This content was created by the Data Sharing Coalition, one of the founding partners of the CoE-DSC.
Organisations that want to share data face various challenges, including the legal hurdles they have to take. What are legal challenges and best practices with regards to data sharing? We discussed this topic with Andre Walter, who leads the Data Law Solutions team of our participant Pinsent Masons and who is an expert in the field of data protection and privacy. With more than 400 partners and approximately 1,800 lawyers working in offices in 25 countries, Pinsent Masons is one of the hundred largest multinational law firms in the world.
‘First mover disadvantage’
Although most organisations recognise the value of data sharing, Andre often sees that the step to actually start sharing data is still too big. “In the past, I have been involved in a project of a bank and telecom provider, in which they worked on innovative data sharing use cases. In one of them, we investigated the scenario in which a consumer receives an alert on his or her mobile phone when his or her debit card is used, without that person’s phone being near an ATM. This is a perfect example of a use case design that looks beautiful on paper, but might not fly in practice. The moment a party has to take the first step to share their data, doubts and fear arise. Business people immediately think about the competitive value of data and lawyers about the legal consequences of sharing data, e.g. a compliance breach. In addition, the first party that makes its data available often does not immediately reap the benefits. This is a ‘first mover disadvantage’ and ultimately means, that many of these use cases never see the light of day: there is too little trust among the parties.”
The European Data Governance Act brings more legal certainty
What is needed for organisations to make their data available after all? “Initiatives such as MyData contribute to the ethical debate about data sharing and the principle that the owner of the data should always have control over what happens with his or her data,” says Andre. “The Data Sharing Coalition goes one step further by also creating generic agreements of data sharing that organisations can use to share data under the same conditions.” Andre thinks that new European legislation and regulations will really accelerate data sharing. “With the new European Data Governance Act that will be introduced, parties will have more legal certainty. This law perfectly describes which roles and functions organisations can fulfil to share data in a legal manner, for example through data trusts. This ensures lawyers feel more comfortable to check the obligations of both their own organisation and third parties. Both the European Parliament and the European Council have now reviewed this proposal and the law is expected to be introduced next summer. The rapid emergence of this law demonstrates the importance Europe places on data sharing.”
Joint controllership enables all involved parties to jointly fulfil the role of the responsible and mutually commit to compliance obligations. This significantly lowers the threshold for sharing data and makes the parties take shared responsibility.
Best practices from a legal perspective
As the European Data Governance Act has yet to be approved, what best practices in the field of data privacy and protection would Andre recommend to organisations that want to exchange data today? “To be able to determine which data protection risks an organisation is facing, it is important to start by conducting data processing risk assessment (a.k.a. DPIA) so you get a better idea whether you are in line with the GDPR,” says Andre. “In addition, when developing new solutions, it is wise to apply the ‘privacy by design’ principle, so you process personal data in a legitimate way from day one. Even if you do not intend to process personal data during the development of you application or technology, you do comply when it goes live.”
From a legal point of view, Andre believes in the adoption of emerging technologies such as Multi Party Computation (MPC). Andre: “MPC makes it possible to split one dataset into, for example, three encrypted pieces. Obviously, one piece of the puzzle is less risk sensitive than the entire puzzle put together. MPC is a promising technology that is also endorsed by the European Data Protection Board in the context of international data transfer. However, I don’t see MPC being put into practice often yet. Within the Data Sharing Coalition, together with NGOs, Roseman Labs, Sustainable Rescue Foundation, Pinsent Masons and other participants, we set up a use case to investigate how MPC could add value to share data between the parties combating human trafficking.” According to Andre, MPC helps reduce the compliance burden that organisations experience when they want to share data. “The biggest responsibility now rests with the processor of the MPC technology. When using MPC, it makes much more sense to consider a joint responsibility, which is a relatively new concept under the GDPR, so called ‘joint controllership’. It enables all involved parties to jointly fulfil the role of the responsible and mutually commit to compliance obligations. In my opinion, this takes away the ‘first mover disadvantage’, which not only significantly lowers the threshold for sharing data, but also makes the parties take shared responsibility.”
Combining knowledge in the Data Sharing Coalition
By sharing their legal knowledge, Pinsent Masons contributes to the acceleration of (cross-sectoral) data sharing. Andre: “It is a pity that many organisations prevent themselves from gaining more value from data. The Data Sharing Coalition is a great initiative in which knowledge from different areas of expertise is bundled. We believe we can make a valuable contribution with our legal background. Both when it comes to the human trafficking use case and the generic agreements that the Data Sharing Coalition is working on.”
Are you interested in the human trafficking use case? Learn more. We always welcome ideas to define and realise new cross-sectoral use cases of data sharing. Do you have an interesting idea? Please send us an email: email@example.com