tools the platform poration, and the ASEAN Bankers Association, provides.115 launched the ASEAN Financial Innovation Network and its API Exchange Platform (APIX) in 2018 to 108 Monetary Authority of Singapore. “Financial Industry API Register,” https://www.mas.gov.sg/development/fintech/financial-industry-api-register. Accessed December 2019. 109 Monetary Authority of Singapore. “Financial Industry API Register,” https://www.mas.gov.sg/development/fintech/financial-industry-api-register. Accessed December 2019. 110 Monetary Authority of Singapore. https://secure.mas.gov.sg/api/Search.aspx. Accessed December 2019. 111 Monetary Authority of Singapore. “MAS Launches First Set of Data APIs,” November 11, 2016, https://www.mas.gov.sg/news/media-releases/2016/mas-launches-first-set-of-data-apis. Accessed December 2019. 112 Monetary Authority of Singapore. “API Exchange (APIX),” https://www.mas.gov.sg/development/fintech/api-exchange. Accessed December 2019. 113 FinTech News Singapore. “ASEAN Financial Innovation Network: An Industry Fintech Sandbox to Drive Innovation and Inclusion” November 17, 2017, https://fintechnews.sg/14574/fintech/asean-financial-innovation-network-support-financial-services-innovation-inclusion/. 114 APIX. “APIX Open Innovation Platform & Sandbox,” November 15, 2018, https://apixplatform.com/static/apix-news/batch55.html. Accessed December 2019. 115 APIX. “About Us,” https://apixplatform.com/static/about/. Accessed December 2019. 76 UNRAVELING DATA’S GORDIAN KNOT The AFIN Exchange furthers MAS’s goal of catalyz- ing new business opportunities for its domestic data-driven financial technology providers and is in keeping with its wider efforts to standardize data governance policy within the region. While the core idea is similar to the register and sandbox MAS has set up domestically, the standardization of integra- tion and authentication are important evolutions in bringing the solution closer to equivalent imple- mentations from the UK and other countries who have set standards across the data sharing journey and mandated compliance. Going forward, there is hope that the new data portability provisions as part of the Personal Data Protection Commission’s review of the Personal Data Protection Act may widen Singapore’s open banking aperture. Indeed, MAS has very recently indicated that they will be implementing a data aggregation portal in 2020 in line with what was proposed by the PDPC and Competition and Con- sumer Commission of Singapore discussion paper on Data Portability as part of the open banking program.116 The portal would allow consumers to aggregate financial data from a wider set of sources, including investment managers, insurers, and banks, and share that information with tradi- tional financial services providers and FinTechs.117 While details on how this will be instituted are not yet clear, it has the potential to set a de facto stan- dard for data sharing in open banking in a way that MAS avoided until now. Consumer protection gaps are still a risk to the continued success of open banking implementation, as recent government data breach incidents, in particular, have shown, but are the focus of many other policy, educa- tion, and enforcement initiatives across the Smart Nation Vision. 116 Lee, Jamie. “Consumers to be able to aggregate and share financial data next year,” The Business Times, October 25, 2019, https://www.businesstimes.com.sg/banking-finance/consumers-to-be-able-to-aggregate-and-share-financial-data-next-year. Cited Discussion Paper available: https://www.cccs.gov.sg/resources/publications/occasional-research-papers/pdpc-cccs-data-portability 117 Lee, Jamie. “Singapore digs deep to bring true financial liberalisation,” The Business Times, November 11, 2019, https://www.businesstimes.com.sg/hub/sff-x-switch-2019/singapore-digs-deep-to-bring-true-financial-liberalisation. Accessed December 2019 77 Enablers & Safeguards for Trusted Data Sharing in the New Economy CHILE: DATA SHARING FOR GOVERNMENT EFFICIENCY BACKGROUND After Chile’s transition to a democracy, the govern- ment built on and expanded efforts to ensure social Chile has taken a comprehensive approach to social protection in the face of high inequality. Through a protection focused on several dimensions of risk that 2004 law, Chile established the Chile Solidario initia- arise from poverty, starting in the 1980s. Economic tive, which combined a system of distributed public reforms under the government in the 1970s impacted benefits to the extreme poor with active psychosocial the most vulnerable—between 1973 and 1980, the support through social worker intermediation and number of state-controlled companies fell from 300 to outreach. Chile Solidario relied on accurate data for 24, with big cuts to budgets for infrastructure, hous- identifying and reaching those in need. However, it ing, education, and social security.118 This led to high was preceded by a fragmented safety net: a mapping rates of poverty, with nearly 17 percent of the popula- exercise undertaken in 2002 found 142 programs with tion classified as indigent by 1987. The government’s poverty reduction objectives being run by 33 different response to these changes was the introduction of a agencies. This reflected a system that undermined social protection regime, which has expanded over government effectiveness. Consolidating these efforts the decades and now supports citizens in times of was key, and the government created an integrated unemployment, ill health, old age, disability, extreme social information system (SIIS) mandated by law poverty, and other vulnerable conditions. under Chile Solidario, to link these several public databases that collected citizens’ data. To link several 118 Davies, Richard (2020). Why is inequality booming in Chile? Blame the Chicago Boys. Retrieved 10 November 2020, from https://www.theguardian.com/commentisfree/2019/nov/13/why-is-inequality-booming-in-chile-blame-the-chicago-boys. 78 UNRAVELING DATA’S GORDIAN KNOT disparate databases managed by different public personal data protection, but one that uses civil courts agencies, Chile used the national ID number—Rol for enforcement, which may be burdensome for some Unico Nacional—alongside the ClaveUnica—a national to seek relief. Digital ID. This enables data gathered by different ministries to be linked together into a single large This case study is structured in three subsequent registry, which is then used for enhancing public ser- sections. The first section looks at the evolution of the vice delivery.119 integrated social household registry and its data shar- ing mechanism. The second section focuses on the As of 2019, the integrated social information system legal and constitutional underpinnings of data pro- (RIS)—which comprises the Social Registry of House- tection in Chile, and the experience of using courts as holds120 and the Intended Public Beneficiaries regis- enforcers. The third section abstracts lessons for data try—contains data shared by 43 state agencies at all governance frameworks from Chile’s experience. levels of government, covering nearly 75 percent of Chile’s population. This intersectoral database deter- mines eligibility for about 80 social protection pro- KEY FEATURES OF DATA SHARING grams and collects self-reported data, administrative data, and geographic data from different sources. ADVANCING INTERSECTORAL DATA SHARING BY LINKING SEVERAL PUBLIC DATABASES Increased data sharing in Chile rests alongside a regime that enshrines protections for citizens’ data. Chile’s experience with targeting social protection Chile was the first Latin American country to enact a programs through an integrated approach to vulnera- data protection law in 1999; a 2018 amendment to bility preceded the rapid uptake of digital technologies that law enshrined data protection as a fundamental across various government departments. As ministries right alongside the right to privacy under Article 19 of across the government digitized their services as part the Chilean constitution. Civil courts enforce data- of different national Agenda Digital strategies, data related disputes, although a current data protection sharing across different ministries, especially to run bill in parliament seeks to establish an independent the integrated social information system, became key. data protection agency. While deciding to set up the registry to aid Chile Soli- dario, the government chose to leverage existing data Chile’s experience with data protection and data sources available within different ministries. sharing over the last two decades in Latin America have important lessons for data governance. Chile Chile’s system of data collection has evolved over the has implemented intersectoral data sharing through years with increasing digitization of public services. institutional arrangements between public sector The first Ficha CAS in the 1980s was administered agencies using a digital ID for interoperability. This through a paper-based system by enumerators at the provides key lessons for other countries who may not local level and contained only self-reported data. Data have the luxury of starting from scratch to implement collection was used primarily for program implemen- a whole-of-government approach to data sharing. tation at the municipal level, without the ability to Chile also demonstrates the experience of a country aggregate data across territorial boundaries. CAS 2— with strong constitutional grounding and laws for an update to the first Ficha CAS that continued until 119 Galasso, E. (2015). Reflections on social protection and poverty alleviation from the long term impact of Chile Solidario. Retrieved 10 November 2020, from https://blogs.worldbank.org/developmenttalk/reflections-social-protection-and-poverty-alleviation-long-term-impact-chile-solidario. 120 Registry of Households: http://www.registrosocial.gob.cl/. 79 Enablers & Safeguards for Trusted Data Sharing in the New Economy 2006—contained self-reported data that was collected The comprehensive registry now has over 13 mil- and digitized, with a basic mechanism for electronic lion entries, amounting to over three quarters of the data exchange manually. Municipalities collected and population. Citizens can self-report information when reported aggregate data from their data gathering applying for public services through local municipal efforts, under this model. offices to update their information on income, occupa- tion, education, and family composition on the Regis- With increased political will for digitization through the tro de Social Hogares. early 2000s and 2010s, the systems that fed into the integrated social information system increased in both The current information interface is integrated and number and complexity. This enabled the government dynamic: citizens can apply for over 80 social pro- to integrate different data sets to identify vulnerable grams, update their information, and access their infor- households better and refine their targeting of social mation online or through local offices. Self-reported protection programs for that purpose. The latest information includes housing, education, health, family version of Integrated Social Information System is the composition, occupation, and income. Data drawn result of several iterations by the Government of Chile, from other administrative systems include information and integrates GIS data to provide granular, spatial on taxes, unemployment insurance, social security and maps of vulnerability for the purposes of targeting. pensions, health insurance, and asset ownership. Figure 6: Household Social Registry Source: Veronica Silva Villalobos, Social Protection and Jobs Global Practice, The World Bank Group 80 UNRAVELING DATA’S GORDIAN KNOT As of 2019, the system contains data from 43 public shared as well as protocols around when the data is sector agencies and helps determine eligibility for updated. This enshrines protection for individuals’ 80 public programs. The registry pulls data from three data as well—in negotiating interinstitutional agree- different data sources—self-reported data by benefi- ments, agencies delineate sensitive noncritical data ciaries, administrative data from several ministries, as from other data that can be shared with ease, enabling well as data from the integrated beneficiary registry better public service delivery while protecting rights. that comprises details from different social protection programs run by the government. Overlaying GIS data Updating data within this intersectoral sharing mecha- in the current system allows targeting granularity. nism is critical for effectiveness, as a system that bases The information is updated monthly, on terms agreed determination of benefit eligibility on a static data set to by the institutions sharing data. Monthly updating will face challenges in reaching those most in need— allows for agencies to accurately vet the administra- and those struggling due to seasonal or transitionary tive data under their purview and make it available for poverty. Indeed, this was amongst the most common the purpose of benefits allocation. This ensures data criticisms under the Ficha CAS 1 and Ficha CAS 2 sys- accuracy. Salient features of the registry’s functioning tems.121 To overcome this, the registry updates every are described in the next section. month with new data from systems that share their data, except for cases where interinstitutional arrange- Leveraging different data sources requires a system ments dictate otherwise. of strong institutional arrangements and coordination between different actors. Chile’s SIIS, the predecessor A key element of integrating data sets across different to the RIS, was housed under the Ministry of Planning, sources for the same individuals is the ability to link which has, over the years, transformed to become data on them across different databases. This requires the Ministry of Social Development and Family. This a unique identification mechanism, which in Chile’s provides key benefits. case is administered by a separate agency within the Ministry of Justice and Human Rights within the gov- First, the agency housing the integrated registry had ernment—the Civil Registry. The Civil Registry (Servicio the capacity for coordination and standardization de Registro Civil e Identificación) administers the reg- across sectors involved in the central and subnational istration of all citizens in Chile. The registry has long governments. While the registry is centralized and issued a physical card—Cédula de Identidad—to enable operates as a virtual social registry, tasks such as data citizens to prove their identity to public and private collection are still completed by local municipalities. institutions, and to vote. The physical card is comple- Therefore, intensive coordination among all relevant mented by a single national ID number, which serves stakeholders to seek their buy-in, and formalizing as the Rol Único Tributario (RUT), a tax identification relationships between them within the government number, and the Rol Único Nacional (RUN), the number became essential for successful implementation. in the national civil register. The mechanism that the Ministry of Social Develop- ment and Family currently utilizes to formalize these The current registry uses a software application relationships is one of interinstitutional data sharing developed in-house to link the various administrative arrangements. These agreements signed between databases held by different public sector agencies public sector agencies and the Ministry of Social using the common Rol Único Nacional as a common Development and Family determine the nature of data identifier across different databases. The current 121 Carine Clert and Quentin Wodon (2001). The Targeting of Government Programs in Chile: A Quantitative and Qualitative Assessment. World Bank Policy Research Working Paper. 81 Enablers & Safeguards for Trusted Data Sharing in the New Economy iteration of ClaveÚnica offers a straightforward web the government website. They then use that profile authentication model. Citizens are required to register to activate their ability to receive services, including for the Cédula de Identidad and request for an activa- updating their self-reported information on the Regis- tion code that is mailed to them in order to activate tro de Social Hogares. A brief summary of the architec- their digital ID. They use this in conjunction with their ture of the current system and the interface with the Rol Único Nacional to create their digital identity on Civil Registry is described below in the figure. Figure 7: Summary of the Civil Registry System Architecture Source: Veronica Silva Villalobos, Social Protection and Jobs, The World Bank Group 82 UNRAVELING DATA’S GORDIAN KNOT DATA PROTECTION THE PERSONAL DATA PROTECTION LAW (19.628/1999)122 Data Protection as a Constitutional Right Key features of the law are in line with current data Article 19 of the Chilean Constitution recognizes, pro- protection principles enshrined in the GDPR, despite tects, and guarantees the right to privacy of all people. Chile’s law being enacted in 1999. Key features of the Chile was the first Latin American country to pass a law are highlighted below. comprehensive data protection law in 1999. Chile’s Law No. 19.628 applies to personal data, defined as Scope identified or identifiable information that pertains to Data processing is broadly defined as any opera- a natural person. This law also establishes responsi- tion(s) or procedures, automated or not, that make it bilities and limitations to the processing of personal possible to collect, store, record, organize, prepare, data. Law No. 21.096 amended the constitution in select, extract, match, interconnect, dissociate, com- 2018, establishing the protection of personal data as a municate, assign, transfer, transmit or cancel per- constitutional right under article 19.4. sonal data, or use it in any form. The law covers both government entities as well as private sector provid- Article 19.- The Constitution ensures to every person: ers under its ambit. 4° The respect and protection of private Finality Principle life and the honor of the person and his The Chilean legal system abides by the finality princi- family, and furthermore, the protection of ple, which states that the use of data cannot exceed personal data. The treatment and protec- the remit of the purposes for which it was collected. This is similar to the purpose limitation principle under tion of this data will be put into effect in the the GDPR and other new and emerging data pro- form and conditions determined by law. tection regulations. To comply with the law (19.628), all government bodies and agencies in Chile must The explicit inclusion of the right to data protection register databases containing personal data with the imposes affirmative duties on third parties regarding Civil Registry and provide a legal basis for their exis- the treatment and protection of data, as opposed to tence, purpose, data types stored, and stakeholders the mere exclusionary right granted through the right implicated. The agencies are required to inform the to privacy already enshrined under Article 19 of the Civil Registry and identification service of any changes Constitution. to that information within 15 days. No private sector equivalent exists. The current law in force is not based on any inter- national instrument on privacy or data protection in Protections for Sensitive Data force, such as the OECD guidelines, Directive 95/46/EC, The law distinguishes between ordinary data and EU General Data Protection Regulation, or the Euro- sensitive data. Sensitive data may only be processed pean Convention on Human Rights and Fundamental with consent from the data subject or where the Freedoms. processing is necessary for a public purpose, such as the determination of health benefits. In addition to sensitive data under the personal data protection law, sector-specific laws apply to certain other kinds of per- sonal data, as described in the following section. 122 The full draft text of the law is available in Spanish online: https://www.bcn.cl/leychile/navegar?idNorma=141599. 