
The event “DATA SPACES IN EU: Synergies between data protection and data spaces, EU challenges and experiences of Spain”, organized by the Spanish Data Protection Authority (AEPD) and the European Union Agency for Cybersecurity (ENISA), addressed the European Data Spaces Initiatives from a privacy perspective on October 2 in Madrid. In it, the director of the Chair of Privacy and Digital Transformation of the University of Valencia and member of IRTIC, Ricard Martínez, contrasted the impact of the Data Act, Data Governance Act, European Health Data Space Regulation and elements related to their interaction.
"After analysing the provisions of each of these regulations, it is clear that the legislator's objective is to combat what academics have defined as the fallacy of consent," said Martínez. In other words, it is a policy that "complements the rights of transparency and direct control over the individuals' personal data."
In this regard, he listed direct access to data by the data subject, purpose limitation on data processing and access to related health data for primary uses, the right to transfer data to third parties other than the main controller, and the high capacity for data sharing in data altruism activities.
In the opinion of the chair's director, most of the consents obtained for secondary use of data have serious problems of validity, for reasons such as the user not understanding privacy policies that, for example, ask for consent "to improve the user experience," as they put it. The data subject "faces services in a near monopoly regime," adds Martínez, and "there is a situation of imbalance, particularly in the case of social networks, internet services and health research."
The three regulations mentioned aim to provide, therefore, a framework for decision making and data portability (Data Act), new rights of control over secondary uses (data altruism) and control rights over primary uses in health and development of the provisions of Articles 6 and 9.2 of the General Data Protection Regulation (GDPR) in the EHDS.
The capacity to design dynamic consent wallets is among the specific challenges this poses for data holders and data spaces, as well as ensuring hybrid methods for collecting consent that manage cultural risk in the digital divide and managing the generation of digital evidence, the privacy expert notes. In the latter case, he lists human support in the physical world, clear and understandable wording for consent forms, use of video interfaces integrated into mobile phone environments, consent in steps with multiple layers of transparency, and double-check validations.
As for reputational risk management, "we must be fair to the data subject and provide transparency in the return of results by indicating what their data has been used for" and "improve the ways in which we communicate our activities to the media," remarks Martínez.
The director of the Chair of Privacy and Digital Transformation at the Universitat de València and member of IRTIC pointed out additional issues in this area, such as environments where providing consent is not a good idea, the recovery of the idea of the common good, and the danger that collecting explicit consent for specific research will be undermined by "click fatigue." On the other hand, the new legislation presents new opportunities and challenges in data processing, the result of lessons learned from the divergence of national health legislations.
The European Union, Martínez opined, is defining a human-centered approach to digital transformation by promoting public and private intermediation services, as well as specific European data spaces. "Most of these policies could learn from European research-funded projects," the expert added.
"As defined by the new legislation, the main secondary purposes of data processing are directly related or similar to research and innovation activities," commented the chair director, so "we are dealing with different national legislations implementing the GDPR, and the soft law provided by regulators increases divergences". Furthermore, he continued, "federated data spaces provide a methodology for processing data locally under national laws and it seems that the only way to process data on a trans-European scale requires anonymization".
The expert commented that this will be problematic because there is no agreement on what anonymisation means. He considered it necessary, despite the difficulties, to "build a new culture around privacy-enhancing technologies that are compatible with pseudonymisation scenarios" and to focus, in addition to interoperability, on security, traceability and local availability.
Among the new procedures at different levels that Martínez deemed necessary to take into account in data spaces, one was providing legal governance at all steps: through the management of data space services, the promotion of clear rules and specific agreements on data sharing and terms and conditions, and the adoption of specific binding user policies on data processing, traceability or no re-identification clauses.
Another was to provide organizational governance on ethics through the definition of legal and ethical requirements, including new tools such as AI risk assessments, and the implementation of procedures supported by data access committees or collaborations with new stakeholders such as Health Data Access Bodies.
Martínez also mentioned the definition of high-quality support staff in these aspects, referring to Data Protection, Security, and Chief Data Officers, compliance experts, including AI, and data analysts, among others.
To conclude, the privacy expert stressed the need for "a new approach by independent authorities. Most of our future processing activities will be on the frontier of a sandbox. Now is the time to learn together by building the European Dream on Digital Transformation".
IRTIC is participating in the CHAIMELEON project, an initiative that will establish a structured EU-wide digital information repository of health imaging data. The repository will be used, among other purposes, as a controlled open source for artificial intelligence experimentation in cancer research. The institute focuses on verifying that the system has been designed based on the necessary privacy and security principles, so that research can be conducted with the information available in the infrastructure without undermining the rights of the individuals from whom the medical images have been obtained.
In this line of protection of the data used, the institute is involved in WELLBASED, which aims to alleviate energy poverty among the most vulnerable and disadvantaged people, while promoting energy efficiency behaviors and reducing energy demand in these households. It is doing the same in AI4HealthyAging, an AI-based solution that will enable early detection and rapid action in neurological, motor, and degenerative diseases resulting from aging.
More information on AEPD’s website.