CPDP LATAM 2024 | Data portability and interoperability

So good afternoon welcome everybody uh it's a pleasure to moderate this session my name is Nicolas zingales I'm Professor here at fgv for those who haven't seen me yet uh I um have the pleasure to moderate this panel also because I'm a coordinator of the my data Brazil Hub which is um a an initiative that tries to promote more control over personal data H we organize events we stimulate uh discussions about data Portability and interoperability and we are connected to the my data Global movement so this panel was a proposal submitted on behalf of this

um Hub and uh we also thought it was important to discuss the issue of data portability for two reasons one is that uh the authority the data protection authority ND uh is planning to address uh with some some guidelines some some norti H the issue of exercise of data Subject rights and So within that we have a lot of challenges that come from data portability how to set the standard something that the law empowers the authority to do uh so there's a need for a discussion about what should these standards be not only technical standards

but how they can interface with individual rights and fre so how we can coordinate um opening up data and protecting third parties that might be Affected by this data sharing so this was the first reason and secondly there is also a bill um trans U being negotiated in Congress uh that is about uh regulating exante digital platforms and as part of this regulation uh the authority that will be in charge of implementing the regulation will be empowered to uh impose interoperability measures um across the sector so it will be involving digital platforms and uh forcing

them to open up potential in Certain cases to third parties uh so the issue of how to um transfer data from one uh context to another will become particularly important as we already see today with the digital markets act in Europe so with all that uh we have invited a few experts that come from uh different perspective and different regions of the world uh to Enlighten us on this topic um and I will call them to uh join us on the floor you see we have two joining us online um but let me Start with

the first uh in presence speaker with J vipra she's an AI policy researcher with over eight years of experience in technology policy she was previously worked at the AI now Institute the center for governance of AI V center for legal policy it for Change and the National Institute for Public Finance and policy um she has a master of public policy from the University of Oxford and uh is soon to pursue a PhD in science and technology Studies at Cornell University Welcome J uh then we will have uh our colleague uh friend Ian Brown uh he's

uh Dr Ian Brown is an independent consultant on internet regulation particularly related to information security and privacy and pro competition mechanisms such as interoperability so he's a regular visiting Professor here at fjv and uh he was working for uh a number of Institutions but but including uh the uh Oxford interance Institute uh he was Working for department for digital culture media and Sport um and the UK government among and many other accolades then um the third in presence speaker that will join us is Paulo braner who is uh a partner at Mat andilo a specialist

in technology banking Financial Services crypto assets and in ation issues he's a distinguished professor at pontificia University catholica s Pao and The Graduate and postgraduate professor in business law And Technology at the same institution also a member of the uh International technology law association um so welcome Paul um then finally last but not least we have U joining us online car marel uh she is a doctor in law at the University Federal of Miner I and University of Michigan and a master in law at University Federal of Min jerise uh regulatory um manager and institutional

relation manager at wall P bank and um commissioner conser I'm not sure how you Translate that uh in the association um abranet uh internet Brazilian Association um then finally uh we we have darara derak kashani she is a director of policy for the data transfer initiative uh for those who don't know it is a nonprofit with a mission to empower individuals by enabling effective data transfers and uh well prior to that she was policy manager at metas reality lab focusing on privacy issues related to wearab facial Recognition and augmented reality and she has um JD

from Catholic University at America Columbus law school and ba in cognitive science from University of Virginia so you can see very interesting backgrounds as and uh set of speakers we have with us welcome all of them um so in the interest of uh advancing with our conversation the idea is to start from a view of the local initiative the local discussion related to data portability and Interoperability and uh in that regard we have Caroline marel who has a solid expertise in the financial sector where there was a lot of uh interesting developments over the last

couple of years with open banking now known as open finance um so we'll first hear a few um Reflection from her about the data portability and interoperability challenges in open finance kolene uh you have the floor thank you for joining Us thank you Professor thank you all for this invitation it's a pleasure to be here uh I'm going to share my screen um let me know if you see it yes uh so I would like to apologize not being able to be there in person but um it's a pleasure to be here and um I'm

going to talk about data portability in the financial sector and especially the kind of challenges that we face and the Lessons that we learn from them uh so when we talk about data portability in the financial sector we have more than one kind of portability first we have salary portability which is the the right of the workers to choose which bank they wish to receive their salary in regardless of the employer's choice we also have credit portability which is the right to transfer credit transaction to another financial institution so for example if You have a

loan with bank a and you want to transfer it to bank B that offers offers you better interest rates you can do ACC credit portability we also also can talk about meal vouchers portability which is the right of workers to transfer a meal voucher benefit to a different card uh than the one that the employer chose and lastly we can talk about portability through open finance um open Finance is an ecosystem that enables data sharing between institutions through API integration so we can also talk about the right of portability within this environment so I I

I brought some data on each one of them and um firstly um salary portability uh we have a basically a problem of lack of knowledge so only 56% of Bank population know what it is uh this shows us um especially even Bank Population with is which is population that has access to financial services don't know what what salary portability is and um 33% believe that the request must be made in person uh that it cannot be made digitally and 28 believe that their company do not allow Sal salary portability so we have this first challenge

we also have a challenge of inaccessibility and bureaucracy uh we have numbers increasing in salary Portability uh in the last years but still the approval rate is only 50% so half of them do not um effective the right to to portability because the the request is denied to be incomplete or or uh um some kind of documentation that is is lacking so this m this shows us how complex and bureaucratic the process is on credit portability we have the same challenges as salary portability so to to show some data here only 6% of banked population

has attempted credit Portability and 70% uh 70% would switch Banks if the process was as easy as doing a pigs uh so pigs is uh for those who doesn't were from uh another country pigs is our um inant instant instant uh payment choice so you can transfer money uh at the in seconds to another bank account and we have this Sol solution from Central Bank um again here the approval of credit portability is around 40% when we talk about me vouchers portability uh we have a different kind of problem here is it's it's a a

a situation that it's an early stage so we still we don't have the regulation uh by Ministry of Labor we do have the right on a on stipulated law but still uh under discussion between the private sector and Ministry of Labor and only in this research uh that I'm using here only 22% of workers said that they are interested in M vouchers Portability uh showing that uh they probably don't know what that means and the lack of effectiveness of Meers portability Carolina sorry F if I may in the interest of those who are not from

