IGF 2023 - Day 0 - Event 42 Trusted Personal Data Management Service (TPDMS) Program - RAW

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> NAOYA BESSHO: Shall we start.  Thank you for joining our session for the Trusted Personal Data Management Service.  TPDMS.  I'm representing information taken with the association Japan.  My name is Naoya Bessho.  I'm the Director of Small Data Bank Promotion Committee.  I'm moderating this session today.  Providing certification for personal data bank.  We call it in Japanese.  We use that word because bank is a symbol of trust.  And I'm not sure today if people trust bank or not.  However, traditionally bank is a symbol of trust.  Especially in Japan.  Today, Sako Kazue works for special risks in the area and her presentation.  She will explain what is personal data bank and function of certification and so.  Then we will have comments, opinions, or questions from excellent commentators.  We expect process at University to make comments on human centric approach and information bank.  And we expect and innovation in OACD to make comments on enhanced data access and trusted data intermediaries.  And then if we have time, I would like to ask participants in the hall questions or comments.  So, firstly, please start your presentation with a brief introduction of yourself.

>> NATSUHIKO SAKIMURA: Thank you very much.  Good afternoon, everybody and good morning, good evening elsewhere.  For the online people.  I'm Natsuhiko Sakimura and I'm going to take like 20-25 minutes.  To explain what this TPDMS information trust bank or personal data trust bank means and what kind of scheme we are running in Japan.  Hopefully it will be informative for you guys.  And we would probably have a good discussion about those as well.  So, data free flow with trust?  Do any of you guys have heard of this word DFFT?  Like half.  Yes.

So it was one of the key words mentioned in the declaration back if 2019.  At the Osaka leaders declaration.  Cross board he flow of data, information, ideas and knowledge generates higher productivity, greater innovation and improved sustainability development, while raising challenges related to privacy, data protection, IPR and security.

By continuing to address these challenges, we can further facilitate data free flow and strengthen consumer and business trust.  Let's skip.  And such data free flow with trust will harness the opportunities of the digital economy.  And what we call is personal data trust bank or (speaking nonEnglish) we believe is one of the useful facility to enable this.  So today, there are three sections in this session.

First I will talk about information bank.  Quote unquote.  That's (speaking non-English) and then explain about certification of ID bank done by IT Renmei and then we will get into discussion.

About the information bank, a lot of data right now this is in locked in the corporate context in the CRMs, customer relationship management.  Do you know the word CRM?  Customer relationship management.  Not so much.  All right.  Customer relationship management is a scheme that the corporations, enterprises capture the personal data of ours and use that to contact us or market towards us.  You know, sending the e-mails and things like that.

To enable one-to-one marketing.  That is called CRM.  Customer relationship management.  And what is on the right-hand side with in orange is VRM.  Vendors relationship management.  This is the flip of that.  It is one of the concept which was proposed by doc who is in the Bachman centre.  That instead of corporations making guests work on to what we want, we as an individual should express what we would like to get -- what kind of things we want to get.  So instead of just being receptive, we transmit our information.  At our will to express our desires.  That is VRM and that is very, very person centric.  But at the same time, the individuals, the users has to bear its consequences as well.

So the responsibility lies in a lot of responsibility lies into the individuals.  And for many people, that is a little bit too much we felt.  And in Japan, we were seeking a further way which would enable individuals but don't put too much responsibility onto them.  So in the sense the consumer protection considered into VRM kind of things.

And that's how we came up with this idea of trusted personal data management system or information bank.  Here, the -- on your left-hand side, personal data is captured in company A, B, C.  And they are stored there.  They are the data holders.  And we, individuals, are at the centre.  Instead of controlling those data sources directly, there will be a daily intermediary called personal data trust bank into which we entrust our data.

So the personal data trust bank can draw data from the data sources and store in the personal data trust bank and can provide those data for the use by company X, Y, Z, on the right-hand side.  According to our wishes.  We don't have to manage the relationship directly, but it is a trust relationship between the daily intermediary and the individuals.  And the intermediary, the personal data trust bank is going to make sure that the data is going to be kept safe, used ethically and for the purpose and the user is protected.  So that's the main concept.

The legal structure on the scheme is soft law or co-regulation based.  Public/private initiative.  The main -- the two, you know, the factors in this, number one and number two in the slide.  Number one is based acts on advancement using public and private sector data which was enacted in 2016 and promotes appropriate utilization of personal data by multistakeholder under par dissipation of individuals.

