Podcast - The Datasphere: Governing Data Beyond Borders

Kevin Angle: Today, we're going to talk about data on a global scale. Data influences almost every minute aspect of our daily lives, but it also crosses national boundaries and influences public policy, from addressing climate change to supporting sustainable growth. How can government, civil society, businesses and, yes, lawyers leverage data to address some of our world's most pressing challenges? What governance structures can help to mitigate risk and manage such use? I'm Kevin Angle, senior counsel in the Data Strategy, Security & Privacy practice here at Holland & Knight, and my guest today has been working on issues around data, internet governance and communication policy, both as an academic and professional, for more than 15 years. Lorrayne Porciuncula is the executive director of The Datasphere Initiative, a nonprofit dedicated to global collaboration on technical policy solutions for the cross-border challenges of data governance. Prior to leading The Datasphere Initiative, she was the director of the data program at the Internet and Jurisdiction Policy Network and worked at the OECD as a strategic advisor and internet economist. Last year, she was appointed to the United Nations Commission on Science and Technology for Development Multi-Stakeholder Working Group on Data Governance, where she represents civil society and contributes to global discussions on equitable, interoperable and inclusive data governance frameworks in the context of the UN Global Digital Compact. Lorrayne is based in Brazil. She, for the record, also speaks English, Portuguese, Spanish and French, and other than that, she has barely any accomplishments. Welcome, Lorrayne.

Lorrayne Porciuncula: Hello. Thank you, Kevin. It's a pleasure to be here with you.

Kevin Angle: Absolutely. So I wanted to kick it off – I've read a number of your papers and one of the first ones I read, you had a discussion about the problem with analogies with data, which I think actually gets to the way data is unique as an asset in many ways. And so just for my first question for you, is data the "new oil," as you so often hear?

Lorrayne Porciuncula: Thank you for that question. This is indeed the most common analogy in the field of data. And it's quite catchy, I've got to say. But it's also very misleading, in my opinion. And it is catchy because, in a way, it works, right? Like oil, data is incredibly valuable and fuels the modern economy of sorts. It needs to be refined, also, to be useful. And the consequence of that is that many think that if they hoard it, they'll be richer for it. But oil is a finite extractive resource. Once you burn a gallon of gas, it's gone. And data, on the other hand, is not. It's non-rivalrous and it's generative. If you use a data set to train AI, you can still use the same data sets to improve a public health map, for example. And in the publication that you mentioned, We Need to Talk About Data, we argue that treating it like a physical commodity has several consequences, such as siloing. We only see the part of the problem, not the whole of the problem – or the opportunities that data brings. So in my opinion, we should view it more like water or like air, or even the atmosphere: something that we all breathe in and contribute toward, rather than thinking that it is finite and other actors can take it. So thinking about this in a more complex way, it's more conducive to thinking about solutions as well, for problems we have.

Kevin Angle: Can I just follow up on that? So when you're saying you're only seeing part of the problem, is that just, you know, the more data, the better? Or do you mean something else by that?

Lorrayne Porciuncula: Yes, because often we are led to thinking about those polarizing positions in terms of either I hoard data and I keep it all to myself, or it's free flowing and it's out of my hands. And so in thinking about it in a more nuanced way in the different dimensions on how value of data is created, we can actually think about, you know, the solutions towards problems that we have as well. Which is not necessarily just locking data away. It's actually, how do you responsibly create value from data? So the key is actually thinking about how to do that in a way that benefits people and the planet everywhere.

Kevin Angle: This is a related question then. You're the executive director of The Datasphere Initiative. What is the datasphere? And why does that concept matter?