Brazil since you say that many workers also don't know what me virtual portability is could you explain what is the me voucher portability because in Brazil meal voucher is a program that is established to um help um employers give um subsidized meals to workers and uh I Think outside Brazil nobody knows about this program so it would be interesting to give like a quick definition of course yeah basically it's a a a program that um gives part of the salary of the Employers in uh meals so you have a card uh with uh a design

some money money there so you can use uh but you can only use in markets and supermarkets and uh restaurants so it's a way uh that the government uh Historically um made to ensure uh labor rights and to um give tax uh discounts for companies I don't know if that is is it enough or do you want more thank you and the portability issue there is that it's not easy to use them with all employers right or with all it's still not we still don't have portability actually to be honest we currently it's not possible

to request a portability in Me voucher okay thank you I think that's enough uh so going to open finance uh so open finance as I said uh is this ecosystem that you can share data share Pro of products and service offered by financial institutions and um contracted by customers so the institutions integrate uh via apis and they uh can share data in this safe EOS ecosystem uh to give better conditions For customers so basically it's a initiative from Central Bank Brazilian Central Bank uh we also have it in the UK and Australia others other countries

and uh basically the data here show how shows how uh growing this echosystem is so now we have big numbers and we can safely say that open finance can be used uh to assure portability uh in the financial sector and Um H basically uh it's not something that it's actually currently working you cannot right now request portability through open finance but it's a a scenario that is really nearby for us uh so basically to sum up here I'm probably running out of time I'm sorry if I took a little bit longer my no it's okay

uh basically what we need is to simplify the process because even the portabil that we already have Some the possibility to request is still too complex to use uh people are not sure how to request it when they do request it they do not get the approval so simplification we also have a a financial inclu inclusion problem so we have the those that are do not have access to financial service and they need to be included on that and uh so Central Bank has an agenda to expand this and of course to bank population we

also have to educate them and to make Sure that they understand their rights um and lastly this Horizon of data portability through the expansion of open finance would mean um a faster safer and more transparent ecosystem and would red red reduce the risks and the operational costs um on data portability of course open finance also has some issues as data quality and um uh cyber security but yeah this is Another discussion so basically this is what I prepared for you and I'm I'm glad um I'll be glad to answer any questions thank you thank you

kolina um interesting to see these challenges of awareness and security that are emphasized here in a regulated environment so the open banking open finance is under the control of the regulator we can imagine that these issues might be even more prominent in a context where there is no Designated regulator for uh detailing all the the interconnection standards like in the in the Banking and Financial sector um so well now let's hear then uh from the battlefield of the legal compliance you know what does a company uh have to do follow in terms of the law

how can law firms advise in relation to data portability and interoperability what are the issues that come up for that we uh give the Floor to Paulo braner thank you so much uh thank you Nico for um for the invitation and to be here um going uh directly to to the questions that you just made uh I I think that um this is a matter that normally is related to competition rather to individual rights when we see successful uh use cases of portability and interoperability it always relates to a Situation where you have Monopoly or

you have um uh the incumbents uh playing um in a in a specific sector and then if you want to Foster competition one of the aspects that helps to uh lower barriers to entry is to give access to user data so uh open finance is one of these examples we have in Brazil uh the Telecom sector that introduced portability a long time time ago um uh we have funds management as well as as an example uh each of them In situations in different situations but uh connected to regulated sectors that's the main challenge here because

when we talk about portability we talk about a specific service it's not necessarily portability of data as an individual rights so I think one of the main challenges here is how we understand uh this obligation foreseen in the lgpd and in data protections law throughout the world uh if it's not to Foster necessarily competition but to Grant a right that is foreseen in law and uh just to uh Advance a bit on on what karolina has just mentioned in terms of open finance um I think we can get some examples on on the difficulty of

trying to connect this this unregulated word to a regulated World um in in depending on the model that the portability uh is is chose chosen in a specific jurisdiction so even open finance have different models we have examples in in in Different countries uh throughout the world already implementing open finance but I'll get three uh uh specific environments so in the US uh what we can say is um some more a market approach in the sense that portability given a specific moment back in in the section 10 33 of the dotf Frank act has granted

a right of portability in the financial sector but only in 2021 President Biden issue an ex executive order establishing the obligation to implement Effectively uh um uh uh portability in that uh in that environment so they are struggling on how to do that because it was then just as an example of an individual right that that uh uh uh had the the the right to access data from specific uh uh financial service providers um we have the European model that is a regulator uh regulatory approach um and and we have the example of psd2 that

introdu introduce a different licensing models uh bringing New players and that would only make sense if data uh could be uh interchanged between players but I think that the UK model that Brazil uh has inspired a lot to implement its open finance it's not only regulation but is regulation plus uh uh the the technology standard to be used um in in the portability uh uh environment and that I I think it it makes a whole difference because uh the regulator is not only um worried about Enforcing a specific regulation but trying to develop the ways

how the players will interact it them themselves to create this technological environment to speak the same language and to enable not only incumbents but also newcomers to provide access to data of their own clients so it needs to be interesting to uh all the players that Mak part part of it but again the challenge here is always a connection with services not necessarily uh to through uh individual Rights I think that when we talk about portability uh what we cannot um forget here is is is that it needs to be effective and to be effective

