by Lauro Vanderborght (Digitaal Vlaanderen), Martin Kurze (Deutsche Telekom) and Ramon Martin de Pozuelo (CaixaBank)
The TRAPEZE project, titled “Transparency, Privacy, and Security for European Citizens,” is making remarkable progress as it moves forward in its journey. With its objective of demonstrating the TRAPEZE prototype solution in real-world scenarios, the three project use cases are advancing splendidly. These use cases will exemplify how the TRAPEZE solution overcomes present-day limitations and revolutionizes the way enterprises, public administration, and citizens interact with their sensitive information.
Three real-world use cases led by Informatie Vlaanderen, Deutsche Telekom, and CaixaBank demonstrate the capabilities of TRAPEZE outcomes. The development and status of the use cases are highly promising. The solution is designed to be flexible, robust, scalable, and ethically compliant. Its potential extends far beyond the project’s conclusion, as it is set to be adopted by a broad range of entities and citizens, positively transforming various scenarios.
Informatie Vlaanderen: “My Citizen Profile”
In recent years, there has been a growing emphasis on citizen-centricity and secure data sharing as important aspects of digital transformation. Digital Flanders is a government agency from the Flemish Government that recognizes this and is working on a new infrastructure to address these needs. Their aim is to create a secure and standardized way for citizens to reuse government data, with a focus on providing an excellent user experience.
To achieve their goal, Digital Flanders is leveraging Solid, a technology that was invented by Tim Berners-Lee, the creator of the World Wide Web, and researchers from UGent. Solid technology provides a platform that enables users to control their own data and choose how and with whom they share it, while ensuring the data remains secure and private. One of the main advantages of Solid is that it allows multiple organizations to make use of the same data, being stored in decentralized stores called Pods.
Digital Flanders is building on this technology to create a state-of-the-art data-sharing infrastructure. They are also leveraging existing developments from their popular MyCitizensProfile platform, which enables citizens to access their own data and manage their interactions with government services.
One of the first use cases for Digital Flanders’ new infrastructure will be with Randstad, a large HR group. Randstad will use diploma data from Digital Flanders during their application process. Solid simplifies Randstad’s process by offering a user interface for authentication and consent to access diploma data from the applicant’s Solid Pod.. This collaboration serves as a practical demonstration of Digital Flanders’ infrastructure capabilities.
Digital Flanders is also part of the TRAPEZE consortium, which has a goal of investigating and setting up a privacy platform that allows citizens to assess which third parties have consent to use their data and audit how their data has been used. This platform will build on the foundations of the Solid technology and aims to take consent management to the next level.
Digital Flanders aims to utilize the Solid project blueprint in collaboration with Randstad to assess TRAPEZE’s potential for enhanced consent management and seamless integration into their existing infrastructure. This will enable enhanced control and security for citizens’ personal data.
Deutsche Telekom: Tools & Applications for “Data sharing via APIs”
Deutsche Telekom’s (DT) concern is to make language and privacy policies defined in the TRAPEZE language as well as tools available for legal and commercially useful exchange/sharing of telco-specific personal data. These tools can then also be marketed by T-Systems (DT’s subsidiary for IT service provisioning) in the “Data Intelligence Hub (DIH)”. Both contexts require an automated, GDPR-compliant mechanism for formulating, applying, and managing rules for data sharing. These are formulated in privacy policies.
DT is actively contributing to the CAMARA Telco Global API Alliance. In this context, APIs for sharing data – including personal data – are provided for 3rd parties to make use of functions, features and data provided by telco carriers. For Telcos, this is a unique opportunity to finally monetize some of the data they host. DT pays a lot of attention to not harming its excellent reputation in terms of privacy and security. Thus, customer consent is collected in advance, and agreed privacy policies are used as a means of consent management.
TRAPEZE language is used to define, share, manage and enforce consent (or rather “agreed privacy policies”). DT integrated TRAPEZE language, tools, and concepts in its’ “Magenta Hyper Consent (MHC)” product. This product is targeted toward product owners and (in the CAMARA context) API monetization. Thus, there is no dedicated “TRAPEZE” user interface used, but rather DT/product-specific user interfaces are utilized to collect consent and to allow users to manage their privacy preferences.
While the MHC Core deals with policy- and consent management (independently of actual data), the MHC Gatekeeper uses the policies to filter 3rd party data requests. Figure 1 shows the overall architecture from a technical point of view. Since MHC aims at B2B business and product managers, not directly at end customers, all components are built in a way to allow easy integration in new and existing products and services. It enables the DIH and other DT Business units to safely deal with personal data in the context of GDPR and other regulations.
Figure 1: MHC architecture overview.
A first application was trialed with DT’s approach for consent management, the “group consent clause” which allows customers (i.e. citizens) to grant, revoke and manage their consent for data using and sharing. A key requirement is the open exchange format of privacy policies as it was developed in TRAPEZE and its predecessors.
CaixaBank: “Customers’ Digital ID wallet”
Caixa Bank (CXB) wants to develop a “Customer ID Wallet” that allows the bank direct and transparent communication with clients about the usage of their data. It will be designed to enforce GDPR compliance and increase the data privacy security awareness of their clients as well as incorporate the bank’s business requirements. No existing unified platform yet ensures security, privacy control, transparency, and trust among stakeholders. CXB wants to harness the potential of the TRAPEZE platform and its building blocks to address this challenge effectively.
Moreover, the European Commission’s recent release on the European Digital Identity framework strengthens CXB’s innovation perspective on trusted self-management of individual identity and data. This should help to streamline secure onboarding processes for new digital financial services, enhance overall security awareness, promote data privacy consciousness, and ultimately reduce successful social engineering attacks and impersonations. In that line, the Customers’ ID Wallet pilot aims at developing an identity wallet that can work as a technical reference or complement the future EU Digital wallet, considering the digital identity verification means provided by the EU and Member States (when available) or any other trusted entity that works as an identity provider.
The pilot supports a key use case: enabling secure exchange of Know Your Customer (KYC) information between entities, ensuring banks collect and maintain up-to-date client information. This is essential due to Anti-Money Laundering (AML) regulations, which mandate the collection and maintenance of client information for all financial institutions. However, properly collecting, updating, and verifying the accuracy of this information from all clients poses a significant time-consuming challenge for both banks and citizens seeking their services. Presently, whenever a citizen intends to open an account with a new bank, they are required to provide the necessary personal and financial details.
What if we could collect and validate KYC information just once? This would simplify the process for both banks and citizens, and that’s precisely what the “Customers’ Digital ID Wallet” pilot aims to achieve. With this pilot, citizens can provide their information once to a single financial institution. The entity will validate the information as usual, but the Digital ID Wallet will securely retain and enable sharing of this attested information when the citizen seeks financial services from another bank. For this to happen, the customers must also be able to assess both the risks and the potential benefits of such actions (e.g. control with which entity they are sharing the data in order to identify them and their profile faster). The TRAPEZE platform will provide an easy and user-friendly way in which citizens can manage their data privacy policies and also review which entity has the consent to access which sensitive data from them and for which purpose.
Figure 2: The Digital ID Wallet.
As a result, Customers’ Digital ID Wallet can improve the citizens’ overall awareness of their data security and privacy risks, making them active players in the protection of their own data and finances.
Lauro Vanderborght, Digitaal Vlaanderen, Belgium
Martin Kurze, Deutsche Telekom, Germany
Ramon Martin de Pozuelo, CaixaBank, Spain