A new framework for global data regulation

TL;DR

This paper proposes a context-based regulatory framework for data protection that links regulations to outcomes and human rights, rather than specific data or tools, enhancing flexibility and effectiveness.

Contribution

It introduces a novel outcome-oriented regulation approach that aligns legal protections with actual use cases and human rights, supported by practical testing in open banking and contact tracing.

Findings

Framework effectively addresses diverse human rights.

Applicable privacy-enhancing technologies demonstrated.

Flexible policy approach aligns with engineering practices.

Abstract

Under the current regulatory framework for data protections, the protection of human rights writ large and the corresponding outcomes are regulated largely independently from the data and tools that both threaten those rights and are needed to protect them. This separation between tools and the outcomes they generate risks overregulation of the data and tools themselves when not linked to sensitive use cases. In parallel, separation risks under-regulation if the data can be collected and processed under a less-restrictive framework, but used to drive an outcome that requires additional sensitivity and restrictions. A new approach is needed to support differential protections based on the genuinely high-risk use cases within each sector. Here, we propose a regulatory framework designed to apply not to specific data or tools themselves, but to the outcomes and rights that are linked to the use of these data and tools in context. This framework is designed to recognize, address, and protect a broad range of human rights, including privacy, and suggests a more flexible approach to policy making that is aligned with current engineering tools and practices. We test this framework in the context of open banking and describe how current privacy-enhancing technologies and other engineering strategies can be applied in this context and that of contract tracing applications. This approach for data protection regulations more effectively builds on existing engineering tools and protects the wide range of human rights defined by legislation and constitutions around the globe.