TechReg Weekly: EU, UAE Regulators Eye Data Protection Reform to Boost Innovation


Among the many ways digital technologies have shaped the way the world does business, the enhanced ability to collect and monetize customer data has been one of the most significant.

While data protection laws such as the EU’s General Data Protection Regulation (GDPR) are widely regarded as an important defense against privacy breaches and the use of people’s personal information without permission, they can also create friction for businesses and inhibit the legitimate use of data to advance innovation.

Read more: Complying With EU Data Laws Is Becoming Increasingly Complex 

Seeking a corrective to this tendency, in recent times regulators have been assessing how they might adapt their data protection frameworks so as to lessen the compliance burden for data processors while maintaining protections for sensitive information.

For example, last Wednesday (Oct. 12), the European Data Protection Board (EDPB) endorsed a certification scheme that will allow individuals or entities to obtain certification from an approved accreditation body to demonstrate to the EU and customers that they are GDPR-compliant.

The first organization granted permission to issue the certificates is Europrivacy, a privacy-focused research institute co-funded by the European Commission and Swiss.

Businesses that want to prove they have met the requirements of GDPR will now be able to gain certification from Europrivacy. Once assessed and certified, businesses will have a credible means of assuring data protection authorities and consumers across the European Union that they are GDPR compliant.

Related: Big Techs Continue to Navigate Legal Quagmire of EU Data Sovereignty

The new system aims to streamline and harmonize the current model in which different EU authorities specify different means of proving GDPR compliance. This leads to inefficient reporting processes and creates a challenge for data protection officers dealing with multiple authorities.

In the same week it announced the new Europrivacy certification scheme, the EDPB sent a letter to the European Commission outlining further procedural aspects of the GDPR framework that could benefit from harmonization at the EU level.

As GDPR leaves a degree of flexibility in terms of its practical operationalization, currently, member states each define their own reporting and certification standards.

Calling for greater alignment between different EU members’ approaches to GDPR enforcement, the EDPB has asked the EC to consider clarifying some aspects of the regulation so as to create more standardized complaints procedures.

For example, the letter suggests outlining the specific rights to access documentation held by parties involved in GDPR complaints. As things stand, there is no common rulebook describing which materials should be granted to complainants and which documents organizations are entitled to withhold.

Unleashing the Power of Synthetic Data

Aside from streamlining the regulatory framework for data protection, another way that authorities can promote data innovation is by legislating around technologies that enhance data anonymization techniques.

For example, synthetic data refers to a type of data that is generated by running original data through a machine learning algorithm that is trained to reproduce the characteristics and structure of the input data.

Because synthetic data is designed to deliver very similar results to original data when statistical analysis is applied, synthetic datasets are useful tools for data scientists when the original dataset from which they are generated contain personal information subject to strict privacy requirement.

On Tuesday (Oct. 18), Dubai Digital launched its Synthetic Data Implementation Framework designed to create the conditions in which data processors can ethically and compliantly take advantage of synthetic data.

For the development of innovative Artificial Intelligence (AI) models trained on large datasets, synthetic data creates opportunities to use information that would otherwise be inaccessible due to privacy concerns.

Learn more: EU Watchdog Mulls Regulation of AI-Cybersecurity Firms

Commenting on the initiative, Younus Al Nasser, assistant director general of Digital Dubai, said: “We understand the importance of data mined from various sectors across the Emirate of Dubai, but at the same time, we are highly aware of the need to preserve the security and privacy of individuals and organizations.”

As companies embrace synthetic data as a way to tap into large datasets without the risk of compromising personal information, it seems likely that more regulators will turn their attention to the field.

Questions surrounding the creation and use of synthetic data are by no means straightforward. Dubai’s forward-looking approach is an important step in creating the kind of regulatory environment that will foster innovation without undermining data protection laws.

For all PYMNTS EMEA coverage, subscribe to the daily EMEA Newsletter.