I think we cannot disconnect with interoperability if we just say ability we probably are saying you know uh access right of access to a certain data because you can have it and you can uh uh you can take it to wherever you want but it doesn't make that sense if you cannot have the technological ways to Make it effective um and what we see in examples of uh uh portability and interoperability is uh I I I would say five items of agenda of an agenda of interoperability that will make sense one of them them is

governance I mean who should be the decision makers involving interoperability because if we only have the government saying what to do probably you'll not have the engagement uh of the market and of the Players uh to to make it happen in a way so the example of open finance in Brazil is an example where the go where the government and the players the market players participate trying to design how to to implement a better environment uh to to exchange data uh scope is another important aspect to consider as well uh what should be included in

terms of data to be portable and to be interoperable it it cannot be something Extremely wide in the sense that you want all data to be included in a port ability program because it makes more complex and sometimes it's not useful so what type of data should be included and and the scope is very important here uh and also another aspect of of this agenda would be the players uh who are the players uh to to interconnect or to to to to have their data uh exchange it let me give you an example of a

complex situation where uh We are not talking about a regulated environment so if we get the the the the tech platforms social networks whatever uh example you have in your head uh are we talking about exactly the same products can we uh exchange data in a way that they can be used in a useful way from one platform to another platform or uh it should be limited in the way in a way that you you limit the access of data that you know has no specific usefulness for the data subject And would be only data

to be transferred to another player and he has only the access to data but it doesn't turn into an enhancement of the service to be to be provided so uh these are important aspects to consider as well technology is another uh pillar of of interoperability what is the technology to be used uh when we talk about open finance is basically uh the openness of the apis and how we standardize the exchange of data through some specifics Apis and that M that makes sense because it's uh we have uh some specific services within the financial sector

uh they are similar throughout players so it's easy uh to to have the same techn technology technological language uh but it doesn't mean it's an easy task to do when you are not in an envir in a regulated environment and the last one which we should not forget is pricing because There's a cost to to implement interoperability and in a regulated environment someone says it's not going to cost anything to the end user or is going to cost so we have different examples in in different countries the ones that I mentioned doesn't bring a cost

uh but there's a cost and and uh how the market how the players are going to to manage that um so I um I think that um there's a there are some challenges uh that Needs to be discussed and and how uh uh in our case our uh data protection authority will need to to reflect in its obligation to to develop regulation on on portability uh of course it needs to uh to to see uh different examples to talk with the society I think it's going to be a very important um uh moment uh to

to bring uh this um to the general public but I think that if we see the ex the successful examples of portability And interoperability if you want to have that becoming much more expanded in Brazil I tend to say that it should not be under a specific regulation of the data protection authority but I think the data protection authority uh through the collaborative uh arrangements with uh uh regulatory agents enhancing experience and and exchanging um ways of protecting um data subjects but at the Same time uh fostering the need to to have data portable uh

I think we could have you know other examples other in the financial and the Telecom sectors that could bring opportunities of portability and and and we can tell we can tell us examples open uh not only open finance but open Insurance Open Health it always talks about regul regulated environments when we we we want to have that effective so so I think these are some Of the thoughts that I would like to to bring happy to take any questions thank you thank you thank you Paulo you raised a number of important points uh the question

of scope what kind of data do we want also infer data to be subject to portability um the governance mechanism I think that's a key challenge uh the cost I think some parts you know it it forms uh part of the universe of governance but it's a specific issue that needs to be looked At uh when you mention the governance strategies uh you mentioned the UK as a reference because it's not only regulatory doesn't only create a regulatory space or also fixates the interoperability standard through the API so in that regard I think we can

now uh transition to Ian who has uh studied in depth the situation in the UK can tell us if that model has worked and uh whether the um Europeans also with the new legislation are uh making good use Of these insights or and there's something that we can also import into the Latin American context um so basically your takes on this Ian would be appreciated thank you can can you project my slides please they're in your Google drive folder yes they should be ready perfect thanks um I I will be brief and we can we

can Circle back around to specific points uh if people want to cover those oh they've disappeared again Yes sorry I need them to speak from you know what saw before slides you can start using the imagination okay I go back to okay so um I I'm going to just touch on three areas where the European Union and alongside it the UK which I'm sure you all know left the EU uh a few years back but still has a lot of very the same or very similar legislation has been wrestling with some Of these challenges that

have uh these important questions that have been raised so far so firstly the digital markets act um has just been coming into to full application over over the last year um got quite a lot of uh press coverage in in Europe which isn't always the case with technology and and competition regulation um there are so the dma only applies to the very largest technology platforms that's the first thing to say so they're not in Traditionally regulated sectors like like health and and banking but these are these are firms that um have to be worth over

75 billion euros have uh over 45 million EU users have more than 10,000 business users within the EU those are the the basic criteria that there are more complex mechanisms for looking at firms that are on the boundary but th those are the basics the European commission has designated um seven I believe so far Global businesses That meet those tests they're the the obvious ones the Gaff the gaffs um uh plus booking which is a Dutch a very large Dutch travel platform and um bite dance behind Tik Tok of course um so the these obligations

these dma obligations only apply to these very very largest companies there are some broad platform um obligations which I'm not going to focus on today but those are things like for example apple is having to allow alternative app stores on iOS and allow Um iPhone users to download apps directly um the and by the way some of these Gatekeepers as they're called under the dma are are making these Changes Worldwide but some of them and apple is a good example are only letting users within the EU benefit from uh benefit from these so I'm sorry

