TRAPEZE Use Cases are Achieving their Final Stage

The TRAPEZE project is advancing and has already reached the final year of its lifetime. Indeed, the three project use cases are advancing accordingly with the objective of demonstrating TRAPEZE prototype solution working on real-world scenarios. The use cases will show how the TRAPEZE solution will help to overcome current-day constraints and enhance the way enterprises, public administration and citizens are interacting in the management of their sensitive information. The current development and status of the use cases is highly promising: our solution will be flexible, robust, scalable and ethically compliant; it is to be adopted in a broad range of cases and by a large number of entities and citizens beyond the close of the project.

Pilot 1 – Informatie Vlaanderen (AIV): “My Citizen Profile”

To demonstrate all the capabilities of the TRAPEZE outcomes in a realistic business context, three different use cases were defined and are being implemented, led by Informatie Vlaanderen (Belgium), Deutsche Telekom (Germany), and CaixaBank (Spain).

In recent years, there has been a growing emphasis on citizen-centricity and secure data sharing as important aspects of digital transformation. Digital Flanders is a government agency from the Flemish Government that recognizes this and is working on a new infrastructure to address these needs. Their aim is to create a secure and standardized way for citizens to reuse government data, with a focus on providing an excellent user experience.

To achieve their goal, Digital Flanders is leveraging Solid, a technology that was invented by Tim Berners-Lee, the creator of the World Wide Web, and researchers from UGent. Solid technology provides a platform that enables users to control their own data and choose how and with whom they share it, while ensuring the data remains secure and private. One of the main advantages of Solid is that it allows multiple organizations to make use of the same data, being stored in decentralized stores called Pods.

Digital Flanders is building on this technology to create a state-of-the-art data-sharing infrastructure. They are also leveraging existing developments from their popular MyCitizensProfile platform, which enables citizens to access their own data and manage their interactions with government services.

One of the first use cases for Digital Flanders’ new infrastructure will be with Randstad, a large HR group. Randstad will use diploma data from Digital Flanders during their application process. Thanks to Solid, Randstad only needs to offer a visual interface where the user can authenticate and consent to Randstad accessing the diploma data from the Solid Pod of the applicant. The project is expected to go live in Q2 of 2023. This collaboration will provide a practical demonstration of the capabilities of Digital Flanders’ new infrastructure.

Digital Flanders is also part of the TRAPEZE consortium, which has a goal of investigating and setting up a privacy platform that allows citizens to assess which third parties have consent to use their data and audit how their data has been used. This platform will build on the foundations of the Solid technology and aims to take consent management to the next level.

To achieve this, Digital Flanders plans to use the blueprint of the Solid project with Randstad to assess whether TRAPEZE can offer more advanced consent management features, and whether it can be integrated within their existing infrastructure. This will allow them to offer even greater control and security to citizens when it comes to their personal data.

Pilot 2 – Deutsche Telekom (DT): Tools & Applications for “Data sharing via APIs”

DT’s main concern is to make language and privacy policies defined in the TRAPEZE language as well as tools available for legal and commercially useful exchange/sharing of telco-specific personal data. These tools can then also be marketed by T-Systems (DT’s subsidiary for IT service provisioning) in the “Data Intelligence Hub (DIH)”. Both contexts require an automated, GDPR-compliant mechanism for formulating, applying, and managing rules for data sharing. These are formulated in privacy policies.

DT is actively contributing to the CAMARA Telco Global API Alliance. In this context, APIs for sharing data – including personal data – are provided for 3rd parties to make use of functions, features and data provided by telco carriers. For Telcos, this is a unique opportunity to finally monetize some of the data they host. DT pays a lot of attention to not harming its’ excellent reputation in terms of privacy and security. Thus, customer consent is collected in advance, and agreed privacy policies are used as a means of consent management.

