The balance between profit and privacy in data regulation: how to look for it in different countries

The most important aspect of building a data use system is finding a balance between the open data market and protecting the rights of entities

Main article: Data management

In the fall of 2021, the analytical review "Improving data management models. Stimulating data exchange between the public sector and key market participants. " The material contains information on the main approaches to data management at the intersection of the interests (interaction) of the state and large market players, including issues of regulating the turnover of various types of data of limited access, main trends and strategies for the development of the data market of foreign countries, a general analysis of approaches to the development of the data market; and recommendations for government agencies, industry organizations and businesses. The study considered:

• Strategic approaches to data market development in selected jurisdictions (EU, USA, Canada, Australia, China, Japan, South Korea);
• Approaches to the definition of different data categories;
• Principles of data turnover, including restricted data;
• Existing data disclosure requirements for public information systems and business, including reporting or statistical information;
• International data standards.

The study includes important policy documents on the development of the data market in different jurisdictions, some models of data management in foreign countries, as well as statistical indicators and graphs.

The reader is invited to familiarize himself with the main provisions and conclusions of this study. The information is of interest to experts in the field of data and digital law, managers of public bodies and private companies, as well as to a wide range of representatives of the relevant community.

The analytical review was prepared and presented to the professional community of ANO "Center for Competencies in Global IT Cooperation" (CGITC) together with the Association of Electronic Communications (RAEC) and the Institute for Internet Research.

Global Data Management Trends

In documents of the international organizations the free data exchange is considered as one of bases of future welfare ^[1] element in achieving sustainable development goals ^[2] for economic ^[3]

At the same time, the movement of information flows is significantly limited by various barriers: technological (underdevelopment of network infrastructure, peculiarities of information processing methods, etc.), social (low level of knowledge of information technologies, non-acceptance of technologies at the human level for one reason or another, etc.), legal and some others.

The significant impact that data collection, processing and exchange has on society means that issues of legal regulation of this area and removal of existing barriers are becoming more acute.

The regulation of data turnover is today relevant for countries with different legal cultures and traditions. All reviewed countries have either adopted or are in the process of discussing data policy documents that focus on enabling the best use of data capacity.

Big data market growth dynamics (source: US $ billion, Global big data and business analytics revenue from 2015 to 2022, statista.com)

A number of jurisdictions (EU, Japan, Republic of Korea) have identified priority areas for the development of data use. These include, inter alia, health, transport, public administration, agriculture, finance, as well as those areas where the use of data can help solve current problems and problems, for example, in Japan and Korea, the field of disaster prevention is included in this list, in the EU - ecology (as part of the Green Course for Europe), in Japan - the care of the elderly and the fight against the aging of the nation.

In China, a classification and categorization approach to data management is outlined in the Data Security Act of 2021, which places additional emphasis on the extent to which data damage affects the national security of the country.

Finding a balance between an open data market and protecting the rights of entities is an essential aspect of building a data use system. Each jurisdiction tries to find its own answer to this question, but several common approaches to data management can be distinguished, which should be conditionally and simplistically divided into the European, Chinese and US approaches.

In the European Union, as well as those countries that build their own data management system based on the European model, the main postulate of initiatives in the field of free data sharing is the protection of human rights. In the USA, data market regulation is based on a priority of economic and commercial interests, and consumers have the opportunity to exercise their rights through provisions of local legislation adopted at the state level. In China, data management is more focused on protecting national security and ensuring economic independence. The protection of the rights of data subjects is considered an element of the national security system and is ensured by the state centralization of data flows.

However, despite traditional differences, countries had to deal with similar problems. General trends in data exchange regulation include:

• Initiatives in the field of open data, first of all - data of public authorities, including the adoption of NAPs, obliging public authorities to disclose their data, the creation of public data platforms, measures to facilitate access and use of data (proactive data disclosure, no fees for providing information, ensuring portability, placing data in a machine-readable format, following data standards, providing metadata, using open licenses, etc.).