Lorrayne Porciuncula: I really care about thinking about definitions and words that we don't have yet to describe the complexity of the world that we live in. I like to cite Gabriel García Márquez, one of my favorite authors. In the beginning of his book One Hundred Years of Solitude, he says that the world was so young that we still didn't have words for things that we like to point to things because the words weren't there yet. And in coining that term, of course, building in the literature that speaks about the datasphere in different ways, what we did is to give a name to this phenomenon. A phenomenon that we think we all kind of felt it, but we didn't have a name yet. So we define the datasphere as a complex adaptive system that encompasses all types of data and their dynamic interactions between human groups and norms. And by data, we mean all sorts of data, both personal, which is – typically when we think about policy and regulation, people think about personal data, but there's all sorts of data out there that are not personal data. Machine-produced data about the environment, ecosystem, etc. There's also norms, and those are from code. You know, technical norms, all the way to legal texts and human groups, both individuals, corporations, governments. So the interaction between those three elements leads up to what we call the datasphere. And it's as if thinking about a large lake or the ocean where we have so many of those different elements that interact with each other. And the reason why we think it's important is because current laws and legislation, they're based on borders, but data doesn't really care about borders, right? Data that we extract is processed somewhere else and then transformed and reused in a third, fourth and fifth place. So in thinking about how we conceive of the datasphere in a more complex way, how we conceive of it in a more holistic way, we can actually try to tackle some of the world's biggest problems in terms of free flows and how we actually deal with climate change or the pandemics even, but it's looking at it from a complex ecosystem perspective.

Kevin Angle: So I want to come back to some of the definitions you were mentioning because I'm a lawyer and I love definitions. But before we get there, just a related question: I represent clients and then, of course, government actors, there's so many different stakeholders here. Can you just, along the lines of what you were just talking about, big picture, give a description of how the actions of one stakeholder, a private sector actor, for example, who might be using data in some way to train AI or just to conduct research might impact that broad concept of the datasphere?

Lorrayne Porciuncula: Yeah. Let me walk back also in terms of what we mean in a complex adaptive system. There's a whole science to it, right? When we talk about a whole that is not only the sum of its parts. So the whole is an entirely new phenomenon that emerges from those interactions between stakeholders. And the parts affect the whole in three different ways. So the first one is what we call the emergence feature. Think of a flock of birds. There's no leader bird, so to speak, giving orders. Each bird follows a simple rule that you need to stay close to your neighbor and not collide. From this small individual action and norm, so to speak, there's a beautiful complex V-shape that emerges that none of the individual birds could create alone. So you see that the whole is more than just the sum of the parts. The second feature is what's called non-linearity. Small actions can have massive repulse. So in a single system, like a linear system, if you push the pedal 10 percent harder, you go roughly 10 percent faster. But in a complex adaptive system, it's non-linear. You have what we call popularly the butterfly effect, so a single line, a flawed code or bad data, for example, used in software, can lead into a global cybersecurity meltdown.

Kevin Angle: And then somewhere the dinosaurs start attacking, right?

Lorrayne Porciuncula: Yes, exactly. And also, on the other hand, you have the positive flip side as well. So one small policy shift in one country, like let's say the right of data portability, for example, can trigger a global wave of innovation of companies that are trying to adapt and comply, and it changes how data is flowing globally. The third feature, which is very interesting, is the feedback loops and adaptability of the system itself. So the system reacts to the outputs. So it can be through negative feedback, like stabilizing the system in itself. So if a company is exploiting data too aggressively, users may make the decision with their feet, so to speak, and flee to a competitor, correcting the system's behavior. On the other hand, those systems can also see features of amplification, right? If an algorithm is prioritizing engagement, then it's going to promote polarizing content. That's something that we see often in social media. So the algorithm learns to show even more content, and it self-reinforces in that loop and it stabilizes that social fabric. Again, think about the datasphere as that lake. Instead of just looking and thinking of, let's say data is the plankton, which is typically how we think about data governance traditionally, that you're just nearly managing data. We're thinking about it as the whole ecosystem and how one privacy actor, for example, if it's overfishing, for example, or polluting that lake and exploiting personal data without consent or creating chaos in a way, it can lead and affect the health of the entire ecosystem and trust in that ecosystem.

Kevin Angle: My dinosaur reference, by the way, was to Dr. Ian Malcolm in Jurassic Park, in case that wasn't clear to the listeners. So thank you for that. Can you just briefly describe what is The Datasphere Initiative? What kind of work are you doing?

Lorrayne Porciuncula: We are a nonprofit think tank dedicated to the global collaboration on both technical and policy solutions on data governance and also on experimental governance tools such as sandboxes. So we do this by connecting stakeholders from across sectors through different events, consultations, conducting research on concrete data challenges and opportunities, and experimenting with policy and technical data sharing solutions to enact change on data governance narratives and strategies and thinking about those tools such as sandboxes, which is something that we've been working on a lot and I'll talk about later.

