Data has the potential to unleash everything from new business models to better-informed pandemic response and progress toward net-zero climate goals, but the lack of global consensus on how to handle it is limiting its use.
The Schrems II decision by the European Court of Justice in 2020, which invalidated the Privacy Shield framework and affected the $7.1 trillion data transfer relationship between the United States and the European Union, is a case in point. Over 5,300 companies relied at least in part on the Privacy Shield framework for transatlantic data transfers. The Privacy Shield framework was supposed to bridge the gap between data rules in the U.S. and the more restrictive EU General Data Protection Regulation (GDPR).
In late June of this year, the European Data Protection Board and the European Commission affirmed the July 2020 ruling by the Court of Justice of the EU that identifying, clear-text versions of EU personal data cannot be lawfully processed in U.S.-operated clouds, regardless of the location of the servers. This poses a major problem, as many companies rely on U.S.-based clouds for processing their data with AI and machine learning.
Some were hoping that a treaty between the EU and the US would resolve this issue; however, an inaugural meeting of the new EU-US Trade Council in late September ended in an impasse.
Technology may be able to overcome what politics can’t. On October 4, Anonos, a World Economic Forum Tech Pioneer, filed a patent on a technological approach that it says will allow companies based in Europe to legally process data in clouds operated in non-EU countries, such as the U.S. and India. By embedding GDPR pseudonymisation and other controls that travel with the data, it says it can ensure zero loss of utility and enable enterprise privacy for on-premises, hybrid cloud and global multi-cloud environments, while ensuring compliance with regulatory and contractual obligations.
It is just one example of how cutting-edge technologies are helping to surmount the seemingly intractable problems surrounding the exchange of data.
“The right technological approach allows both sides to be different, while permitting companies to get the most out of their data,” says Gary LaFever, CEO of Anonos, which has already been granted 12 related patents with more than 80 additional patent assets pending.
Trust requires that data not be identifiable unless permission is given. Traditional de-identification approaches have drawbacks: data suppression introduces inaccuracies; another method, called data perturbation, which shifts things around to reduce likeness or re-identification, reduces the quality and accuracy of the data; adding “noise”, which includes fake information, can introduce errors.
“The reason people process clear text is because attempts to protect the data while in process degrade the accuracy and ability to relink,” says LaFever.
Last summer, the World Economic Forum published a paper, “Redesigning Data Privacy: Reimagining Notice and Consent for human technology interaction”, that described how so-called Fourth Industrial Revolution (4IR) technologies can overcome these kinds of problems and reimagine consent and permissioning mechanisms in different ways.
One privacy-enhancing 4IR technique called pseudonymisation overcomes the limitations of earlier approaches to data privacy by allowing advanced protection technology to travel with the data wherever it goes to ensure a trusted scope of processing. This approach is designed to enable distributed data sharing, combining, analytics, artificial intelligence or machine learning.
GDPR excludes data that can be anonymized, but techniques such as GDPR-compliant pseudonymisation are recommended in Article 25 of GDPR as a measure for implementing data protection principles to protect data when it is in use. Processing of data on clouds based outside of the EU is lawful when conducted on data that has been pseudonymized in compliance with GDPR requirements, provided the GDPR pseudonymisation process and the information necessary to reattribute information to data subjects are under the exclusive control of an EU data controller, says LaFever.
The key to lawful processing in the cloud is to combine Trusted Execution Environments (TEEs), secure enclaves within a computer processing unit that extend the protection provided by encryption for data at rest and data in transit to data in use, with software embodying GDPR pseudonymisation, says LaFever.
“We need to break down the silos between different techniques and not look for one solution. That is the significance of the patent,” he says. “TEE extends the ability of GDPR-compliant pseudonymisation to solve the problem for multi-cloud environments. It means companies no longer have to process unprotected data to get the results they want when leveraging the global cloud ecosystem.”
Anonos’ multidisciplinary approach not only limits re-identification risk, but it also expands opportunities to use, share and combine data and improve the accuracy of analytics, AI and machine learning, says LaFever.
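The split of control described above, as an added example that is not Anonos' patented method or code: a controller keeps the HMAC key and the reattribution table, a cloud function works only on tokens, and the result is relinked on return. The class and function names, the sample records and the use of keyed HMAC-SHA256 are assumptions made for illustration; the TEE is not modelled.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

class Controller:
    """Stands in for the EU data controller: sole holder of key and lookup table."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # never shipped with the data
        self._lookup = {}                    # token -> original identifier

    def _token(self, identifier, purpose):
        # Binding the purpose into the MAC gives each processing purpose its
        # own tokens, so outputs from two purposes cannot be joined on subject.
        msg = f"{purpose}\x00{identifier}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def pseudonymise(self, records, purpose):
        out = []
        for rec in records:
            tok = self._token(rec["email"], purpose)
            self._lookup[tok] = rec["email"]
            out.append({"subject": tok, "spend": rec["spend"]})
        return out

    def reattribute(self, results):
        # Only possible here: the cloud side has neither key nor table.
        return {self._lookup[tok]: value for tok, value in results.items()}

def cloud_total_spend(pseudonymised):
    """Runs outside the controller; sees tokens, never identifiers."""
    totals = defaultdict(int)
    for rec in pseudonymised:
        totals[rec["subject"]] += rec["spend"]
    return dict(totals)

# Constructed sample data, not taken from the article.
RECORDS = [
    {"email": "anna@example.eu", "spend": 40},
    {"email": "ben@example.eu", "spend": 15},
    {"email": "anna@example.eu", "spend": 30},
]

def demo():
    controller = Controller()
    shipped = controller.pseudonymise(RECORDS, purpose="spend-analytics")
    cloud_result = cloud_total_spend(shipped)
    return shipped, cloud_result, controller.reattribute(cloud_result)

if __name__ == "__main__":
    print(demo()[2])
```

Because the tokens are deterministic within one purpose, the per-subject totals match what clear-text processing would give, which is the accuracy and relinking property the suppression, perturbation and noise approaches lose.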
Getting To Better Outcomes
Advances in 4IR technologies are important, but to fully unleash the power of data, what is needed is a system and a technical and policy framework that empowers every actor, says Sheila Warren, the Forum’s Deputy Head of the Centre For Fourth Industrial Revolution Network.
Traditional business-to-business digital platforms do not offer full data portability, which limits the possibility of combining personal, commercial and government sourced data for multiple purposes, while still respecting rights. The Forum is working on ways to move to permission-based access to data across companies, industries, governments and borders, in order to enhance research and government services and allow the creation of new business models. Data exchanges could give companies and countries access to enriched data sets to help them compete with large technology companies. They could also help empower individuals, giving them more say over what is done with their data and the opportunity to get something in return.
To that end, the Forum is running pilot projects in Finland, Japan, India, and Colombia. “We are looking at different contexts and different sectors to figure out how to exchange data and provide access to data in ways that are respectful of people’s rights and permissions,” says Warren. “How do we respect all of that and still provide access to these insights across all society? Can we create a framework that will enable us to think about these subjects in a global way?”
If the right technologies and policies are put in place, there will be benefits across the entire ecosystem, says Warren. “By leveraging data, we will get better outcomes.”