• Define a model for interacting public sector information openness requirements with personal data legislation and find the necessary balance between data availability and privacy.

• Involve private sector companies in the data turnover process, both as a data user and as a data provider (for example, the creation of open platforms for the use of data, the participation of private companies in the discussion of regulatory initiatives in the field of data, the production of various recommendations, guidelines and compendium of best practices, as well as support for "data altruism" in the EU, Establishing a system of data brokers to enhance trust and secure exchange in Australia and Japan, The commitment of private companies to provide critical data for sharing in China, developing public-private partnerships and supporting data startups in Korea).

• Tightening of legislation in terms of requirements for organizations that process personal data and expand the rights of individuals - data subjects (for example, amendments to the California Consumer Protection Act, modifications to Personal Data legislation in accordance with the provisions of the Digital Charter in Canada, the draft PRC Personal Data Protection Act, amendments to the Personal Information Protection Acts in Japan and South Korea).

• Liberalization of consent requirements: expansion of the grounds for processing personal data (in particular, legitimate interest or the need to fulfill the terms of the contract); the use of consent models such as implied consent or opt-out models; A flexible approach to the form and procedure for obtaining consent; No need to obtain consent for the processing of impersonal data; Mitigation of data disclosure requirements for third parties. There are two main approaches to the basis for dealing with personal data. In the EU and those countries where national legislation in the field of personal data protection is based on GDPR-like principles (in particular, South Korea), data collection, processing and disclosure requires a legal basis without which actions with personal data cannot be carried out. In turn, in the USA, personal data processing is "allowed by default," except when it must be carried out in accordance with special requirements of the law in order to minimize possible risks to entities. Unlike foreign practice, in Russian legislation, the consent of a subject is still considered as the only, with a number of exceptions, legitimate basis for processing personal data.

• Establishing special, easier conditions for the processing of impersonal data and considering depersonalization as the basis for the free exchange of data. In all jurisdictions reviewed, impersonal data are not considered personal data and do not fall under the requirements of the legislation for their protection. However, in none of the analysed law and order data are defined in a simplified manner. Countries take into account the existence or absence of a risk of establishing communication with an individual using other data fragments available to the operator or other persons, and there are special requirements for the depersonalization process - from the rigid option, when depersonalization should be irreversible (GDPR), prior to taking the necessary measures to reduce the risk of exposing the identity of the subject when processing such data, taking into account the existing context (availability of other data, processing circumstances, protection measures taken, etc.). In Russian legislation, a unified approach to the requirements for the processing of impersonal data has yet to be formulated.

• Improvement of approaches to processing public personal data. There are three main approaches to foreign legislation:
1) such data "by default" are available for collection and processing, but the subject has the right to forward a refusal to process data (USA, Australia);
2) such data can be freely processed for purposes for which they were made publicly available, and for all other purposes it is necessary to obtain separate consent or use another basis for processing (EU, Canada, China);
3) such data are not an exception and are processed in accordance with all legal requirements in the field of personal data protection (Japan, South Korea).

• Handling of data of special categories. The list of special categories of data is formed by each jurisdiction in its own way. In general, this category includes data whose processing is associated with a particular risk to the subject, that is, they are especially "sensitive." As a rule, the processing of special categories of data is more stringent than other categories, the requirements are mandatory to obtain prior consent to processing, special conditions for obtaining consent, additional security measures, etc.

• Development of legal models for regulating the turnover of data generated by devices (industrial data or Internet of Things data). Such models are just beginning to form. In the EU, the issue of the legal regulation of the circulation of industrial data was most elaborate, while in other jurisdictions, the processing of data received from devices is mainly limited to ensuring the safety of their processing.

• In most cases, when it comes to professional secrets (banking, medical and other), most often information protected under such regimes is personal data. Issues related to the disclosure of financial data are most developed in the legislation of the EU, the USA and China, while in other countries considered there is no special regulation of the regime of bank secrecy, and the collection, processing and disclosure of data of entities in the framework of the activities of financial organizations is regulated by regulations on the protection of personal data, as well as provisions of common law.