Brazilian friends and other Latin American friends you're not going to get this from Apple in uh in Latin America unless your governments decide um to Pass something pass something similar what I'll mention a in a little bit more detail here with the dma um and it comes back to what some of the speakers have already said about the sort of duality of interop ility and data portability they're almost the same thing looked at from a slightly different angle in in some ways and uh one one supports the other so there's there is third so the

dma obliges designated gatekeeper services like like search like operating Systems and so on um to give third parties access to platform features and user data so one example of that is you might know if you have if you have an iPhone it has a secure chip in which is used to secure payments when you tap your iPhone on a a card terminal to make a payment and before the dma Apple was very very reluctant indeed to open up that capability even to Banks let alone to fintech or other uh less traditional financial service providers but

that's One example of um a feature that apple is now required to make uh to make interoperable um the gdpr had a limited version of data portability and article 20 but the the which appli to all data controllers the dma for gatekeeper Services takes that significantly further and says Gatekeepers have to enable realtime data portability so um you know I'm I'm say that I'm just thinking of an example say I'm using a search engine that is giving me search Results that are based on a profile it's built up of me over time of the search

queries that I've used of what links I've clicked on that could be a big advantage to Google for example which whose search engine has been designated as a gatekeeper say a startup search engine wants to let me try try their search engine but make use of my Google profile if you know if I want to as the user under the dma that's that's the kind of interoperability that that Competitor um could uh could require there are some there are some more specific portability requirements in the dma for specific types of Gatekeepers so one is very

focused on search um that says that again a competitor of Google Google is learning a huge amount every day from its you know from the billions and billions of search queries and clicks that are putting being put into into Google worldwide and it could be difficult for a startup search engine to Overcome that advantage to to break into that market without access to some of that information so for search the dma requires search G gate geke Keepers to make anonymized we could come back to that term if if people want to versions of that click

and query data available to um to its competitors and then the last example I've given here app store search and social networking service Gatekeepers have to give Fair reasonable And non-discriminatory general conditions of access to those services to competitors and I'll show you an example in a second of what that looks like then very specifically in the dma uh article seven of the dma there's an in uh uh an interoperability requirement for messaging services and so far what WhatsApp and Facebook Messenger have been designated Apple has successfully argued to the European commission that iMessage should

not be designated under The dma so so far Apple will not have to do this for iMessage but meta for um for WhatsApp right now and by September with Facebook Messenger um has to make certain basic functionality of of its messaging clients uh interoperable with competitors so initially that will mean a competitor service if it chooses to its users if they choose to can exchange messages with users users of WhatsApp and a Facebook Messenger after two years that has to be extended to support group Discussions and then after a further two years that has to

support realtime audio and visual Communications between competitors and WhatsApp and um Facebook Messenger so to to give you a picture of what this could look like this is a nice I think this is just an individual developer it's not even a anme at this stage uh this is called flip chat this application you can download it if you're interested effectively it's an alternative what client for WhatsApp um And it helps people learn languages by um if you the the examples the screenshots up here are I think German a German user and and someone who who

is learning German and someone who is learning Spanish what it's showing is they can chat to each other basically in which they can send messages and receive messages in whichever language they like and the person they're talking to so I say I'm talking to nicoo I'm seeing English in my clip chat client nicoo is Learning Chinese say um he's seeing what I'm saying to him in Chinese and he might write his response in Chinese to practice and it comes back to me in English and flip chat handles automatically the translation so this isn't currently using

the dma interoperability Provisions it's basically hacking WhatsApp um and of course the the risk there is at any time meta May meta currently is tolerating it it's small enough that it's not worth Meta's while to try to shut off this client but meta could if it wanted to um flip chat in under that circumstance could say okay we we are going to make use of these dma Provisions these interoperability Provisions to make this client still work and then a second example this is uh so this is open Vibe this is a social networking Ser service

client that lets you connect to open social networking Services currently that's where the name comes from so for Example uh blue sky and I think uh masteron and threads are all on there so those are open by by you know not through regulation by a decision of the services providing them but the in thing here is the dma potentially so the European commission up to three years has to review the dma and one thing it has to review is should the messaging interoperability requirement be extended to social networking services so you could imagine if they

if the European Commission said it should and then the European Parliament and Council agreed um then services like this could add Facebook and other other gatekeeper social networking services so that's the digital Market act we've already heard quite a bit about open Banking and open finance so I'll I'll be very brief on on this this slide um the UK's open banking regime is quite mature now it goes back I think seven or eight years um it came out of partly European legislation the The payment services directive but also from an order from the UK's competition

Authority um the UK for many decades in fact has had a very oligopolistic current account banking sector the same big banks for many years have held almost all all of the UK's population's current accounts so the UK competition Authority said here's an interesting way we could try to open up the these accounts and introduce more competition um through requiring the banks as has Been said not just to make their services interoperable but also to agree a common technology standard set of apis that would make that easy for a startup um just to rise some software

once and then they could plug that software into any of the the UK banks that are supporting this standard so unlike the dma the dma doesn't do that with interoperability uh if you're a startup you might have to write multiple different sets of software to Interoperate with different providers open banking in the UK has a has a common uh common standard set and the one the only other thing I'll say the the pie chart there that's based on some research I did with a project with niiko a few years back um this open banking in

the UK has led to a lot of innovation in financial services hasn't had so much effect on competition per se the big Banks still have all the the current accounts but um the different slices of The pie the pie there show you lots of different kinds of services have have from small companies have plugged into current accounts and small business banking accounts you know obvious things like budget planners like helping people with their tax returns but a lot of other other stuff as well so for example making it easy for someone to say my the

big bank I have my current account with is giving me a really low savings rate on my current account because they can Get away with it so I'm going to have a a separate savings account with a higher interest rate and using open banking every day that other bank is going to automatically look at my my bank balance my transactions and say okay Ian probably can spare you know x00 and move that into the savings account for sure short period of time if necessary move it back when I need it for you know my mortgage