83 Enablers & Safeguards for Trusted Data Sharing in the New Economy The law takes a functional approach to defining There is an established redress procedure if the per- protections. There are no distinct duties for owners, son responsible for the personal data registry or bank controllers or processors; all provisions apply across fails to respond to a request for access, modification, them. Government agencies are limited by the remit elimination or blocking of personal data within two of their legal authority. However, the law is not explicit business days, or refuses a request on grounds other on the regulation of private sector aggregation of than the security of the nation or the national interest. sensitive and nonsensitive data. SECTORAL LAWS Rights of Data Subjects Under 19.628, people who provide their personal data Beyond Law 19.628, Chile has sector-specific laws enjoy: a right of modification, if the personal data is that relate to data protection. Financial data (personal erroneous, inexact, equivocal, or incomplete; a right to financial information) is governed by Law 19.496 and block processing when the individual has voluntarily imposes a five-year term limit for the communication provided his or her personal data but no longer wants of confidential information after the financial obliga- it to be processed; a right of cancellation or elimina- tion has ended. Law 19.799 in relation to electronic tion of expired data; a right to access their data for signatures ensures the privacy of signatories. Per- free, and the right to oppose the use of their data for sonal data is required to be deleted or cancelled when advertising, market research, or opinion polls. there are no legal grounds for its storage or after data has expired. Under the right to access, a data subject may make a request to an institution holding their data to provide Law N° 3/1978, the General Law of Banks, established their data, as well as information about how it was the confidentiality of transactions that individuals collected; the purpose for storing it; and the nature of conduct with and through banks. The law distinguishes its ongoing use. transactions covered by secrecy, which in principle are subject to an absolute prohibition of disclosure, and Data subjects may not exercise their rights of modi- transactions covered by reserve, which are subject to a fication under certain circumstances, such as when it significant limitation on the possibility of disclosing the would affect government supervisory functions, the transaction (a disclosure may only be made to persons confidentiality or secrecy established in legal or regu- that can demonstrate a legitimate interest and only if it latory proceedings, or national security. cannot be foreseen that the knowledge of the disclosed facts may cause property damage to the customer). Damages The law provides for monetary fines of up to 5,000 Law 20.584/2012 regulates the rights and duties of UTM123 for improper processing of data. Judges adju- individuals in the context of health care. It says that dicate claims based on general tort and contract law all information contained in patient files or docu- principles and decide the amount of compensation mentations of medical treatments are sensitive data based on the specific circumstances of the case. The and establishes the obligation of health care profes- fines can range between US$60 (50,000 Chilean Peso) sionals to maintain patient data confidential and to and US$600 (500,000 Chilean Peso); they are at times comply with the principle of purpose limitation. It also higher, when financial data is under question. The includes certain cases when such data can be deliv- law has not been tested by cases involving large data ered, partially or totally, to the data subject and to breaches. other individuals or entities. 123 UTM stands for “Unidad Tributaria Mensual,” a monthly tax unit that is used generally for the payment of taxes, fines, or customs duty in Chile. The measure of this unit is constantly adjusted for inflation. 84 UNRAVELING DATA’S GORDIAN KNOT Law 20.285, Chile’s Freedom of Information Law, The Data Protection Agency would be housed within allows for access to government-held information, the Chilean Transparency Council, the agency respon- which provides for a level of accountability. sible for both data protection and freedom of infor- mation laws. The Transparency Council is the most Sensitive data Law 20.521/2011 amended Law 19.628 experienced agency with respect to data protection to prohibit credit risk predictions or assessments and fully autonomous within the Chilean regulatory based on subjective data. framework, which should help ensure competence, resourcing, and independence. Law 20.575/2012 established the ‘purpose principle’ in the processing of personal data for commercial risk Chile is seeking an upgrade to its laws that will secure assessment for the credit granting process. an adequacy determination from the EU. INSTITUTIONAL ARRANGEMENTS TO EFFECTIVELY Reforms will be, in large part, based on the 2017 Stan- ENACT DATA PROTECTION dards for Data Protection for the Ibero-American States from the Ibero-American Data Protection Network, Weaknesses in the current law include the lack of an effort to harmonize data protection laws across adequate supervisory mechanisms and lack of clarity Latin America. One core objective is “to make the flow on how it may apply to cover the electronic processing of personal data between Ibero-American States and of information. To remedy these shortfalls, Chilean beyond their borders easier, in order to contribute to lawmakers have been working to reform the law for the economic and social growth of the region.” several years, proposing the creation of a personal data protection agency to ensure compliance with legal obligations. RECENT DEVELOPMENTS As there is no special data protection authority in Chile has initiated several efforts to capitalize on the Chile, data protection is addressed by civil courts. potential of the digital economy. The Government’s Cases have not explicitly dealt with data loss in digital Digital Transformation Strategy (2018) has three forms, although there was a case that held Santander objectives: to improve public services for citizens Bank liable for disposing paper-based financial and businesses; to engage in evidence-based policy records in a landfill.124 Electronic data breaches have making; and to mainstream the digital transformation not been considered in the relatively thin body of across government and the economy. Chile recently cases that have been considered under Law 19.628. adopted a Presidential Instructive on the Digital Transformation of the Administration and the Devel- The National Congress of Chile is considering a new opment of a new Digital Transformation Strategy for Data Protection Bill. This bill includes additional rights the State through The Digital Transformation Law, Law for data subjects, introduces provisions on consent 21.180 (November 11, 2019).125 The law seeks to make and new obligations for data controllers, and amends 80 percent of government services available online the definitions of sensitive data to include biometric by 2021; 100 percent by 2023. Further, Law 21.180 data. This bill seeks to align with Convention 108 and establishes digital government services as default, the GDPR. with paper-based transactions only available when the 124 State of Privacy Chile (2019). Privacy International. Retrieved from https://privacyinternational.org/node/28#dataprotection. 125 OECD (2019), Digital Government in Chile—A Strategy to Enable Digital Transformation, OECD Digital Government Studies, OECD Pub- lishing, Paris, https://doi.org/10.1787/f77157e4-en. 85 Enablers & Safeguards for Trusted Data Sharing in the New Economy lack of digital access and skills justifies it. The law revises the legal and regulatory framework for digital government to accelerate digital integration and intragovernmental interoperability. Chile’s recent Digital Transformation strategy identifies the digital identity among its six lines of action. This has been bolstered by Presidential Instructions in 2019 that create a roadmap for more than 300 central government agen- cies to adopt the ClaveUnica as their sole authentication mechanism. At present, ClaveUnica is used primarily for browser-based web authentication and functional IDs are still used by some public sector agencies. The policy and strategy-setting function to enable full digitization and inte- gration across the government has been given to a special- ized body—MINSEGPRES—Ministerio Secretaria General de la Presidencia. This line ministry is in charge of relationships with Congress and the process of discussing and approving bills. The Ministry as a team works on this agenda, and the MINSEGPRES has played a leading role in championing data sharing within the highest levels of government since the 1980s and helped galvanize political will amongst all partic- ipating ministries. Operational coordination for this effort is led by the Civil Registry, which will work with other minis- tries to integrate the digital ID to simplify e-government procedures to improve public service delivery. Complete integration of the ClaveUnica is also expected to allow citizens to carry data wallets, where they will be able to view an audit trail of organizations that have collected and used their data and in what capacity. At this moment, data on user experience of these wallets is unavailable as they have yet to be implemented. Internationally, through its participation in the Digital Econ- omy Partnership Agreement (DEPA) with Singapore and New Zealand, Chile seeks to promote digital trade through e-invoicing, cross-border data flows, AI, and digital ID. Chile has also taken steps to prohibit data localization require- ments that impede cross-border data flows. These efforts have attracted private sector investment—Google, for instance, recently expanded its data center in Chile. 86 UNRAVELING DATA’S GORDIAN KNOT MAURITIUS: DATA SHARING FOR ECONOMIC GROWTH BACKGROUND and the financial sector—and now accounts for approximately six percent of GDP growth and employs The economic transformation of Mauritius— 25,000 people.129 an island nation of fewer than 1.5 million—from a monocrop-based economy with negative growth The growth of the ICT sector has been anchored by a only a few decades ago to one of the fastest growing National Strategic Plan since 1998 and renewed every economies in Africa has been attributed to good mac- three to five years, providing significant policy guid- roeconomic policy, strong public and private institu- ance to drive the development of the country’s knowl- tions and productive interactions between them, and edge economy and to respond to the rapid changes in emphasis on trade-led development.126 Between 1970 the technology sector. This helped drive the country’s and 2009, Mauritius averaged five percent growth in digital transformation in a number of ways: real GDP and diversified to become a strong, dynamic economy.127 • Massive investment in internet connectivity: Mauritius Telecom has invested more than Rs 5 Over the last decade Mauritius has continued its billion (approx. US$75m) to roll out fiber across the economic success story, maintaining strong average island and, in 2018, became only the sixth country growth rates and emerging as Africa’s most mature in the world with 100% Fiber to the Home (FTTH),130 digital market.128 The information and telecommunica- enabling individuals to benefit from broadband tions (ICT) sector has emerged as a third main pillar of speeds of up to 100 Mbit/s at some of the most the modern Mauritian economy—along with tourism affordable rates in Africa.131 126 https://siteresources.worldbank.org/AFRICAEXT/Resources/Mauritius_success.pdf, p.3. 127 African Center for Economic Transformation. “Mauritius Transformation Profile“ http://africantransformation.org/2014/02/07/mauritius/. Accessed December 2019. 128 BuddeComm Telecomms Maturity Index. January 3, 2019, https://www.budde.com.au/Research/Global-Telecoms-Maturity-Index-Top-20-Countries. Accessed December 2019. 129 Economic Development Board of Mauritius, https://www.edbmauritius.org/node/19. Accessed December 2019. 130 ITU News. “The digital transformation of Mauritius: Q+A with Minister Sawmynaden,“ August 29, 2019, https://news.itu.int/the-digital-transformation-of-mauritius-qa-with-minister-sawmynaden/. Accessed December 2019. 131 Alliance for Affordable Internet. “Affordability Report: Regional Snapshot—Africa,” https://1e8q3q16vyc81g8l3h3md6q5f5e-wpengine.netdna-ssl.com/wp-content/uploads/2019/12/AR2019_Africa-Regional_Screen_AW.pdf. Accessed January 2020. 87 Enablers & Safeguards for Trusted Data Sharing in the New Economy • Invested extensively in building the digital capa- of data between government ministries and between bilities of its people: Starting in 2006, the National the government and business. This effort has been Computer Board (NCB) began to implement a shaped predominantly by an effort to digitize gov- universal ICT Education Program, making training ernment services, drive trade, and create a strong available to all Mauritians to learn how to use the innovation ecosystem for businesses and entrepre- internet and through which the internationally rec- neurs. Importantly, the Government of Mauritius has ognized Computing Core Certification was offered. enhanced the National Strategic Plan with a number This broad-based training was meant to build a of pieces of legislation that have enabled the country more inclusive e-government and ensure citizens to foster a competitive and trusted digital ecosystem, could avail themselves of the rapidly expanding making Mauritius an attractive market for ICT invest- offering of tech-enabled public services. Addition- ments and tech-enabled business process outsourcing ally, in 2014 the government set up the ICT Acad- (BPO) and increasing the country’s participation in emy to build its own ICT talent pool. The Academy digital trade. is set up as a public-private partnership in which the government covers 45 percent of the cost. These complementary—but not fully unified—policy The Academy offers internationally recognized and legislative efforts have included specific steps to industry-led ICT certification courses such as those expand the value of data in ways that align with the provided by multinational ICT companies such as country’s economic growth strategy while also ensur- Microsoft, Oracle, CISCO, and SAP across a wide ing data protection and privacy. Most notably, these range of ICT industry needs including cybersecu- efforts include: rity, software development, and so on.132 1. Adoption of its Data Protection Act 2017 (DPA 2017), • Innovation Ecosystem: The country has invested in which made Mauritius the first country in the creating an innovation ecosystem, particularly in southern hemisphere to update its data protection the financial services sector, where Mauritius has legal regime to come into compliance with the Gen- positioned itself to be the gateway to the African eral Data Protection Regulation (GDPR); market. To effectively support innovation in the financial sector, the government has supported 2. Implementation of InfoHighway, a government regulatory sandboxes and institutions like the data exchange layer that customized and adapted Mauritius Africa FinTech Hub, which provides a eco- Estonia’s X-Road model for Mauritius and helped system where entrepreneurs, corporations, gov- connect basic registries—supported through an ernments, tech experts, investors, financial service MoU with Estonia’s eGovernance Academy (eGA); providers, and researchers can collaborate to build financial services products for the African market. 3. Adoption of the National Open Data Policy in 2017 and the subsequent creation of Open Data Mau- As it has digitized its economy, Mauritius has also ritius, a portal that houses and provides links to been a regional leader in developing the policies, insti- government data sets. tutions, and architecture for facilitating the exchange 132 Oolun, Krishna; Ramgolam, Suraj; and Dorasami, Vasenden. “The Making of a Digital Nation: Toward i-Mauritius,” World Economic Forum, The Global Information Technology Report 2012, http://www3.weforum.org/docs/GITR/2012/GITR_Chapter2.2_2012.pdf. Accessed December 2019. 88 UNRAVELING DATA’S GORDIAN KNOT KEY FEATURES OF DATA SHARING • They contain any personal or sensitive information as per the Data Protection Act; CREATING THE POLICY AND REGULATORY • they are classified as confidential under the Gov- ENVIRONMENT FOR DATA SHARING ernment Security Instructions; • they have a public safety or national security The Digital Government Transformation Strategy dimension; 2018–2022 provides directions to accelerate public • they are covered by third party-rights; and sector digitization to enhance operational effective- • they are reworked by the ministries and depart- ness and efficiency.133 The Strategy notes “how criti- ments, to produce value-added services for specific cal it is to use and reuse data to support the work of customers. Government, to optimize, transform, and create better government services and to achieve large-scale busi- The Open Data Policy is intended to “create value out ness optimization that improves effectiveness.” The of the release of government data sets” and is consid- Strategy lays out twelve key principles for achieving ered a “bedrock” for innovation, which is seen as a key the country’s digital transformation goals, including driver of the country’s future economy.134 At the time of three which specifically address how data is governed: approval, the Government of Mauritius had identified (1) Reiterating the country’s commitment to its Open 25 data sets that would be available immediately. This Data Policy, (2) Emphasizing data-driven decision- number has since grown to over 250 with more than a making and policy formulation, and (3) Establishing quarter of those being updated within the last year. the “Once-Only Policy” for Mauritius, which mandates, “Capture data only once from citizens and stake- The national policy also stipulated that all data sets holders and reuse the data (e.g., copy of IDs, proof would be governed by The Creative Commons Attri- of address, birth/marriage/death certificate) if it is bution 4.0 International licence which allows users already available within government.” of Open Data to use, reuse, and redistribute the data provided that appropriate Attribution clauses are Open Data included in the data sets by the users. The Creative Building upon a World Bank-supported Open Data Commons Attribution 4.0 International licence ensures Readiness assessment conducted in 2015, the Mauri- that the supplier of data continues to hold copyright tian Cabinet approved the National Open Data Pol- on the data while allowing the users to use, reuse, and icy in 2017, which established an “Open by Default” redistribute the data freely or even commercially.135 position for all government data except when dealing with personal data or data with a national security Data Protection dimension. More specifically, the policy outlined the Mauritius adopted its first comprehensive data pro- instances when the National Open Data Policy pro- tection with a 2004 Data Protection Act which came vides exception to the “open” classification: into force in February 2009. In the same year, Mau- ritius adopted Data Protection Regulations which 133 Government of Mauritius, Central Informatics Bureau. “Digital Government Transformation Strategy 2018–2022“ http://cib.govmu.org/English/Pages/digitalgovernment.aspx. Access December 2019. 134 Dolan, Jonathan. Notes from interview with Data Protection Commissioner of Mauritius, February 26, 2020. 135 Ministry of Information Technology, Communication, and Innovation, http://mtci.govmu.org/English/Documents/2017/Communique/ Press%20Communique/Mauritius%20Open%20Data%20Policy%20May%202017.pdf. Accessed December 2019. 