Under the current regulatory framework for data protections, the protection of human rights writ large and the corresponding outcomes are regulated largely independently from the data and tools that both threaten those rights and are needed to protect them. This separation between tools and the outcomes they generate risks overregulation of the data and tools themselves when not linked to sensitive use cases. In parallel, separation risks under-regulation if the data can be collected and processed under a less-restrictive framework, but used to drive an outcome that requires additional sensitivity and restrictions. A new approach is needed to support differential protections based on the genuinely high-risk use cases within each sector. Here, we propose a regulatory framework designed to apply not to specific data or tools themselves, but to the outcomes and rights that are linked to the use of these data and tools in context. This framework is designed to recognize, address, and protect a broad range of human rights, including privacy, and suggests a more flexible approach to policy making that is aligned with current engineering tools and practices. We test this framework in the context of open banking and describe how current privacy-enhancing technologies and other engineering strategies can be applied in this context and that of contact tracing applications. This approach for data protection regulations more effectively builds on existing engineering tools and protects the wide range of human rights defined by legislation and constitutions around the globe.