payment or or some other kind of regular payment so That's uh that's open Banking and that's being extended in the UK uh open finance but also um open mobile open telecoms the government uh Although our government has just changed actually the new government has said it will introd reintroduce the legislation the Old Government had introduced to broaden open banking out to other sectors and then finally um the European Union's data act which comes into uh application next year next September this is very Focused um in particular areas so one of them is connected devices as

the legislation calls them internet of things that they're often called um you know that whether that's your toothbrush your your connected light all kinds of services in the home or in in the office uh the the data act sets quite detailed prescriptive standards then for data portability realtime data portability and interoperability for connected devices and also the EU has a big Ongoing program on um data spaces in different sectors so there's there's a Health Data space for example where some other legislation has just gone through and the data act sets some very specific interoperability provisions

and ways that technical standards can be um enforced in that sector so I hope I hope that's given you some interesting ideas about the different ways of implementing portability and interoperability the EU is working with Thanks thank you I for a very useful overview across all this initiative and use cases I think that's particularly important the title of this this session was Data interoperability and portability so connecting the two but also busting myths and uh very often the me is this is not feasible it's very difficult but we have seen there are a lot of

initiative that show that it is possible uh of course there will be some costs involved and uh again we can go Back to governance questions but this is done quite successfully also in other jurisdictions H in the in India they have been Pioneers in that right with the digital public infrastructure that facilitates data sharing and uh they also have the same for digital identity and payments uh so wanted to hear maybe a little bit of that from ji uh and then other thoughts and Reflections that you I know you have on compute interoperability and Compute

is this working yeah um thank you niolo and thanks everyone it has been really nice to listen to the panel so far um yeah I have a few thoughts on India but I also have a two major points to make today I think one um on Collective data portability rights which I don't think we've talked about very much yet uh and the other on um interoperability Beyond uh data portability so interoperability in computation as well so um I think the Individual right to data portability comes from the idea that an individual uh should not have

uh inordinately High uh costs to switch the platform that they are operating on for instance so if you um if you are a consumer of a financial product uh that a bank provides it should not be so difficult for you to switch the provider all your data should be able to be ported with you so that you can get the same standard of service from another Provider uh but when you talk about multi-sided markets um there's not just the question of uh switching your own individual data or your own individual account but also the question

of network effects where if you are a consumer of Facebook you want all your friends and family also Al to move with you if you want to move platforms and you want their data also to move with them uh if you know they want and you want that to happen seamlessly so you're talking About both Network effects and data and you're also talking about not just your uh cost as an individual to switch the platform but also your competitor the platform's competitors's cost of acquiring data so you are very right when you're talking about this

being primarily an anti-monopoly measure rather than uh you know springing from rights as such and uh the dma like you said uh solves this in a top- down way which I think is Great in that it says um gatekeeper platforms just have to mandatorily mandatorily share data uh with competitors but there's also a bottomup way of thinking about this where people when they self organize into certain economic interest groups might want uh their data to be collectively ported and I don't know if Brazil has this right or it is being considered and Carolina can maybe

talk about it later but I know that there were trade unions in the EU Who wanted um uh who worked for right sharing companies and they wanted to set up their own right sharing platform and uh the data protection uh law uh was not sufficiently enabling of their ability to do that in fact it was restricting their ability to do that and of course the platform refused to collectively uh give them data citing the data Protection Law so you know uh the the goal of creating competition was really thwarted by this very individualistic Idea of

data portability uh and I think uh questions like we saw in Brazil that the lack of knowledge of this being a right is a problem these can be partially solved because in fact why should everyone be aware of this right and you know have to exercise it individually it should be uh the people that they delegate this right to in certain ways who are able to do that of course there are problems with that and we know that in India uh while DPI um You know there is an idea where uh you want to um

create this Collective uh sort of right for data uh portability sometimes that can be exploitative where you uh you just delegate the right to someone else without actually taking that individual uh consent from everyone to do it so you have to think very carefully about uh what kind of Association is given this right and if they're if they're Simply um performing the act of consent or if if it is in fact true consent um the second thing I want to talk about and I will come to uh some Indian examples maybe in a bit uh

is is uh interoperability in computation uh so we know that uh computation is important for any sort of digital activity or transaction to take place and and uh you know there are people who operate digital public infrastructure in India for instance again in right sharing who Now say that the problem is not really data at the moment it is the cost of computation that is the actual cost so anytime someone books a ride you do have to pay uh AWS or whoever that you're using for computation um and so we know that these costs are

high because the market for computation is so concentrated at every part of the supply chain so whether it's data centers whether it's chip design whether it's Chip uh sort of putting them all Together whether it's Chip manufacturing all of these have um monopolies or at best oligopolies right um and so it is possible it hasn't been done yet but it is possible to have this large scale interoperability at some parts of this value chain for computation where whereby you don't have such concentration in the market and where by some of these functions of computation are

returned to the public rather than are uh controlled by a few private Actors and the reason for this concentration of course is intellectual property sometimes there's bundling of certain products that do not need to be sold together but are sold together uh there's of course geopolitics but also there there are reasons of economies of scale whereby the larger you build the uh more profitable it is for you to build and where you also need large upfront Investments and where you have conditions of economies of of scale and Large upfront Investments you do have to ask

the question why these functions are not um carried out by the public sector rather than the private sector right because it's you know the more you invest the better it is for you these companies are now so big that they have uh they determine not only the external but also internal policies of certain countries right so um the these questions are of course these plans are ambitious but uh you can have some e Starts for instance Nvidia has a software development um arm called cuda which uh without using Cuda you can't use nvidia's chips and