89 Enablers & Safeguards for Trusted Data Sharing in the New Economy supplemented the DPA 2004 by creating the rules, The regulation applies to the processing of personal processes, and fees for registering as a data control- data that is wholly or partly performed by automated ler and created the Data Protection Office, under the means by organizations that are (a) established in aegis of the Prime Minister’s Office, led by the Data Mauritius and (b) organizations not established in Protection Commissioner, who is responsible for Mauritius but using equipment in Mauritius to process enforcement. Much of the data protection-related personal data (other than for the purpose of transit case law136 based on the earlier 2004 Act was specifi- through Mauritius). Notably, it does not apply to “the cally concerned with the protection of personal data in exchange of information between ministries, govern- connection with identity-related information such as ment departments, and public sector agencies.”140 fingerprints and other biometrics in connection with Mauritius’ National Identity Card Act, Act 60 of 1985.137 The DPA 2017 is a sector neutral law and applies to all categories of industries. There are four main roles In June of 2016, Mauritius became the second non-Eu- stipulated by the DPA 2017 in relation to data. ropean state to ratify the Council of Europe’s Conven- tion 108 (and its additional protocol on supervisory • Data subject: an identified or identifiable individual authorities and transborder data flows).138 The 2017 Data Protection Act (DPA), which repealed the 2004 • Controller: a person or public body which, alone or Act, was specifically designed to update the national jointly with others, determines the purposes and law and align it with international standards. When means of processing personal data and has the DPA was enacted in 2017, in a clear example of the decision-making power with respect to the pro- “Brussels effect,” Mauritius’ Data Protection Com- cessing; one or more parties may be joint control- missioner expressly acknowledged that the DPA was lers if they determine the purposes and means of drafted to be “in line with” the GDPR139 and reflected in processing together the rationale of the bill in the National Assembly. The DPA 2017 governs privacy rights of individuals • Processor: person or public body that processes in relation to requirements of collection, process- personal data on behalf of the controller ing, storage, transfer, and handling of personal data and special categories of personal data that warrant Implementation of the DPA 2017 has brought numer- heightened protections, where “personal data” is ous benefits to Mauritius. By increasing accountability broadly defined to mean “any information relating of controllers, the DPA 2017 has helped controllers to a data subject.” The regulation is seeking to strike implement better processes, having better organiza- a balance between the interests of businesses, the tions, and achieving better productivity. It also intro- Government of Mauritius, and the fundamental right duced steeper penalties, with some offenses actually to privacy of individuals. subject to penalty of up to five years imprisonment. 136 See, e.g., Madhewoo M. v. The State of Mauritius & anor 2013 SCJ 401; see also Madhewoo M. v. The State of Mauritius & anor [2016] UKPC 30. 137 See http://attorneygeneral.govmu.org/English/Documents/A-Z%20Acts/N/Page%201/NATIONAL%20IDENTITY%20CARD%20ACT,%20 No%2060%20of%201985.pdf. Accessed February 2020. 138 https://www.coe.int/en/web/portal/-/mauritius-joins-the-data-protection-convention-convention-108-. 139 See An Overview of the Data Protection Act, DPO of Mauritius, http://dataprotection.govmu.org. Accessed February 2020. 140 See Art. 3(4)(a), DPA. 90 UNRAVELING DATA’S GORDIAN KNOT It has also strengthened individuals’ trust, by enabling a secure and scalable platform offering e-government the latter to gain confidence in the level of data pro- services by the Government of Mauritius but also a tection of relevant products and services. In addition robust service platform to facilitate the consumption by enhancing data subjects’ rights, the DPA 2017 has of published data among government agencies and provided individuals greater control over their per- private entities to improve operational efficiency in sonal data. Moreover, it has improved the digital legal public administration and business operations. Info- landscape to respond to the new EU requirements Highway therefore aims to fulfill the following main for adequacy, thereby attracting foreign investors. objectives: And finally, the DPA 2017 has helped to minimize data breaches.141 • Provide Government of Mauritius with a single plat- form offering scalable e-services; Section 3(4)(a) of the Data Protection Act 2017 (DPA) exempts the exchange of information between min- • Provide a robust service platform to facilitate the istries, government departments and public sec- consumption of published data among govern- tor agencies from the Act where such exchange is ment agencies and private entities to improve required on a need-to-know basis, providing wide operation efficiency; latitude for intergovernmental and interagency data sharing. In addition, the Electronic Transactions Act • Improve the turnaround availability time of has been amended to allow a public sector agency updated and useful data for government agencies (such as a ministry, government department, local and private institutions for their business needs, all authority, or a statutory body) to share information, in a secure environment; and through its electronic system, with a private sector institution. • Establish links to other ministries/epartments and institutions. CREATING A TECHNICAL ARCHITECTURE FOR DATA SHARING InfoHighway is administered by the Ministry of Tech- Mauritius and the Indian Ocean Commission (inter- nology, Communication, and Innovation. The DPO is a governmental organization composed of Comoros, member of the InfoHighway High-Level Management Madagascar, Mauritius, Réunion, and Seychelles) Team, which considers requests from agencies wish- signed an MoU with Estonia’s e-Governance Academy ing to exchange data through the platform. to implement the national data exchange layer and on developing digital identity, basic registries, and InfoHighway uses a “Publish and Subscribe Model” for databases. intragovernmental data sharing, whereby the agency sharing data is the “Publisher” and the one requesting In Mauritius, where the platform is known as Info- the data is the “Subscriber.” Highway, the principal objective is not only to provide 141 Dolan, Jonathan. Notes from interview with Data Protection Commissioner of Mauritius, February 26, 2020. 91 Enablers & Safeguards for Trusted Data Sharing in the New Economy Figure 8: InfoHighway Subscribe-Publish Model Source: The Ministry of Technology, Communication and Innovation. “InfoHighway Website,” https://ih.govmu.org/. Accessed March 2020. Government officials view the application and gover- Board, Civil Status Division, Central Informatics nance structure of InfoHighway to be a key contrib- Bureau, IT Security Unit, and the National Com- utor to cultivating trust in the data sharing system. puter Board). Examination of the request to share Broadly, this includes four main steps: data is carried out to ensure compliance with the Electronic Transactions Act, Data Protection Act, 1. Prospective subscribers and publishers fill in an Civil Status Act, Business Registration Act, and application form to join the InfoHighway. At the other legislations, and the justification for the data time of application, the expected purpose for par- sharing. ticipating in the data sharing system are identified. 4. Approvals is then granted or refused on the basis 2. Submit the filled form to the MoTCI. of the examination.142 3. The form is then considered by the High Level Man- In addition to the mechanics of the application and agement Team tasked with operationalizing the review processes, it is also important to understand InfoHighway. The committee consists of represen- that the technical design of InfoHighway technically tatives of the Ministry of Finance, Economic Plan- is several modules operating together in a secure ning and Development, Attorney General’s Office, environment. Data Protection Office, Economic Development 142 Dolan, Jonathan. Notes from Interview with CTO’s office. April 27, 2020. 92 UNRAVELING DATA’S GORDIAN KNOT Figure 9: InfoHighway Modules Infohighway Mod Live dashboard showing: - Logins/Queries/Statistics 01 InfoWatch - Use for monitoring the platform. - Any abused or downtime can be seen on the dashboard. - Web-portal used to perform queries. - User need to be on secured platform and 02 InfoHighway Portal access E-Services based on their role and user right. - Intelligent extraction solution in-line with Data Protection Office. - Comparison made between subscriber DB 03 InfoSync and Publisher data to ensure data is sent on a need to know basis. - Extraction solution sharing data as InfoHighway 04 InfoExtract - required based on date. An example is death list Modules - Soap Webservice provided to the subscriber to integrate directly into their 05 Webservice internal system. - A soap request is sent and a response in xml format is delivered back. - Public website (https://ih.govmu.org ) allowing the general public to understand 06 Website the InfoHighway solution. - The website provide also request forms and key statistics. - Virtual Machine monitoring using Grafana User Interface is used by InfoHighway team to 07 Server Monitoring monitor servers, including Network, Bandwidth, Disk Space, Server availability etc. InfoSync, for example, is the module of InfoHighway Currently InfoHighway is only used for intragov- that ensures synchronization of data happens across ernmental data sharing and allows for visibility into government agencies—connecting, for instance, social the nature of the data request and the size of the security data with marriage license data. This mod- data being shared but only the parties to the data ule has two key features that help build trust. First, it exchange are able to see the content of the data. The reinforces data protection policies by ensuring only government is currently finalizing plans—which may those governments that “need to know” have access go into effect as early as this year—to open up Info- to the relevant data for a specific transaction. Second, Highway to private firms as well and, at the moment, it helps minimize how much data any one government the expectation is that they will have to log the type of agency must hold in order to provide services, thereby content they are sharing to give the government some reducing potential vulnerabilities. InfoWatch, another visibility into the data flowing through InfoHighway. key module for building trust in the data sharing There are additional plans being made to give individ- ecosystem, supports the dashboard which is used to uals new capabilities to view and manage how their monitor data flows and increase transparency into data is flowing over InfoHighway, though the timeline how data is being shared. for this is still being determined.143 143 Dolan, Jonathan. Interview with CTO’s Office. April 27, 2020. 93 Enablers & Safeguards for Trusted Data Sharing in the New Economy BUILDING THE INSTITUTIONAL CAPABILITIES FOR DATA SHARING teams build upon existing practice within the Govern- ment of Mauritius to have embedded statisticians from Following best practice guidance for successful open the National Statistics Office in each ministry. data implementation, the National Open Data Policy created a Central Open Data Team (CODT), which In addition to these government constructs, the local reports to the Chief Technical Officer of the Minis- private sector emerged as an important force in shap- try of Technology, Communication, and Innovation ing the country’s data sharing efforts. Local entre- (MoTCI). The CODT is responsible for steering Open preneurs and business associations became vocal Data work across government ministries and depart- advocates in the push for creating the policy and have ments, including establishing and reviewing standards sustained efforts to hold the government accountable. for Open Data and setting up and administering the This push from the private sector on the demand side National Open Data Portal. The CODT is also respon- is apparent in the language of the Open Data policy sible for setting the standards for Privacy Compliance documents. In making the case for the country’s Open Assessments to be carried out at the level of ministries Data policy, the government identifies (1) Economic and departments prior to the release of data sets as Advantages and (2) Accountability and Transparency Open Data. as the main policy drivers. Importantly, in addition to the centralized team, each On the first point, the document notes, “The overrid- ministry was compelled by the National Open Data Pol- ing priority of the government is the creation of high icy to create an Open Data team to support the CODT. value jobs and wealth. The expansion of the circle of These ministry-level teams are expected to have at a opportunities and economic space are the corner- minimum a permanent secretary, a program manager, stones of the intention of the government to engage a systems analyst, and a statistician—a team drawn into an Open Data Initiative. Open Data is the bedrock from different government agencies and embedded of innovation which will be the driving force of the into each ministry. The creation of the ministry-level Mauritian economy in the next decade.”144 144 Ministry of Information Technology, Communication, and Innovation, http://mtci.govmu.org/English/Documents/2017/Communique/ Press%20Communique/Mauritius%20Open%20Data%20Policy%20May%202017.pdf. Accessed December 2019. 94 UNRAVELING DATA’S GORDIAN KNOT URUGUAY: DATA SHARING FOR GOVERNMENT EFFICIENCY, TRANSPARENCY, AND INDIVIDUAL EMPOWERMENT BACKGROUND Uruguay took the first steps toward improving digital connectivity in 2000 with the launch of the National Uruguay is a high-income South American country Committee for Information Society. The committee with a population of approximately 3.5 million. The drafted the Digital Agenda for Uruguay (ADU), a country has enjoyed a remarkable drop in the rate of multistakeholder vision with representatives from families living below the poverty line, decreasing from government, academia, the private sector, and civil 40 percent in 2004 to 6 percent in 2016.145 Today, the society organizations.148 The council established con- country enjoys the lowest poverty rates and lowest crete goals for the country’s digital development and, corruption146 of any country in Latin America. to achieve these goals, the government of President Tabaré Vásquez in 2007 created the Agency for Elec- In the early 2000s, only 10 percent of Uruguay’s tronic Government and Information Society (AGESIC) population had access to the internet, and broadband as the institutional home to drive the digital agenda. speeds were much lower than in developed coun- tries. Yet, the government recognized the economic AGESIC reports to the Office of the President and and social opportunities of digital technologies for its works with technical autonomy and in close collabo- citizenry and devised a far-reaching plan to improve ration across government agencies to offer improved the country’s mobile and internet infrastructure. As a digital services to the citizens of Uruguay, including small country, heavily dependent on exports of beef leadership in data protection, access to information, and agricultural goods, digital transformation rep- cybersecurity, and digital government initiatives. resented an opportunity to dramatically remake its economy and modernize its engagement with every- AGESIC’s work has been guided by a series of national day citizens through e-government services.147 digital agendas, issued in 2008, 2010, 2015, and most recently in 2020. During this time, Uruguay has made 145 The tip of the iceberg The Digital Govt Architecture of Uruguay (slide deck from AGESIC). 146 Transparency International ranking. 147 Sabatino, Carlos. “Uruguay’s Digital Development Policy,” June 2017, Global Delivery Initiative, http://www.globaldeliveryinitiative.org/library/case-studies/uruguay%E2%80%99s-digital-development-policy. 148 Center for Public Impact: A BCG Foundation. “Digital Agenda in Uruguay,” March 18, 2016, https://www.centreforpublicimpact.org/case-study/digital-agenda-uruguay/. Accessed April 2020. 95 Enablers & Safeguards for Trusted Data Sharing in the New Economy tremendous strides in connecting its citizens to the society,” including an effort to expand the use of internet and ensuring that people have the necessary secure digital identity mechanisms for authentica- digital skills to actively engage online. As of June 2019, tion purposes. 82 percent of homes were connected to broadband internet and the state-owned telecom provider, Antel, 2. Sustained political will: Many specific initiatives that had reached 75 percent of homes with its fiber- have emerged from the ADU are joint efforts of to-the-home (FTTH) network and expected to have AGESIC and other government agencies and line near-universal coverage by the end of 2020. Addi- ministries. The National Plan for Digital Literacy, tionally, all of the country’s public schools have high for instance, was designed and delivered through quality internet access, and it is the only country in a collaboration between AGESIC and the National the world that provides free laptops to all public and Telecommunications Administration (ANTEL), Min- secondary school students.149 The country has not istry of Education and Culture (MEC), and National only prioritized digital skills acquisition but has been a Bureau of Civil Service (ONSC).151 leader in the the concept of the digital citizen defined by UNESCO as a “set of skills that enables citizens to These conditions have enabled Uruguay to emerge, access, retrieve, understand, evaluate, and use, to along with Mexico, as a regional leader in the use of create as well as to share information and media in all technology to build a more efficient and responsive formats, using several tools, in a critical, ethical, and government, and as the building blocks for digital effective way to participate and engage in personal, transformation—e.g., connectivity, digital skills— professional, and social activities.150 have solidified AGESIC’s role within government has evolved and expanded. The first two iterations of Beyond creating the conditions for engaged digital the ADU were focused primarily on setting up the citizens, Uruguay has developed its national digital necessary infrastructure for digital transformation, agenda in a way that has cultivated public trust and establishing the enabling environment for ICTs to take enabled sustained political will even as administra- root, and building human capacity. Starting in the tions have changed. 2011–2015 plan, the ADU started to shift its focus to delivery of direct services to people and this focus has 1. Cultivating trust: As with the original ADU, the been further emphasized in the current plan, includ- subsequent ADUs have been developed through ing a commitment to have all government services a multistakeholder engagement process and all online this year. This evolution has included placing stakeholders remain engaged in the implemen- an increased importance on the use of data to deliver tation and monitoring of the ADU through the benefits to people and society. National Council for the Information Society. This approach has led to high degrees of public trust. The use of data is now identified as an essential tool The current 2016–2020 ADU continues to empha- for the country’s development in both the ADU and in size the importance of the trust ecosystem in order the Digital Government Plan—two key documents that “to promote full participation in the information guide AGESIC’s work. 149 Uruguay: Investment, Export, and Country Brand Promotion Agency. “URUGUAY: A TECHNOLOGICAL REVOLUTION IN A LITTLE MORE THAN A DECADE,” December 2019, https://www.uruguayxxi.gub.uy/en/news/article/uruguay-una-revolucion-tecnologica-en-poco-mas-de-una-decada/. Accessed April 2020. 150 Clastornik, Jose. “The digital citizen is here—are governments ready?” Apolitical, August 4, 2019, https://apolitical.co/en/solution_article/the-digital-citizen-is-here-are-governments-ready. Accessed April 2020. 151 Center for Public Impact: A BCG Foundation. “Digital Agenda in Uruguay,” March 18, 2016, https://www.centreforpublicimpact.org/case-study/digital-agenda-uruguay/. Accessed April 2020. 