On December 19, 2022, the Central Committee of the Communist Party of China and the State Council officially issued the "Opinions on Building a Data Basic System to Better Play the Role of Data Elements" (hereinafter referred to as "Twenty Articles on Data"), which creatively proposed the right to possess resources, the right to process and use The data property rights system framework with Chinese characteristics of "separation of three rights" and product management rights, and emphasizes research on new methods of data property rights registration. It is pointed out that "establish a data element benefit distribution system that reflects efficiency and promotes fairness", and clearly "establishes a safe, controllable, flexible and inclusive data element governance system". Proposing a system construction plan in terms of data property rights, income distribution, and security governance has great theoretical and practical significance for my country to build a systematic basic system of data elements. Articles 14 to 16 of the 20 Data Articles clarify that security runs through the entire process of data governance, build a multi-party governance model coordinated by the government, enterprises, and society, innovate government governance methods, clarify the responsibilities and obligations of all parties, improve industry self-regulatory mechanisms, and regulate The market development order forms a governance structure of data elements that combines an effective market and an effective government.
As a new type of production factor, compared with traditional production factors such as land, labor, capital, and technology, data has unique characteristics such as non-consumable/non-scarce, non-exclusive, and time-sensitive. The traditional production relationship system has been difficult to adapt to it. At a time of major changes unseen in a century, the contribution of traditional factors of production to economic growth has become increasingly limited. Therefore, to speed up the construction of a basic data system and give full play to the advantages of my country's massive data scale and rich application scenarios, its ultimate value lies in two important goals. One is to enhance the new functions of my country's economic development, and the other is to build a new national competition. Advantage.
With the sounding of the horn of digital construction and gradually entering the fast lane, the contradiction between data flow and security development has gradually emerged: in the process of open sharing, data leakage, data trafficking, and data abuse incidents occur frequently, which poses a serious threat to personal privacy, business secrets, The storage and use of important national data has brought serious security risks. Therefore, to promote digital construction, we should not only promote data sharing and openness on demand, and give full play to the role of data as an innovation engine, but also strictly guard the security defense line to avoid "leakage" of data bases. This requires a rational examination of the root of the contradiction between the two, reasonable use of scientific methodology to find strategies to avoid the contradiction, and a precise grasp of the balance point of the contradiction between the two.
Application Value of Data Security Supervision Sandbox
Data empowerment is increasingly becoming a source of power. If data resources are "hidden deep in the boudoir" without development, it will be a huge waste of resources, which is not conducive to the cultivation of the data element market and the development of the digital economy.
The data security "regulatory sandbox" aims to open up "data islands" to maximize the value of data, and at the same time meet the security requirements of "usable and invisible" data, so as to promote data as a production factor to give full play to its value under the premise of safety. Within the limited scope of business, on the premise of ensuring that the rights and interests of all parties are fully protected, encourage innovation and tolerance of trial and error among organizational units.
On the one hand, it is conducive to the full collision of data between organizations under the domestic cycle and business innovation. Encourage data sharing between enterprises through the data regulatory sandbox, create an inclusive and innovative digital business environment, and realize digital-driven innovation.
On the other hand, it helps to pre-regulate under the cross-border flow of foreign dual-cycle data. The sandbox model of data security supervision emphasizes free flow without supervision under certain time and space conditions. By signing inter-governmental data supervision cooperation agreements, inter-enterprise data sharing agreements, and inter-government and enterprise data open licensing agreements, the cross-border data management agencies of member states adopt prudent measures. An inclusive and open attitude, moderately loose supervision of the cross-border flow of data within the scope of the agreement with a first-hand attitude.
In short, the data supervision sandbox is a supervision model that emphasizes post-event supervision and continuous supervision, forming a regulatory thinking based on "data flow within the controllable range".
Data Security Supervision Sandbox Application Scenarios
01Singapore PET sandbox application example
1. Identify common customers across multiple datasets
Example: A retailer and an insurance company want to find out the number of customers they have in common before building a data sharing partnership to get additional characteristics or attribute data sets of common customers from multiple customers.
