IGF 2023 - Day 0 - Event 42 Trusted Personal Data Management Service (TPDMS) Program

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> NAOYA BESSHO: Shall we start.  Thank you for joining our session, the session for the Trusted Personal Information Management Service, TPDMS. 

     I'm representing Information Technology Association Japan, IT Renmei, or ITR for short.  My name is Bessho, Director of IT Renmei and the head of its Personal Data Bank Promotion Committee.   I'm moderating this session today. 

     IT Renmei is providing certification for Personal Data Bank.  We call it "joho ginko" in Japanese. Joho means information and data.  And ginko means bank.  We use that word "ginko" because bank is a symbol of trust.  I'm not sure today if people trust bank or not.  However, traditionally bank is a symbol of trust.  Especially in Japan. 

     Today, Sakimura san works for TPDNS project on the special risks in this area for presentation on TPDNS.  She will explain what is Personal Data Bank and function of certification and so.  Then we will have comments, opinions, or questions from excellent commentators.  We expect Sako san, a Professor at Waseda University, to make comments on human-centric approach and information bank.  And we expect Christian san, from OECD, information economist, policy analyst, innovation in OECD to make comments on enhanced data access and trusted data intermediaries.  And then if we have time, I would like to ask participants in the hall questions or comments. 

     So, firstly, Sakimura san, please start your presentation with a brief introduction of yourself.

     >> NATSUHIKO SAKIMURA: Thank you very much for the introduction.  Good afternoon, everybody, and good morning, good evening elsewhere for the online people. 

     I'm Nat Sakimura, and I'm going to take like 20-25 minutes to explain what this TPDMS Information Trust Bank or Personal Data Trust Bank means and what kind of scheme we are running in Japan.  Hopefully it's going to be informative for you guys.  And we would probably have a good discussion about those as well. 

     So, data free flow with trust.  Do any of you guys have heard of this word DFFT?  Like half.  Yes.  So it was one of the keywords mentioned in G20 Osaka Leaders Declaration back in 2019. It was the clause 11.  I will just read it out: Cross-border flow of data, information, ideas and knowledge generates higher productivity, greater innovation and improved sustainable development, while raising challenges related to privacy, data protection, IPR and security.

          By continuing to address these challenges, we can further facilitate data free flow and strengthen consumer and business trust.  Let's skip.  And such data free flow with trust will harness the opportunities of the digital economy.  And what we call is Personal Data Trust Bank or "joho ginko," we believe is one of the very useful facility to enable this DFFT.

     So today, there are three sections in this session.  First, I will talk about information bank, quote-unquote.  That's "joho ginko".  And then I'm going to explain about certification of information bank done by IT Renmei.  And then we will get into a discussion. 

     Now, about the information bank.  A lot of data right now is in locked in the corporate context in the CRMs, customer relationship management.  Do you guys know CRM, the word CRM?  Customer relationship management.  Not so much.  All right.  Customer relationship management is a scheme that the corporations, enterprises capture the personal data of ours and use that to contact us or market towards us.  You know, sending the e-mails and things like that.  To enable one-to-one marketing, that is called CRM.  So that's customer relationship management. 

     And what is on the right-hand side within orange is VRM.  Vendors relationship management.  This is the flip of that.  It is one of the concept which was proposed by Doc sans (ph) who is in the Bachman Centre.  That instead of corporations making guests work on to what we want, we as an individual should express what we would like to get, what kind of things we want to get.  So instead of just being receptive, we transmit our information at our will to express our desires.  That is VRM.  And that is very, very person-centric. 

     But at the same time, the individuals, the users has to bear its consequences as well.

     So the responsibility lies in -- a lot of responsibility lies into the individuals.  And for many people, that is a little bit too much we felt.  And in Japan, we were seeking a further way which would enable individuals but don't put too much responsibility onto them.  So in the sense the consumer protection considered into VRM kind of things.

          And that's how we came up with this idea of Trusted Personal Data Management System or information bank.  Here, the -- on your left-hand side, personal data is captured in company A, B, C.  And they are stored there.  They are the data holders.  And we, individuals, are at the centre.  Instead of controlling those data sources directly, there will be a data intermediary called Personal Data Trust Bank into which we entrust our data.

