Secure and trustworthy data rooms – a factual tour d’horizon

The 17th Conference on IT and Law took place on 26 August at Bern City Hall and was dedicated to the topic of data rooms from a regulatory and economic perspective. The conference revealed that there are many unanswered questions, but also some initial good projects.

What are data rooms? People understand the term in very different ways. From a technological perspective, data rooms are secure digital platforms that enable the controlled exchange and/or shared use of data between different organisations. From a legal and organisational perspective, they are regulated (socio-technical) ecosystems in which participants can provide and use their data under clearly defined conditions. From a strategic business perspective, they are strategic instruments for creating value from data: Companies and institutions can share, analyse and jointly use data. And from a political perspective, they are part of a state/supranational/international infrastructure and instruments for safeguarding digital sovereignty.

On the one hand, this is just a selection of perspectives and, on the other, very different types of data spaces are conceivable in relation to each of the perspectives cited. Digital sovereignty alone is associated with different concepts ranging from open data to purely commercially orientated data service platforms. Above all, however, very different strategic goals are being pursued with data spaces, very different governance concepts are being discussed and there are very different technical architecture concepts.

We should therefore not strive for a universal concept in the first place – this was confirmed once again at the conference – but wait and see whether prototypical forms of data spaces emerge over time. It is difficult to say whether this will happen at all. In any case, it would be useful to develop a model language based on practical experience in order to be able to exchange information about the experiences gained in setting up a data space. Such pattern languages have existed in computer science for a long time, starting with the design patterns of object-oriented software development, which were once inspired by Christopher Alexander’s legendary pattern language for architecture.

Opening and Contributions

Michael Schöll, Director of the Federal Office of Justice and President of the eJustice.ch association, opened the conference and raised the question of whether trustworthiness and data space are two concepts that can go together. Using the example of Catena-X, he illustrated that data rooms are already an eminently important instrument for the economy. And he explained the aims of the conference, namely to make the idea of data spaces tangible using concrete examples and to formulate the critical questions on the topic in an understandable way.

Felix Gille reported on the activities of the Federal Chancellery to promote the development of data spaces in Switzerland. Two aspects are at the centre of this: governance and technical architecture. Both are characterised by the question: How do we create trust in the data rooms? Trust that the data is reliable and that it will not be misused. Felix Gille addresses these issues in particular with the methods of enterprise architecture.

Georges-Simon Ulrich, Director of the Federal Statistical Office (FSO) and in a key role for the topic of data rooms in the federal administration, spoke about the challenges and necessary framework conditions and reported on the FSO’s experience with its services. Standardisation and interoperability are basic requirements for data rooms. Contrary to many prejudices, data protection and data utilisation can often be reconciled. However, a great deal of persuasion is still required for the success of data rooms. His call to action was clear: now is the time to create a reliable basis for AI with trustworthy data rooms.

Martin Andenmatten introduced the private sector perspective, presented the governance approaches of the newly founded Gaia-X Hub Switzerland and made it clear that the development of AI solutions is a key motivation for the founders of the Swiss Gaia-X Hub. He then presented the interoperability concepts inspired by the European Interoperability Framework (EIF) and emphasised that the different approaches to data spaces complement rather than compete with each other.

Mario Meir-Huber presented pilot projects from Austria, including in Austrian tourism. His messages were: firstly, clear governance rules are needed; secondly, clear role specifications are crucial; and thirdly, the development of a data room is something that needs to be approached in an agile manner and cannot be planned through as a whole. In his view, the most important thing is to start concretely. In a subordinate clause, however, he formulated an even more important statement: governance is the sum of all the rules that apply to a data room. So, we can stop pondering the mystery of governance.

Franziska Sprecher gave a fundamental introduction to the complex topic of data room law, which is much more than just data protection. She emphasised that values and values are the starting point for legislation and that the need for regulation stems primarily from the asymmetries in the relationships between the individual players. For her, too, digital sovereignty is central, but primarily as a basis for digital self-determination. The interplay between data use, data security, data protection and data availability determines the degree of this digital self-determination. For Professor Sprecher, not everything can be regulated in one law. For her, the regulation of secondary data use, a framework law for data spaces and sectoral regulations are necessary.

Irene Bernhard presented MODI, the national mobility data infrastructure for the secure and trustworthy exchange of data in the mobility data space. For her, mobility data is part of the country’s system-relevant infrastructure and a necessary prerequisite for the best possible utilisation of mobility services. MODI consists of the national geodata infrastructure operated by swisstopo on the one hand and the national data networking infrastructure NADIM on the other, which enables the standardised exchange of mobility data between the various players in the mobility ecosystem.

Noémie Zink presented agridata.ch, the data room for the Swiss agricultural and food sector. She used various use cases to illustrate the benefits of the data room. It enables the implementation of the once-only principle, saves work for farmers and ensures the digital self-determination of farmers in terms of who is authorised to do what with their data. To this end, all stakeholders are involved, right down to the end consumers of the food. Here too, the basis for creating trustworthiness is the formulation of clear governance rules.

To conclude, Christoph Bloch and I were able to summarise the conference. Our conclusion: anyone involved in data rooms should ask themselves five questions about a specific project: Firstly, and most importantly, what benefits does the data room bring for whom? Secondly, what roles are there and how does the data room work? Thirdly, what are the concrete foundations for trust in the data room? Fourthly, what is the role of the state in this and what is its motivation? Fifthly, what is the degree of self-determination in the data space?

There is also the general question of what the legislator can and should do. What should a framework law look like that ensures that the great potential benefits of data spaces in Switzerland are actually utilised and that digital self-determination in Switzerland is strengthened as a result? Because if we don’t move forward, Swiss businesses and the Swiss population will eventually have to use foreign services that are largely indifferent to Swiss values. After all, the practical examples show: We are already doing something!

Contributions from the 2025 Conference on IT and Law:

https://ejustice.ch/tagung-fuer-informatik-und-recht/