TRAPEZE language (based on W3C dpv CG) is used to define, share, manage and enforce consent (or rather “agreed privacy policies”). DT integrated TRAPEZE language, tools, and concepts in its’ “Magenta Hyper Consent (MHC)” product. This product is targeted toward product owners and (in the CAMARA context) API monetization. Thus, there is no dedicated “TRAPEZE” user interface used, but rather DT/product-specific user interfaces are utilized to collect consent and to allow users to manage their privacy preferences.

While the MHC Core deals with policy- and consent management (independently of actual data), the MHC Gatekeeper uses the policies to filter 3rd party data requests. Figure 1 shows the overall architecture from a technical point of view.

Figure 1: MHC architecture overview.
Figure 1: MHC architecture overview.

Since MHC aims at B2B business and product managers, not directly at end customers, all components are built in a way to allow easy integration in new (and existing) products and services. It enables the DIH and other DT Business units to safely deal with personal data in the context of GDPR and other regulations.

A first application was trialed with DT’s approach for consent management, the “group consent clause” which allows customers (i.e. citizens) to grant, revoke and manage their consent for data using and sharing. A key requirement is the open exchange format of privacy policies as it was developed in TRAPEZE and its predecessors.

Pilot 3 – CaixaBank (CXB): “Customers’ Digital ID wallet”

CXB wants to develop a “Customer ID Wallet” that allows the bank direct and transparent communication with clients about the usage of their data. It will be designed to enforce GDPR compliance and increase the data privacy security awareness of their clients as well as incorporate the bank’s business requirements. There is not yet a common platform that gives security privacy control and transparency to clients/citizens and establishes trust among sector stakeholders. In terms of possible technical solutions to that challenge, CXB wants to explore the great potential of the TRAPEZE platform and its building blocks for establishing it.

Moreover, the recent release of the European Commission about the development of a European Digital Identity framework has just strengthened the innovation perspective of the bank towards the need for trusted solutions and frameworks for self-managing the identity and data of each individual. That should help to streamline the secure onboarding process to new digital financial services but also to improve the overall security awareness and data privacy consciousness in society, and in the end reduce the amount of successful social engineering attacks and impersonations.

In that line, the Customers’ ID Wallet pilot aims at developing an identity wallet that can work as a technical reference or complement the future EU Digital wallet, considering the digital identity verification means provided by the EU and Member States (when available) or any other trusted entity that works as an identity provider.

One of the main use cases that can be supported by this pilot is to facilitate the secure exchange of Know Your Customer (KYC) information between entities, a set of information from their clients that banks need to collect and keep updated. That is required by Anti-Money Laundering (AML) regulation and is mandatory by any financial institution. However, to properly collect, update and attest to the truthfulness of that information from all of its clients is a heavy time-consuming task for the banks but also for the citizens that want to acquire their services. Currently, every time a citizen needs to open an account with a new bank, he or she needs to provide the required personal and financial information.

What would happen if we could collect and validate KYC information only once?

That would simplify the process for banks and citizens, and that is the main objective of the “Customers’ Digital ID wallet” pilot, allowing citizens to provide that information once to one financial institution. This information will be validated by the entity as usual. However, Digital ID Wallet will keep track of that already attested information and provide means to share that information when it wants to have a financial service with another bank.

For this to happen, the customers must also be able to assess both the risks and the potential benefits of such actions (e.g. control with which entity they are sharing the data in order to identify them and their profile faster). The TRAPEZE platform will provide an easy and user-friendly way in which citizens can manage their data privacy policies and also review which entity has the consent to access which sensitive data from them and for which purpose.

As a result, Customers’ Digital ID Wallet can improve the citizens’ overall awareness of their data security and privacy risks, making them active players in the protection of their own data and finances.

Figure 2: The Digital ID Wallet.

Authors: Lauro Vanderborght (Digitaal Vlaanderen), Martin Kurze (Deutsche Telekom) and Ramon Martin de Pozuelo (CaixaBank).