The Personal Data Intermediary (PDI) is a technical and business building block of the data space that facilitates human-centric, secure and controlled management of personal data while ensuring individual control, privacy and adherence to privacy and security regulations. This can be achieved by the combined application of the following principles:
- Decentralisation is important to avoid monopolies in the ecosystem which reduce the trust. A decentralised approach requires a technical architecture that is not dependent on a single provider and applies to actors, roles, standards, tech providers and infrastructure.
- Consent: this concept provides the user with transparency and control on data exchanges. It implies that a user gets informed about and can approve the usage of personal data. In Data Spaces, a user-level consent is mandatory, not only from a human centric approach but also since there is no public authority that can give a general consent to use personal data. Consent mechanisms also contributes to the minimization of the risks for abuse or leakage of personal data.
- Compliance with legal requirements involves adhering to the GDPR and AI Act when passing, storing, or processing personal data. This is achieved by implementing measures such as informed consent, robust data protection, and transparency in handling personal data, ensuring Personal Data Protection and Access to Personal Data are integral technical Building Blocks.
- Security: several protection features must be implemented prior to making data shareable across Data Spaces including access control, authentication.
7.3.1. Technical Usage #
PDIs serve as a trusted intermediary between individuals and data consumers / data providers, enabling individuals to securely manage and share their personal data. The technical implementation of PDIs involves the following components:
- Consent: Developing a consent management system that allows individuals to give explicit consent for data sharing and revoke consent if needed. The system would adhere to standards like the Kantara Consent Receipt Specification, which provides a common format for recording and communicating consent information.
- Identity: Ensuring seamless interoperability across personal identities, providers, and standards is paramount. This component facilitates harmonious interactions within the ecosystem.
- Distributed data visualisation: Enabling data space actors to access recommendations effortlessly, regardless of the UI implementation. This includes creating a versatile visualisation component that can be seamlessly embedded into any application.
- Catalogue: This component offers individuals a user-friendly catalogue of data sources. It simplifies navigation and discovery of apps, data users, and data sources within their personal data space.
- Data Sharing and Access Controls: Providing mechanisms for individuals to selectively share their data with trusted entities while enforcing access controls. Data sharing agreements and fine-grained access control mechanisms ensure that data is shared securely and in compliance with privacy regulations.
- Privacy and Security Measures: Applying privacy and security measures to protect personal data, including compliance with data protection regulations, encryption of data in transit and at rest, and regular security audits.
7.3.2. Interaction with the Data Space #
PDIs interact with the data space architecture by integrating with existing data space use cases and platforms. They act as intermediaries between individuals and data providers & consumers, facilitating controlled data sharing and maintaining privacy and security in the process. PDIs leverage APIs and protocols to securely transfer individuals consents to enable data exchange within the data space, while adhering to the principles of self-sovereign identity and human centricity. While they do not directly access personal data, they play a crucial role in managing user consent.
PDIs design user-friendly interfaces with a focus on simplicity and clarity, allowing individuals to seamlessly navigate and control their consent preferences. These interfaces typically feature intuitive dashboards where users can easily view, modify, and track their consent settings for different data/service providers. Through these interfaces, individuals can grant or revoke consent with just a few clicks, providing a straightforward and transparent way to manage their data-sharing preferences.
Additionally, these interfaces often include informative elements, such as clear explanations of data usage policies and the specific services associated with each consent choice. Visual cues and notifications may also be incorporated to enhance user awareness and understanding. The goal is to empower individuals with a high level of control over their personal data, promoting a user-centric approach in alignment with principles like self-sovereign identity.
PDIs assist in ensuring compliance with privacy and security regulations within the data space. They enable individuals to exercise their rights such as accessing or deleting their personal data and provide transparency regarding data usage and processing practices.