top of page

Building trust for data transfers

All markets require trust

For any market to function effectively, each participant needs to have confidence that others they are dealing with are honest, and can be relied upon to hold up their end of the bargain. This trust can be secured in a number of ways, including through competition and natural market incentives, reviews and recommendations, voluntary arrangements such as industry standards and trust marks, the law, and regulatory oversight.

The personal data economy is no different in this regard, but as yet there is insufficient regulatory oversight and limited voluntary signals available for market participants to quickly differentiate themselves from the bad actors.

Today, we have three exciting announcements about our work to address this challenge:

  1. We have launched our Ethical Data Badge.

  2. CODE will be awarded ‘collaborator’ status by the Data Transfer Initiative (DTI).

  3. We are endorsing the DTI’s high-level trust model for data transfers.

Taken together, these developments will help to pave the way for a thriving ecosystem of consented data transfers.


The Ethical Data Badge

After two decades of online surveillance and dodgy data brokers, responsible data businesses are up against a harmful legacy of mistrust and suspicion. This is amplified by a false and self-serving narrative that only giant integrated corporations should be trusted with people’s data – better to leave it where it is.

In response to this challenge, CODE has today launched the Ethical Data Badge, exclusively awarded to our members.

We consider the suitability of new member applications very carefully and require all applicants to pledge alignment with CODE’s core values. If you aren’t aligned with our values and goals, or something just doesn’t add up, then you aren’t getting in.

We wanted to find a way of signalling to regulators, data hosts, and users that our members take their responsibilities seriously. This is what the Ethical Data Badge is for. It’s about trust.


CODE to be named a ‘collaborator’ by the DTI

As we have highlighted in a previous blog, we have been engaging extensively with the DTI since last year, including providing detailed constructive input into its newly published trust model.

Backed by Apple, Google and Meta, the DTI is an important stakeholder for anyone interested in data portability. At the very least, it is going to be an important contributor to and convener of essential discussions about how progress is achieved. In the longer term, one could foresee it adopting a range of useful roles or responsibilities within a much broader data transfer ecosystem.

We have found the DTI to be a transparent, trustworthy, and wholly credible organisation that has consistently made positive contributions to the public discussion on data transfers. We are therefore pleased that the DTI will soon formally name CODE as a ‘collaborator’ organisation, which is a non-financial arrangement.

We look forward to continuing our work together to empower individuals to exercise more agency over their personal data.


The DTI Trust model for personal data transfers

The DTI has published its proposals for a third-party trust model for direct personal data transfers. In practice, at least in the near-term, these are the DTI’s proposals for how the big tech ‘gatekeeper’ platforms should determine which third-parties can access their new (DMA-prompted) data portability tools. Although rejections that override or restrict users’ choices should be a highly unusual outcome, we accept that in principle some form of screening is a reasonable and worthwhile exercise.

As part of our contribution to this exercise, we previously set out a number of principles for how the model should be structured, along with several red lines that would be unacceptable for CODE in the context of DMA implementation. We summarise below how the model matches up to those proposals.

CODE Principle 1: Denying users their legal rights is an extreme intervention


The DTI’s report appears to agree with us on this important point, stating that “it seems likely that the vast majority of third parties and direct data transfer requests should be capable of establishing trust.” We agree – rejections to access the APIs should be a rare occurrence, and users should be the ultimate arbiters.


In the context of the DMA, we will encourage the European Commission to collect data on the number of applications from third parties to gain access to the new data portability tools, and to monitor and evaluate the proportion that are rejected. CODE will be keeping a close eye on the experiences of our members that apply to access the gatekeepers’ data portability tools, and will be reverting to the European Commission where instances or patterns of unreasonable rejections occur.


We are hope that our Ethical Data Badge will prove to be a helpful signal for data hosts when attempting to differentiate the good actors from the bad.


CODE Principle 2: Ensuring valid user authentication is paramount


The proposed trust model firmly recognises the need to “identify and authenticate users properly to both parties”, with some suggested questions to be asked.


Though we agree on the broad approach, we feel the framing of the sample questions in the model implies a degree of control or influence on outcomes by the receiving party that is not realistic. In practice, and certainly in the context of DMA implementation by gatekeepers, these are arrangements that will be prescribed by the data holders. If or when the model is developed further, this is one area where we believe the ecosystem would benefit from more granularity and direction within the model, in order to drive further standardisation and consistency.