And data utilization?

Artificial Intelligence and IoT era.  That's from strategy office of cabinet sect tarat and came out in February of 2017 and says personal data trust bank as effective framework to promote personal data utilization and the participation of individuals.  With those in mind, the regulators and the private sectors are working together to form this co-regulation scheme.  On the left-hand side it is regulator side.  The interim report by ICC and MIC.  Minister of Internet affairs and communications on the scheme by private body, social acknowledge qualified personal data trust bank.

This is necessary because individuals won't be able to find out whether the company is actually safeguarding our data or using our data ethically.  So this kind of certification scheme was conceived.  And in response, IT Renmei made the policy recommendation guideline for certification of personal data working group in 2017 and in this we proposed the mandatory data export and create a privacy notice as binding standard contracts and other requirements for operators.

Also, with the interim report the MIC and METI created guidelines on certification personal trust bank verse one back in 2018.  And it set out qualification and model terms and conditions, and governance for individuals' controllability and trust.  And based on that, IT Renmei created guidebook version 1.0 for TPDMS certification application.  And based on the guideline we started TPDMS certification programme for safe and secure services and operators.

So to sum up, personal data trust bank is a service it to utilize systems including PDS and manage personal data based on entrustment agreements on the data utilization with individuals.  And a service to provide such data on behalf of the individuals to third parties in accordance with the instruction of the individuals or prespecified conditions and a service to judge the appropriateness of the processing of the data.

Now this is -- it is in a small font.  I'm not sure if you can read it.  But it is summary of the guideline version one on certification of personal data trust bank.  The certification service sets a criteria for individuals to choose safe and secure personal data trust bank.  And the voluntary certification focus on the flow of personal data under individual's participation and securing reliability and trust from individuals.

And so it is a combination of certification criteria and model terms and conditions.  And governance structures.  Certification criteria encompasses management system, information security, specification of collection method and purpose of utilization of personal data, functions for individuals' controllability such as user interface.  So we make required user interface components.

And governance systems such as data ethics board organized by multistake holders is also there as a requirement.  And liability for damages against individuals.  Has to be borne by those personal data trust bank.

We also set out model terms and conditions.  We provide concrete conditions for contractual agreement for entrustment such as scope of operations, effective consent under the Act On the Protection of Personal Information for providing personal data to third parties and other obligations.  So it is not free for the organizations who subscribes to this information bank scheme to set their own terms, but the terms and conditions actually has to include all of those terms which is included in the model terms.  And the governance aspect covers elledgibility of certification body, method of examination, measures for breach of certification criteria, contractual agreement with certified personal data bank and governance system of certification body.

And those corporations, organizations who got the certification will be granted the TPDMS mark.  TPDMS mark could show to the individuals that the organization is safekeeping the personal data.  That as a personal data trust bank and international standards for privacy protection and information security such ISO29100 and 27001 is being followed.  And TPDMS stands for formal astanded for Trusted Personal Data Management Service, but we use a catch phrase as third way for personal data ecosystem, participation of individuals, data free flow with trust, multistakeholder governance and soft law as well.

All right.  Now let's get to the second point.  The certification as an information bank by IT Renmei.  IT Renmei or Information Technology Federation Japan was established in 2016.  The presidents in Kawabe, Kentaro, representative director of Yahoo foundation and one of the largest federation in IT Renmei is one of the largest federation of IT industry in Japan.  Over 60 associations and around 5,000 companies and around four million employees covered.  IT Renmei is association of association.  So the companies are actually not directly members of the IT Renmei.

In the current landscape of data flow, the data flows from the data sources to data destination without much clarity.  In this picture, I have put the black box into it, but we really don't have too much visibilities on to what is happening on our data. within the flow.  And if there is not black Box intermediaries, information assemtry abounds and not enough trust was formed for data to freely flow per DFFT.  These individuals may wonder is my data treated fairly and are they misused, right?  And then from the data source, they cannot know if receivers are good or not.  And from the data receivers' point of view, they cannot know if the data has been given lawfully or not.

We need to improve the transparency, accountability and participation and control to cope with this situation.  And TPDMS also known as personal data trust bank is a mechanism that reduce this information asymmetry.  Provide transparency, accountability, participation and control so individuals will say transparency is good and control.  And from the point of view of the data providers, they now know that the -- their receiver follows good practice and from their receiver's point of view, they can say that we can now use the data as it was collected and released legitimately.

