fairsfaircatering to compliant collaboration
Thanks to the European regulatory framework on data, the value related to acts, facts, information and compilations thereof finds its way to the entities that have relations to that data. Data spaces architectures revolve around interoperability, trust, and value creation. The trust component is a combination of control and accountability. On the one hand data processing requires consent by the data owner, and on the other access and use of that data needs to be traceable in order to establish that it was processed and provided in just cause. The ‘platform’ in this sense is not the market place itself. It acts on behalf of entities that want to interact, by holding their data or providing access to this data.
The fairsfair foundation contributes to the trusted exchange by providing policy engines. These engines support the exchange of data, only for and during the data processing activity as agreed by parties. It caters to data governance and user privacy in data exchanges, as such, or within the context of a transaction (services/goods for payment). The basis of the reciprocal consent is the transaction process: a sequence of activities that each require usage and access policies in order to maintain control over the minimally required data which is needed to fulfil the activity.
The decentralised ‘transaction broker’ under the ‘fairsfair’-label is an open source service for trusted data sharing allowing multiple organisations to collaborate on value adding services offered to natural persons and amongst legal entities. Its compliance with the European values, the data strategy and its supporting regulation, a.o. GDPR and DGA, fills a niche in the data spaces reference architecture. Referral to fairsfair certified decentralised transaction brokers in tenders enables authorities to ensure their citizens with full control over data and identity, and assuring a level playing field for market actors, pro-actively.
A process is defined by a sequence of activities
Often we look at the whole puzzle, in stead of the pieces. Putting together IKEA furniture or a LEGO feature, it is a step-by-step proces. A sequence of construction activities in which assembly takes place. After verifying upon each step that the elements have been included as instructed, to move on to the next. And if you come back to the project to witness that someone else has picked up where you left off, you know that in following the same procedure the outcome will be the same. Concluding that everyone with the right skills can contribute to each activity of the process, if properly informed of the state of play and the desired outcome.
To find what binds us
With the digital gateway becoming ever more present. Most offerings are a combination of digital and physical activities. In order to align them, a digital representation of those services is required. Given the consistent features of the mutual agreement, describing services for a compensation between parties during a specific period of time under general or specific terms and conditions, it serves as a format for any transaction. Although the hourly rate may differ between similar jobs from one company to the next. Or the fact that services are completely different in the health and mobility industry. They all have the same concept at their core: the process of value exchange – services versus compensation – based on a mutual agreement. A mutual agreement is subject to the expression of ‘will’. Communicating this will initiates the exchange of payment for the right to consume to the service (‘entitlement’).
Organisation of resources
Banks organise financial resources on behalf of legal entities and natural persons alike. The digital transfer of funds, is organised in the ‘four corner model’: the ‘acquiring’ bank, receiving the funds on behalf of the supplier of the services or products and the ‘issuing’ bank, authorising the payment on behalf of the consumer. This exchange over multiple interchangeable parties is enabled by using identifying mechanisms, like the bank id, account id and payment id. Imagine in parallel the same can apply to the exchange of personal data, account and related media (tokens). Through access and usage policies data owners can mandate data providers to ‘issue’ (personal) data held by a data provider (PDI), to be ‘acquired’ by a designated identifiable data consumer. In channeling these exchanges through others (four corner model) the access to the service and access to the funds needs to be communicated to those acquiring and issuing the data, payment and services related to their activities in the context of the transaction. Notably there is a difference between exchanges between legal entities and those which face natural persons, bringing General Data Protection Regulation (‘GDPR’) in play. Let’s elaborate on that as we go along.
This multitude of interchangeable service providers, either acquiring or issuing funds, entitlements and personal data needs to be informed of transactions being initiated and the current state of play thereof. An independent mechanism validating the transaction, organising the sequence of activities and communicating the state of play of a specific value exchange to the designated stakeholders is what we refer to as a ‘transaction broker’. Like intermediary roles that facilitate activities that initially are part of the platform, the transaction broker functions as a state machine on an ecosystem or data space level to support trusted decentralised collaboration. Aligning the different activities of the transaction exchange, executed by different designated stakeholders. The relationship facilitated by platforms, connecting suppliers and consumers, is replaced by a relationship to the transaction itself. Enabling a many-to-many interaction, across borders and domains.
Compliance with GDPR and DGA
A level of detail, beyond merely the relationship is added: the context of the transaction and even the specific activity of the value exchange for which data is to be presented. The division in activities limits the window to only the extent of accessing the required personal data as input for a specified output of that activity by a designated counterpart.
Personifying the natural person with the unique transaction-id. In a combined interaction of physical services and digital services (incl payment), the digital representation of the citizen differs based upon the actual activities. The transaction intermediary (platform) will have a different representation, than the bank or the service provider (bus company, physician, employer). And being a validated personification of the natural person, the transaction-id is sufficient to identify oneself as the entitled consumer. Opening the possibility to e.g. travel anonymously, although personal credentials are exchanged for payment or additional identification (such as first and last name for cross border travel).
Note that processing is lawful when necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, art. 6.1b GDPR. No additional consent (6.1a) is required for exchange of information under a contract: the exchange is limited to the mutual agreement and even the activities thereof, because these address different aspects: the transfer of funds has no relation to the details of the service/product merely to the transaction itself.
Seeing the transaction broker communicates the factual state, not the details thereof, and for it does not partake in the actual value exchange, it only serves as a custodian watching over the information of the state of events of any given transaction. Which de facto complies with the Data Governance Act (‘DGA’) for trusted data sharing services.