96 UNRAVELING DATA’S GORDIAN KNOT OPEN GOVERNMENT Uruguay first established open government commitments in 2012, aligning with the goals set forth in the 2011–2015 ADU. Its adoption of open government has allowed Uruguay to lead the region in creating social value and informed government decision-making through the adoption of transparent processes and technological innovation. A Tu Servicio—Open Government and Data Sharing in Action Every February, Uruguayan citizens are given the opportunity to choose whether to change or stay with their existing health care provider. In the country’s mixed public-private health care system, several factors come into play when making this decision: the location of the health provider, number of doctors and pedi- atricians available, hours open, etc. These decisions were difficult to make without easy access to this infor- mation. Initially, as part of the Government’s Open Government efforts, the Ministry of Health published detailed spreadsheets on each health care provider. However, these spreadsheets were never downloaded more than 500 times in any given year. Given the low uptake of the data, Datos Abiertos, Transparencia y Acceso a la Inform (DATA) Uruguay, an Uruguayan civil society organization focused on open data, independently attempted to create a user- friendly comparison tool, which started a dialogue between the organization and the Ministry. Ultimately, DATA Uruguay partnered with the Uruguayan Ministry of Health to create A Tu Servicio, a website provid- ing easily digestible, searchable and visualized infographics based on open government health data and available to be used by the public. The platform allows users to select their location and then to compare local health care providers based on a wide range of parameters and indicators, such as facility type, medical specialty, care goals, wait times, and patient rights. A Tu Servicio has introduced a new paradigm of patient choice into Uruguay’s health care sector, enabling citizens not only to navigate through a range of options but also generating a healthy and informed debate on how more generally to improve the country’s health care sector. Ultimately, the program resulted in an increase in users from 500 to around 75,000 downloads in 2016, resulting in 63,130 people actually changing health service providers during February 2016. Beyond user growth, the project helped improve the quality of data—e.g., errors were discovered by users, providers, and the Ministry itself—and helped to lower prices for consumers. After its initial release in 2015 caught providers by surprise, several opted to decrease their prices in January 2016, knowing that the tool would allow for easy comparison and give them a competitive advantage. The ability to share data in a trusted ecosystem, enabling programs like A Tu Servicio, is possible through a number of updates to the legal and regulatory environment, investment in a robust technical architecture for data sharing, and clear authority and consistent leadership from AGESIC. 97 Enablers & Safeguards for Trusted Data Sharing in the New Economy KEY FEATURES OF DATA SHARING In 2012, the European Commission formally approved Uruguay’s status as a country providing “adequate CREATING THE POLICY AND REGULATORY protection” for personal data within the meaning of ENVIRONMENT FOR DATA SHARING the European Data Protection Directive (Directive 95/46/EC), the predecessor to the GDPR. In 2013, Uru- Legal Foundations guay became the first non-European state to accede to the Council of Europe’s Convention 108, further Although Uruguay’s constitution does not contain signaling its commitment to international data protec- any express rights to data protection, Article 28 does tion standards. provide that “The papers of private individuals, their correspondence, whether epistolary, telegraphic, or of Uruguay is also a member of the Ibero-American Data any other nature, are inviolable, and they may never Protection Network (RIPD for the Spanish acronym), be searched, examined, or intercepted except in con- which adopted the Standards for Data Protection formity with laws which may be enacted for reasons of for the Ibero-American States, a common data pro- public interest.” tection framework for the Ibero-American countries (the Spanish-speaking countries in North, Central, That said, Uruguay has a relatively long history of and South America, plus Portuguese-speaking Brazil). data protection. Data protection in Uruguay is gov- One of the aims of the RIPD is “to make the flow of erned under the “Data Protection Act” of 2008, Law personal data between Ibero-American States and No. 18,331 on Personal Data Protection,152 the Habeas beyond their borders easier, in order to contribute Data Act of 2008 (or Access to Information Law), and to the economic and social growth of the region,”154 Decree No. 664/008 and Decree No. 414/009, which demonstrating how personal data protections can provide further clarifications and guidance on the Act. promote data sharing for economic development. Decree No. 664/008 provides complementary provi- sions and guidance on the application of Law 18,331, Data Protection Act while Decree No. 414/009 stipulates the requirements for registering databases. The Act defines “personal data” as “any kind of infor- mation related to a person or legal entity identified or The “Data Protection Act,” which is very similar to the identifiable,” and “sensitive personal data” as “any kind GDPR, outlines several principles for those collecting of personal data evidencing: racial or ethnic origin, and processing personal data, including: the principle political preferences, religious or moral beliefs, trade of legality, the principle of truthfulness and verac- union membership, and any kind of information con- ity, the purpose of limitation principle, the principle cerning health or sexual life.” of prior consent, the principle of data security, the principle of confidentiality, and the principle of liabil- The national DPA is the Unidad Reguladora de Control ity. Unlike GDPR, Uruguay’s Data Protection Act also y Actos Personales (the “URCDP”). While there is no extends to “juridical persons” such as entities and requirement that organizations appoint a data protec- corporations.153 tion officer, an organization that owns or maintains a database containing information gathered or obtained through means, mechanisms, or sources located in Uruguay, must register that database with the URCDP. 152 See Ley 18331. https://www.impo.com.uy/bases/leyes/18331-2008. 153 See Art. 4(D), Data Protection Act 2008. 154 See https://iapp.org/media/pdf/resource_center/Ibero-Am_standards.pdf. 98 UNRAVELING DATA’S GORDIAN KNOT In order to collect data, an entity must obtain prior “contractual clauses” and “self-regulation systems” consent from the individual or entity whose informa- providing the same levels of protection as the laws tion is being collected. Consent is not required in the of Uruguay. Intracompany transfers are permitted case of personal data from public sources; obtained by without authorization where an entity has registered public authorities in compliance with legal obligations; a conduct of code with the URCDP (akin to binding limited to domicile, telephone number, ID number, corporate rules under the European framework). nationality, tax number, corporation name; necessary for the performance of a contract or the provision of Data processors must implement appropriate tech- a professional service; and obtained by individuals or nical and organizational measures to guarantee the corporations for their personal and exclusive use. security and confidentiality of the personal data. These measures should be aimed at preventing the loss, Personal data may only be processed for a legitimate falsification, and unauthorized treatment or access, as reason, i.e., a lawful basis. Personal data may not be well as at detecting information that may have been used for additional or secondary purposes different lost, leaked, or accessed without authorization. In the from the purposes for which the data was originally event of a breach that could substantially affect the obtained. Once the purposes for processing personal rights of the data subject, and/or the rights of any data are achieved, personal data must be deleted. other agent or person involved, the data processor should notify affected persons. Personal data can only be transferred to a third party for purposes directly related to the legitimate interests The URCDP has broad investigatory and enforcement of the transferring party and the transferee and with powers, including audit and inspection rights, and the prior consent of the data subject. The data sub- subpoena, search and seizure authority. The URCDP ject must be informed of the purpose of the transfer can impose penalties including warning, admonition, and the identity of the recipient. Evidence of such fines up to US$60,000, suspension of the database for consent should be maintained, and the data subject five days, and closure of the database. may revoke that consent at any time. Prior consent of the data subject is not necessarily required when DATA ARCHITECTURE the personal data to be transferred is limited to the data subject’s name, surname, identity card number, Uruguay has a robust digital government architecture nationality, address, and date of birth. The transferor that facilitates the secure sharing of data including remains jointly and severally liable for the compliance both a digital government services platform and sin- of the recipient’s obligations under the Act. gle state portal for citizen access and a data exchange architecture that links federated records of people, In general, the Act prohibits the transfer of personal enterprises, public services, and addresses available data to countries or international entities which do as metadata on the interoperability platform.155 not provide adequate levels of protection according to European standards. International transfers to “inade- The data exchange model is based on a combination quate” countries or entities is allowed where the data of decentralized data management and centralized subject consents to the transfer in writing, or when the communication with the interoperability platform guarantees of adequate protection levels arise from serving as a shared resource for all government and 155 Uruguay Digital. “Transforming with Equity 2020,” https://uruguaydigital.uy/wps/wcm/connect/urudigital/44f1500c-6415-4e21-aa33- 1e5210527d94/Download+Digital+Agenda+%28English+Version%29.pdf?MOD=AJPERES&CONVERT_TO=url&CACHEID=44f1500c-6415- 4e21-aa33-1e5210527d94. Accessed March 2020. 99 Enablers & Safeguards for Trusted Data Sharing in the New Economy public agencies and establishes the standard for and, through the sharing of data, a civil identification exchanging data between them. The interoperability number is immediately generated in the public registry. platform is built on a secure private network. The platform integrates systems across the state at The interoperability infrastructure was launched in the backend and is divided into two layers: an interop- 2008 but only began to be widely used in 2016 due erability layer (semantic and technical) and a security to varied technology maturity across public agencies, layer. The semantic interoperability is solved by the the difficulty in breaking down silos generated by metadata definition of common data objects. Those bureaucracy, and, importantly, the initial lack of trust definitions are made in agreement with all agencies between agencies in exchanging the information and involved in the use of that information and published in the whole-of-government approach. in the form of a data dictionary, an xml schema, and an uml object diagram. The technical interoperabil- Today, however, the platform exchanges over 10 mil- ity is implemented with an Enterprise Service Bus lion transactions per month with over 100 entities con- (ESB) accompanied by a set of definitions based on nected. It supports a wide range of critical government open standards. This allows the simplification of data services initiatives. For example, each child born in exchange and the ability of offering added value ser- Uruguay is registered with the Ministry of Public Health vices on it. Figure 10: Platform Overview Source: Provided by AGESIC. 100 UNRAVELING DATA’S GORDIAN KNOT All exchanges over the platform are based on Web Services Soap1.1 and comply with WS-Basic Profile 1.1. Message delivery is implemented using WS-Addressing standard, which provides capacity of dynamic routing. The security layer covers physi- cal security and logical security. SSL v3.0 (HTTPS) with mutual authentication is used for physical transport security. Logical security covers authentication and authorization of services. Open standards allow universal use of the platform, becoming independent from proprietary protocols and overcoming difficul- ties at the integration stage. Legally the data sharing model requires that each exchange must be made between two entities—public or private—registered in the public records. To accomplish this, the government requires each exchange to be signed with a digital certificate that legally represents the entity. The entities authorized to access the plat- form are those that provide a public service. The platform allows access for the private sector only when the data concerned is owned by public entities that request the access under the same security conditions. Importantly, the data exchange system is supported by whole-of-government architecture that defines a framework to standardize and optimize the building, evolution, and doc- umentation of public organizations architectures (enterprise architectures), from the business processes to supporting infra- structure. The main goal is to establish a technical framework that includes standards, products, best practices, and recommen- dations in order to guide public organizations in the design of technical solutions in such a way that promotes interoperability. The whole-of-government architecture provides interoperability guidelines as well—establishing a framework for vertical sectors like e-health, public finance, and education. The interoperability guidelines align with the components of the interoperability plat- form and are based on a reference model for data architecture. This model enables the government to work with different levels of data including: organizational and management data, private sector data, and citizen data. This ability to work across different types of data is essential to the country’s whole-of-government approach.156 156 Technical description provided by AGESIC. 101 Enablers & Safeguards for Trusted Data Sharing in the New Economy MEXICO: DATA SHARING FOR GOVERNMENT EFFICIENCY AND TRANSPARENCY BACKGROUND emerged as a regional leader in leveraging informa- tion and communications technologies (ICT) to mod- Mexico, an upper-middle-income country with a pop- ernize government. While the use of ICTs to improve ulation of nearly 130 million people, has the second government services extends at least as far back as largest economy in Latin America after only Brazil 2002, when the Presidential Agenda for Good Govern- and the fifteenth largest in the world. Over the last ment included e-government as one of six pillars, the ten years, the country has experienced moderate but digital transformation of the public sector accelerated consistent economic growth, averaging just over two significantly in 2012. percent annually until 2019 when the economy con- tracted slightly. Despite this decade of reasonable eco- Starting in 2012 and building on a decade of nomic stability, poverty and inequality have remained e-government experience, the government introduced high with more than 43 percent of the population a National Development Plan that acknowledged the living in poverty and a Gini Index of almost 50.157 importance of digitization and included the country’s Approximately three out of every five jobs remains in first National Digital Strategy which addressed both the informal economy, representing nearly a quarter public sector digital transformation, as well as the of the country’s economic output.158 building blocks needed for a more inclusive digital society including greater internet access and broad To tackle this persistent economic and social inequal- digital literacy. A National Digital Strategy Office was ity, Mexico has invested heavily in digital transforma- created under the Office of the President to coordi- tion, particularly over the last eight years, and has nate the Digital Strategy. 157 IMF News. “Mexico’s Economic Outlook in Five Charts,” November 8, 2018, https://www.imf.org/en/News/Articles/2018/11/07/NA110818-Mexico-Economic-Outlook-in-5-Chart. Accessed May 2020. 158 Radu, Sintia. “Can Technology Solve Economic Disparity?” U.S. News, February 14, 2020, https://www.usnews.com/news/best-countries/ articles/2020-02-14/technology-is-being-used-to-fight-economic-inequality-in-latin-america. 102 UNRAVELING DATA’S GORDIAN KNOT Figure 11: Framework for Mexican National Digital Strategy: Objectives and Enablers Source: Government of Mexico, “National Digital Strategy,” https://www.gob.mx/mexicodigital To realize the goals of the Digital Strategy, the were Internet users, while only two out of ten people government successfully amended the Mexican in the lowest income bracket used the internet, essen- constitution in 2013 to make universal internet access tially reinforcing rather than reducing the social and a right and ushered in a series of legal and institu- economic disparities.159 tional reforms governing the ICT sector, including the creation of an independent agency focused on ICT The reforms introduced in 2013 have had remarkable licensing and concessions, a commitment to build success in expanding internet access, particularly the a nationwide fiber optic backbone network, and a shared public network, which has become known as commitment to install a shared public network— all Red Compartida. of which designed to increase competition in the telecommunications market and reduce the country’s Red Compartida became the first large-scale, whole- digital divide. sale mobile network in the world and enabled the installation of a single network that can be shared A study conducted shortly before the creation of the by all operators, reducing their costs, particularly National Digital Strategy found that approximately in regions that are otherwise commercially unat- seven out of ten people in the highest income bracket tractive to install and deploy their own networks. Red 159 Montiel, Juan Manuel Mecinas. “THE DIGITAL DIVIDE IN MEXICO: A MIRROR OF POVERTY,” Mexican Law Review, July–December 2016, https://www.sciencedirect.com/science/article/pii/S1870057816300464#fn0025. 103 Enablers & Safeguards for Trusted Data Sharing in the New Economy Figure 12: Mexico’s Digital Divide Source: Barry, Jack J. “Mexicans have world-first constitutional right to government-provided internet,” Apolitical, November 28, 2018, https://apolitical.co/en/solution_article/internet-poverty-connection-mexico. Compartida is a US$7 billion privately funded project Mexico has experienced significant and accelerating that is operated as a public-private partnership and growth in the number of internet users in the country, is ultimately expected to cover more than 90 percent growing from 44 percent in 2014 to over 70 percent in of the population in Mexico with the most advanced 2019 and continuing to expand.161 mobile broadband services. Ultimately, the PPP was signed in early 2017 and the project was awarded This growth in usage has been complemented by through an international-public-tender (IPT) process expanded government services, which have extended conducted through 2016. In supporting this model, to the reach of public services and led to significant the government not only aspired to extend internet cost savings for the country. access but viewed it as a key platform upon which digital government and other critical services from As of 2018, 90 percent of government transactions can mobile banking to health and education services be initiated online and 75 percent can be completed would grow.160 digitally.162 Furthermore, in addition to supporting more inclusive public services, Mexico has saved 1.6 Catalyzed by the reforms that started in 2012–2013, percent of GDP between 2012 and 2017 by lowering 160 ITU, “Red Compartida,” https://www.itu.int/net4/wsis/archive/stocktaking/Project/Details?projectId=1514835212 161 Internet World Stats. “Internet Usage and Population in Central America,” https://www.internetworldstats.com/stats12.htm 162 OECD (2020), Digital Government in Mexico: Sustainable and Inclusive Transformation, OECD Digital Government Studies, OECD Publishing, Paris, https://doi.org/10.1787/6db24495-en. 104 UNRAVELING DATA’S GORDIAN KNOT the cost of government transactions for citizens and KEY FEATURES OF DATA SHARING residents.163 Mexico’s experience is illustrative of how centralization of responsibility—in the National Digital CREATING THE POLICY AND REGULATORY Strategy office—can simplify and standardize digital ENVIRONMENT FOR DATA SHARING government and strengthen the ability to share data safely and securely. The Digital Strategy office has Key components of data governance in Mexico are the defined three levels of standardization: Constitution, the public sector data protection law, the private sector data protection law and corresponding 1. Level 1 defines the criteria for data capture, regulations, and self-regulatory schemes. 