And to achieve that, we have created a new trust service.  TPDMS certification scheme.  A new trust service, Trusted Personal Data Management Service also known as personal data trust banks or information banks access hubs to provide standardized contractual relationships.  So it improves transparency, ensures user participation and control, greatly reduce number of contracts, enforces legal entity KYC.  Ensures the use of data will be ethical and enforces that the data recipient follows good practice or standards for privacy and security at provides assurance for individuals and the TPDMS certification scheme ensures that handling of data at personal data trust banks are following standards and ethical.  And proper oversight of the processing as well as that of the source and the destination of data is implemented.

There are many requirements, but to cited a few, the service has to provide easy to operate user interface for controlling the data processing and control such as traceability like viewing history of provision of data to third parties.  And ability to suspend third-party provision or we also call it as withdrawal of consent.  And the request for disclosure of personal data pursuant to Article 28 of APPI. is there.

And the mechanism to achieve that is provided by personal data bank.  That's going to realize the, you know, using the easy to use interface.  So during the certification scheme we check the user interface as well so that if from the customer point of view it is deemed to be easy to be used.

TPDMS certification, there is another example that I want to cite.  Data ethics board oversees the activities of the personal data trust bank and makes sure that all of the processing of data is in -- from accordance to ethics, ethical standards.  We also have relationship with ISO standards.  Current certification scheme is based on security management and privacy enhancement standards and for the security management we are looking at ISO/IEC27001 and 27002, commonly known as ISMS.  And for the privacy enhancement we are basing on ISO/IEK29100 framework and 29131 prize impact assessment guideline and 29182 online privacy notice and consent and 27701 extension to ISO-27001 and 27002 or privacy information management.  It is good if they could cover everything that we want to do.  But it actually didn't.  On top of that, we also put some additional requirements and controls.

And that is how we are operating TPDMS certification scheme.  All right.  So that is general description of TPDMS.  And perhaps we can get into the discussion on that.

>> NAOYA BESSHO: Thank you.  So although as you understand TPDMS scheme is a little bit complicated, we much appreciate the explanation will be helpful or useful to understand the TPDMS to everyone here.  So could you make comments regarding personal data bank structure and certification system especially from concentric approach point of view and if any, please keep other questions or comments from your point of view before your comments please introduce yourself briefly.

>> SAKO KAZUE: Thank you.  I'm a researcher in security and prize.  And while as a consumer, I would be very interested in this activity because nowadays, all of the data, sorry, all of the shops or all of the places where I do consume services they all have my data digitally.  But what I have is only paper receipt.  Right?  So I only have paper receipt and this was what I was doing this morning.  So I have to type in again lacking at the paper resets and do my own personal housekeeping books, right.  But in reality there are already data about me in all of these compans' database.  How can I not use that?  And that will be very convenient for me to do housekeeping and also to have these data empower myself.  How can I leverage my everyday life if I know more data about me.  So therefore I really expect information bank to gather all of the information about me that I might not know and so that I can use it for myself.  And I would be also interested in knowing which company is interested in my data because I don't know them and currently I think all of these datas are exchanged in places where I don't know.  So, having this information bank that would give me more transparency in seeing who is interested in my data.

Having said that, this activity has been in Japan for more than five years.  And it is -- I'm not using any information bank so far.  What is the reason so this is going to be my question.  What is the reason it is not there yet?  And what would be our next step forward to make this really happen?

>> NATSUHIKO SAKIMURA: So, it as very good question.  And there are several reasons for that, I think.  But one of the main reason is that there doesn't seem to be a lot of data available for entrusting to the personal data bank, right.

In Japan, unfortunately, we don't have mandatory data portability.  We can in principle, as of April last year, access the data but it is -- if you try that, it is really hard.  And the data you are going to get is likely to be PDFs.  Which is not reusable.  So it is not useful in this context.  So that kind of thing is --  unless that kind of thing is solved, it might be difficult to get a flying, well, that's my take.

>> MODERATOR: As you explained, there is a kind of guideline with respect to TPDMS.  From your point of view, the guideline should be based on suitable for the Japanese industry or not?

>> NATSUHIKO SAKIMURA: Which guideline?

>> MODERATOR: The guideline just for the johoginko.

>> NATSUHIKO SAKIMURA: This is just my personal opinion, but I guess we need a little bit more incentive or sticks for the corporations to actually adhere to the good practices.