• The possibility of providing financial information to third parties is based mainly on mechanisms and grounds such as the consent of the data subject, as well as public interest, mainly related to security issues and/or ensuring proper public administration at different levels (for example, for the purposes of operational-search measures). Disclosure of financial information is allowed in order to protect financial institutions their rights and interests.

• Medical data are usually classified in a special category of data and are subject to more stringent requirements. The disclosure of medical data in the reviewed jurisdictions is allowed with the consent of the subject, as well as:

• in order to provide medical care in the event of a threat to the life and health of the subject;
• To analyse and monitor the performance of the health system, if there is significant public interest in health;
• Research in the field of medicine and human health.

The approach to regulating medical data Russia in is also based on an understanding of the nature of medical data as a type of particularly "sensitive" information. In most jurisdictions reviewed, there is a tendency to modernize medical data processing requirements to ensure the development of innovative technologies, including technology-based ones. artificial intelligence

• The need to develop technical standards in the field of data is noted in the strategic documents of different jurisdictions, especially in the context of the smooth exchange of data, including ensuring the portability of data, their quality, the application of appropriate measures to protect them. The European Data Strategy identifies the creation of data portability standards as one of the pillars of seamless cross-border data exchange within the EU. The U.S. Federal Data Strategy also identifies data standards as one of the best practices for data management and protection. In Japan, data standardization is considered among the measures to promote the use of public and private sector data.

Structure of the certification system of data exchange platforms in Japan (source: Enhancing Access to and Sharing of Data: Reconciling Risks and Benefits for Data Re-use across Societies//OECD, 2019)

• Self-regulation is seen as an important component of data management and is supported by regulators in all jurisdictions reviewed. Self-regulation allows you to close the "white spots" that are not affected by regulation, in the context of the rapid development of new technologies. This provides the flexibility and variability of possible solutions necessary for the development of innovation. In China, self-regulation in the field of data security has the status of a mandatory requirement. Self-regulation initiatives are developing mainly in the field of personal data. Moreover, while in most of the jurisdictions analyzed self-regulation is a continuation of regulation, revealing certain aspects and private cases of application of law, in the USA, in the absence of federal law in the field of data protection, self-regulation, in a sense, is a replacement for regulation. In some countries, such as Japan, practices developed through self-regulation have subsequently been enshrined in national legislation in the area of personal data protection. In Russia, there is no legally fixed mechanism for self-regulation in the field of personal data protection, this direction is developing due to industry initiatives.

Features and trends in Russia

The issues of data turnover and use in modern technological conditions are the focus of attention of Russian state bodies, representatives of the business community and academia. The need for their wider involvement in the economic turnover for the development of new technologies, products and services is recognized by all participants in the discussion.

Measures to improve legislation in this area are included in the program documents for the development of the Russian digital ^[4] The federal ^[5]Individual national strategic ones are also adopted. For example, ^[6] All this confirms the importance and relevance of the topic under consideration, and also indicates that the regulation of data turnover in Russia is currently at the stage of its formation.

It should be noted that relations in the field of data collection, processing and use are the subject of regulation of several independent industries, including:
1) legislation on personal data, regulating the procedure for processing data in order to guarantee the rights of citizens to privacy;
2) legislation on information, establishing the legal status of information, the procedure for receiving, disseminating and protecting information;
3) civil legislation, according to which the rights to the formed databases and the procedure for their economic turnover are determined;
4) antitrust regulation aimed at developing competition in the data market and preventing abuse of persons with market power.

If we talk about the main trends in the development of Russian regulation of data turnover, we can distinguish the following:
1) clarification of the regime of impersonal data, the need to develop new risk-oriented methods and requirements for depersonalization, expanding the conditions for using depersonal data in commercial traffic;
2) discussion of requirements and conditions for the formation of state information systems of impersonal data for developers of artificial intelligence technologies;
3) adoption of federal laws providing for the possibility of establishing special regulation within the framework of the experimental legal regime for data projects, preparation for the launch of the first data exchange and enrichment projects;
4) developing approaches industrial to data management.