you can only use Cuda for NVIDIA chips so uh you know maybe you can have some sort of Separation at those layers of computation there's other layers that you can think about um the other thing I want to add is that the lack of interoperability in computation is not just a problem for National markets it Also makes International Market and uh geopolitics a zero sum game so for instance there are uh United States export controls on uh Advanced AI chips which they are only able to enforce because every chip that is produced uses some sort

of um us technology and because this is a very concentrated market and you may have seen the recent news where uh the United States uh officials said that um uh they would use uh even more stringent measures against Netherlands and uh Japan for still continuing to export uh you know AI technology to China for instance um so I think that uh not just current export controls but there are plans for you know Hardware mechanisms where the chips themselves will have by design a lack of interoperability so that other people uh cannot use it without the

permission of the United United States so these are plans in development currently uh I think now is a good opportunity for Other countries at the G20 to promote interoperability and open- Source development in computation as well uh just to avoid a sort of international um concentration of power as well as a private sector concentration of power so in short I think this is an ambitious but also a worthwhile program thank you very much J very interesting Concepts this one about Collective portability it's something I've never Heard about and it's quite fascinating to think about how

it could be built and uh the second one is about the digital public infrastructure basically uh for computing which is quite important in the AI context but I think it has some parallels with the costs that are imposed for the data to be really used meaningfully uh that already existing today uh when you try to transfer from one system to another so maybe by way of introduction to to the concept of Portability we can we should recall that there are two versions of portability one is to download uh in a commonly used usable format the

data and the other one is to get a transfer of those data from one controller to the other and this for example in the general data protection regulation in neuron is subject to the provision when it's technically feasible H in the Brazilian context uh there's also this division but uh there is no specific Requirement of when it's technically feasible so we need to see how it will be implemented uh but I think it generates some of these tensions regarding the cost of not only of those who give the data but also those who want to

acquire it and and use it meaningfully so for that I think it's a perfect uh transition to pass to delara who has led this project uh now for for a few years um on the transfers between companies H so the data transfer Initiative is all about that so we are looking forward to hearing about uh the the details of this initiative Tara you have the floor can can you all hear me yes fantastic uh I don't think we could have planned that this overlaps perfectly with what you were speaking about uh my name is darara

Derk shaani I'm so grateful here to be here today to provide insights um from the perspective perspective of DTI and as you mentioned our mission is to empower people by Building a vibrant ecosystem for simple and secure data transfers as was just mentioned data portability can mean different things to different people um depending on the jurisdiction um depending on the context for DTI during this talk my focus will be on user initiated transfers of personal data from one online service to another one-time operations where a user's data of a particular type is moved directly uh

for example a user transferring their Playlist from One streaming service to another We Believe at DTI that this is the future of data portability uh direct TR uh data transfers and that's why our work focuses on practical solutions to help make implementation in this regard of reality I think the general takeaway from my presentation is going to be that there is great value and bringing companies together uh to build a shared set of tools for direct data transfers DTA DTI finds itself in a position uh Where we are well positioned to convene educate and help

develop practical solutions for service provid providers in this ever changing and uncertain landscape with all these um new regulations uh around the world as we're as was touched on earlier um in doing so our goal is to streamline engage ment for companies of all sizes uh simplify and standardize data models help to bridge knowledge gaps between apis and reduce overhead reduce cost for Companies um related to processes such as authentication a tiny bit of history for those of you who are not aware of our organization we originally started out as a Consortium of technology companies

back in 2008 and back then we were known as the data transfer project dtp dtp was essentially an open-source code base and it has supported many of the tools with which some of you might be familiar with today tools such as Google's takeout Service meta's transfer your information tool and Apple's data transfer tools last year we revamped as a newly formed nonprofit and today we are um building on that dtp work to build tools that are simpler faster more secure we are not a trade Association we are an independent nonprofit with a mission of social

welfare uh and we are proudly independent uh but we do benefit a great deal from the work that we do with our organizations's founding members who are Google Apple and meta they provide dedicated engineering and product contributions to help make these tools of reality just last week actually we're excited to announce the introduction of a new tool that allows users of Google photos to directly transfer their uh data to Apple's iCloud photos a product that will be available to billions of people around the world that being said we are constantly expanding our Partnerships our collaborations

to Additional players and always welcome opportunities for partnership so what are the some of the challenges that we are working to overcome before I give you two examples of our work um the spirit of the regulations we've discussed today are admirable but transferring data between Services is technically complex data may be stored in various formats and structures compatibility can be a challenge if a user wants to export data from one Service to another uh the structure and other characteristics of data and one system may not be represented the same way in another and so some

level of translation must be done facilitating that translation and transfer is the core of our product goals and what we build for but equally important as our product work is our policy work where priorities are not only to convene thought leaders uh appin on novel questions in this space but we also Serve as a resource and an educator to governments all around the world as well as the public and in addition again we are constantly looking for opportunities to expand our partnership work with companies of all sizes as well as civil society because we recognize

that the best Collective outcomes when it comes to implementation requires extensive collaboration so I'd like to talk about a recent initiative by DTI that tackles a very real problem of how to prioritize Security and privacy and ensure that there is trust during these direct data transfers many of the regulatory Frameworks some of which we've discussed today do not specify how harm should be mitigated there are no details or requirements as to how third parties could or should take steps to ensure that a new uh receiving company is protecting data or that it is a responsible