2. Level 2 defines technical standards for the format The Constitution of data downloads, and Mexico’s Constitution underpins its legal framework for data governance. The 1917 Constitution enshrined 3. Level 3 includes the web format, interoperability a fundamental right to privacy in Article 16. In 1977, standards, and digital signature. the Constitution was amended to include a right to freedom of information.165 In 2002, Congress passed By February 2018, the Digital Strategy office had the Federal Law of Transparency and Access to Public helped produce more than 5,400 standard informa- Government Information, which took effect in 2003.166 tion files, more than 600 standardized download The Law aimed to secure access to any public infor- formats, and 948 standardized online forms.164 mation and incorporate principles and standards for the protection of personal data. The federal law was As Mexico’s digital government transformation has followed by freedom of information legislation at the accelerated, the country has taken a number of addi- state level, which ultimately imposed different legal tional steps to bolster citizen engagement and public frameworks and institutional capacities on citizens and trust in government, including a number of updates businesses, impeding transparency. In 2015, the Mex- to personal data protection laws and investments in ican Congress responded by enacting the General Act technologies and institutions to encourage secure of Transparency and Access to Public Information167 sharing of data. to enhance uniformity of access to information laws across Mexico’s 33 separate jurisdictions. 163 Benjamin Roseth, Angela Reyes, Pedro Farias, Miguel Porrúa, Harold Villalba, Sebastián Acevedo, Norma Peña, Elsa Estevez, Sebastián Linares Lejarraga, and Pablo Filottrano. “Wait No More: Citizens, Red Tape, and Digital Government,” Inter-American Development Bank, Jun 6, 2018, accessed through: https://books.google.com/books?id=u6x2DwAAQBAJ&pg=PA164&lpg=PA164&dq=digital+identity+mexico+and+interoperability&- source=bl&ots=qPicy2oEHa&sig=ACfU3U2Tfn9_QA6NH7klVnw5MwNI2cD5_Q&hl=en&sa=X&ved=2ahUKEwimjf6Z9vboAhUTlXIEHa2H- DeA4ChDoATADegQICRAv#v=onepage&q=mexico&f=false. 164 Benjamin Roseth, Angela Reyes, Pedro Farias, Miguel Porrúa, Harold Villalba, Sebastián Acevedo, Norma Peña, Elsa Estevez, Sebastián Linares Lejarraga, and Pablo Filottrano. “Wait No More: Citizens, Red Tape, and Digital Government,” Inter-American Development Bank, Jun 6, 2018. 165 See Article 6, Mexican Constitution (“the right of information shall be guaranteed by the state”). 166 In January 2014 Congress approved an amendment to the Constitution to create an autonomous entity to be in charge of enforcing the Private Data Protection Law and to take on the duties of the Federal Institute for Access to Information and Protection of Data (“IFAI”), which was originally created as a semiautonomous agency separate from the federal government. As a result of the new General Law for Transparency and Access to Public Governmental Information, which annulled the effect of the former Transparency Law – the IFAI’s responsibilities are now handled by National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) as an autonomous entity. See https://thelawreviews.co.uk/edition/the-privacy-data-protection-and-cybersecurity-law-review-edi- tion-6/1210064/mexico. 167 INAI. “General Act of Transparency and Access to Public Information,” March 12, 2016, http://www.law-democracy.org/live/wp-content/ uploads/2012/08/Mexico-General-Act-of-Transparency-and-Access-to-Public-Information-compressed.pdf. 105 Enablers & Safeguards for Trusted Data Sharing in the New Economy In 2009 Congress approved a crucial amendment to covers companies and private individuals. While the the Constitution to recognize the protection of per- FDPL is an omnibus data protection law that sets sonal data as a fundamental right. Article 16 of the the principles and minimum standards that shall be Constitution amended to add an express right to data followed by all private parties when processing any protection providing, in pertinent part, “All people personal data, it also recognizes that standards for have the right to enjoy protection on their personal implementing data protection may vary depending data, and to access, correct, and cancel such data. on the industry or sector. As such, it may be supple- All people have the right to oppose the disclosure of mented by sectoral laws and self-imposed regulatory their data, according to the law. The law shall estab- schemes focused on particular industry standards and lish exceptions to the criteria that rule the handling requirements, to the extent that those standards and of data, due to national security reasons, law and requirements comply with the data protection princi- order, public security, public health, or protection of ples in the FDPL.170 third-party’s rights.” This constitutional underpinning forms the basis for Mexico’s data protection laws. The FDPL was followed by the Regulations to the Federal Law on the Protection of Personal Data held Public Sector General Data Protection Law by Private Parties (Reglamento de la Ley Federal de Mexico’s domestic legal framework for data protec- Proteccion de Datos Personales en Posesion de los tion centers around two key laws—one for the public Particulares) (the “Regulations”), which entered into sector and one for the private sector. The more recent force on December 22, 2011171 and set out to clarify General Law on the Protection of Personal Data held the scope and obligations set out in the FDPL, and by Obligated Parties (Ley General de Protección de the Privacy Notice Guidelines (the “Guidelines”), which Datos Personales en Posesión de Sujetos Obliga- entered into force on April 18, 2013172 and stipulated dos) (“GDPL”—the English acronym), which entered the requirements for privacy notices for data process- into force on 27 January, 2017, applies to any public ing that any subject could do. In 2014, the Ministry of authority, entity, body, or organism of the executive, the Economy also issued the Parameters for Self- legislative, and judicial powers of the government, Regulation Regarding Personal Data,173 setting out autonomous entities, political parties, trusts, and pub- best practices, requirements, and eligibility parame- lic funds, at federal, state, and municipal levels.168 ters to be considered by the data protection authority for approval, supervision, and control of self-regula- Private Sector Federal Data Protection Law tion schemes, and authorization and revocation of The Federal Law on the Protection of Personal Data certifying entities as approved certifiers. held by Private Parties (Ley Federal de Proteccion de Datos Personales en Posesión de los Particulares) (“FDPL”), which entered into force on July 6, 2010,169 168 On 4 January, 2018 Congressman Ramón Villagómez Guerrero submitted a bill to modify the FDPL to standardize it with the GDPL, which has not yet been approved by Congress. 169 See Executive Branch—Ministry of the Interior Decree: https://iapp.org/media/pdf/knowledge_center/Mexico_Federal_Data_Protection_Act_July2010.pdf. 170 To date, the Mexican Official Standard NOM-004-SSA3-2012 for medical records is the only sector-specific legal framework. 171 See http://www.diputados.gob.mx/LeyesBiblio/regley/Reg_LFPDPPP.pdf. 172 Additional relevant materials include the Recommendations on Personal Data Security of November 30, 2010, the Parameters for Self-Regulation regarding personal data of May 30, 2014, and the General Law for the Protection of Personal Data in Possession of Obligated Subjects (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), which entered into force on January 27, 2017. 173 See http://www.dof.gob.mx/nota_detalle.php?codigo=5346597&fecha=29/05/2014. 106 UNRAVELING DATA’S GORDIAN KNOT Scope of the Private Sector Law (FDPL) in a form that permits identification of data subjects The FDPL applies to the processing of personal data for no longer than is necessary for the purposes for by individuals and legal persons (i.e., corporations). which the data was collected or for which it is further “Processing’” includes the collection, use, communica- processed. Data subjects are entitled to a reason- tion, or storage of personal data by any means, and able expectation of privacy in the processing of their “personal data” means any information concerning an personal data, as well as rights of access, rectification, identified or identifiable individual. “Sensitive personal cancellation, or objection (“ARCO rights”). data” is personal data that, if misused, may lead to dis- crimination or pose serious risks to the data subject, To legally process personal data, data controllers must including data that could reveal racial or ethnic origin; provide a comprehensive privacy notice providing: the past or present health conditions; genetic information; identity and address of the data controller collecting religious, philosophical, or moral beliefs; union affilia- the data; the purposes of the data processing; the tion; political views; sexual orientation; fingerprints;174 options and means offered by the data controller to and geolocation, among other things. It is subject to data subjects to limit the use or disclosure of their heightened requirements. data; the means for exercising their ARCO rights; the data transfers to be made; the procedure and The regulation of the Federal Law applies extraterri- means by which the data controller will notify the data torially to all data processed when: (1) in a facility of subjects of changes to the privacy notice; and iden- the data controller located in Mexican territory; (2) by tification of any sensitive personal data that will be a data processor, regardless of location, processing processed. data on behalf of a Mexican data controller; (3) where Mexican law applies by virtue of international law or Consent is required for all processing of personal data, the execution of a contract (regardless of the data except as otherwise provided by the law. Implicit, opt- controller’s location); and (4) by any means located out consent is generally permissible, while express, in Mexico, regardless of where the data controller is opt-in consent is required for processing financial located, unless such means are for transit purposes data and express, opt-in, written consent is required only. Notably, the FDPL does not apply to the govern- for processing sensitive personal data. Consent is not ment, certain credit reporting agencies, or to personal, required where the processing is: permitted by law; noncommercial processing. based on publicly available or de-identified data; pur- suant to a legal relationship between the data subject Data controllers are bound by the core principles of and controller; undertaken in an emergency situation legality, information, consent, notice, quality, pur- threatening an individual or their property; essential pose, loyalty, proportionality, and accountability.175 for medical attention, prevention, diagnosis, health This means personal data must be: collected and care delivery, medical treatment, or health services processed fairly and lawfully; for specific, explicit and management when the data subject is unable to give legitimate purposes and not be further processed in a consent; subject to a duty of professional confidential- way incompatible with those purposes; adequate, rele- ity; or pursuant to a resolution issued by a competent vant, and not excessive in relation to the purposes for authority. which it is collected or further processed Accurate and, if necessary, updated; erased or rectified; and kept 174 Beyond “fingerprints,” the concept of biometric data is not defined under the FDPL. However, nonbinding guidance issued by INAI defines that biometric data is “sensitive personal data.” 175 As the FDPL was largely inspired by Directive 95/46/EC, these principles largely correspond to the European framework. 107 Enablers & Safeguards for Trusted Data Sharing in the New Economy Data Security process personal data according to the instructions of All data controllers must establish and maintain phys- and for the purposes identified by the data controller, ical, technical, and administrative security measures must implement adequate security measures to main- designed to protect personal data from damage, loss, tain the confidentiality of the personal data subject alteration, destruction or unauthorized use, access, to processing, and must delete personal data after or processing, at least as stringent as the measures the legal relationship with the data controller ends or in place to manage their own information. The risk when instructed by the data controller, absent a legal involved, potential consequences for the data sub- requirement for the preservation of the personal data. jects, sensitivity of the data, and technological devel- opment must be taken into account when establishing International data transfers do not need the approval security measures. of the INAI or any other regulator but must be evi- denced by written agreement or any other document Data controllers must promptly notify data subjects of whereby the third party assumes the same data any security breaches that materially affect the prop- protection obligations undertaken by the data control- erty or rights of the data subject, including informa- ler and the conditions for processing as consented to tion about the nature of the breach, the personal data by the data subject as detailed in the corresponding compromised, recommended protective measures the privacy notice. data subject can take, corrective actions implemented by the controller, and the means by which to obtain Supervision and Enforcement more information regarding the breach. While Mexican law does not require data controllers to register with a data protection authority or other regu- lator, controllers are required to designate a person Transfers of Data or department to act as the Data Protection Officer While the general rule is that consent is needed from for handling data subject requests and enhancing the the data subject in order to execute data transfers, protection of personal data within their organization. domestic or international transfers of personal data may be carried out without the consent of the data The National Institute of Transparency for Access to subject where the transfer is: pursuant to an applica- Information and Personal Data Protection (Instituto ble law or treaty; necessary for medical diagnosis or Nacional de Transparencia, Acceso a la Informacion y prevention, or health care delivery or management; Proteccion de Datos Personales) (INAI) is the country’s made to a party under the common control of the data protection authority, while the Ministry of Econ- data controller; necessary for the performance of a omy (Secretaria de Economia) cooperate on specific contract between the data controller and a third party elements as established by the FDPL. The INAI is in the interest of the data subject; necessary or legally responsible for the enforcement of individual rights, required to safeguard public interest or for the admin- the resolution of disputes, verifications and audits, istration of justice; necessary for the recognition, and sanctions. The Ministry of Economy is responsible exercise, or defense of a right in a judicial proceed- for issuing industry guidelines, such as it did with the ing; or necessary to maintain or comply with a legal Guidelines for Binding Self-Regulation and the Guide- obligation. lines for Privacy Notices, in collaboration with the INAI. A handful of other public agencies have some author- Data controllers may share or transfer data with data ity over secondary sectoral regulations. processors without informing or obtaining the con- sent of data subjects. However, processors may only 108 UNRAVELING DATA’S GORDIAN KNOT Where data subjects cannot enforce their ARCO Rights exchange of information and the minimum require- via a data controller, they can seek recourse via INAI ments of compliance remediation.176 and ultimately the judiciary. INAI may perform verifi- cation procedures that include on-site inspections to Regional and International Legal Frameworks verify data controller compliance. Violations of the law Mexico is also party to a variety of international and are subject to monetary sanctions in the range of 100 regional legal frameworks on data protection. Mexico to 320,000 times the Mexico City minimum wage, and is a member of the Ibero-American Data Protection double that for violations involving sensitive personal Network (RIPD), a network of 22 data protection data. Certain violations are subject to up to five years authorities that promotes the development of a imprisonment, and double that for violations involving comprehensive data protection legislation and the sensitive personal data. introduction of data protection authorities throughout Latin America. FinTech Law In March 2018, the Mexican Congress approved the Mexico is also a member economy of the Asia- Ley para Regular las Instituciones de Tecnología Finan- Pacific Economic Cooperation (“APEC”) forum, which ciera (the “FinTech Law”). The main objective of the has published a framework to protect privacy within FinTech Law is to regulate the providers of FinTech and beyond economies and to enable regional trans- services such as crowdfunding platforms and e-money fers of personal data to benefit consumers, busi- issuers, giving them legal recognition as “Financial nesses, and governments (the “APEC Privacy Frame- Technology Institutions” (FTIs) authorized, regulated, work”). The APEC Privacy Framework is designed to and supervised by the local financial authorities as facilitate information sharing and forms the basis of they receive, maintain, and manage resources from the APEC Cross-Border Privacy Rules (“CBPR”) system. the public. Most importantly with respect to data sharing, Article 76 of the law sets the legal frame- On June 12, 2018, Mexico became only the second work for mandatory data sharing information by Latin American country (after Uruguay) to accede financial entities and FTIs to third parties through to the Council of Europe’s Convention 108 and its standardized APIs, in line with internationally recog- additional protocol on supervisory authorities and nized Open Banking initiatives. Regulation 2/2020, cross-border data flows, bringing its practices in closer issued by BANXICO on March 10, 2020, contains the alignment with emerging international best prac- provisions referred to in Article 76 and establishes tices. While Mexico has not been recognized by the the standards for the interoperability of APIs used by European Commission as a third country providing credit reporting agencies and financial switches, as adequate data protection to facilitate personal data well as for determining the technical information for transfers to countries within the EU, it does partici- such interoperability. The regulation deals with with pate in Asia-Pacific Economic Cooperation’s (APEC) the exchange of open and aggregated data, specifi- Cross-Border Privacy Rules (CBPR), through which cally regulating (1) requirements for the approval of certified companies and governments work together APIs, (2) requirements for other regulated entities to to ensure that the movement of personal information gain access to the data, (3) minimum requirements for across borders is protected in accordance with the interconnection agreements, and (4) BANXICO’s super- standards prescribed by CBPR and can be enforced by visory authorities, including the power to suspend the the participating jurisdictions.177 176 GreenbergTraurig. “New Open Banking Regulation in Mexico,” June 16, 2020, https://www.gtlaw.com/en/insights/2020/6/open-banking-en-mexico-nueva-regulacion. Accessed July 8, 2020. 177 Asia-Pacific Economic Cooperation. “What is the Cross-Border Privacy Rules System?” April 15, 2019, https://www.apec.org/About-Us/About-APEC/Fact-Sheets/What-is-the-Cross-Border-Privacy-Rules-System. Accessed July 8, 2020. 