>> MODERATOR: Thank you.  Then Christian, could you please introduce yourself and make comment, especially fromy house access and trusted data intermediary point of view.  In addition, if you can explain OE CD projects or programme regarding TDI.

>> CHRISTIAN REIMSBACH-KOUNATZE: Yes.  Thank you.  Thank you very much.  And also thank you very much for inviting me and giving me the opportunity to talk to you.  Linking the OECD work with the discussion happening here on information banks, so my name is Christian Reimsbach Kounatze.  I have been working for the O ECD for 15 years.  A little more than 10 years on data governance issues.  We have explored baseball the role of different kind -- basically technical to legal to organizational mechanisms to facilitate data sharing and maybe one point a little caveat what I'm about to say and comment is not the official view of OECD but my point of view as an expert having worked more than ten years on data issues.  The very first point that I wanted to make is in terms of information banks is that I wanted essentially to congratulate Japan for basically taking leadership in this area.  Because having looked at the TDI standing for trusted data intermediaries you will note that the concept of information banks is actually something relatively new compared to when looking at what is happening around the world.  I mean essentially discussion on information banks started already 2010, right.

And by that time, there weren't really a lot of countries talking about singular things.  Nowadays we have other concepts that are compare seasonably.  Some of you may have heard about data trusts and personal information management systems, may have heard about data stores and so on.  Many similar concept that have now emerged that are similar.  Now, some of you may argue what about data brokers because that concepts has been a long time out.  But there is a fundamental difference between a data broker and information bank which is essentially that the information bank is still acting on behalf or in the interest of the data subject, right.

Which is not necessarily the case of data broker who is essentially controlling and commercializing the data for its own benefit.  That is an important difference.  Now, another point where I also would like to congratulate you is the concept of certification because a lot of our work has shown that when it comes to those kind of let's say actors and institution as a consumer in particular you face a problem that you don't necessarily know who to trust.  If you look at the market there may be a lot of personal information banks and then the question can I trust my data and it is very obviously difficult for a consumer to do the assessment of the quality of such an institution which is why we definitely are looking at this -- welcome this kind of approach anded government stepping in and providing the certification.  And when you know the government has certified something basically you can trust it.  That is definitely a good thing.

I would like now maybe to point to some I wouldn't say criticism but let's say questions that I have.  Knowing also or noting that I don't obviously know a lot about information bank, we are essentially now starting this in depth in our work.  The first one is, indeed, what you mentioned on the question about data portability.  A lot of interesting initiative happening in other countries.  The Article 20 offed GDPR that gives you a right of data portability.  In the EU, every citizen has a right to have the data ported, transferred in machine readable format so doesn't refer maybe to PDF which is digital but not necessarily machine readable in that sense.  This is one of the point we have observed when you look in particular at the EU, the problem is that citizens have a right to data portability.  But it is also not picking up really.

One thing that the European Commission among others considering is, indeed, to look into should we maybe have intermediary step in.  So some of you are maybe familiar there now a EU data governance act around provisions that refer to data intermediaries.  The recognition that the data portability is not enough and you need to have something that makes it practical and operational and maybe this is, indeed, something that is eventually missing here where you have the information bank but don't necessarily have a data portability that gives people a kind of mechanism to really ask, a right to basically ask the data to be transferred to a third-party so it can be reused.  A few other questions.

The question about to what extent do you also companies potential clients of the information banks, because I'm referring also to this thinking about the data portability in Australia.  There is in Australia as some of you know, a consumer data right and what is interesting about that from the data portability perspective this is a right not only granted to individuals but also to small and medium sized enterprises.  Some small enterprises have a right to data portability.  The question, is it also possible in Japan where as a small busy may also have an interest in having my data that is stored let's say in a cloud and I if I want to transfer my data from one cloud provider to another that kind of thing may be also useful to raise as a question.  The other one, I don't want to talk too much, the question how much control do you have as an individual.  Meaning there is a concept of data trust that is out there.

And that has raised a lot of interest in particular in the context of AI where countries like the UK or Canada are promoting this as a way to basically enable data sharing and make it available for machine learning.  And the question that is often not really considered or an issue eventually is that as once the data is essentially in the control of the data trust it is assumed that the trust will always act on behalf of the consumer.