Steward there's no Universal method for establishing trust uh for Those involved in a direct transfer process and therefore many questions arise how can the receiving or originating service be confident that data when transferred will not introduce security or other risks how will users be confident that transfers reflect their understanding and their intention most importantly their intention so in order to protect the interests of end users and service providers DTI has developed a trust model and the goal of This is to enable Services who are both receiving and sending data to mutually authorize each other for

direct transfers this work uh if I'm being honest was initially inspired by the near-term challenge of facilitating and affecting dma compliance in Europe but our broader goal is actually to help grow trust in direct transfers period regardless of the nature of the parties or their location our work is global and we believe that this is the future as Users are going to come to expect easily accessible and simple direct transfer tools and as we've seen today as Regulators increasingly around the world recognize data portability um and its benefits to competition Innovation and user agency so

for this process we brought together organizations large and small IND industory Andi Civil Society to tackle questions of how companies should assess RI risks and make a determination about whether or not to Allow a transfer so why are we doing this what are the benefits our main goal here is to help guide structure and align independent efforts in a way that provides more consistency and harmonization we believe this approach is preferable to companies independently developing their own mechanisms for a few reasons it promotes greater neutrality and consistency and fairness in application of review it requires

stakeholder buyin and acceptance that at The very least there is some baseline that is required while also giving individual companies the option to add more requirements if they so choose it's more efficient uh and most importantly if trust cannot be established then direct transfer should not and does not take place um I think it's clear to all of us that a lack of trust would be devastating to all of our goals in this space no matter who the stakeholder the other initiative I'd love to highlight Before I pass uh it back to you all is

um something that I I love that two of the panelists at least two of the panelists touched on this problem of user uh education uh this initiative called our data portability map uh focuses on transparency and user empowerment and simp similar to our other work it is also open source and and available to anyone and we encourage everyone to visit our website and take a look or Contribute in my personal opinion one of the most important things we can do and perhaps arguably has not received enough attention to date um in order to make this

system Thrive is to educate users they need to be equipped with knowledge of what tools exist to them and so for this reason we have created what we call a port ility map essentially it's just a public repository of help articles with answers to portability use case questions uh where we give the users Option to provide detailed feedback on use cases or if they choose to contribute help articles uh I think that hearing feedback from users is in incredibly important our work at DTI has always been user Centric user driven uh and it helps us

understand what's most important Reality by gathering these use signals we can understand where existing offerings may fall short and where additional investments in particular Data types or service pairings would be worthwhile again anyone can contribute and learn more about these existing tools our website is DTI n.org um but this tool is only in its beginning stages and we are exite excited to expand on it and help users and the public I think out of respect for time I'm going to stop there and turn it back and you all but also happy to answer any questions

at any time perfect thank you very much darar For this practical examples and overview of about the DTI um I mean you pointed to one of the key challenges in my view which is uh how to ensure that the portability is not used as a a Trojan orse you know basically that can open up to a third malicious third party access to a wide range of data and we saw this uh for example with the Cambridge analytica Scandal right it was one of the worst example so I guess one of the questions like for the

governance of This in the future is uh should it be uh a private self-governance framework should it be public should be a mix you know how it should it be set up you you mentioned the importance of involving various parties in defining uh some of the features uh I think this is a discussion that we must have uh I saw a hand raised was it yours carolene it was actually mine but it might have been premature I didn't wasn't sure if if that was the question You were posing to the group or if if we

were it was just a comment it was just a comment and uh guess challenge for the future but uh now I wanted to take this last 15 minutes to open it up for questions see if there's any reactions also to the uh the talks that were made um so um we'll we'll bring the microphone to you if you have any any questions this is the right moment don't be shy I'll bring yes microphone is coming Okay thank you very much it was very enlightening um my name is Ena V zand I've done some Empirical research

in Banks after the introduction of psd2 in in the European Union um and one of the things that I found well one of the issues that was uh very prevalent at first when it came to data protection ction uh was that consent under psd2 didn't mean the same thing as consent under the gdpr and there was a lot of confusion there at first um and in the End uh because it was two different types of consent one of the issues was that there were not the same requirements for uh Banks or other financial service providers

to inform end users of the potential risks of uh data sharing so what happened was they would emphasize very much the advantages like you could get a nice budget app or I don't know what um but they wouldn't tell people about the potential risks whereas at the same time There was a a huge rise in digital uh financial fraud so my question I guess to especially the people who are um working on the banking sector how do you make sure that people are informed of those risks as well and I don't mean just general education

but at the moment that consent is asked or at the moment that is relevant how do you make sure the service providers also provide that kind of information absolutely great Question um I think maybe the best position to address this question is koline who has experience in the financial sector but I'll open up for everybody kolene of course thank you for the question uh first I would like to say that we had the same problem uh here in Brazil that consent in open finance is not the same as consent in our data Protection Law because

in data Protection Law consent is uh how you Justify your uh your treatment of data so you can use consent um uh and you also have other options by the law that you can use to justify uh your use of data and how you're treating data uh in open finance we all we always need consent so that's like basic is the first step you need a consent uh to make sure to to share the data you need the consent of the user uh this consent uh in open finance it has a Time limited period Which

make it harder in a certain way than in data Protection Law because we don't have that limitation in data Protection Law uh so in two years you have to re request it again uh and we actually right now in open finance we've been discussing how uh to uh overlap that time limited um uh CH maybe change that it's a discussion that been occuring in the council that deliberates um on on on standards for open finance because it's already hard to get the Consent and uh we usually sometimes can have a problem of um Lo losing

consent in time so uh that would uh decrease open finance a little bit so that said uh I I I say that it's a hard question to know which kind of measures uh you can use to educate but uh first I I would definitely say that um you can have you should have a better user experience I I definitely focus on that so uh one of the measures that you can use to make sure that people Understand why they are sharing their data what are the benefits to sharing their data specifically in open finance is

to improve user experience and make it as simple as possible accessible in A Accessible language uh and yeah I I guess I would react like that I think Paulo wants to to complete me also if I may interject yesterday we were talking about the importance of highlighting some features because the users will not read the whole privacy policy usually They don't finish it so a layered privacy note is something that can make the risks I more identifiable I think it's it's a good move forward thank you and and just to add some of the the