Currently, Russian legislation does not provide all innovative tools that could stimulate the exchange of data between business and the state.

It seems that the priorities for legislators and regulators in this direction should be:
1) consolidation of the principles of data exchange between the state and commercial organizations;
2) stimulating the creation of trusted intermediaries and data pools;
3) clarification of antitrust regulation measures that can be applied in the data market;
4) development of a special mode of access to data by developers of artificial intelligence technologies taking into account the interests of market participants, as well as data security requirements.

Common Risk Map and Data Risk Management

Risk assessment and risk management are key issues in the data management model. Data strategies should take into account the risk map, which is multilevel and subject to changes with the development of technology and public processes.

The risk assessment should first take into account two criteria - the probability of risk and its potential damage. The national standard of the Russian Federation GOST R 58771-2019 "Risk Management" can be used to assess in the widest range of tasks and make decisions in the field of risks. Risk assessment technologies "(developed on the basis of the international standard IEC 31010:2019" Risk management - Risk assessment techniques ").

Example of risk management organizational structure (source: ISO 31000 Risk management - Guidelines)

As a basic classification, the following approach to risk structuring can be proposed, in relation to the consequences that may result from poorly designed and effective data policies:

By effect on a particular area or activity

• risks associated with a threat to physical security or material damage (to the state, society, citizen, in relation to any type of property, etc.)
• economic (trade, economic, financial, commercial relations);
• Scientific, technical and technological (slowing down of scientific, technical and innovative development);

Legal (violation of rights and restriction of freedoms) and discriminatory (various forms of inequality, injustice or oppression);

• Socio-political (loss of governance, rising social tensions, various kinds of social crises, conflicts, etc.);
• reputational (discrediting, damage to the image or brand, loss of trust, etc.).

By category of actors and market participants

Risks to citizens

• Processing of data in the absence of a person's consent or other legal basis;
• improper use of data processing results, including discrimination of citizens based on processing results;
• reduced quality and diversity of services as a result of inaccessibility of data or anticompetitive actions in the data market;
• threats to personal safety due to insufficient quantity or quality of data in the field of health protection, public law and order, legal proceedings, provision and provision of social, state and municipal services, etc.;
• inability to obtain benefits and dividends from the development of data turnover due to lack of skills and knowledge among the participants in the process;

Discrimination due to the emergence of "information asymmetries" between the State and citizens, consumers and businesses, etc.;

• Lack of uniform standards of "ethical behaviour" in data collection, processing and use;

Risks to the State

• economic and technological lag and loss due to inaccessibility of data processing technologies, data sets for training algorithms, low rate of infrastructure update, etc.;
• leaks of closed state data and data of citizens;
• technological lag as a result of unbalanced application of information security measures by regulators and business (to the detriment of technological progress);
• impossibility of obtaining economic advantages and dividends in conditions of uneven digital transformation of public administration and control and supervision activities;
• threats to national security due to unreliable protection of critical infrastructure;
• inability to compete in foreign markets and fully participate in technological and foreign trade cooperation;
• The creation of conditions for the application of various criminal transactions and schemes, the growth of cases of deception, fraud or abuse in the processing of data (for the purpose of obtaining illegal profit or for other purposes detrimental to the State and society).

Business Risks

• unequal position of Russian companies in relation to foreign companies;
• Limiting competition based on exclusivity of data access contracts;
• Increased processing costs;
• Losses caused by administrative barriers to the use of public data;
• Slow development of cooperation and interaction with market players due to lack of uniform interoperability standards and protocols;
• Limiting development opportunities in the absence of clear regulations for certain data categories subject to different information protection regimes;
• monopolization of data and presence in the market of the dominant player\platform defining the rules of data collection and exchange;
• Complexity of business planning due to lack of clear forecasts and consistent (predictable) data policies.

