by Peter Kunz
ERCIM is a partner in the H2020 project TRAPEZE – Transparency, Privacy and Security for European Citizens – a European Innovation Action with the ambitious goal of driving a cultural shift in the protection of the European data economy. It aims to achieve this by reconstructing the concepts of control, transparency and compliance through technical and methodological, citizen-first, innovations. The project will lead the way in putting often-misplaced cutting-edge technologies to practical use for the citizens.
As we witness the rise of the digital age and reap the benefits of a data-driven society, our activities, industrial processes, and research amass an unimaginable amount of data. Moreover, data from previously isolated sources are, be it intentionally or accidentally, combined and interlinked and used by companies and public bodies, big and small alike, often behind the corporate/government firewall. This “Deep Web of Data” holds huge potential for the European Digital Single Market and for business, science and society. However, its growth comes at a cost to the very society that created it – it has become immensely difficult, if not impossible, to manage and, hence, keep the data safe. In other words, this struggle for traditional businesses is both impeding progress in the EU economy and has also opened the door for cybercrime; an increasing concern for the European economy and society.
With the ever-increasing pace of data production, citizens in Europe find themselves at the mercy of those controlling the data. By May 2019, data protection authorities in the EU had received 144,376 GDPR-related queries and complaints from the European public. This is an important indicator that citizens are becoming increasingly aware of the data protection regulation, and risks relating to security and privacy. With the increasing awareness, people are taking a more active role in the protection of their own data. While awareness-raising is key in engaging all participants in the protection of citizens’ fundamental rights, a foundation of trust is essential for strengthening society’s overall cyber-resilience. The right tools and guidelines can help to support the will of the citizens and turn the fight against data misuse and cybercrime into a joint effort.
TRAPEZE is aiming to become a lighthouse for European and global initiatives that aspire to deliver citizen-first, cyber-resilient, innovation.
To make this goal a reality, TRAPEZE aims to put citizens’ security and privacy into their own hands by providing them, first of all, with innovative dashboards that will enable fine-grained and dynamic control of their data protection preferences across all relevant controllers. These will be accompanied by transparency and feedback mechanisms that will allow data subjects to comprehend the complex flows of their data and actively participate in the prevention, detection, and reporting of legal noncompliance or incidents, and in exercising their legal rights.
Furthermore, to ensure citizens of all groups, skills, and physical abilities can manage and monitor their data flows, TRAPEZE will place a special emphasis on usability, but also privacy preferences and sociological aspects across different member states, seeking to establish a feedback loop with its end-users internationally. This collaboration (or co-production) will enable direct involvement of the EU citizen in the development of privacy-enhancing technologies. Additionally, to contribute to the resilience of European society, we aim to increase awareness and competence through open knowledge, gamification, and micro-learning.
Figure 1: The Privacy Dashboard demonstrates the data privacy management capabilities of the TRAPEZE platform. With the TRAPEZE Privacy Dashboard, users can review collected and processed data by a certain controller and configure permissions for processing of their personal data.
TRAPEZE is significantly different from existing approaches in that it does not attempt to protect the citizen by abruptly reshaping the European digital economy. Instead, it seeks to empower the data subject, while enabling a realistic, steady, transition to a more trustworthy data ecosystem that extends beyond online services and deep into the controllers’ data silos. TRAPEZE aims to enable privacy-aware and privacy-preserving data value chains by leveraging the concepts of linked data graphs and distributed ledgers (blockchain). Linked data will be used to control the handling of the payload data (actual personal data relating to the citizen) stored and processed by controllers’, or processors’ systems, even downstream (re-sharing from controller to controller/processor) in the data value chain. Blockchain technology will ensure compliance and decentralisation of records of processing activities, as well as immutability and non-repudiation of said records (with GDPR compliance in mind). In addition, TRAPEZE aims to secure citizens’ smart terminals and online communication through a software development kit for mobile security.
TRAPEZE’s proposed architecture and tools will be developed and evaluated under real-world conditions in three pilot scenarios in government, telecommunication and IT services, and banking. All three pilots involve the processing and aggregation of large amounts of personal data from various data sources, with policies specified at different levels of granularity.
TRAPEZE is not starting from scratch, but builds on a decade of EU-funded research in security and privacy, as well as on proprietary solutions and know-how, towards marketable innovations.
Trapeze aims to:
- bring all stakeholders together under a common resilience framework;
- empower citizens with the necessary tools and know-how to manage their security and privacy;
- support the acquisition of citizens’ consent at collection time and the recording of both the data and the metadata with scalable automated compliance checking in mind;
- restore citizens’ trust in the digital economy by enforcing log integrity and non-repudiation;
- reconstruct data lineage and implement transparency by design;
- demonstrate its applicability in three different operating environments of the public, telecom and financial sectors.
The project includes 13 partners from seven European countries: TENFORCE (BE), ERCIM – The European Research Consortium for Informatics and Mathematics (FR), TU Berlin (DE), Informatie Vlaanderen (BE), Deutsche Telekom (DE), CaixaBank (ES), CINI – Consorzio Interuniversitario Nazionale per l’Informatica (IT), Unabhängiges Landeszentrum für Datenschutz, Schleswig-Hostein (DE), Kaspersky Lab Italia (IT), Institute Mihajlo Pupin (RS), IPSOS (BE), Athens Technology Centre (GR) and E-Seniors Association (FR).
Alexander Vasylchenko, TENFORCE , Belgium