So no granular control mechanism that I have as a consumer to say I don't want to have that data now shared with that.  It is basically now you can revoke your rights and so on but you don't have granular control.  And so my question would be when it comes to the information banks, how much control do I have as a data subject.  Is it once it is out there that I have to assume that the information bank will act on my behalf essentially like a data trust?  Or is there some kind of mechanism where I can control?  So thank you very much.

>> NAOYA BESSHO: Thank you very much, Christian.  The first question, the second -- how do you think about the data portability and DE&I?

>> NATSUHIKO SAKIMURA: I believe data portability is the missing part in the system.  We need it.

>> NAOYA BESSHO: You are thinking in Japan we should have such system.

>> NATSUHIKO SAKIMURA: Yes, I'm really hoping it will be implemented.

>> And your opinion on that point?

>> SAKO KAZUE: The data portability.  I really want that because that would be necessary to do my housekeeping.  And books.

>> MODERATOR: Thank you very much.  The second point that potential clients, so do you think we will be able to get success to get more potential client in our scheme?  Flatts so that depends on how much data we can actually access and utilize.

>> NAOYA BESSHO: That must relate to the panel.

>> NATSUHIKO SAKIMURA: You're right, yes.

>> NAOYA BESSHO: And third question, how much and to what extent the individual should have the control using the TPDMS?

>> NATSUHIKO SAKIMURA: So TPDMS is making it mandatory to have very granular control on what you can do with the data.  All right.  And in the beginning you are going to set up the general rule, right.  But you know, after awhile you may change your mind, right.  So you should be able to go into that and tweak the -- how the data going to be treated.  So that is what we are doing.

>> CHRISTIAN REIMSBACH-KOUNATZE: I have a follow-up question because it is, indeed, very interesting.  Because when I saw the someone of the slides it actually suggested that there is a -- because all of the data essentially at the original data holder which can be a company, a commercial entity and so on.

And if I -- I mean one thing that I didn't understand is if the idea is also to transfer the data from the data holder original data holder to the information bank?  And I'm asking this question following what you just said because as you do know, there are mechanisms like, you know, what we refer at the OECD as privacy enhancing technologies where you can do federated learning and keep the data essentially there.

I wonder if when you talked about the mechanism does it include that as well?  These kind of mechanisms where you basically don't have to download the data and control it but basically have some kind of federated control mechanisms.

>> NATSUHIKO SAKIMURA: Potentially.  But right now it is all of the data download and control kind of control, yeah.

>> NAOYA BESSHO: Do you have any other questions or comments?

>> CHRISTIAN REIMSBACH-KOUNATZE: I definitely just wanted to follow up to say that this is -- I don't know if I mentioned this.  I briefly was mentioned that we are working on trusted data intermediaries but one of the reasons also why I was very excited to be here is actually to learn about information bank so that we can study this in more detail.  So for the people in the room, stay tuned.  You will see OECD report basically coming out next year where we will feature also information banks.  But also other kind of intermediaries.

>> NAOYA BESSHO: Thank you very much.  I would like to have questions or comments from the floor of this court.  So anyone? so please use the microphone.

>> AUDIENCE: Thank you.  My name is Christopher Wilson.  Director of my data global.  I was hoping you could unpack a little bit more the incentives for data holders to enable data portability.  I think we all agree that is kind of a holy grail.  No one would argue against that.  There is a whole host of assumptions what might make it possible and we could talk about the sticks.  And I think even in Europe where we do have the GDPR article, it is largely not actionable.  It is just too complicated and difficult for users to use.

And there is person developments, notably the digit markets act requires data portability in any case of gate keepers but unclear how it will play out.  Easy to think for regulation to incentive might take quite a bit of time.  One might also think about the carrot, the positive case.  What is your feeling on the ability to make a base case to data holders to enable the data portability either by facilitating it or opening up for other services or users to do it?

And then lastly, I think it is reasonable to assume that if we think about the relationship between the number of data holders that provide data portability and the amount of value that provides the users it will be a hockey stick graph, right?  If I have just one or services providing me with data it is not worth much.  If I have 80%, it gaves value.  It really gives value if almost everything I use is providing that.  If a lot are small companies and not affected by legislation like the DMA today, how do we incentivize that?  A kind of culture change across markets and how do we get there in places like Japan?  Thanks.

>> NAOYA BESSHO: Yes.  So unfortunately our time is over.  It is time to close.  So yes, we would like to continue your question outside of the room.  So thank you very much.  For attending today, the session.  We are so happy the experience on TPDMS in Japan will be useful and beneficial to everyone here.  Thank you very much.