The share of citizens willing to provide personal data in exchange for certain economic benefits (source: "Willingness to Share Personal Data in Exchange for Benefits or Rewards," GREF < ref > [https://www.gfk.com/fileadmin/user upload/country one pager/NL/images/Global-GfK onderzoek - delen van persoonlijke Dating.pdf Enpdl/onderzoek)

Currently, in some countries of the world, attempts are being made to find balanced measures that will ensure the possibility of economic growth and innovation without violating the rights of personal data subjects. The basis for most of these measures is a risk-based approach to security and privacy, which enables organizations that process personal data to identify potential risks and focus on areas where they are highest.

A risk-based approach to security can include the following steps:

• assessing the likelihood and impact of potential risks on health information;
• implementation of safety measures in accordance with the identified degree of probability and impact of potential risks;
• Document selected safety measures and, if necessary, justify the selection of these measures;
• ensuring constant appropriate information protection.

The risk management structure is based on the fact that any use of personal information is associated with a certain risk. The approach to describing such a structure is set out in the provisions of ISO 31000 Risk management - Guidelines. Foreign practice shows that the structure of risk management and the principle of "ensuring security at the design stage" can be successfully applied by personal data operators.

The risk management structure consists of the following main elements:

1. Definition of context. A full understanding of the external and internal context of data use is needed to develop risk management measures. The design and implementation of such measures should be in line with the current context.
2. Identify existing risks. Effective protection of personal information requires identification of potential risks to confidentiality for their subsequent elimination or, if impossible, mitigation. In addition to such procedures as privacy impact assessment and regular privacy audits, techniques such as introducing a culture of privacy protection in the organization, improving security measures, describing personal data flows within the company, studying existing business processes, etc., can be used to identify risks.
3. Risk analysis and assessment. Each risk should be assessed in terms of its impact on confidentiality. Since an organization may not have sufficient resources to manage all available risks, it is important to separate critical risks from "acceptable" risks.
4. Risk control. The most effective way to control risk is to prevent it, so the principle of "projected confidentiality" plays such an important role. Other measures include ensuring compliance with legal requirements in the field of personal data protection, as well as best practices in this area; responsibility and accountability; Develop, implement and maintain privacy policies, conduct privacy impact assessments and regular audits to identify vulnerabilities, and apply data protection techniques such as encryption.
5. Monitoring and continuous improvement. Organizations should compare results against targets and evaluate selected strategies to achieve those goals.
6. Communications and consultations. Regular interaction with external and internal stakeholders is essential to achieving a high level of confidentiality risk management.

Data for artificial intelligence (AI) developers

One of the obstacles to the development of AI technologies is the lack of quality data necessary for training machine learning models. More recently, as a possible solution, representatives of the State are increasingly proposing the creation of a public repository of anonymized data, where both government and commercial datasets supplied by operators of anonymized/anonymized data will be collected in accordance with regulatory requirements for their activities.

However, such a solution would not fully address the lack of data and would require significant costs for the implementation of such a programme. The following factors should be taken into account:
1. Large amounts of data and investments in storage infrastructure. 2. Difficulties associated with combining datasets from different operators, the absence of end-to-end identifiers, the difference in data formats, etc.
3. Rapid data loss. In this regard, data-driven models require continuous monitoring and refinement. For example, with the introduction of the remote work format, the predictor, built on the movements of the subject, ceased to bring any value.
4. The state already collects significant amounts of data within the framework of the current legislation, while there is no legal basis for the disclosure and use of such data by AI developers in aggregate/impersonal form.

The following options for addressing data scarcity should also be considered: 1. Creation of industry associations (data pools) to provide data to developers of AI systems with compensation of operators costs by the state. 2. Development of platforms for commercial access of companies to government data.

Companies' commercial access to government data

Open state data has a huge potential for use in business, both in the interaction of citizens with commercial organizations, and in the field of B2B, as well as in the interaction of organizations with the state.