Kevin Angle: Great. I did want to circle back, like I said, to the whole notion of definitions and how important they are, or I was going to maybe press you on how problematic they might be. I'm a privacy attorney, and we have all kinds of categories for things. We have controllers and we have processors. We have personal data, we have sensitive data, and I've been thinking a lot about, let's take sensitive data for example. We have defined categories under the GDPR of what's sensitive, and if you fit within that bucket, then certain controls apply, and if you fall outside that bucket then, you know, there's still other controls, but you don't have the same controls. And I wonder how useful having definitions like that really are or if they're too limiting in some ways. I mean, you need definitions, but I just wonder if you have any thoughts about that.

Lorrayne Porciuncula: Yeah, I have many thoughts about that, because for me, we should think about regulation in a less linear way, and again, it's about thinking about it from a complexity point of view. Sometimes you assume if you change Part A, you get Result B, and often when you're producing a piece of legislation, that's what you think. If you have a definition on controllers like this, this is what it triggers. And the problem is that a lot of it falls into a gray area. And often we are legislating towards things that don't exist yet, right? And so I like to think that at some point we're going to be able to have mechanisms that are able to also internalize those learning feedback loops. And the same way that we have software, that we have several versions of it – the 1.2.3 and all of that – we should also have a mechanism that the legislation can learn from the experiences. That's what I've been dedicating so much of my time to research, is how can we include that more adaptable mindset – still structured, still putting down safeguards, but making sure that we're able to learn from those experiences. Because so much about governance of emerging tech and governance of data is very context-specific. So it's a great starting point for us to have principles, and definitions are important because we need to start somewhere, but we need also to be humble and learn from the experience and say, this is not really working on this case, it should be something else. So what are the tools that can provide enforcers with the flexibility to learn from that and to also invite those new perspectives that will challenge the set definitions? So you're going to get me going here because –

Kevin Angle: Yeah, I know we could go on with this forever. I mean, even fundamental concepts such as controller and processor, you know, they made a lot of sense in 2016, but I feel like the world of data has changed since then, and so we're trying to fit a square peg in a round hole now and which hat you're wearing matters so much. I want to move on to some other things I know you're working on, and one of those is that you're discussing some of the tools that can enhance data sharing, which, I think you would agree can be a good: The more data people can access to and use, that can be good. But also, of course, there's risks with data sharing. So what are some of the tools that can enhance data sharing between governments, organizations, private sector, etc.?

Lorrayne Porciuncula: I think there are a number of experimental and innovative tools around governance and policy that have been used in the past few years. Hackathons are a way to kind of test that traditional process on how bureaucrats usually work once they're embedded internally but also test beds. We have been doing a lot of work on sandboxes, and sandboxes have emerged as a more structured space for this kind of testing. And the way that we define it – and again, this definition also keeps on evolving – is that we look into sandboxes as a space that is time-bound, that has a specific learning objective, that has provided safeguards, but it is within a structured governance in itself as well. And so when we're thinking about the problem of traditional regulation and why it fails, those laws being linear, as we're saying, experimental tools such as sandboxes can be very useful. Because instead of trying to control the whole system from the top down, sandboxes and those experimental tools can allow us to observe how the parts interact in a safe space. You can test which small changes or small rules lead to the best emerging outcomes for everyone. And I think what's the most interesting feature from sandboxes is that it's iterative and typically you have several cohorts working one after the other. And that repeated exercise creates trust in the ecosystem, which I think is lacking when we're thinking about a relationship between a regulator and a company of sorts. Typically, you have different incentives: The regulator wants to enforce the law, the innovator wants to innovate and push out a product quickly. And so it's very hard for you to work and share information that could benefit the system as a whole. It's a typical prisoner's dilemma sort of issue there where if you have the game played once, typically, the result is lose-lose, right? You don't know if the regulator is going to come down on you, and the regulator has incentives to mistrust the innovator as well, or startups. And if you start playing the game several times and you start understanding what moves those players and how they would react in different circumstances, then you start sharing more and then you'll start creating trust. So having those spaces that are run in a structured fashion, in a more neutral way where the rules of what's being shared and what's not being shared are clear, can be very beneficial to actually building trust in the ecosystem.

Kevin Angle: And so, just for the benefit of folks who may not be familiar with the concept, what is a regulatory sandbox?