great explanation brought by by kolina I think consent is always a challenge no matter what environment we are talking about as usual um one of the aspects I think I I I have two comments one is that regulation of the Central Bank uh uh is align with the general data Protection legislation meaning they made it clear that the open finance environment need needs to follow data protection legislation in in general and that helps in terms of bringing transparency full explanation so on and so forth and the other aspect that tries to to put the control

in terms of the exchange of data within this environment is that uh the central bank has uh opened the possibility of exchanging data based on consent but at the same Time it has a principle of reciprocity which means that you can only share data with the ones that will always will also share data with you it's it cannot be just one way environment of sending data it needs to uh to have the participation of the ones that will exchange data between themselves so it tries to control the environment where this data is shared so you

should not be able to expand that to other environment so it's a way to try to control where this data Is is transferred so just this to then two uh pragmatic follow-ups to that in the on the European side so one way the UK with open banking dealt with with some of these issues was to say and it it comes back to the regulated versus unregulated sectors um any firm that wants uh to get access to People's Bank account data or initiate payments in the UK scheme has to First be accredited by the financial conduct

Authority one of the you know The Regulators for the Financial sector so they had to meet quite high standards for the firm for the security that they they applied to to this data and so on um but more broadly speaking as I'm sure you're entirely aware but I'll tell everyone else because I think they'll be uh they'll be interested um the European data protection board produced guide detailed guidance on this following some of these debates and and and questions um if you want to look it up the Guidelines are 06 2020 uh on the interplay

of the second payment services directive and the gdpr version 2.0 um and just uh paragraph five in there I think very briefly I think summarizes some of the issues so all of the first of all all of this EU this this new EU digital legislation one of the starting points is um that the you know the gdpr remains in control of personal data processing within this framework this this legislation is not meant to weaken The gdpr and people um implementing the you know the the second payment services directive and then more recently some of this

other legislation will have to follow the gdpr uh so things like the prec the precise purpose of the processing should be specified applicable legal basis should be named relevant security requirements laid down in the gdpr must be implemented the principles of necessity proportionality purpose limitation proportionate date Retention periods and so on um and and that's uh that guidance on pstd 2 is quite detailed from the edpb and I believe they're producing um new guidance on the digital markets act and some of these interoperability Provisions a couple of points that the edpb expands on in this

guidance which I think are of of interest in in all of these different areas we've been talking about there's there's questions of in gdpr Terms special category data of Course your bank transactions can reveal you know your Trade union membership a political party membership if you're paying subscriptions medical insurance details dealing with with private medical clinics um you know all sorts of potentially special category data that needs to be dealt with very very carefully and cautiously um in these Frameworks there's the question of what the what the edpb called Silent party data data about other

people so if I you Know I say I've made a bank transfer to niiko and I choose to share my information with Paulo's firm how much of that will cover niiko ver versus me that's an important question um and one General principle of course in the gdpr and and uh data protection legislation like it is of data minimization so if I'm doing you know I'm I'm sharing my data with a firm for a very specific purpose then only give them enough data for that purpose don't just hand over You know three years of a detailed

transaction history if that's not remotely needed yeah absolutely there's a lot of uh loose points that uh need to be there's I mean one question is whether we could have an harmonized framework uh and you know not just have every country addressing these points in a different manner so also from the perspective of collaboration among Latin American countries like maybe more discussion Around these points more clarity uh more exchange of best practices would be something very useful um you mentioned the part about uh what is called also network data so data that involves third parties

I wonder how that would work in the collective uh portability case how would you envision J the the consent being given by the connected parties I don't know think about uh this because it's not I don't suppose That the questions are necessarily different for individual versus collective in the sense because you're talking about uh people who are parties to transactions but who are not part of the collective so you know it but the the right share uh drivers I was talking about they wanted only the data of the drivers so you know even that is

useful of course uh there are elements where you can Divine what the data of the uh passengers is also if you are given uh The data of a lot of drivers but you know that's that's just a problem with data in general like big data true and I second also the point that consent is is often an issue and I think here it would be basically the weakest the the system is as strong as its weakest link and here often it goes down to consent because for example in the dma there is this prohibition on

sharing uh data across Services unless you obtain the consent uh in a sense of The gdpr now of course this position is strong if the consent provision of the gdpr is enforced effectively otherwise uh it's basically uh not very useful H so I think this this will raise questions also about resources because as darara was saying uh we will have many more transfers you know direct transfers of data so there will be a lot of resources uh that go into not only making this transfer but also overseeing how they are occurring and whether They're respecting

third party rights um so I think uh it's a challenge of resources for authorities as well um so I hope that this discussion is uh helping in contributing in in moving a little bit forward um and uh yeah we are already out of time but uh I want to say I mean this is an endless discussion uh that can be made any uh questions that are raised and very little questions very few that are responded too but the idea was to show that it is Feasible it is being done um maybe moving forward what would

be interesting is to have a framework that says um well you have somebody that can help you to make your portability effective um an intermediary to which you can delegate uh the power to uh request the transfers and that can also serve multiple individuals at the same time so that you can get Collective knowledge about processes and and Collective movement Are facilitated um currently we have uh just for you to know there is a um a bill here that envisions some kind of um portability of data for the purpose of commercialization uh which is the

um uh legislative proposal on the creation of the um an ecosystem of monetization of uh data and and this of course brings the other challenge about uh you know how you Ure that these data are not going to be uh just collected more and More to then feed the surveillance capitalism ecosystem and then uh used potentially in a way that are again the original purpose um so well I think uh we will see how this project move forward but I think you have provided a lot of interesting insights you and and uh the remote speakers

uh I want to thanks thank everybody thank the the audience for participating um and uh we look forward to continue this conversation with You for