          So the Personal Data Trust Bank can draw data from the data sources and store in the Personal Data Trust Bank and can provide those data for the use by company X, Y, Z, on the right-hand side according to our wishes.  We don't have to manage the relationship directly, but it is a trust relationship between the data intermediary and the individuals.  And data intermediary, the Personal Data Trust Bank is going to make sure that the data is going to be kept safe, used ethically and for the purpose and the user is protected.  So that's the main concept.

     The legal structure on the scheme is soft law or co-regulation based.  It's a public/private initiative.  The main -- the two, you know, the factors in this, number one and number two in the slide.  Number one is basic Act on Advancement of Utilizing Public and Private Sector Data which was enacted in 2016 and promotes appropriate utilization of personal data by multistakeholder under participation of the individuals.  So that's one of the basic legal premises.

     And number two.  An interim report by working group for data utilization in Artificial Intelligence and IoT era.  That's from National IT Strategy Office of Cabinet Secretariat and came out in February, 2017.  And it says, Personal Data Trust Bank as effective framework to promote personal data utilization and the participation of individuals. 

          With those in mind, the regulators and the private sectors are working together to form this co-regulation scheme.  On the left-hand side, it is regulator side.  The interim report by ICC and MIC.  Minister of Internet Affairs and Communications on the scheme by private body to socially acknowledge qualified Personal Data Trust Bank.  This is necessary because individuals won't be able to find out whether the company is actually safeguarding our data or using our data ethically.     So this kind of certification scheme was conceived. 

     And in response, IT Renmei made the policy recommendation for TPDNS certification at Working Group of ICC in 2017.  And in that we proposed the mandatory Data Ethics Board and create a privacy notice as binding standard contracts and other requirements for operators.  Also, with the interim report the MIC and METI created guidelines on certification Personal Data Trust Bank version one back in 2018.  And it set out qualification and model terms and conditions, and governance for individuals' controllability and trust. 

     And based on that, IT Renmei created guidebook version 1.0 for TPDMS certification application.  And based on the guideline, we started TPDMS certification programme for safe and secure services and operators.

     So to sum up, Personal Data Trust Bank is a service to utilize systems including PDS and manage personal data based on entrustment agreement on the data utilization with individuals.  And a service to provide such data on behalf of the individuals to third parties in accordance with the instruction of the individuals or pre-specified conditions and a service to judge the appropriateness of the processing of the data.

     Now this is -- it is in a small font.  I'm not sure if you can read it.  But it's a summary of the guideline version one on certification of Personal Data Trust Bank.  The certification service sets a criteria for individuals to choose safe and secure Personal Data Trust Bank.  And the voluntary certification focus on the flow of personal data and the individual's participation and securing reliability and trust from individuals.

     And so it is a combination of a certification criteria and model terms and conditions and governance structures.  Certification criteria encompasses management system, information security, specification of collection method and purpose and utilization of personal data, functions for individual controllability such as user interface.  So we make required user interface components.  And governance systems such as Data Ethics Board organized by multistakeholders is also there as a requirement. 

     And liability for damages against individuals has to be borne by those Personal Data Trust Bank.

     We also set out model terms and conditions.  We provide concrete conditions for contractual agreement for entrustment such as scope of operations, effective consent under the Act on the Protection of Personal Information for providing personal data to third parties and other obligations.  So it is not free for the organizations who subscribes to this information bank scheme to set their own terms, but the terms and conditions actually has to include all of those terms which is included in the model terms.  And the governance aspect covers eligibility of the certification body, the method of examination, measures for breach of certification criteria, contractual agreement with certified Personal Data Bank and governance systems of certification body.

     And those corporations or organizations who got the certification will be granted the TPDMS mark.  TPDMS mark could show to the individuals that the organization is safekeeping the personal data.  That as a Personal Data Trust Bank and international standards for privacy protection and information security such ISO 29100 and 27001 is being followed.  And TPDMS stands -- formally stands for Trusted Personal Data Management System, but we use a catch phrase as third way for personal data ecosystem, participation of individuals, data free flow with trust, multistakeholder governance, and soft law as well.

