Blog

At a time of rapid geopolitical change, cuts to international development assistance, and increased emphasis on digital sovereignty - investing in digital public goods (DPGs) represents an attractive option for countries looking to build and evolve their foundational digital public infrastructure (DPI).As open source solutions that incorporate safeguards and best practices by design, and which can be adapted to meet contextual needs, DPGs provide an important starting point for helping countries implement and strategically maintain their most foundational components faster, better and at lower cost-over-time compared to leasing proprietary technologies or building from scratch. Few governments have the capacity and resources to do the planning, financing, deployment, operation or hosting of DPI components fully by themselves, and entering into well-structured agreements with different types of private sector stakeholders is therefore vital for the success of these digital transformation processes. However, when these agreements include the deployment and maintenance of DPGs, especially as part of building DPI, there are risks that may undermine the advantages that open source solutions provide. For these DPG4DPI-deployments we need to evolve a paradigm where a vibrant private sector benefits from actively seeking to meet implementing country objectives and to preserve the advantages and long-term sustainability of DPGs. To inform this topic, it is important to first highlight the broad variety of stakeholder types that are covered by the “private sector” term. Important groups include: Systems integrators (SIs) that specialise in bringing together various components, including hardware, software, and services, from multiple vendors to create a cohesive and functional solution for a client; Independent system vendors (ISVs) that develop, market, and sell software applications running on existing third-party infrastructure, and who tend to create specialised software solutions for more narrow markets; and Hyperscalers/cloud providers, global service providers that offer highly scalable and flexible computing infrastructure, and that provide a wide range of services, including compute, storage, networking, and AI. These different types of private sector stakeholders are similar in that they are all involved because of the expected commercial gain, but they differ widely in size, scope, engagement and business models. Hence, we must recognise that there is immense variation in the bargaining power, resourcing and contribution capacity within the group we collectively refer to as “private sector”.DPGs and the risk of extraction and lock-insThe open-source licence of a DPG ensures that access to the solution is non-exclusive, such that an implementer doesn’t need permission to adopt or adapt the solution to their needs and preferences.Most DPGs that are relevant for implementing DPI take this one step further by having permissive licenses, which give even greater freedom to the users to choose how to modify their own version of the solution, even allowing them to re-license derivatives under a proprietary license. In the context of system integrators (SIs) and hyperscalers, this offers greater flexibility for them to innovate and build upon existing code. Allowing for more seamless integration into existing proprietary systems and greater interoperability. However, it also gives these technology partners, who are at arm's length from the government, that same level of discretion in how they engage with the DPG, sometimes without clear incentives for contributing back to the source product. For example, larger private sector companies supporting multiple implementations of a DPG in different countries may find it more advantageous/profitable to offer a modified version under a new, proprietary license that they own the rights to, or make changes or configurations that result in detrimental forks and other types of lock-in. This risks undermining both the implementing country’s agency and the long-term sustainability of the core DPG.How can we shape private sector engagement in the deployment of DPGs, so that it results in genuine partnerships where country objectives are met alongside commercial goals, with sustained benefits also to the DPGs that are being deployed?

Last year, the DPGA Secretariat launched its first-ever set of Calls for Collaborative Action following discussions with experts in the open source ecosystem, digital public infrastructure, climate action, and public interest AI. These calls are designed to galvanise support and signal to stakeholders the actions they can take to contribute to the success of digital public goods in highly impactful areas. One of those calls is the Open Data for Public Interest AI, which clamoured for DPGs that can make identifying, preparing, sharing, and using higher-quality open training data easier. The development of public interest AI depends on the opportunity to train models on both existing and new high-quality openly licensed datasets. In a time where generative AI is advancing at breakneck speed, and the term “open-source AI” is often misconstrued to describe systems that fall on varying degrees of openness, such as releasing model weights without transparency around the training data. Thus, it has become increasingly imperative to work towards a transparent and open way of building AI systems that serve the public interest.Several challenges, including infrastructure limitations, funding constraints, and limited access to open solutions, exist that impede this at a larger scale, underscoring the need for greater resources to produce and share open data across diverse geographical contexts. In an earlier blog post by the DPGA Secretariat CEO, Liv Marte Nordhaug, she mentioned that “DPGs, as open, adaptable digital solutions, with documentation that can help facilitate reuse, can play an important role as tools for addressing common challenges to scaling public interest AI – both in the near future and longer term. In particular, DPGs can help unlock more and higher-quality open training data and data sharing.” Thus, over the past several months, we have focused on exploring how DPGs can help reduce some of the technical barriers to having more high-quality open training data, particularly for use cases like the development of language models that address language gaps in AI development, solutions for public service delivery, and research-based climate action (monitoring, mitigation, adaptation). One fundamental way we addressed this challenge, with multiple stakeholders participating on the call, was by creating an adaptable and reusable toolkit that can be recommended to countries and stakeholders to facilitate the collection, extraction, processing, validation, and preparation of data.