Example: A travel agency and telecommunications company want to create a federated data model that builds functionality that describes travelers' travel preferences without revealing sensitive data.
2. Make data available for AI model development and testing
Example: An investment firm wants to train an investment risk AI model with overseas supply chain data of its investment firms, but faces regulatory or confidentiality constraints.
02 Application example of Singapore trusted data sharing framework
1. Improve customer experience and generate new revenue
Example: A bank and telecommunications company (both data provider and data consumer) are looking to engage in two-way bilateral data sharing to improve customer experience and improve business outcomes for both entities. The data exchanged is used to better understand customer needs and deliver more relevant solutions, experiences and offers to the combined customer base. The partnership enables both parties and their partners to anticipate and better respond to customers' changing motivations and preferences, and deliver value to customers beyond a single entity or industry.
2. Improve the overall efficiency of the supply chain, thereby reducing costs
Example: Sharing supply chain service provider data to company data provides customers with real-time data on current inventory, allowing them to better understand inventory and optimize cargo turnover. A local SME launched an integrated platform for real-time order and inventory management. Eliminates unnecessary cross-warehouse stock movement of slow or expiring inventory and increases turnover of goods.
03Description of the application scope of the regulatory sandbox in the Digital Economy Partnership Agreement
The Digital Economy Partnership Agreement (DEPA) is a new type of trade agreement jointly initiated by Chile, New Zealand and Singapore to promote digital trade and the digital economy. The agreement was signed on June 12, 2020.
DEPA has designed more than ten modules covering business and trade facilitation, handling of digital products and related issues, data issues, business and consumer trust, emerging trends and technologies, innovation and digital economy, SME cooperation and digital inclusion and other topics. On November 1, 2021, the Ministry of Commerce of China sent a letter to New Zealand Trade Minister O'Connor to formally apply for membership. On August 18, 2022, China's accession to the DEPA working group was established.
The "Digital Economy Partnership Agreement" mentioned that the regulatory sandbox is a mechanism for government and industry cooperation. In the data sandbox, data, including personal information, will be shared between companies in accordance with the domestic laws of each country, thereby supporting private sector data innovation. And bridge policy gaps while keeping pace with new developments in technology and business models. Through the DEPA agreement, Singapore, Chile and New Zealand will commit to collaborating on a data regulatory sandbox to create a safe environment where businesses can innovate in consultation with governments. The FinTech Regulatory Sandbox enables financial institutions and FinTech players to experiment with innovative financial products or services within a defined space and duration in a trusted data-sharing environment, thereby promoting competition and an efficient open market.
Application of foreign data security supervision sandbox
Since 2017, based on the inspiration of the regulatory sandbox concept, countries and international organizations such as Singapore, Finland, the United Kingdom, Norway, China, the European Commission, and ASEAN have tried in the field of privacy protection. Among them, ICO (UK Information Commissioner's Office) and Singapore Information Communication Media Development Authority are more typical.
01ICO Application
The ICO data security regulatory sandbox will focus on medical health, COVID-19 vaccine experiments, financial fraud, and light biometric authentication in 2020. In 2021, the focus will be on children's privacy protection, improvement of housing quality, reduction of violent crimes, patient sharing, road safety, etc. 2022 focuses on identity authorization, mental health care, special services for children, combating cybercrime and more. The key application areas of ICO in 2023, in terms of emerging technologies, focus on consumer health, Internet of Things, VR/AR, and decentralized finance; in terms of biometrics, focus on applications in public, education and other fields.
Take the application of Yoti in ICO as an example. Since 2014, Yoti has been providing digital identity services and physical identification technology to clients around the world. One of Yoti's main products is their age estimation technology, which estimates a person's age by algorithmically evaluating a person's facial features. Yoti went to Sandbox to explore how they can expand the use of age estimation technology to young people aged 6 to 12. This will ensure that providers of services dedicated to children, such as gaming sites and forums, can create safe virtual environments and online spaces.