Lorrayne Porciuncula: So we have two different types of sandboxes – well, several now if you're considering different types – but typically we look into regulatory sandboxes and operational sandboxes. Regulatory sandboxes, typically when regulators are involved, may have a feature of actually lifting temporarily a regulation. Some of them provide other types of incentives, like a space for dialogue and learning with the regulator, but they are necessarily time-bound. So there is an exception to a rule or exception or incentive of some sorts where the regulator creates that space. It can be done by one regulator or several regulators in one country in a corporation. We also looked into sandboxes that can be a corporation across borders, for example, and they become more and more complex in this way. They can be municipal, they can be at the national level, regional or even global. But also there are operational sandboxes where typically they handle data and they provide a special kind of access to data sets. You have a few examples of those around health where you'd provide special access from startups to special sorts of data sets that allow them to develop solutions around health. And we call those operational sandboxes also, and they're sort of like those data lakes with special access.

Kevin Angle: Do operational sandboxes – we also talk about data clean rooms. Are they similar concepts?

Lorrayne Porciuncula: Yeah, those are also features within the sandbox they run and they have through cohorts. So you have kind of a learning objective that the regulator wants to achieve, right? So that's part of a program of trying to understand how innovators would be using that data set or not, and we also have hybrids. We have sandboxes that are partially providing a sort of exception to the rule and partially providing access to data sets as well. You can have different types of incentives, but we also see the emergence of different types of sandboxes, like policy sandboxes for testing policy, not only regulation, and also even some ideas that are emerging around legislative sandboxes where you can actually use that to actually test new pieces of legislation or how the legislative power is using AI for itself. So anyway –

Kevin Angle: Yeah, no, it's all so fascinating. And just as one example of going back to the regulatory sandbox of how this might work. So Utah passed a law, the Artificial Intelligence Policy Act, and it creates these regulatory sandboxes where, if you agree, you basically enter into a contract with the regulator there, that you'll abide by these certain controls. And then if you do that, they won't pursue regulatory action against you, as long as you're sort of reporting and you're working together with them. And so, the first one we saw there was a student-focused mental health app, which, as we've seen, you know, the combination of AI and mental health can be very difficult and problematic. So this is one way they can experiment with something that might be super beneficial without the risk of regulatory action, assuming that they will take steps to mitigate some of the other risks that regulators might be looking at.

Lorrayne Porciuncula: Yes. You have different types of leeway that is possible within different sandboxes. You can have a pretty big regulatory leeway, that the regulator provides within those sandboxes, and there are some sandboxes that give basically no leeway at all. If you look at the EU AI Act, it's mostly used as a compliance tool rather than providing exception. But I think what they have in common is that they have a learning objective. If you want to give a free pass to a company, you can do that, you don't need a sandbox to do that, but necessarily, you enter into a dialogue with the participants of the sandbox, or you should enter into dialogue, so that you can learn, and that could potentially inform future regulation or future changes and exceptions that then will be made permanent.

Kevin Angle: All right, so I have one last question for you I usually ask at the end of these: How can lawyers help to foster innovation? But let me just change that somewhat. How can lawyers help to build a sustainable datasphere?

Lorrayne Porciuncula: That's a good one. I think lawyers play a really important role and they can be architects of this datasphere. If I'm using a term to qualify that role, I always like to say that data management software, the way that we conceive it, like off-the-shelf software, is the easy part of the equation. You know, we have all sorts of technical solutions to help us manage data. We have new tools like homomorphic encryption that allows you to analyze or work on encrypted data without ever really needing to unlock it. We have differential privacy. We have all sorts of tools that are emerging and allowing for these new ones to take place as well. But getting people to trust each other is much harder. You can have the best software out there for managing data, but if one lawyer is sitting at the table across from another, and you have clients trying to share sensitive data, and the lawyer says this is not possible, no matter what tool you have, it's not going to happen. And so I think for me, lawyers have a really important role to being stewards of that process of building trust. Going from "no you can't do this," to thinking about "how?" How can we create trust and how can we enable this ecosystem to work in a more balanced way. We talk a lot in our work about the problem of polarization: Either you share all of it or you share none of it. I think lawyers can help in creating that nuance, right? And that trust to help that data flow in a responsible way and that fine balance between innovation and trust.

Kevin Angle: We have a lot of work to do. Thank you so much for joining the podcast. I really appreciate your time.

Lorrayne Porciuncula: Thank you, Kevin. It was a pleasure.