CODE Principle 3: Consistent standards for consent must apply to all


The report recognises that many issues around trust with respect to data transfers are two-directional. For example, in the context of security, the report rightly highlights that “Receiving services may choose not to allow by default the transfer of data from all potential sending services, and may seek to ensure a sender is not transmitting data which could pose harm to the service.”


We would further emphasise that the same principle applies to consent as it is does to security. If the data holders have collected the data without valid consent, then the receiving party may have concerns regarding handling illegally collected data.


On this basis, we believe receiving parties equally retain the right to question data holders about how users authorised the original data collection. For example, the DTI’s proposed questions such as “How is the receiving service’s intended use of the data shown to the user?” would be equally pertinent if put to the data holder.


We expect this kind of symmetric questioning of user authorisation to become more common in circumstances where data holders overstep the bounds of their responsibility when questioning regarding user consent. CODE stands ready to highlight any instances of double standards to relevant regulatory authorities.


CODE Principle 4: Law enforcement should be left to the appropriate authorities


If data holders wish to obstruct data transfers, even in contexts where they are legally mandated to allow them, then they may seek to rely on issues such as privacy or security as reasons to deny access to the tools by developers.


We are pleased that the report acknowledges plainly where the boundaries of the data holders’ responsibilities must lie. For instance, we strongly welcome the clear statement that “Service providers are not regulators, and lack both the authority and the tools to enforce data protection and security laws”.


Importantly, the report also rightly clarifies that the questions asked of the recipient “are not meant to allow the service provider to make judgments regarding the third party’s legitimate business model, nor are they intended to deputize the service provider to enforce data protection law.” 


CODE Principle 5: Reciprocity does not apply to the Digital Markets Act


While we acknowledge it is one of the DTI’s policy principles, we are pleased that the trust model report makes no mention of reciprocity. Reciprocal arrangements are a positive aspiration for data transfers in certain circumstances between like-for-like services, but it would not be appropriate for blanket application, and certainly not in the context of the DMA (where gatekeepers have been singled out for special treatment to help level the playing field).


CODE Principle 6: API permission is not app review


Drawing from well-documented competition concerns arising from app review processes, we recommended that the model should guard against third parties needing to disclose commercially sensitive information, such as detailed information about business models, products in development, valuable IP, or their client base.


As framed, the model is well-targeted, and seems clear that this degree of speculative gathering of commercially sensitive information would not be necessary. The questions categorised under ‘proper use’ are suitably framed such that the data holder would have no need to require the recipient to share valuable trade secrets or client lists.


Another issue that we highlighted under this principle is the way that trust may be reviewed and/or revoked by the data holder. We are satisfied that the report and proposed model includes proposals for moderating this risk for recipients, including an important recognition that “such actions should not be taken lightly without fair warning or notice, as revoking access to data can undermine business models and investment theses” and that “appeals should not be denied through a purely automatic process but should incorporate manual review, and ideally the opportunity for direct communication between providers.”


While we agree that some instances of revocation will inevitably be needed and appropriate, we remain concerned about how data holders might choose to wield this power in the name of “trust”.


This will be an issue that CODE will pay close attention to, whether DMA gatekeepers choose to implement a version of this model or otherwise.


CODE Principle 7: Costs must not be prohibitive for small businesses


We are satisfied that the model makes no mention of costs or fees to be incurred by potential data recipients.


We cautiously endorse the trust model

We are satisfied that the DTI’s proposals have been carefully put together, in a way that is consistent with our guiding principles. We are also satisfied that none of our stated red lines have been crossed by the proposed model.

We are therefore happy to provide CODE’s cautious endorsement of the DTI’s proposed trust model as a high-level framework for future application.

However, our caution stems from the high-level nature of the proposals. While this has the benefit of being applicable to many contexts over time, it has the downside of leaving very substantial latitude for obstructive data hosts to block transfers or circumvent legal obligations. We must therefore be clear that our endorsement of this model does not automatically guarantee our endorsement of its future application by data hosts.

We will unashamedly call out those circumstances where the model is applied in an obstructive or harmful manner. In particular, we anticipate future concerns arising in relation to: (i) the transparency, consistency, and timeliness of application processes; (ii) subjectivity and fairness of decision-making; and (iii) predictability and communication surrounding reviews and revocations.

In this context, the DTI’s proposed model is a useful foundation for further discussion and learning as new data portability tools are deployed. It is welcome that the DTI has presented its proposals as a living document at this stage, and we look forward to contributing to any future iterations.



bottom of page