Yoti was included in the sandbox on November 6, 2020. Due to the epidemic, in February 2022, Yoti and ICO completed the last work of the Yoti sandbox project and ended their participation in the ICO sandbox. One of the goals is that Yoti will use the data collected by Go Bubble on its behalf (and possibly other data sources) to train its age estimation technology to effectively calculate the age of children aged 6-12 (however, due to the epidemic, in February 2021, Yoti Decided not to rely on Go Bubble to provide training data for their purposes. Instead collect data by using a web portal. As well as collect data through a family digital health organization (Be In Touch based in South Africa).
02Application of data regulatory sandbox in Singapore
Singapore's data security regulatory sandbox is under the umbrella of data sharing and innovation, and has formed a white paper on the Trusted Data Sharing Framework (Trusted-Data-Sharing-Framework). The overall data security regulatory sandbox is divided into three steps. Namely participation, guidance and policy. The main considerations for using a data regulatory sandbox include four parts: innovation, public benefit, ready and specific, and risk assessment and mitigation.
Innovation: use cases should demonstrate how data can be used to derive new value or create new products;
Public benefit: use cases should not have any adverse impact on consumers;
Ready-made and concrete use cases: Use cases should not be hypothetical. It should generate sufficient interest among relevant stakeholders and produce clear results;
Risk Assessment and Mitigation: Risks and impacts should be assessed and mitigated, and reasonable efforts should be made to protect individual interests.
The trusted data sharing framework includes four parts: data sharing strategy, law and regulation, technology and organization, and data sharing and collaboration.
Data security supervision sandbox construction mechanism
Referring to the operating mechanism of my country’s financial technology “regulatory sandbox” and the application situation in the United Kingdom and Singapore, the data security regulatory sandbox can be divided into: access test stage, test design stage, program evaluation stage, actual test stage, exit stage and final evaluation stage.
In the access test stage, the regulatory authority is based on principles and has regulatory flexibility. After the enterprise submits the application materials to the regulatory authority, the regulatory authority will evaluate it in accordance with relevant national laws and regulations, and enter the test design stage for companies that meet the requirements. Enterprises that meet the requirements are ordered to withdraw from the "regulatory sandbox".
The second stage is the test design period. In this stage, the supervisory department communicates with the enterprise to be tested, and the two parties negotiate a set of personalized test plans that comply with regulatory rules and are based on the characteristics of the enterprise to be tested.
The third stage is the program evaluation period. The regulatory department re-evaluates the test plan established in the second stage, and can enter the actual test stage after passing the review. If the plan fails to pass the review, it will return to the second stage to formulate a new plan.
The fourth stage is the actual testing stage. During this process, the regulatory department should track the testing process of the enterprise in real time, and the enterprise should formulate an operation report and submit it to the regulatory department. If there is any abnormal situation, when the application is found to be unfavorable to the market environment, society and user interests, the company should be ordered to withdraw from the sandbox test.
Enterprises that successfully pass the actual testing stage can enter the fifth stage—exit the sandbox stage. At this stage, the regulatory authorities should do a good job in connecting the "sandbox enterprises" with the external market, conduct further review on the compliance of enterprise products, and require "sandbox enterprises" to establish an appropriate user protection system in order to successfully exit the sandbox , to ensure that the interests of real market users can be fully protected.
Finally comes the final evaluation stage. The testing company needs to submit a test report to the regulatory department. The report is evaluated by the regulatory department based on the expected data of the "regulatory sandbox" to analyze whether the products participating in the test meet the standards. Then the regulatory department announces and discloses the report results.
Construction framework of data security sandbox platform for some manufacturers
The data security sandbox platform is the landing support platform for the data security supervision sandbox mechanism. The platform needs to integrate trusted execution environment, federated learning, multi-party secure computing, blockchain and other related technologies. With the trusted execution environment as the core, it realizes the privacy protection, integrity protection and audit traceability of data in the computing process. While opening up the "data island" to play the value of data, it can also meet the security compliance of "usable and invisible" data Require.