     All right.  Now let's get to the second point.  The certification as an information bank by IT Renmei.  IT Renmei, or Information Technology Federation Japan was established in July 2016.  The president is Mr Kawabe Kentaro, who is a representative director of Yahoo! Foundation.  And one of the largest federation in IT Renmei -- is one of the largest federation of IT industry in Japan.  Over 60 associations and around 5,000 companies and around four million employees are covered.  IT Renmei is association of association.  So the companies are actually not directly members of the IT Renmei.

     In the current landscape of data flow, the data flows from the data sources to data destination without much clarity.  In this picture, I have put the black box into it, but we really don't have too much visibilities onto what is happening on our data within the flow.  And even if there is not black box intermediaries, information asymmetry abounds and not enough trust was formed for data to freely flow per DFFT. 

     These individuals may wonder is my data treated fairly and are they not misused, right?  And then from the data source, they cannot know if receivers are good or not.  And from the data receivers' point of view, they cannot know if the data has been given lawfully or not.

     We need to improve the transparency, accountability and participation and control to cope with this situation.  And TPDMS, also known as Trusted Personal Data Trust Bank, is a mechanism that reduce this information asymmetry.  So it will provide transparency, accountability, participation and control so that individuals will say okay, transparency is good and are control locks. 

          And from the point of view of the data providers, they now know that the -- their receiver follows good practice.  And from their receiver's point of view, they can say that we can now use the data as it was collected and released legitimately.

     And to achieve that, we have created a new trust service, TPDMS certification scheme.  A new trust service, Trusted Personal Data Management Service, also known as Personal Data Trust Banks or information banks access hubs to provide standardized contractual relationships.  So it improves transparency, ensures user participation and control, greatly reduce number of contracts, enforces legal entity KYC.  Ensures the use of data will be ethical and enforces that the data recipient follows good practice or standards for privacy and security.  And provides assurance for individuals and the TPDMS certification scheme ensures that handling of data at Personal Data Trust Banks are following standards and ethical.  And proper oversight of its processing as well as that of the source and the destination of data is implemented.

          There are many requirements, but to cite a few, the service has to provide easy to operate user interface for controlling the data processing.  And control things such as traceability like viewing history of provision of data to third parties.  And ability to suspend third-party provision or we also call it as withdrawal of consent.  And the request for disclosure of personal data pursuant to Article 28 of APPI is there.  And the mechanism to achieve that is provided by Personal Data Bank. 

     That's going to realize that, you know, using the easy to use interface.  So during the certification scheme, we check the user interface as well so that if from the consumer point of view it is deemed to be easy to be used.

     TPDMS certification.  There is another example that I want to cite.  Data Ethics Board oversees the activities of the Personal Data Trust Bank and makes sure that all of the processing of data is in accordance to ethics and ethical standards.  We also have relationship with ISO standards.  Current certification scheme is based on security management and privacy enhancement standards.  And for the security management we are looking at ISO/IEC 27001 and 27002, commonly known as ISMS.  And for the privacy enhancement, we are basing on ISO/IEC 29100 framework and 29134 privacy impact assessment guideline.  29182, online privacy notice and consent.  And 27701, extension to ISO/IEC 27001 and 27002 for privacy information management. 

     It is good if they could cover everything that we want it to do, but it actually didn't.  So on top of that, we also put some additional requirements and controls.  And that is how we are operating TPDMS certification scheme.  All right.  So that is a general description of TPDMS.  And perhaps we can get into the discussion on that.

     >> NAOYA BESSHO: Thank you, Sakimura san.  Although, as you understand, TPDMS scheme is a little bit complicated, we much appreciate Sakimura san's explanation will be helpful or useful to understand the TPDMS to everyone here.  So, Sakimura san, could you make comments regarding Personal Data Bank structure and certification system, especially from human-centric approach point of view.  And, if any, please keep other questions or comments from your point of view.  Before your comments, please introduce yourself briefly.