109 Enablers & Safeguards for Trusted Data Sharing in the New Economy It is also important to flag the recent tripartite trade The IDMX is embedded in the country’s Open Data deal between the US, Mexico, and Canada included a Policy Implementation Guide, and contains more than new chapter on Digital Trade. The deal includes assur- 600 data sets about anticorruption, human rights, eco- ances that data can be transferred cross-border and nomic development, climate change, and public ser- that limits on where data can be stored and processed vices. This infrastructure was built based on a citizen are minimized, to enhance data sharing and protect consultation through the one-stop government portal, the global digital ecosystem.178 In fact, it is the first US Gob.mx/participa. In this consultation, more than trade agreement or deal to include an express prohi- 2,000 participants from civil society, private sector, and bition on local data storage requirements. Finally, the citizens participated to prioritize and propose the data deal promotes “open access to government-generated they considered central to public concerns and helpful public data, to enhance innovative use in commercial in identifying solutions to the country’s development applications and services,” which intends to encourage challenges. The infrastructure is available through data sharing from the public to the private sector. datos.gob.mx/idmx and the number of data sets is expected to increase over time.180 Creating a Technical Architecture for Data Sharing Like other global leaders in digital government, In addition to the Open Data portal for sharing gov- Mexico has complemented its policy and legal envi- ernment data publically, the government has also ronment for data sharing with investments in secure invested in InteroperMX, a data sharing and interop- technical architecture. erability platform. InteroperaMX powers the govern- ment’s one-stop digital government portal, Gob.mx, Mexico has been a regional and global leader in open by facilitating secure data exchange between line data—ranking fifth in the world on the OECD’s OUR- ministries and government departments. Data Index, which measures the availability, acces- sibility, and government support for reuse of public InteroperaMX, modeled after Estonian’s X-Road, allows sector data.179 The government has positioned open public institutions to share reliable and trustworthy data in its national development plans as strategic data, with clear identification of the source and certifi- infrastructure, along with more traditional infrastruc- cation of the information. As in Estonia, InteroperaMX ture like roads and power plants, needed to support supports efficient delivery of public services, including policies aimed at social and economic inclusion. Given through a once-only policy whereby citizens only have this strategic positioning, the government has worked to provide personal data to a single, appropriate gov- to identify a list of the most strategic, high-value data ernment agency, and then that data is shared through generated by the government and created the Open a set of defined permissions. Data Infrastructure (IDMX) that catalogues the most valuable data sets from diverse government sectors. 178 Office of the United States Trade Representative, “UNITED STATES–MEXICO–CANADA TRADE FACT SHEET Modernizing NAFTA into a 21st Century Trade Agreement‘‘ https://ustr.gov/trade-agreements/free-trade-agreements/united-states-mexico-canada-agreement/fact-sheets/modernizing. 179 OECD Stats. “Government at a Glance—2019 edition—Open Government Data,” https://stats.oecd.org/index.aspx?queryid=94409. 180 ITU. “MX Open Data Infrastructure,” https://www.itu.int/net4/wsis/archive/stocktaking/Project/Details?projectId=1514323093. 110 UNRAVELING DATA’S GORDIAN KNOT INTEROPERAMX IN ACTION Mexico has pointed to birth certificate manage- ment as a key use case of InteroperaMX and has used its successes to highlight the potential of the platform to catalyze further efficiency gains. A birth certificate is required as proof of identity for at least 45 percent of all public pro- cedures and services at the federal level. In its analogue format, the birth certificate has rep- resented considerable costs—both in terms of financial and time—to Mexican citizens, which has particularly disadvantaged low-income populations. The government of Mexico esti- mates that citizens invested MXN 2.2 billion in 2016 (approximately US$115.5 million), with the poorest 10 percent spending roughly 1.5 per- cent of their real annual income on birth certifi- cate procedures, excluding the related costs of transportation, possible bribery, or time spent to complete the procedures. InteroperaMX now enables citizens to access their birth certificate online in just minutes though the interopera- bility of the national population registry and state-level databases where birth registration takes place. Additionally, birth certificates can then be used online to access over 150 other government services. 111 Enablers & Safeguards for Trusted Data Sharing in the New Economy SPOTLIGHT ON OPEN BANKING: DATA SHARING FOR ECONOMIC GROWTH AND INDIVIDUAL EMPOWERMENT BACKGROUND also introduce new dangers. Sharing customer infor- mation among multiple players heightens the risk of WHAT IS OPEN BANKING AND ITS RELEVANCE TO DATA SHARING? misuse of their data, leaving many millions vulnerable to being targeted with unsuitable offerings.181 Open banking provides third-party financial service providers open access to consumer banking, transac- These characteristics are heightened further in low- tion, and other financial data from banks and nonbank and middle-income countries where more open use financial institutions through the use of application of data can benefit low-income people entering the programming interfaces (APIs). Open banking is formal financial system and improve their ability to intended to drive innovation in the financial services engage with the real economy. Conversely, of course, industry by allowing the accounts to be connected those same populations have fewer assets and are and for data across institutions to be shared for use more likely to be functionally or financially illiter- by consumers, financial institutions, and third-party ate and therefore may be particularly vulnerable to service providers. exploitation.182 As the Consultative Group to Assists the Poor’s For these reasons, it is valuable to understand how research (CGAP) has highlighted, experiences in countries that have taken a leadership role in Open designing and implementing Open Banking initiatives Banking have built systems that drive a virtuous cycle are illustrative of the opportunities and challenges of between data sharing and data protections for con- creating a trusted data sharing ecosystem. As a recent sumers. Open Banking is, in many respects, still in its piece pointed out, Open Banking’s “new systems infancy, but there are numerous examples of Open for data sharing and payments flexibility could spur Banking emerging around the world, but this case innovation by unlocking access to consumer data now study focuses on the emerging practices and inter- held within payment companies, banks, and other esting features of the implementations in the United financial institutions. ... Yet the very same structures Kingdom and Australia, given their relative maturity that hold out such promise for inclusion and growth and availability of information. 181 Chen, Greg and Faz, Xavier. “Open Data and the Future of Banking.” CGAP Leadership Essay Series, October 23, 2019, https://www.cgap.org/blog/open-data-and-future-banking. Access March 2020. 182 Chen, Greg and Faz, Xavier. “Open Data and the Future of Banking.” CGAP Leadership Essay Series, October 23, 2019, https://www.cgap.org/blog/open-data-and-future-banking. Access March 2020. 112 UNRAVELING DATA’S GORDIAN KNOT Illustrative Country Experiences desktop channels and over one million customers that have used an open banking-enabled application. The UNITED KINGDOM model has influenced many other regulators already Open banking was implemented in the United King- and is notable for its funding and implementation dom (UK) as part of the remedy to a competition model, consultative and open source standard setting review of the retail banking sector and executed process, regulator support for the start-up ecosystem, based on the government’s experience with Midata, emphasis on consumer safeguards, and aspirations a program that had been envisaged early in the for expansion to other areas of finance and other sec- 2010s to improve consumer welfare and choice. The tors of the economy. PSD2 empowers account holders effort aligned with government goals of supporting with the authority to share data, removing financial the growth of the UK financial technology sector and institutions’ role as gatekeeper.183 improving the competitiveness of the wider finan- cial services industry in hopes of ensuring the future To drive competition in retail banking in the United of London as a global financial hub and the UK as a Kingdom, its Competition Markets Authority required net exporter of financial services. Coming out of the the largest UK banks to open up and share their data. experience with Midata, the Enterprise and Regulatory While it is still too early to assess the impact of these Reform Act 2013 empowered the UK’s new Competi- efforts, one recent study by the UK’s Financial Conduct tion and Markets Authority (CMA) to enforce the open- Authority found the move could usher in more com- ing up of data which was also supported by efforts in petition and innovative business models, delivering the EU around data portability, specifically the data better customer services such as cheaper payment portability right (and data protections) included in solutions, budgeting and money management tools the General Data Protection Regulation (GDPR) and based on customer data, and the ability for customers expanded access to payment accounts provided for in to easily switch to new providers.184 the revised Payment Services Directive (PSD2). While open banking is still in the midst of implemen- AUSTRALIA tation, as is PSD2, the ecosystem of innovation sur- Australia was an early proponent of Open Data with its rounding the increased access to data open banking online data portal launched in 2009185 and its Declara- provides has seen early signs of success, with over tion of Open Government in 2010186 and today ranks 200 regulated providers as of January 2020, open highly in the Global Open Data Index187 and the Open banking-enabled services available to the majority of Data Barometer.188 Given the historical relationship UK banking customers through existing mobile and and influence of the UK, the Australian Government 183 Brodsky, Laura and Oakes, Liz. “Data Sharing and Open Banking,” McKinsey & Company, September 5, 2017, https://www.mckinsey.com/industries/financial-services/our-insights/data-sharing-and-open-banking. Accessed March 2020. 184 Chen, Greg and Faz, Xavier. “Open Data and the Future of Banking.” CGAP Leadership Essay Series, October 23, 2019, https://www.cgap.org/blog/open-data-and-future-banking. Access March 2020. 185 Office of the Australian Information Commissioner. “Towards an Australian Government Information Policy,” Issue Paper 1, https://www.oaic.gov.au/information-policy/issues-papers/issues-paper-1-towards-an-australian-government-information-policy/. 186 Original not available but archived copy available here: https://apo.org.au/sites/default/files/resource-files/2010/07/apo-nid62429-1076971.pdf. 187 Australia has a score of 79 percent with perfect or near perfect scores across Government Budget, National Statistics, Procurement, Administrative Boundaries, Draft Legislation, Air Quality, National Maps, Weather Forecasts, Company Registers, Election Results, and Locations, a 50 percent score for Water Quality, and a 0 percent score for Land Ownership and Government Spending. The Global Open Data Index 2016/2017 is an annual benchmark for publication of Open Government Data run by the Open Knowledge Network. Data cat- egories are scored against the “Open Definition” that Open Data can be “freely used, modified, and shared by anyone for any purpose” but does not look at other aspects of data such as context, use, or impact. https://index.okfn.org/place/ https://opendefinition.org/. 188 The Open Data Barometer is produced by the World Wide Web Foundation with the support of Omidyar Network and takes steps to “uncover the true prevalence and impact of open data initiatives around the world.” The 4th edition is based upon a peer reviewed expert survey, a government self-assessment, and secondary data from the WEF, WBG, UN, and Freedom House. https://opendatabarometer.org/?_year=2017&indicator=ODB 113 Enablers & Safeguards for Trusted Data Sharing in the New Economy was closely monitoring the progress of GDPR, with and earlier competitions reports and introduce a Con- special attention to its data portability right, and open sumer Data Right to give consumers greater access banking in thinking about its own data governance and control of their banking, energy, phone, and strategy. internet transactions.190 Several competition-focused inquiries and reviews in Australia built momentum Like the UK, Australia suffers from competitive con- around data portability as a way to catalyze Australia’s centration and low switching in a variety of relevant calcified industries and promote innovation, starting industries including retail banking, energy, internet with the Competition Policy Review,191 and Financial service, and mobile telephony. The Productivity Com- System Inquiry in 2015, which led to the Productivity mission Inquiry Report on Data Availability and Use Commission Inquiry,192 and followed by the Indepen- tasked with examining access to data and its use in dent Review to the Future Security of the National Australia noted that Australia’s data governance policy Electricity Market—Blueprint for the Future 2017193 was falling behind many other countries globally and released at a similar time to the Productivity Commis- recommended both an update to data sharing and sion report. Across each of these reports, regulators protection legislation alongside a comprehensive right felt that increased access to data would enable better for consumers to access and share their data.189 These product comparison, easier switching decisions, and factors heavily influenced the government’s commit- better advisory use cases which would increase con- ment to enact a Consumer Data Right, intended to sumer benefit, spur innovation, and improve compe- establish a cross-economy data portability provision tition which were echoed in the Productivity Commis- that would be implemented sector by sector. sion report. Australia’s Consumer Data Right is interesting for its As a result of the Productivity Commission report, the powerful rhetoric around consumer empowerment, Government initially announced it would introduce specificity in data portability across a number of sec- an open banking regime to Australia and a Treasury tors, collaboration across functional and sector regu- Review into open banking in Australia was commis- lators, government involvement in standard setting, sioned in July 2017, to decide the most appropriate consultative process for guiding implementation, and model.194 The government sought a model “under phased implementation process. which customers will have greater access to and control over their banking data” which would “increase In November 2017, the government announced that price transparency and enable comparison services,” they would follow the recommendation of the Produc- “drive competition in financial services” and “deliver tivity Commission’s Data Availability and Use Inquiry increased consumer choice and empower bank 189 Productivity Commission (Government of Australia. “Data Availability and Use—Inquiry Report,” March 31, 2017, https://www.pc.gov.au/inquiries/completed/data-access/report/data-access.pdf. Accessed December 2019. 190 Department of the Prime Minister and Cabinet (Government of Australia). “Australians to own their own banking, energy, phone and internet data,” November 26, 2017, https://ministers.pmc.gov.au/taylor/2017/australians-own-their-own-banking-energy-phone-and-internet-data. 191 The Treasury (Government of Australia). “Competition Policy Review—Final Report,” March 31, 2015, https://treasury.gov.au/publication/p2015-cpr-final-report. 192 The Treasury (Government of Australia). “Improving Australia’s financial system Government response to the Financial System Inquiry,” 2015, https://treasury.gov.au/sites/default/files/2019-03/Government_response_to_FSI_2015.pdf 193 Finkel, Alan, et al. “Independent Review into the Future Security of the National Electricity Market,” June 2017, https://www.energy.gov.au/sites/default/files/independent-review-future-nem-blueprint-for-the-future-2017.pdf 194 The Treasury (Government of Australia). “Review into Open Banking in Australia,” 2017–2018, https://treasury.gov.au/review/review-into-open-banking-in-australia 114 UNRAVELING DATA’S GORDIAN KNOT customers to seek out banking products that better The indication that data should be available “in a read- suit their circumstances.”195 ily usable form and in a convenient and timely man- ner” set important foundations for the method of data The Australian government determined that the CDR transfer and the standards necessary to enable that will first apply to the banking sector, followed later by transfer. The Consumer Data Right implementation is the energy sector, and telecommunications sectors. by four key principles: While CDR is intended to apply across sectors, the early implementation experiences in the financial sec- • The Consumer Data Right should be consumer tor are most illustrative for understanding how it can focused. It should be for the consumer, be about support a trusted data sharing ecosystem. the consumer, and be seen from the consumer’s perspective. • The Consumer Data Right should encourage com- KEY FEATURES OF DATA SHARING petition. It should seek to increase competition for products and services available to consumers so CREATING THE POLICY AND REGULATORY that consumers can make better choices. ENVIRONMENT FOR DATA SHARING • The Consumer Data Right should create opportuni- ties. It should provide a framework from which new AUSTRALIA ideas and business can emerge and grow, establish- Australia’s introductory information on the CDR ing a vibrant and creative data sector that supports outlined important features of how it would function better services enhanced by personalized data. and be implemented. The CDR would allow access to • The Consumer Data Right should be efficient and data held by businesses about consumers and also fair. It should be implemented with security and the products available to them but be limited only to privacy in mind, so that it is sustainable and fair, specific data sets and classes of data holders, setting without being more complex or costly than needed. the general scope of data, yet giving regulators room to make sector-specific decisions as to the merits of The CDR introduction also outlined key use cases for extending the right to different data sets and data the data that would be made more widely accessible holders.196 Consumer scope was set wider than initially in the scheme and outlined its vision for the customer recommended by the Productivity Commission Report journey, in keeping with the first principle for the CDR to include all individuals and businesses (rather than implementation. The introduction describes com- just SMBs), providing the right for those that might parison tools for individuals and businesses to help not be covered by other areas of Consumer Protection better inform their financial services product selection law. The introductory information limited data receiv- and place them in a better position to switch prod- ing participants to “accredited third parties,” neces- ucts or negotiate better deals. The government also sitating the creation of an accreditation process and forecasted budgeting tools that aggregate financial suggesting tiers of accreditation based on data access information across sources and provide insights on and usage.197 spending habits or recommendations for reaching savings goals, improving the customer experience, 195 The Treasury (Government of Australia). “Review into Open Banking in Australia,” 2017–2018, https://treasury.gov.au/review/review-into-open-banking-in-australia. 