Privacy-friendly tools for DLT civic services

Eleonora Bassi
Wednesday 4th April 2018

Imagine a city authority that aims to strengthen citizen participation through transparent petitions, or intends to involve citizens in pollution- and noise-control programs, making people more conscious of health data and the environment. In these cases we have many actors – citizens, cities, civic organizations, businesses, and communities – that need technology in order to deploy a service, share information, or control data and verify the results of their activities.

The DECODE Project intends to provide the technological and legal tools for realizing these and similar objectives. By developing a DLT (distributed ledger technology) for the control and sharing of data, including personal data, DECODE rests on the assumption that DLT is an opportunity for realizing decentralized civic activities. Decentralization is indeed crucial to prevent control over our data and shared activities from concentrating in a few hands. In other words, open architectures and DLT solutions can help democratize the web and empower citizens in the creation of services and new market scenarios.

In order to attain these ends, DECODE faces several challenges. First, the project must deploy and release a technology that people can trust to safeguard their rights. Second, a service that empowers citizens' rights should enable data control and privacy strategies. Third, technological solutions have to be conceived for an environment in which design itself helps to foster digital rights and shared information.

The role of the Nexa Center for Internet & Society within the DECODE project consortium concerns the legal aspects of these challenges: analyzing the legal framework of the project activities in order to support the design of specific tools for automatically enforcing users' rights, while supporting the ethical and legal strategies of the Project.

The first step is to clearly identify both the framework of rights that shall be protected and the legal domains involved. These range from IPRs (intellectual property rights, such as copyrights, patents, trademarks, trade secrets, moral rights, licenses, and so on), through public sector information legislation and public and administrative law (which is crucial when you want to reuse data and documents that are made or gathered by the government, cities or local administrations), to data protection and privacy law.

Trust is a key point. Transparent processes and simple tools are thus fundamental in stimulating trust in a new privacy preserving technology and innovative digital services.

Accordingly, the principle of privacy by design appears crucial for the entire lifecycle of the project. The point is not only one of legal compliance: it is an ethical asset that goes hand-in-hand with a specific technical and legal approach. Defining who shall be the data controller and who the data processor, how such data will be processed and where it should be stored, and which actions can be performed by citizens that use a service, are some of the issues to be dealt with in order to ensure transparency and accountability for the entire process. On the one hand, the aim is to be compliant with European data protection legislation and, on the other, to offer citizens real control over their own personal data.

Two requirements of this specific context strongly recommend the use of privacy preserving technologies: we need to guarantee the authenticity of people's interactions while preserving individual anonymity. These two properties pull against each other, which is why ordinary identity-based authentication is not enough, and both are critical conditions for participatory democracy, digital identity, and social interplay.

Technologists, developers and legal experts need to work together in designing and releasing new tools for data control. Consider the possibility of embedding privacy safeguards and constraints in 'smart rules' that are executable on a DLT. Such 'smart rules' can be used to authorize or deny access to data, and to automate activities that are necessary for rights management and rights enforcement (e.g. communicating to the data subject who the data controller is and how the data is processed, and so on). While such solutions, as tools and apps, are a key ingredient for making rights simpler, more effective and safer to exercise, they also have to be presented in clear and plain language, as the new General Data Protection Regulation (GDPR) requires for information given to data subjects.
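To make the idea of a 'smart rule' concrete, here is an added example that is not part of the original post and not DECODE's own code. It assumes a simple rule format of my own (a data subject grants a named controller access to one data category, for a stated purpose, until an expiry date, with fields to strip for minimisation) and uses a hash-chained in-memory list as a stand-in for a ledger. The evaluator denies by default, records every decision in the chain, and produces the notice to the data subject naming the controller and purpose. The sample rule and sensor record are constructed for the illustration.

```python
"""Toy 'smart rule' evaluator: permit/deny, minimise, notify, and log.

Added example, not DECODE code. The rule shape, field names and the
hash-chained list used as a ledger stand-in are assumptions for this demo.
"""
import hashlib
import json
from datetime import date

# Constructed sample rule: a citizen lets the city's environment office read
# her noise-sensor readings for the pollution-control programme, until year end,
# with device and location identifiers stripped from whatever is released.
SAMPLE_RULE = {
    "data_subject": "citizen-42",
    "data_category": "noise-readings",
    "allowed_controllers": ["city-environment-office"],
    "allowed_purposes": ["pollution-control"],
    "expires": "2018-12-31",
    "strip_fields": ["device_id", "gps"],
}

# Constructed sample record as the citizen's sensor might produce it.
SAMPLE_RECORD = {"subject": "citizen-42", "category": "noise-readings",
                 "db": 63.5, "device_id": "sensor-7", "gps": "45.06,7.66"}


class Ledger:
    """Append-only, hash-chained decision log (stand-in for a real DLT)."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, payload):
        body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, payload):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"prev": prev, "payload": payload, "hash": self._digest(prev, payload)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if no entry was altered or re-ordered after being appended."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["payload"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def evaluate(rule, record, controller, purpose, today, ledger):
    """Apply one smart rule to one access request.

    Returns (decision, released_data, notice). Access is denied unless every
    constraint of the rule holds; `today` is an ISO date string.
    """
    reasons = []
    if record["subject"] != rule["data_subject"] or record["category"] != rule["data_category"]:
        reasons.append("rule does not cover this record")
    if controller not in rule["allowed_controllers"]:
        reasons.append("controller not authorised")
    if purpose not in rule["allowed_purposes"]:
        reasons.append("purpose not authorised")
    if date.fromisoformat(today) > date.fromisoformat(rule["expires"]):
        reasons.append("rule expired")
    decision = "permit" if not reasons else "deny"

    # Data minimisation: release only the fields the rule does not strip.
    released = None
    if decision == "permit":
        released = {k: v for k, v in record.items() if k not in rule["strip_fields"]}

    # Automatic communication to the data subject: who asked, for what, outcome.
    notice = {"to": rule["data_subject"], "controller": controller, "purpose": purpose,
              "decision": decision, "reasons": reasons, "date": today}

    # Every decision, permitted or not, is appended to the tamper-evident log.
    ledger.append({"subject": rule["data_subject"], "controller": controller,
                   "purpose": purpose, "decision": decision, "reasons": reasons, "date": today})
    return decision, released, notice


if __name__ == "__main__":
    log = Ledger()
    for ctrl, purp, day in [("city-environment-office", "pollution-control", "2018-04-04"),
                            ("advertiser-inc", "marketing", "2018-04-04"),
                            ("city-environment-office", "pollution-control", "2019-01-01")]:
        print(evaluate(SAMPLE_RULE, SAMPLE_RECORD, ctrl, purp, day, log))
    print("ledger intact:", log.verify())
```

The three requests in the demo show a permitted read with identifiers stripped, a denial for an unauthorised controller and purpose, and a denial after the rule has expired; the notice returned for each is the material a user-facing app would render in plain language to the citizen.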

This is what is at stake in the project. At the Nexa Center, we are addressing these challenges (you can find more information in the D1.8 deliverable, published in October 2017, and in D1.9, which will be available in the coming months).