Secure Data Sharing: Charting a course for the EU’s Digital Future
The past several years have highlighted just how vital it has become for government and commercial companies alike to have access to a comprehensive and up-to-date data foundation to make well-informed decisions. From supporting with the distribution of PPE in the fight against COVID-19, to mitigating the effects of supply chain disruptions in unprecedented times, Palantir software has helped organisations overcome the challenges posed by disconnected and fractured data landscapes.
As a company that builds digital infrastructure to empower data-driven operations and decision making, we recognise the transformative impact of a connected data ecosystem.
This recognition is also being reflected in EU policy where, under the European Strategy for Data, a range of new initiatives aim to facilitate data sharing in the EU. The strategy seeks to harness the power of shared data, with the goal of stimulating innovation, facilitating the green transition and benefiting society. At the same time, however, EU landmark legislation, including data protection and information security, remain paramount.
Though these two visions of the EU’s digital future need not be in opposition, organisations may struggle to navigate the current policy landscape and to accurately evaluate the implications on their day-to-day operations.
In this blog post, we provide a brief overview of some of the main regulatory initiatives that will shape the EU’s digital future at the intersection of data sharing and data protection. We also explore how software solutions, like Palantir’s, that are built to facilitate secure data sharing in highly regulated environments can help organisations implement the EU’s vision in practice.
A New Vision for Europe
The goal of the European Strategy for Data is to ensure that “more data becomes available for use in the economy and society, while keeping the companies and individuals who generate the data in control.” The strategy reflects a new vision for the EU’s digital future in which the ability to access, share and reuse data is essential. The following regulations are key:
EU Data Governance Act (DGA)
The EU Data Governance Act (DGA) was adopted in May 2022 and will be applicable from September 2023. The goal of the DGA is to increase trust in data sharing by facilitating the reuse of certain public sector data. In this way, the DGA aims to give potential to public sector data that is currently unavailable as open data and also establishing “data altruism” (i.e., the possibility to “donate” data for the public good, such as advanced research in the fields of environment or mobility). Access to and reuse of data will be facilitated through data intermediation services provided by trustworthy organisations via secure data pooling and sharing possibilities (i.e., data marketplaces).
EU Data Act (DA)
The counterpart to the DGA is the EU Data Act (DA), a regulation that is currently in draft form. The DA aims to harmonize rules on fair access to and use of data, with a particular emphasis on data generated by devices and services pertaining to the Internet of Things (IoT). The goal is to alleviate asymmetries between end users (i.e., device owners) and manufacturers, allowing both to benefit from generated data.
In practice, this regulation would enable data users, such as EU citizens, but also public and private institutions, to access data from so-called “data holders” more easily. Data users may also request the transfer of their data from data holders to additional “data recipients”, for instance, for the purpose of aftermarket services. Additionally, the DA would enable users to transfer their data more easily between providers of data processing services (e.g., cloud), hence empowering users to switch providers more easily. Ultimately, the DA endeavors to unlock the EU cloud market within an overall efficient data interoperability framework.
European Health Data Space Regulation (EHDS)
Finally, the proposed European Health Data Space Regulation (EHDS) provides an example of what a common European data space might look like in practice. The primary purpose of the EHDS is to create a standardized format in which patients can access their health data across Europe. As a secondary intent, the regulation would also enable third parties to request access to de-identified data for limited secondary purposes, for instance, to contribute to research and innovation.
Importantly, both non-personal and personal data are within the scope of the EU Strategy for Data, including, in the case of the EHDS, sensitive health data. This raises the critical question: how can data sharing be facilitated both at scale and in a secure manner?
Facilitating secure data sharing in practice
Since Palantir’s founding, our company has made the secure processing of sensitive data core to our software. While data integration has always been a critical component of our work with customers, equally critical is our commitment to data protection, as reflected in our decision to invest in a dedicated privacy and civil liberties (PCL) engineering team more than a decade ago.
In practice, this means that the standard configuration of our software is maximally privacy protective. For instance, any access that a user gets to data must be explicitly and deliberately permitted by the responsible organization and the level of identifiability at which data is displayed can also be managed in a granular way. While some users may be permissioned to see personal data directly, others might only be able to access data once in a de-identified way. In the context of data sharing, it is precisely these granular controls — built into our software by design — that enable our customers to share data selectively and securely.
For example, to manage the spread of COVID-19, healthcare organisations needed to rapidly bring together data from many systems, including testing programmes, care homes, and hospitals, and give thousands of users, from healthcare workers to academics, access to different subsets of this information. This created an acute challenge for data governance teams responsible for tracking who had access to what information and why. In order to protect the privacy of the individuals whose personal information is in the data, data governance teams also had to ensure that users had access to sensitive or personal data only when strictly necessary, and that any such data was deleted when it was no longer needed. The National Health Service (NHS) in England relied on our software to meet this challenge. Palantir Foundry supported the formation of a data dashboard that helped supply government officials with a true picture of infection spread and critical care capacity while also providing the highest standards for automated and transparent data governance.
Similarly, in the US, our software supported a “Common Operating Picture” for the U.S. Centers for Disease Control and Prevention (CDC) to manage the distribution of vaccines and PPE throughout the pandemic. Palantir Foundry helped facilitate collaboration in the form of data collation and integration across the federal government, jurisdictional health departments, private sector entities and other key health partners to support advances in outbreak response all while enforcing robust security and governance with strict role-and-permission-based access controls.
Beyond playing a critical role in the response of public health agencies to the COVID-19 pandemic, our software has been used to support complex digital infrastructures of businesses across a range of industries, including aviation — an industry renowned for operational complexity. Airbus’ Skywise, powered by Palantir, is an open-data platform that serves major aviation players a single access point to data from a vast range of sources, including in-flight data from over 10,500 aircraft, maintenance, and operational data. Skywise leverages Palantir software to analyze disparate data sources, offering new insights for the entire aviation industry. With over 25,000 users the platform enables collaboration and sharing to drive key outcomes for airlines, such as increased fleet reliability and predictive maintenance. At the same time, data governance is paramount to Skywise, with each airline controlling their own data, maintaining administrative rights to their data, and selectively choosing which data to share with other participants in the Skywise ecosystem.
Palantir software helps organisations drive critical outcomes through the creation of data infrastructures in which privacy and data governance are foundational. This track record reflects our commitment to helping customers meet their compliance obligations in ever-evolving regulatory environments.
Preparing for tomorrow, today
The benefits of secure data sharing are clear. At the same time, care must be taken to ensure that sensitive data, and critically, personal data, remains protected.
Undoubtedly, as the EU Strategy for Data continues to evolve, the importance of being able to manage and share sensitive data selectively will be reinforced. One of the biggest challenges relates to the secure sharing of personal data, in which the ability to choose the right de-identification, including anonymisation, strategy will be key. To help organisations navigate this space, we have put together an overview of different de-identification strategies here.
Perhaps most importantly, however, EU-based organisations should consider what investments they need to make in their technical infrastructure today to meet the regulatory challenges of tomorrow.
Visit our PCL Thought Leadership page to learn more about Palantir’s approach to privacy and civil liberties engineering.
Authors
Paula Cipierre, EU Privacy and Public Policy Lead
Philipp Wotan Wolf, Privacy Counsel
Secure Data Sharing: Charting a course for the EU’s digital future was originally published in Palantir Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.