196 The Treasury (Government of Australia). “Consumer Data Right,” May 9, 2018, https://treasury.gov.au/sites/default/files/2019-03/t286983_consumer-data-right-booklet.pdf. 197 The Treasury (Government of Australia). “Consumer Data Right,” May 9, 2018, https://treasury.gov.au/sites/default/files/2019-03/t286983_consumer-data-right-booklet.pdf. 115 Enablers & Safeguards for Trusted Data Sharing in the New Economy and convenience of using financial services. These use model, with the ACCC, the Data Standards Body and cases are intended to be enabled in a way that is both the Office of the Australian Information Commission seamless, in that is not encumbered by the types of (OAIC), and the Department of the Treasury all playing friction seen, for instance, in the Midata program, and specific roles. makes it clear that consumers are sharing their data, with the option to specify specifically which data will • The Treasurer has final approval for ACCC rules, be shared and for how long. appoints the Data Standards body chair, and works with sector-specific regulators to coordinate As articulated in the introductory document, the implementation. The ACCC is the lead regulator regime will differ from Open Data based on its with responsibility for sector-specific rulemaking consumer-initiated data transfers. Emphasis is placed including outlining the necessary functionality for on ensuring that consumers are well-equipped to the regime in each sector in consultation with the consent to these transfers and understand what they OAIC, the public, and sector-specific regulators, are consenting to, prohibiting open-ended or implied setting accreditation criteria and processes for data consents. The government hopes that these will lead recipients, managing the accreditation register, and to greater consumer choice, convenience, and confi- taking enforcement action in response to serious or dence and eventually a more customer-centric data systemic violations of the Consumer Data Right.199 sector, with providers competing based on their ability to develop products and services that meet individual • The OAIC “will work with the ACCC to inform con- consumer needs and deliver them in a way that maxi- sumers, data holders, and accredited data recip- mizes value for consumers. ients about the scheme” and will also “be the pri- mary complaints handler under the CDR scheme” The CDR is distinguished from other data portability with certain investigative and enforcement powers provisions by the structure of its process for enacting granted to the Australian Information Commis- the right in new sectors, including its mechanisms sioner. 200 The OAIC will also provide privacy exper- for ensuring multiregulator input and allowing spec- tise, advising the ACCC on privacy impacts of its ificity in sector-specific rules. While GDPR includes a rules and supporting the standard setting process cross-sector data portability right, the necessary sup- to ensure privacy protections.201 porting policy and processes to implement that right in sectors beyond payments, where PSD2 and open • The Data Standards Body is responsible for setting banking have initiated this process, have not been the necessary technical standards to enable the enumerated.198 implementation of the Consumer Data Right.202 These technical standards include those related The implementation of the Consumer Data Right to data transfer with an aim of ensuring adequate brings together an even wider set of regulators. safety, convenience, and efficiency, those related Implementation is managed with a co-regulator to data description designed to create consistency, 198 Parliament of Austrlia. “Treasury Laws Amendment (Consumer Data Right) Bill 2019,” August 2019, https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6370. 199 The Treasury (Government of Australia). “Consumer Data Right Booklet,” September 2019, https://treasury.gov.au/sites/default/files/2019-09/190904_cdr_booklet.pdf. 200 Office of the Australian Information Commissioner. “About the Consumer Data Right,” https://www.oaic.gov.au/consumer-data-right/about-the-consumer-data-right/. 201 The Treasury (Government of Australia). “Consumer Data Right Booklet,” September 2019, https://treasury.gov.au/sites/default/files/2019-09/190904_cdr_booklet.pdf. 202 The Treasury (Government of Australia). “Consumer Data Right,” May 9, 2018, https://treasury.gov.au/sites/default/files/2019-03/t286983_consumer-data-right-booklet.pdf. 116 UNRAVELING DATA’S GORDIAN KNOT integrity, accuracy, and clarity while reducing $60 million through 2022–2023, while the OAIC and redundancy and documenting business processes, CSIRO nearly evenly split the remainder.207 While this and those related to security purposes with pro- does include initial funding for the energy sector, this tecting the system. The Data Standards Body works outlay seems predominantly for open banking mean- in a highly collaborative way with sector regulators, ing that implementations in other sectors may require data holders, data recipients, industry solution additional funding. providers, consumer advocates, and working group members to ensure standards are tailored to While still in its early days of implementation in the specific sectors where necessary but created with financial sector, the CDR regime has the regulatory cross-sectoral linkages in mind.203 foundation and organizational processes in place to expand to a wider section of the economy unlike many This co-regulator model sets out a workable struc- of the other countries that have enacted data portabil- ture for coordination between functional and sector ity provisions. regulators which allows for sector-specific customiza- tion while also ensuring some level of harmonization The legislation and implementation of the Consumer across the regime. Data Right has been notably supported heavily by consultation with the general public and specifically The cross-regulator model is further supported by with relevant private sector firms. The most import- regulator-specific budget allocations to encourage ant precedents to the CDR, the Productivity Commis- collaboration. The initial allocation of ~$45 million AUD sion Report on Data Availability and Use208 and the over four years for open banking204 has been supple- Treasury Review into open banking in Australia,209 mented with additional funds for testing and assur- were both the result of open consultations and open ance205 and a related allocation to the same regulatory comment periods. The Consumer Data Right legisla- entities to ensure adequate privacy safeguards. In all, tion underwent two rounds of consultation and two the government will contribute ~$90 million AUD and rounds of open Privacy Impact Assessments210 while 45 staff over 5 years towards the regulators imple- the ACCC’s rules frameworks211 and accreditation menting the Consumer Data Right.206 The ACCC will processes212 for the Consumer Data Right have gone receive the lion’s share of the funding, receiving nearly through public drafting and consultation processes. 203 The Treasury (Government of Australia). “Consumer Data Right,” May 9, 2018, https://treasury.gov.au/sites/default/files/2019-03/t286983_consumer-data-right-booklet.pdf. 204 Brookes, Joesph, “New Consumer Data Right Funding Set To Fuel Open Banking,” WHICH-50, May 10, 2018, https://which-50.com/new-consumer-data-right-funding-set-to-fuel-open-banking/. Accessed December 2019. 205 Pearce, Rohan. “MYEFO: Government funds work on Medicare payments, ATO resilience,” ComputerWorld, December 15, 2019, https://www.computerworld.com/article/3490329/myefo-government-funds-work-on-medicare-payments-ato-resilience.html. Accessed December 2019. 206 The Treasury (Government of Australia). “Consumer Data Right,” May 9, 2018, https://treasury.gov.au/sites/default/files/2019-03/t286983_consumer-data-right-booklet.pdf. 207 Note: Unclear how the 45 Average Staff Levels (ASLs) are distributed across the regulators and whether that is captured in funding allo- cations. 208 Productivity Commission (Government of Australia. “Data Availability and Use—Inquiry Report,” March 31, 2017, https://www.pc.gov.au/inquiries/completed/data-access/report. Accessed December 2019. 209 The Treasury (Government of Australia). “Review into Open Banking in Australia—Final Report,” February 8, 2018, https://treasury.gov.au/consultation/c2018-t247313 210 The Treasury (Government of Australia). “Treasury Laws Amendment (Consumer Data Right) Bill 2018,” August 4, 2018–September 7, 2018, http://treasury.gov.au/consultation/c2018-t316972/. 211 Australian Competition and Consumer Commission. “Consumer data right (CDR): ACCC consultation on Rules Framework,” September 12, 2018, https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0/accc-consultation-on-rules-framework. 212 Australian Competition and Consumer Commission. “Consumer data right (CDR): CDR draft accreditation guidelines,” September 25, 2018, https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0/cdr-draft-accreditation-guidelines. 117 Enablers & Safeguards for Trusted Data Sharing in the New Economy UNITED KINGDOM Data 61 is a division of the Commonwealth Scientific While the UK is seen as a leader in the field, it’s par- and Industrial Research Organization, Australia’s ticular form of open banking differs meaningfully national science research agency, focused on leading from forms in other countries. open banking in the the charge on digital research.215 Data61 claims to be UK is mandated, although only for a narrow number one of the world’s largest digital research and devel- of large institutions, and covers all payment enabled opment organizations, boasting “more than 1,000 accounts for individuals and businesses. It does data scientists and 300+ PhD students from 70 coun- include a reciprocity provision, such that financial tries, combined with talent embedded in 30 partner services firms who opt to receive data under the open universities” and a “global network of third parties banking regime must also share the same relevant such as academia, government, and business, also data. Standards have been set by a government- known as the D61+Network.”216 The Data Standards empowered entity to provide for not only data sharing body is led by an Independent Chair, similar to the and security but also payment initiation and account Trustee of the OBIE, who will provide direction for the portability. Open banking in the UK is focused on standard setting effort, select members of advisory consumer consent-enabled account access and data committees, and ultimately be accountable for stan- transfers and the regulatory focus on ensuring a suit- dards decision-making.217 able customer experience has led to an expansion in the scope of the standards. Data61 has created several iterations of the necessary banking and common API standards and posted them openly on GitHub. Given the more limited scope of CREATING THE TECHNICAL ARCHITECTURE FOR DATA SHARING Australian open banking (including only data access and transfer but not payment initiation), the technical AUSTRALIA API standards are somewhat less complicated but do CDR is also instructive for the large role that the include a number of common CDR APIs allowing for government is playing in standard setting. Through customer identification and endpoint status checks, the co-regulator model, the Data Standards Body is banking-specific API’s to access financial data sets, charged with creating standards for how to share data admin API’s to track usage metrics, security stan- within the CDR scope.213 Data61 (the data arm of CSIRO, dards for authentication and authorization, and data the Australian Government’s research organization) standards to set the schema for certain data types.218 has been appointed as the interim standards body and Standards development has been aided by an advi- is working with the ACCC and the OAIC to design the sory group of various financial sector stakeholders necessary application programming interfaces to allow and consumer advocates219 and more granularly for consumers to access and share their data.214 supported by working groups which have been open to anyone with interest and expertise.220 While input from stakeholders has been widely solicited, the 213 The Treasury (Government of Australia). “Consumer Data Right,” May 9, 2018, https://treasury.gov.au/sites/default/files/2019-03/t286983_consumer-data-right-booklet.pdf. 214 The Treasury (Government of Australia). “Consumer Data Right,” May 9, 2018, https://treasury.gov.au/sites/default/files/2019-03/t286983_consumer-data-right-booklet.pdf. 215 CSIRO Data 61. “Our Values,” https://data61.csiro.au/en/About. 216 CSIRO Data 61. “Our Work Culture,” https://data61.csiro.au/. 217 The Treasury (Government of Australia). “Consumer Data Right,” May 9, 2018, https://treasury.gov.au/sites/default/files/2019-03/t286983_consumer-data-right-booklet.pdf. 218 Consumer Data Standards. “Introduction,” https://consumerdatastandardsaustralia.github.io/standards. 219 Consumer Data Standards. “Banking Advisory Committee,” https://consumerdatastandards.org.au/about/advisory-committee/. 220 Consumer Data Standards, “Technical Working Group,” https://consumerdatastandards.org.au/workinggroups/api-standards/. 118 UNRAVELING DATA’S GORDIAN KNOT government has played a central role in setting a wide transaction accounts will be made available. Around variety of standards, especially in comparison to more six months later, banks will have to share consumer commercially-driven open banking regimes, and has data about credit and debit cards, deposit accounts, set a wide mandate as to who will need to comply with and transaction accounts, and both consumer and these technical standards. product data about mortgage accounts. Another six months later, both product and consumer data for In addition to these technical standards, based on personal loan accounts, as well as transaction data learning from the UK experience, Data61, in its capac- across account types.224 The first deadline, which ity as the Data Standards Body, has also set up a although it has since been delayed on a couple of customer experience working group and published CX occasions, includes a pilot phase to experiment with standards and guidelines.221 The CX standards include the API’s and ensure proper testing prior to going live data language, accessibility, consent, authentication, at scale. This staging of data sets and capabilities by authorization, and consent withdrawal standards.222 respective level of sensitivity and complexity for banks These standards have been “developed for the Aus- of varying sizes can be instructive to other countries tralian context through extensive consumer research, planning similar implementations. industry consultation, and in collaboration with vari- ous government agencies” and supported by “an Advi- UNITED KINGDOM sory Committee, spanning representatives from the The Open Banking experience for consumers in the financial sector, FinTechs, consumer groups, and soft- United Kingdom is enabled on both desktop and ware vendors,” illustrating its commitment to under- mobile application channels. Consumers interested standing user needs and building collaboratively.223 in product or service offers from an existing bank or third party are redirected to the bank that currently Given its role in standard setting within open banking provides their payment account. They authenticate encompassing both technical and customer experience themselves using their existing online banking cre- standards, and ongoing general CDR standards work, dentials and then consent to share their data with the Australian government has delegated extensive the offer provider for a set amount of time. Access to responsibilities to the Data Standards Body in building their account and relevant data is then available to the infrastructure to enable the Consumer Data Right. service provider with unquestioned provenance in a machine readable format with no further intervention Implementation of the standards has been planned as by the consumer necessary. Consumers can revoke an iterative process, allowing regulators and the pub- this consent at any time, are prompted to renew it lic sector to learn from less complex and less sensitive after the set time period expires, and have set chan- pilots early on, in keeping with global best practice nels by which to report suspicious account activity or in open banking. Firstly, the regulation segments other issues. The customer’s bank would be in charge the relevant types of information into tranches and of ensuring the third party requesting data was sets an implementation timeline for data of increas- licensed, authenticating the customer, capturing their ing sensitivity: on the first date, product report data consent, and providing access to the customer’s data about credit and debit cards, deposit accounts, and and account. 221 v1.2.0 available here: https://consumerdatastandards.org.au/wp-content/uploads/2020/01/CX-Standards-v1.2.0.pdf and here: https://consumerdatastandards.org.au/wp-content/uploads/2020/01/CX-Guidelines-v1.2.0-1.pdf. 222 Consumer Data Standards, “CX Standards,” https://consumerdatastandards.org.au/cx-standards/. 223 Consumer Data Standards, “Consumer Experience Standards,” https://consumerdatastandards.org.au/wp-content/uploads/2020/01/CX-Standards-v1.2.0.pdf 224 Australian Competition and Consumer Commission. “Consumer data right rules—data sharing obligations, phasing summary table,” https://www.accc.gov.au/system/files/Proposed%20CDR%20rules%20-%20Phasing%20table.pdf. 119 Enablers & Safeguards for Trusted Data Sharing in the New Economy SPOTLIGHT ON HEALTH SECTOR DATA SHARING: THE PROMISE AND PERILS OF DATA SHARING DURING COVID-19 The COVID-19 pandemic has brought into sharp focus USER APPLICATIONS the promise and perils of data sharing for disease sur- veillance and mitigation in countries across the world. As the pandemic tests governments, economies, and The urgent need for reliable real-time information to health systems, data from individuals’ use of digital simultaneously manage the outbreak, develop vaccines devices has increasingly been used to monitor the and treatments, and mitigate social and economic spread of the disease, provide notification of potential impacts of the pandemic have led to myriad digital exposure, and in some countries, help enforce restric- applications and collaborations between data holders. tions of movement. Digital applications developed by Digital applications that require people to share sensi- governments, as well as private sector companies, tive personal data about their health status, location, have been used for symptom identification and case and social interactions are proliferating around the escalation, contact tracing, and exposure notification, world in response to COVID-19. Governments are col- as well as in some cases, containment enforcement. laborating with telecommunications service providers Several countries have used apps that integrate all to track population movements at scale. New collab- three functions (such as the Aarogya Setu app in orations that combine different types of sensitive and India), while others (e.g., South Korea) have opted for nonsensitive data, as well as personal and nonpersonal separate digital applications for each function. data using machine learning tools to provide insights into the effects of the pandemic abound. PREVENTION AND SYMPTOM IDENTIFICATION In countries with weak data protection frameworks, Mobile applications on smartphones, low-resource these advancements may pose a threat to privacy, text-based, and Interactive Voice Response (IVR) sys- hard-fought freedom, and civil liberties, and normal- tems on feature phones are being used for symptom ize unwarranted surveillance. This case study looks at identification and prevention in several countries. three data sharing use cases and the data governance Some examples include: issues that they pose: (a) digital user applications for managing the pandemic, (b) Call Data Records (CDRs) • The NCOVI app, introduced by the government to inform public policies on movement restrictions, of Vietnam, that enables people to self-declare and (c) data collaboratives for research collaborations. their health status.225 In addition to providing 225 Dharmaraj, Samaya. “Vietnam Launches Health App to Manage COVID-19,” OpenGov, March 10, 2020, https://www.opengovasia.com/vietnam-launches-health-app-to-manage-covid-19/. 