However, current mechanisms for obtaining and sharing such data do not fully realize the potential of reusing public data. Unfortunately, for almost 12 years since the adoption of the Federal Law "On Ensuring Access to Information on the Activities of State Bodies and Local Governments" No. 8 of the Federal Law, the executive authorities have not fully developed the practice and culture of data disclosure in the interests of society or business.

Alternatively, as a result of industry initiatives, GIS data are being accessed in return. At the same time, for this form of access to public data, there are a number of barriers that hinder the development of new services and services based on them. Commercial companies cannot obtain the necessary data sets stored in GIS at an acceptable time, and integration takes place separately with each of the information systems of government agencies.

The main problems of the current regulation of commercial access to public data are:

• Lack of legal access to a wide range of information, documents and information contained in the GIS for third parties with the consent of a citizen or organization;
• Lack of a single window and a public disclosure organization;
• No practice of creating regulations and maintenance level agreements for GIS in digital form;
• The need to establish in the legislation on information and personal data protection the principles of legality of providing and processing information contained in the GIS to third parties, including organizational and technical measures to ensure the security of such data and the rights of entities;
• Establishment of a mechanism for the management of consent to the receipt, processing and storage of data on citizens and organizations stored in GIS;
• The need to amend legislation to establish a charging and payment scheme for commercial access to government data.

To organize commercial access to state data, it is possible to use the infrastructure of State Services as a single window to obtain information from GIS within the framework of the state service for access to infrastructure at a regulated level of technological service. In addition, intermediary service platforms can be used to organize interaction on commercial access and the formation of data sets, including by enriching the datasets of commercial companies with government data. Such platforms, established through industry associations, could take on the challenges of interacting between data owners and consumers by creating a trusted data-processing environment. The commercial access mechanism can be developed in a sandbox format to develop best technical, legal and administrative practices for data exchange between the State and the private sector.

Exchange of commercial data between companies

In the B2B segment, the main barriers to data exchange between companies are:

• Lack of economic incentives;
• Lack of trust between companies to use data in contractual relationships and inequality in negotiating positions;
• Risk of data leakage to a third party;
• Lack of clear legal procedure and order regarding data processing and use of results.

In order to overcome these barriers and create competitive market conditions, the creation of a trusted environment based on the following principles should be encouraged:
a) transparency of procedures and availability of data to all parties involved
b) legal, organizational and technical standards
c) accountability and compliance
d) ensuring data security and data exchange environment
e) ethics in data use

For realization of exchange of commercial data such mechanisms as can be used:

• Trusted intermediaries: the business transfers certain data to digital intermediaries (usually industry NGOs), who then organize interaction between various stakeholders and control the use of data.
• Data Pools: Business (and other stakeholders) collect homogeneous data to enable database analysis on a scale not possible with private application
• Research partnership: business and the state transfer datasets to the scientific (academic) community for analysis on the basis of individual agreements, while the data do not become public.

Implementation of the above principles requires the participation of all parties. So ethical principles can be implemented through the activities of industry associations and the academic community.

At the same time, the State needs to play a leading role in a number of regulatory actions, including:

• Adoption of data-processing standards, including standardization of formats, protocols for data collection, processing and exchange;
• Adoption of amendments to the legislation on personal data, allowing the implementation of data exchange, including with the participation of data intermediaries, and the establishment of requirements for such organizations;
• Providing legal clarity on the liability of parties for the use of data, including in terms of intellectual property, as well as the purposes and boundaries (limitations) of their use;
• Clarification of the procedure for processing data for scientific, statistical or other purposes for the full implementation of the principles of data-altruism.

Government access to commercial company data

In the B2G segment, there are four main ways of exchanging government data with commercial companies:

• Regulatory requirements. There are three categories of such requirements:
  • Disclosing or providing statistical information to a government agency.
  • Disclosure as a condition of public financing of projects or procurement.
  • Data disclosure as a condition for market access (obtaining a license, etc.). Such a form has been increasingly found recently at the regional level for transport companies.