     >> KAZUE SAKO: Okay, thank you.  My name is Kazue Sako.  I'm a researcher in security and privacy. 

     And, while as a consumer I would be very interested in this activity because nowadays, all of the data -- sorry, all of the shops or all of the places where I do consume services, they all have my data digitally.  But what I have is only paper receipt.  Right?  So I only have paper receipt, and this was what I was doing this morning.  So I have to type in again looking at the paper receipts and do my own personal housekeeping books, right. 

     But in reality there are already data about me in all of these companies' database.  So how can I not use that?  And that will be very convenient for me to do housekeeping and also to have these data empower myself.  How can I leverage my everyday life if I know more data about me.  So, therefore, I really expect information bank to gather all of the information about me that I might not know and so that I can use it for myself. 

     And I would be also interested in knowing which company is interested in my data because I don't know them.  And currently, I think, all of these datas are exchanged in places where I don't know.  So, having this information bank, that would give me more transparency in seeing who is interested in my data.

     Having said that, this activity has been in Japan for more than five years.  And it is -- I'm not using any information bank so far.  What is the reason -- so this is going to be my question.  What is the reason it is not there yet?  And what would be our next step forward to make this really happen?

     >> NAOYA BESSHO: Sakimura san.

     >> NATSUHIKO SAKIMURA: So, it's a very good question.  And there are several reasons for that, I think.  But one of the main reason is that there doesn't seem to be a lot of data available for entrusting to the Personal Data Bank, right.

     In Japan, unfortunately, we don't have mandatory data portability.  We can in principle, as of April last year, access the data.  But it is -- if you try that, it is really hard.  And the data you are going to get is likely to be PDFs, which is not reusable.  So it is not useful in this context.  So unless that kind of thing is solved, it might be difficult to get it flying.  Well, that's my take.

     >> NAOYA BESSHO: Sakimura san, as you explained, there is a kind of guideline with respect to TPDMS.  From your point of view, the guideline should be based on suitable for the Japanese industry or not?

     >> NATSUHIKO SAKIMURA:  Which guideline?

     >> NAOYA BESSHO: The guideline just for the "joho ginko."

     >> NATSUHIKO SAKIMURA: Again, this is just my personal opinion, but I guess we need a little bit more incentive or sticks for the corporations to actually adhere to the good practices.

     >> NAOYA BESSHO: Thank you.  Then Christian san, could you please introduce yourself and make comment, especially from in-house data access and trusted data intermediary point of view.  In addition, if you could explain OECD's projects or programme regarding TDI.

     >> CHRISTIAN REIMSBACH: Yes, thank you.  Thank you very much.  And also thank you very much for inviting me and giving me the opportunity to talk to you linking the OECD work with the discussion happening here on information banks. 

     So my name is Christian Reimsbach.  I have been working for the OECD now for 15 years.  A little bit more than 10 years on data governance issues.  We have explored basically the role of different kind of mechanisms from legal to technical to organizational mechanisms to facilitate data sharing.  And maybe one point, a little caveat that what I'm basically now about to say and comment on is not the official view of the OECD but my point of view as an expert having worked, as I said, more than ten years on data issues. 

     The very first point that I wanted to make is in terms of information banks is that I wanted essentially to congratulate you, congratulate Japan for basically taking leadership in this area.  Because having looked at the TDI, standing for Trusted Data Intermediaries, you will note that the concept of information banks is actually something relatively new compared to when looking at what is happening around the world.  I mean essentially discussion on information banks started already 2010, right. 

     And by that time, there weren't really a lot of countries talking about similar things.  Nowadays, we have other concepts that are comparable.  For instance, some of you may have heard about data trusts, may have heard about personal information management systems, may have heard about data stores and so on.  So there are many similar concept that have now emerged that are similar. 

     Now, some of you may argue what about data brokers because that concepts has been a long time out.  But there is a fundamental -- obviously a fundamental difference between a data broker and information bank, which is essentially that the information bank is still acting on behalf or in the interest of the data subject, right.  Which is not necessarily the case of a data broker who is essentially controlling and commercializing the data for its own benefit.  That is an important difference. 