120 UNRAVELING DATA’S GORDIAN KNOT information about their own health status, users notify the owners of phones that recently came into are encouraged to report knowledge of suspected proximity of the infected person’s phone that they cases in their neighborhoods. should self-isolate.227 • The World Health Organization has launched a • In Israel, emergency regulation was invoked to dedicated messaging bot in Arabic, English, French, allow for the temporary use of data collection sys- Hindi, Italian, Spanish, and Portuguese along with tems operated by the country’s intelligence service WhatsApp and Facebook to keep people safe from to combat security threats.228 coronavirus. • Singapore has deployed the Trace Together app—a • South Korea requires all travelers to install the voluntary app that uses Bluetooth technology to Self Diagnosis Mobile App on their phones and detect proximity to other users having this same record their daily health status through the app for app. When the app is downloaded, a random 14 days. Failure to comply triggers enforcement number is assigned to the user, and the data is actions.226 stored on the phone itself in an encrypted manner. Singapore’s Ministry of Health (MoH) is the only CONTACT TRACING AND EXPOSURE NOTIFICATION entity that can decrypt this data, and it can request the users to share it if the user is diagnosed with Mobile phone applications have been developed to COVID-19.229 track the movement of diagnosed cases in order to automatically alert people in their proximity that they • Google and Apple have joined forces to launch may be at risk of infection. The intent of these applica- exposure notification apps that work across the tions is to augment conventional contact tracing tech- spectrum of Android and iOS powered phones. This niques, which are highly labor intensive and carried application works on a decentralized model of data out by public health authorities. collection and exposure notification, with users controlling who can access their data. The technical specifications and implementation approaches of contact tracing solutions vary around As the use of contact tracing technology and applica- the world. tions rises, a heated debate on the nature of opt-in/ opt-out clauses for these apps has emerged. In most • In Pakistan, the app relies on a cell phone tracking cases, citizens can opt to temporarily share their system based on call detail records (CDR) data, location data to help with contct tracing. A study by which uses the location of cell phone towers to epidemiologists at Oxford University estimated that identify the locations of users. The system iden- more than half of the population in a given area would tifies the locations visited by a known COVID-19 need to use the app that traces contacts and notifies case over the prior 14 days, enabling authorities to users of exposure, combined with other tactics such 226 Park, Rosyn. “Govt Mandates Travelers From China To Download ‘Self-Diagnosis’ App,” TBSeFM News, February 12, 2020, http://tbs.seoul.kr/eFm/newsView.do?typ_800=P&idx_800=2384604&seq_800=. 227 Jahangir, Ramasha. “Govt starts cell phone tracking to alert people at risk,” The Dawn, March 24, 2020, https://www.dawn.com/news/1543301. 228 Chin, Monica. “Israel is using cell phone data to track the coronavirus,” The Verge, March 17, 2020, https://www.theverge.com/2020/3/17/21183716/coronavirus-covid-19-israel-natanyahu-cellphone-data-tracking. 229 Hui, Mary. “Singapore wants all its citizens to download contact tracing apps to fight the coronavirus,” Quartz, April 21, 2020, https://qz.com/1842200/singapore-wants-everyone-to-download-covid-19-contact-tracing-apps/. 121 Enablers & Safeguards for Trusted Data Sharing in the New Economy as broader testing and the quarantining of vulnerable Data Governance Challenges populations segments, for the app to help effectively Amassing and using large volumes of personal data contain the virus.230 in the fight against the spread of COVID-19 can pose risks to the rights of individuals and communities. Other countries such as Australia, India, and Israel Beyond immediate risks that endanger physical secu- have implemented laws that are harder to opt out of. rity, user applications without the right safeguards In India, several government offices require clearance can lead to disproportionate loss of privacy, long-term by the exposure notification app before permitting risks to freedom, and civil liberties. workers to enter. Western Australia’s Emergency Man- agement Amendment (COVID-19 Response) Bill 2020 Commercial sources of location data vary widely in empowers the state to install surveillance devices in their accuracy, precision, and volume. Importantly, homes, and direct individuals to wear an approved anonymization of location data can prove to be a com- electronic monitoring device. plex challenge, even with the application of privacy- enhancing technologies (PETs). Research has shown CONTAINMENT ENFORCEMENT that complex data sets of personal information cannot be protected against re-identification by current meth- Governments around the world, including Singa- ods of “anonymizing” data—such as releasing samples pore, India, Thailand, Vietnam, South Korea, Hong (subsets) of the information.232 Kong, Israel, Taiwan, and China are combining phone data with human efforts to help enforce quarantine The use of technologies that rely on collecting and compliance.231 processing highly sensitive personal data has the potential to enhance government surveillance capa- • To limit the spread of COVID-19, Taiwan has devel- bilities and/or the power of commercial technology oped a geo-fence, or “electronic fence,” which uses providers. The speed with which many apps were mobile phone location-tracking to ensure people designed and deployed has, in some cases, preempted who are quarantined stay in their homes. Those careful consideration of the safeguards required to who are placed in high-risk groups or identified instill the necessary public confidence in the systems. with COVID-19 are given government-issued The absence of preexisting, well-defined data sharing mobile phones and monitored via location tracking. policies has in many cases exacerbated the issue. This technology monitors phone location data and The push to design and deploy apps to notify peo- alerts authorities when quarantined individuals ple of possible exposure to the virus has exposed a leave their designated shelter locations or turn off consequential power imbalance between the world’s their mobile devices. largest digital technology providers and sovereign states. Early technology design aggregated users’ data • In Poland, the Home Quarantine app requires peo- on a central server to give epidemiologists and poli- ple at risk to upload several pictures of themselves cymakers the ability to analyze how the virus spread to assure the government of their compliance with within and between countries. The updates Google quarantine norms. and Apple made to their mobile operating systems, 230 University of Oxford. “Digital contact tracing can slow or even stop coronavirus transmission and ease us out of lockdown,” April 16, 2020, https://www.research.ox.ac.uk/Article/2020-04-16-digital-contact-tracing-can-slow-or-even-stop-coronavirus-transmission-and- ease-us-out-of-lockdown. 231 TechUK. “How Taiwan used tech to fight COVID-19,” March 31, 2020, https://www.techuk.org/resource/how-taiwan-used-tech-to-fight-covid-19.html. 232 Rocher, L., Hendrix, J.M. and de Montjoye, Y. Estimating the success of re-identifications in incomplete datasets using generative models. Nat Commun 10, 3069 (2019). https://doi.org/10.1038/s41467-019-10933-3. 122 UNRAVELING DATA’S GORDIAN KNOT however, prevents user data from being centralized, CALL DATA RECORDS TO ANALYZE fearing such an approach could enable undue state COVID-19 TRANSMISSION surveillance of mobile phone users.233 Currently, a multistakeholder consortium, the Pan-European Pri- One source of data that has assumed importance is vacy-Preserving Proximity Tracing (PEPP-PT) group is the use of Call Data Records (CDRs). A key driver to developing contact tracing technologies in compliance understand the transmission of COVID-19 is popula- with European privacy and data protection laws and tion mobility, density, and behavior. Anonymized and principles. aggregated data from mobile phones (CDR-derived indicators) can act as a proxy to study human mobility. In addition to the push and pull between govern- ments and technology companies, public outcries Passively generated Call Detail Records (CDR) capture questioning aspects of the technical specifications and the geolocation and time of phone activity (calls and policies associated with state-issued apps in countries texts). The analysis of these CDR-derived indicators, such as India and Australia234 have led to revisions of often in conjunction with other publicly available data app features and enabling legislation in hopes that sets can offer valuable and near-real time insights into strengthening trust will increase their utility in fighting the impacts of mobility in a public health and epidemi- the virus. The example of the Indian government’s ological context. Aarogya Setu (“bridge to health care” in Hindi) high- lights the importance of calibrating consent policy, In some countries, CDR-derived insights are being transparency measures, the proportionality of data requested directly by governments and enabled captured, purpose limitation, and data destruction through flexing regulation and privacy legislation. For policy to enabling trust in systems that share personal example, the European Commission released guid- information directly with the governments. ance clarifying the permissible use of location data under GDPR for pandemic response and there has Careful design of safeguards for data collection and been unprecedented collaboration between gov- sharing can help mitigate some of the risks posed to ernments and MNOs around the use of this data in protecting personal data by user applications. Good several European countries.235 practices include the collection and use of health data for health purposes only, and where possible, to Used effectively and responsibly, this data offers the collect and analyze aggregate data. When this may not potential to support improved preparedness and be possible, the use of privacy enhancing technologies rapidly inform more effective policy and operational (e.g., differential privacy) should be adopted. Data responses. CDR-derived indicators can support fore- destruction policies—such as where data is destroyed casting and early warning modelling based on his- after 14 days unless there is a positive exposure noti- torical patterns of transmission and mobility. During fication—and sunset clauses on emergency measures social distancing, lockdowns, and mobility-based adopted during COVID-19 should be considered and travel restrictions, CDR data can be analyzed to assess implemented where feasible, as well. policy effectiveness. Analysis of CDR data can inform 233 https://www.politico.eu/article/google-apple-coronavirus-app-privacy-uk-france-germany/. 234 Greenleaf, Graham and Kemp, Katharine. “Australia’s ‘COVIDSafe App’: An Experiment in Surveillance, Trust and Law,” University of New South Wales Law Research Series, May 18, 2020, https://poseidon01.ssrn.com/delivery.php?ID=6340871030980220171060841200241120 700550220300670380350660700701180031060760741250731070130200350050311160841170181070050041150170360660650111271 19092073001028050009035101017068007091027089101064112104072020103098008102065099071080008015006108078&EXT=pdf. 235 European Commission. (2020) Coronavirus: Commission adopts recommendation to support exit strategies through mobile data and apps. 8 April 2020. https://ec.europa.eu/commission/presscorner/detail/en/ip_20_626. 123 Enablers & Safeguards for Trusted Data Sharing in the New Economy resource allocation, such as where to place handwash- DATA COLLABORATIVES ing stations, high-traffic corridors, and areas that may be vulnerable to food insecurity where supply chains Accelerating data sharing to address knowledge gaps may need to be bolstered. Analysis of CDR-derived related to the pandemic holds clear potential. How- indicators can also support ongoing epidemiological ever, the utility of some new data sharing applications modelling to inform decisions on reopening regions remains unclear given a range of constraints, from and sectors of the economy. a lack of relevant data to “train” and verify computa- tional models to the enduring “digital divide,” which Countries are already utilizing this data with some leaves many of the world’s most vulnerable beyond success. The World Bank has facilitated data sharing the reach of mobile telephones and internet access. for pandemic response through the COVID-19 Mobil- Some of these applications involve sharing personal ity Task Force. The task force was formed to estab- or otherwise sensitive data, raising concerns about lish partnerships and data sharing agreements with how to best balance individual rights such as privacy Mobile Network Operators (MNOs) and client country against public safety. Questions of efficacy aside, the governments to support access to anonymized and new forms of data sharing prompted by the pandemic aggregated mobility data for COVID-19 response and are forcing quick decisions on trade-offs between recovery efforts.236 competing interests that will provide important lessons going forward. As one academic researcher Data Governance Challenges noted, this crisis has prompted data sharing arrange- As mobility data becomes more ubiquitously used for ments in weeks that typically take years to negotiate public policy, the public benefit of the proposed data because of the complexity of protecting data privacy use should be clearly articulated and be sufficient to and security.237 justify potential risks. Especially as mobility data can be highly sensitive, using anonymized and aggre- Computational modelling is being used to predict and gated data wherever possible should be preferred to monitor the disease across populations, to accelerate granular, small-cell data. The use of the best quality the discovery of a vaccine and therapeutics, to opti- data at a granularity to answer research questions mize medical supply chains, and to improve the effec- without compromising privacy and security should be tiveness of policy measures such as social distancing promoted. and stay-at-home orders, among other applications. This type of data sharing, between institutions, is Beyond its negotiated access, due regard should be increasingly taking place within a new construct paid to modelling likely risks in research scenarios known as “data trusts” or “data collaboratives.” using CDR data with or without additional data sets on a case-by-case basis, so that appropriate safeguards Data collaboratives are an emerging form of collab- can be applied, and results interpreted accurately. oration in which proprietary data held by a private sector entity is leveraged in partnership with another entity, often from the public sector or civil society, in order to create new public value from the exchange. Such collaboratives, or pooling of data between and across sectors, rely on governance models in which 236 World Bank COVID-19 Mobility Analytics Task Force. 2020. https://github.com/worldbank/covid-mobile-data#readme. 237 The Economist. “Countries are using apps and data networks to keep tabs on the pandemic,” March 26, 2020 Edition, https://www.economist.com/briefing/2020/03/26/countries-are-using-apps-and-data-networks-to-keep-tabs-on-the-pandemic. 124 UNRAVELING DATA’S GORDIAN KNOT the data holders agree to shared terms around the and determine when and where to deploy scarce use and processing of the data, as well as the terms of resources such as personal protective equipment and releasing insights derived from analyzing the com- testing.241 The inputs gathered for this effort include bined data sets.238 Different forms of data collabora- public data sets from international organizations such tives have emerged as governments, the global scien- as population information from WorldPop;242 data tific community, and the health care industry work to on Malawi’s health care workforce maintained by the understand COVID-19 and mitigate its impact. WHO;243 and, data related to secondary risk factors such as food insecurity, poverty, and whether available Rapid and open sharing of data is viewed as key to on the Humanitarian Data Exchange maintained by accelerating the scientific research and discovery the UN.244 This public information is supplemented by needed to develop Covid-19 treatments and a vac- and combined with government-held data on disease cine. Numerous initiatives to coordinate data sharing prevalence, health outcomes, and Malawi’s health care among researchers and public health agencies have supply chain.245 De-identified call record data from been established, including the European Union’s Malawi’s large mobile network operator is an import- COVID-19 Data Platform, which aims to enable the ant source of proprietary data added to the mix to rapid collection and comprehensive data sharing of help infer population movement and mixing based on available research data from different sources for the location data derived from phone usage. European and global research communities.239 The G20 endorsed such approaches, calling for collabora- Private entities are also leveraging and processing tion to “collect, pool, process, and share reliable and publicly available and crowdsourced data to offer accurate nonpersonal information that can contribute insights to understand the pandemic. For example, to the monitoring, understanding, and prevention of BlueDot software in Canada uses big data, natural the further spread of Covid-19.”240 language processing, and machine learning to provide insights by scraping data from hundreds of thousands Governments around the world are also leveraging of sources, including statements from official pub- aggregated data sets in collaborative-like structures lic health organizations, digital media, global airline to inform their response. In Malawi, the Ministry of ticketing data, livestock health reports, and population Public Health is working with a team of data scientists demographics. In the case of COVID-19, in addition from the nonprofit CooperSmith to build a regis- to sending out an alert, BlueDot claims to have been try of data sets that can be combined and analyzed able to correctly identify the cities that were highly to yield predictions for a national epidemiological connected to Wuhan to help predict the spread of the model, identify the areas of the country most at risk, virus through travel. Similarly, Metabiota’s epidemic 238 Verhulst, Stefaan, Young, Andrew, and Srinivasan, Prianka. “An Introduction to Data Collaborative: Creating Public Value by Exchanging Data,” GovLab, https://datacollaboratives.org/static/files/data-collaboratives-intro.pdf. 239 COVID-19 Data Portal, https://www.covid19dataportal.org/. Accessed May 2020. 240 SPA (Saudi Press Agency). “G20 Digital Economy Ministers Stress Promising Role of Digital Technologies in Enhancing COVID-19 Response,” https://www.spa.gov.sa/viewfullstory.php?lang=en&newsid=2081034. Access May 2020. 241 CooperSmith. “How to use your data to fight COVID-19: A roadmap for countries in Sub-Saharan Africa” April 14, 2020, https://medium.com/@CooperSmithOrg/how-to-use-your-data-to-fight-covid-19-a-roadmap-for-countries-in-sub-saharan-africa- 8e8b3967ce15. Accessed May 2020. 242 World Pop. “Open Spatial Demographic Data and Research,” https://www.worldpop.org/. Accessed May 2020. 243 World Health Organization. “WHO Global Health Workforce Statistics,” December 2018, https://www.who.int/hrh/statistics/hwfstats/en/. 244 OCHA Humanitarian Data Exchange, https://data.humdata.org/. 245 Held in Malawai’s DHSI2 and LMIS systems, respectively. 125 Enablers & Safeguards for Trusted Data Sharing in the New Economy tracker service is monitoring incidence across 37 countries using 39 public data sources, ranging from the Hong Kong Centre for Health Protection to the World Health Organization. An aggregated view of the data is publicly available. Metabiota has created a near-term forecasting model, which incorporates the known characteristics of the virus. Data Governance Challenges Data collaboratives by definition operate under spe- cific rules agreed to by all entities and often include enforcement mechanisms to ensure that purpose lim- itations are observed and de-identified personal data is not re-identified. Private efforts that rely on publicly available information sources or crowdsourced infor- mation do not raise significant privacy concerns as the ingested data is either nonpersonal or anonymized. However, many governments are either imposing or contemplating far more invasive applications to con- trol the spread of the disease, including information on individuals’ health status, location, movements, and even facial recognition. Across each phase of pandemic response and health systems strengthening, ensuring the privacy and security of the data is paramount. For countries that already have data protection regimes in place, and that have invoked extraordinary measures, a clear path to return to the status quo ante is essential. The COVID-19 pandemic has highlighted both the value of data sharing for supporting policy and decision-making, and the importance of coordinated efforts, long-term investment, concerted capacity building and establishing standards and common approaches. It is too soon to know if these attempts to repurpose existing data sources will have a meaning- ful impact on the fight against this pandemic’s course. However, even in exceptional circumstances, experi- ence is showing that building trust in data protection measures is critical to enabling robust data sharing.