• PPPs in the field of data (mutually beneficial agreements and projects on data exchange and data sharing).
• Purchase of data from private players (procurement of information and analytical services).
• Use of public data (most often in terms of analysis of content on the network and social media).

Intermediaries and service platforms can be created on the basis of industry associations that organize interaction between data owners and consumers by creating a trusted environment. Such a mechanism can be developed in a data sandbox format to develop best technical, legal and administrative practices for data exchange between the State and the private sector.

At the same time, the key components of "soft" regulation become:

• requirements for interoperability and quality of data, including standardization of formats, protocols for data collection, processing and exchange;
• Providing legal clarity on the liability of parties for the use of data, including in terms of intellectual property, as well as the purposes and boundaries of their use;
• establishing requirements for accreditation of organizations and maintaining a register of accredited organizations admitted to the creation and participation in the work of service platforms;
• A transparent mechanism for all data owners to manage the access and use of their own data by consumers on a trusted platform with monitoring, audit and reporting requirements;

It is advisable to regulate the State's access to the data of commercial companies on the following principles:

• Proportionality in data use: Requests for and use of private sector data must be justified by clear and obvious public interests. The potential benefits of the public interest pursued must be reasonably balanced with those of other stakeholders.
• Restriction of data use: an agreement between business and the government (public authority) or a regulatory act that requires the sharing of data must clearly determine the intended purposes of use or public interest, as well as determine the rights to use data (including the term of use and the procedure for destroying data). Cooperation agreements must comply with existing legislation, including laws on confidentiality, intellectual property and information, as well as contractual obligations to which private organizations and non-profit organizations may be bound.
• Compensation. Cooperation agreements between business and government should be mutually beneficial, but recognize a public interest goal by giving preferential treatment to public sector bodies.
• Transparency and public participation: cooperation between business and government in the field of data should be transparent to the parties to the cooperation and their goals. Where possible, public authorities should also be transparent about the data used and the algorithms used, as well as about the results of cooperation, including prospects for subsequent decisions, assessment of the impact on society.
• Fair and ethical use of data: data should be transmitted and used in a legal, fair, ethical and inclusive manner, with full respect for the choice of individuals as to how their data can be used.

Conclusions

Need for a single data strategy

A common conceptual conclusion, based on the analysis of the information used in the review, is the need to quickly create an integrated national data strategy in Russia, which, on the basis of a strategic and systemic goal, would reveal Russian priorities, form a model and specificity of approaches to data management. Such a strategic document, providing a clear and structured mechanism for interaction between participants within the country and on the external circuit, would allow intensifying economic growth and innovative development of the country, giving more attention to the social sphere.

In developing a competitive data market, the State may pursue several interrelated objectives:

• Increasing the availability of necessary datasets in the right amount for business, including for SMEs.
• More efficient use of collected data, reuse of data, stimulation of data exchange between companies for useful aggregation (data aggregation) and sharing.
• Create a trusted environment for data exchange between businesses and other stakeholders.
• Protection of competition, including through the application of non-discriminatory access to datasets (the concept of FRAND- "fair, reasonable and non-discriminatory," based on the balance of interests of rights holders and users ),

requirements for interoperability and standardization of data and information systems.

• Harmonization of legal and technical aspects of the regulation of transboundary data exchange. Monitoring of foreign practices and, if necessary, harmonization of legislative and organizational and administrative requirements related to data management.

To achieve these goals, it is advisable to form a framework for starting legal regulation (will be improved as experience is gained in practical use) and develop and apply standards regarding definitions and terminology that will allow classifying data, operating in a common understanding, developing legal instruments, etc.

Depending on the direction of the data flow (B2G, G2B, B2B) and the purpose of organizing such flow (increased competition, statistics, optimization of service delivery processes, research projects, increased efficiency of budget spending, etc.) Different combinations of disclosure and data exchange models are useful, thus developing and improving an integrated, flexible access control policy based on safety criteria and assessing the expected impact.

When using the materials and conclusions of the review, a reference to this publication is mandatory.

Notes