How to get insights from data shared between organisations while also safeguarding sensitive data? Both data spaces and Privacy Enhancing Technologies (PETs) can do this. But despite this similarity, the development of data spaces and PETs is driven by two different communities with different approaches. Real progress can be made if we combine both methods. This combination enables us to get insights from larger numbers of (privacy sensitive) data and still meet the required privacy protection.
Conclusions in whitepaper confirmed by Spanish AEPD
Freek Bomhof and Harrie Bastiaansen (and others), both consultants at TNO and affiliated with the CoE-DSC, recently published a whitepaper on this subject; ‘Leveraging the benefits of combining data spaces and privacy enhancing technologies’. Their conclusions about the advantages of combining data spaces and PETs are now being confirmed by the Spanish privacy Authority (AEPD) and The European Union Agency for Cybersecurity (ENISA). In their report about the workshop ‘DATA SPACES IN EU’ : Synergies between data protection and data spaces, EU challenges and experiences of Spain”, they stated that including GDPR principles in the design of data spaces is a clear requirement to reach the data sovereignty goals of data spaces.
Scalable data sharing
In their whitepaper Harrie Bastiaansen and Freek Bomhof clarified that both data spaces and PETs emerged in response to the need to share data between organisations in a trusted way. PETs are used to get the outcome of a data analysis without having to view the data itself. So the data used for the analysis isn’t traceable to an individual. This is very relevant but not scalable, since a consultant always has to set up a new tailormade combination of PETs for each new analysis in order to perform it. Another scalability challenge arises when you want to combine PETs of different vendors. To do this, some form of standardisation between organisations is needed. Applying PETs within data spaces can help, because involved parties have to adhere to agreements and standards that are already used in a data space. Read the interview with Harrie and Freek to learn more.
Sharing succes cases will help overcome hessitance
In their report, the AEPD defined the term ‘sharing’ as ‘accessing and processing’, which is not the same as personal data transfer and copy. This is an essential observation, which fully resonates in the PET community. Furthermore, the Spanish AEPD emphasised that, to achieve data protection by design and by default in European data spaces, standardisation plays an important role. Technical standards in general foster trust among different actors in data spaces and provide common baseline benchmarks. Creating trust is essential, because the Spanish AEPD sees that organisations are hesitant to share data using PETs or other technologies due to two reasons:
1. A lack of awareness about these solutions
2. A lack of regulatory guidance on the matter
Sharing success cases of data sharing will surely help to overcome this and will result in more trust in new technologies.