     Now, another point where I also would like to congratulate you is the concept of certification because a lot of our work has shown that when it comes to those kind of, let's say, actors and institution as a consumer in particular you face a problem that you don't necessarily know who to trust.  If you look at the market there may be a lot of personal information banks and then the question can I trust my data.  And it is very obviously difficult for a consumer to do the assessment of the quality of such an institution, which is why we definitely are looking at this, welcome this kind of approach.  And the government also stepping in and providing the certification.  And when you know the government has certified something, basically you can trust it.  That is definitely a good thing.

     I would like now maybe to point to some, I wouldn't say criticism, but let's say questions that I have.  Knowing also or noting that I don't obviously know a lot about information bank, we are essentially now starting this in depth in our work.  The very first one is, indeed, what you mentioned on the question about data portability.  A lot of interesting initiative are happening in other countries.  The Article 20 of the EU GDPR that gives you a right to data portability.  

     So in the EU, every citizen has a right to have his data be ported, transferred in machine readable format so it doesn't refer necessarily to PDF which is maybe digital but it's not necessarily machine readable in that sense.  This is one of the point that we have observed when you look in particular at the EU is that the problem there is that citizens have a right to data portability.  But it is also not picking up really.

     One thing that the European Commission, among others, considering is indeed to look into should we maybe have intermediary step in.  So some of you are maybe familiar that there is now in the EU a Data Governance Act.  And in the Data Governance Act there is actually provisions that refer to intermediaries or data intermediaries.  So there seems to be the recognition that your data portability right is not enough, you need to have something that makes it actually practical and operational.  And maybe this is, indeed, something that is eventually missing here where you have the information bank but you don't necessarily have a data portability right that gives people a kind of mechanism to really ask, a right to basically ask the data to be transferred to a third-party so it can be reused. 

     Maybe a few other questions that I have.  The question about to what extent do you, also companies', potential clients of the information banks, because I'm referring also to this, I'm thinking about the data portability in Australia.  There is in Australia, as some of you know, there is a Consumer Data Right.  And what is interesting about that from the data portability perspective, which is essentially a data portability regime, is that this right is a right that is not only granted to individuals but also to small and medium-sized enterprises.  So some small enterprises have a right to data portability. 

     So the question is, is it also something possible here in Japan where as a small business I may also have an interest in having my data that is stored, let's say, in a cloud.  And if I want to transfer my data from one cloud provider to another, that kind of thing may be also useful.  So this is also something to raise as a question.  The other one, this will be my last one for now, I don't want to talk too much.  The question about how much control do you have as an individual.  Meaning, for instance, there is a concept of data trust that is out there.  And that has raised a lot of interest in particular in the context of AI where you see countries like the UK or Canada are promoting this as a way to basically enable data sharing and make it available for machine learning. 

     And the question that is often not really considered or an issue eventually is that as once the data is essentially in the control of the data trust, it is assumed that the trust will always act on behalf of the consumer.  So no granular control mechanism that I have as a consumer to say I don't want to have that data now shared with that.  It is basically now you can revoke your rights and so on, but you don't have granular control. 

     And so my question would be when it comes to the information banks, how much control do I have as a data subject?  Is it once it is out there that I have to assume that the information bank will act on my behalf essentially like a data trust?  Or is there some kind of mechanism where I can control?  So thank you very much.

     >> NAOYA BESSHO: Thank you very much, Christian san.  The first question, Christian san, how do you think about the data portability and DPI?

     >> NATSUHIKO SAKIMURA: I believe data portability is the missing part in the system so we need it.

     >> NAOYA BESSHO: You are thinking that in Japan we should have such system?

     >> NATSUHIKO SAKIMURA: Yes, I'm really hoping that it's going to be implemented.

     >> NAOYA BESSHO: And your opinion on that point?

     >> KAZUE SAKO: The data portability? 

     >> NAOYA BESSHO: Yes.

     >> KAZUE SAKO: I really want that because that would be necessary to do my housekeeping and books.

     >> NAOYA BESSHO: Thank you very much.  So the second point that potential clients.  So Sakimura san, do you think we will be able to get success to get more potential client in our scheme? 

     >> NATSUHIKO SAKIMURA: So that depends on how much data we can actually access and utilize. 

     >> NAOYA BESSHO: That must deeply relate to the data portability.

     >> NATSUHIKO SAKIMURA: You are right, yes.

     >> NAOYA BESSHO: And third question.  How much and to what extent the individual should have the control using the TPDMS?

     >> NATSUHIKO SAKIMURA: So TPDMS is actually making it mandatory to have very granular control on what you can do with the data.  All right. 

     And in the beginning you are going to set up the general rule, right.  But, you know, after awhile you may change your mind, right.  So you should be able to go into that and tweak the -- how the data going to be treated.  So that is what we are doing.

     >> CHRISTIAN REIMSBACH: I have a follow-up question because it is, indeed, very interesting.  Because when I saw the, one of the slides, it actually suggested that there is a -- because all of the data essentially is stored at the original data holder which can be a company, a commercial entity and so on.

     And if I -- I mean one thing that I didn't understand is if the idea is also to transfer the data from the data holder, original data holder to the information bank?  And I'm asking this question following what you just said because, as you do know, there are mechanisms like, you know, what we refer at the OECD as privacy enhancing technologies where you can do something like federated learning where you keep the data essentially there.

     So I wonder if when you talked about the mechanism, does it include that as well?  These kind of mechanisms where you basically don't have to download the data and control it but basically have some kind of federated control mechanisms.

     >> NATSUHIKO SAKIMURA: Potentially.  But right now it is all of the data download and control kind of control, yeah.

     >> NAOYA BESSHO: Do you have any other questions or comments?

     >> CHRISTIAN REIMSBACH: I definitely just wanted to follow up to say that this is -- I don't know if I mentioned this. 

     Briefly was mentioned that we are working on trusted data intermediaries, but one of the reasons also why I was very excited to be here is actually to learn about information bank so that we can study this in more detail.  So for the people in the room, stay tuned. 

     You will see OECD report basically coming out next year where we will feature also information banks.  But also other kind of intermediaries.

     >> NAOYA BESSHO: Thank you very much.  We just have a few minutes, but I would like to have questions or comments from the floor.  So anyone?  So please use the microphone.

     >> CHRISTOPHER WILSON: Thank you.  My name is Christopher Wilson, I'm Executive Director of My Data Global. 

     I was hoping you could unpack a little bit more the incentives for data holders to enable data portability.  I think we all agree that is kind of a holy grail, no one would argue against that.  But there is a whole host of assumptions about what might make it possible.  We could talk about the sticks.  And I think even in Europe where we do have the GDPR article, it is largely not actionable.  It is just too complicated and difficult for users to use.

     And there's been important developments, notably the Digital Markets Act now requires data portability in any case of gatekeepers.  But it's unclear how that's going to play out.  So it's easy to think that for regulation to incentivize might it take quite a bit of time, legislation hasn't been started. 

     One might also think about the carrot, the positive case.  What is your feeling on the ability to make a business case to data holders to enable the data portability either by facilitating it or opening up for other services or users to do it?

     And then lastly, I think it is reasonable to assume that if we think about the relationship between the number of data holders that provide data portability and the amount of value that it provides to users, it will be a hockey stick graph, right?  If I have just one or two services that are providing me with data, it is really not worth very much.  If I have 80% of the services that I use within one sector, then it starts to give value.  But it really gives value if almost everything I use is providing that.  But if a lot of those are small companies and not affected by legislation like the DMA today, how do we incentivize that?  Does that require a kind of culture change across markets?  And how do we get there in places like Japan?  Thanks.

     >> NAOYA BESSHO: Yes.  So, unfortunately, our time is over so it is time to close. 

     So yes, we would like to continue your question outside of the room.  So thank you very much for attending today, the session.  We are so happy if experience on TPDMS in Japan will be useful and beneficial to everyone here.  Thank you very much.

     [APPLAUSE]