The concept of digital sovereignty—the collective ability of states and communities to shape, govern, and safeguard digital infrastructures, data, and standards that underpin their societies—is a crucial topic gaining traction worldwide. While it’s out of reach, impractical, and counterproductive for every country to own every layer of its technology stack, national and regional digital sovereignty movements should focus on developing critical capacities and being strategic about their technology dependencies. They should also embrace like-minded digital cooperation if they choose to engage in such conscious decoupling. Digital public goods (DPGs) and the communities built around these public interest, open-source tools are proving to be of great value to governments, communities and people as they seek to strengthen their digital sovereignty in a shifting geopolitical landscape.A Global Imperative: Beyond EuropeDigital sovereignty has become one of the leading policy priorities in the European Union, which is addressed twofold by (1) laws and regulations that are designed to address the concentrated power of tech giants, e.g. through the Digital Markets Act, Digital Services Act and industrial policy proposal and (2) by strategically supporting Europe’s tech ecosystem through legislation and investment vehicles such as the European Chips Act, the Apply AI Strategy, and the InvestAI Initiative. The growing EU tech sovereignty movement doesn’t stop there. Initiatives such as the EuroStack proposal and calls for strategic funding of open-source software with a European Sovereign Tech Fund are increasingly focusing on the role of open-source technologies in achieving technology sovereignty. Yet, this debate is far from a solely European concern.We also see this desire for digital sovereignty on the African continent, where the pursuit of digital self-reliance is equally, if not more, critical. The African Union's Digital Transformation Strategy for Africa (2020-2030) explicitly aims to empower Africa's "ownership of modern tools of digital management" and safeguard the continent's data sovereignty. Similarly, the AU Digital Compact (2023) further emphasises the need for an inclusive and rights-respecting digital future, built on African terms. H.E. Wamkele Mene, Secretary-General of the African Continental Trade Agreement Secretariat, described digital sovereignty, alongside inclusivity and interoperability, as a shared principle on which African digital public infrastructure should be built. The Stakes Are High: Lessons from Real-World ExamplesThe urgency of this quest is underscored by real-world incidents where a lack of digital sovereignty has led to significant vulnerabilities.Consider the case of Kenyan health data. For years, critical national health systems and sensitive patient data were hosted on US-based servers, supported by USAID. When USAID was dismantled, these systems were abruptly shut down, leaving Kenya without access to its own vital public health information. This starkly illustrates how external control over fundamental digital infrastructure can undermine a nation's ability to manage its own public services and safeguard its citizens' well-being.Another powerful example emerged from a diplomatic spat involving the International Criminal Court (ICC) and Microsoft. Amidst US sanctions against an ICC official, Microsoft was compelled to disconnect the official's email account temporarily—although the details of this process remain contested. Even though the data might have been physically located in Europe, the incident highlighted the extraterritorial reach of certain national laws, like the US CLOUD Act. This demonstrates that not even the physical location of data always guarantees sovereignty if the service provider is subject to foreign jurisdiction, posing a significant challenge to the notion of data control.In light of these and other examples, there’s a growing uncertainty over the reliability of critical digital infrastructures that power societies if they can’t be effectively controlled. The Linux Foundation concluded: “That lack of certainty is driving governments everywhere to find self-reliant solutions that put the steering wheel back in their hands."

The Government of Nigeria has joined the Digital Public Goods Alliance! As a new member, the country will work to integrate digital public goods into its government services, foster public-private partnerships, and build local capacity through initiatives like 3MTT and DevsInGovernment.Nigeria also plans to develop a national playbook to standardise and scale the adoption of digital public goods such as OpenCRVS, DHIS2, and KoboToolbox across government agencies and states, ensuring that innovation is transparent, interoperable, and globally connected.“Nigeria’s membership of the Digital Public Goods Alliance reinforces our commitment to building an open, inclusive, and collaborative digital ecosystem that empowers our people and drives sustainable growth,” said Dr. Bosun Tijani, Nigeria’s Minister of Communications, Innovation & Digital Economy. “Through this partnership, Nigeria is not only participating in a global movement, but also contributing homegrown solutions that reflect our leadership in shaping the future of digital transformation in Africa.”“Nigeria’s embrace of digital public goods demonstrates global leadership in driving inclusive and sustainable digital transformation”, said Liv Marte Nordhaug, Chief Executive Officer of the Digital Public Goods Alliance Secretariat. “By embedding digital public goods into policy and capacity building, the country strengthens its digital infrastructure while improving service delivery in critical sectors like education and health.”The announcement was made during the DPI Cooperation in Motion 50-in-5 Milestone Event, held alongside the 80th United Nations General Assembly in New York City.Click here to learn more about Nigeria’s commitment to advancing the country’s DPI framework through Digital Public Goods Alliance membership, including reading their full announcement.Visit the Digital Public Goods Alliance Roadmap to learn more about Nigeria’s efforts to support digital public goods.

Liv Marte Nordhaug, CEO of the Digital Public Goods Alliance; Chea Sereyvath, Secretary General of the Digital Government Committee, Cambodia; and Henri Verdier, Ambassador for Digital Affairs, France, during the announcement that both countries have joined the Digital Public Goods Alliance (DPGA). Photo: Anthony Randazzo

In an increasingly digital world where data has become a critical asset, privacy and data security have emerged as fundamental rights and essential safeguards for individuals and communities. From healthcare systems and financial services, to educational platforms and humanitarian aid delivery, digital solutions handle vast amounts of sensitive personal information that require appropriate protection and responsible handling. For users of digital solutions around the world, robust privacy measures are not just important but an essential part of preventing exploitation, and mitigating harm.The Digital Public Goods Standard is a set of specifications and guidelines designed to maximise consensus about whether a digital solution conforms to the definition of a digital public good (DPG) as defined in the UN Secretary General’s Roadmap for Digital Cooperation. As part of this, in order to be considered a digital public good, solutions must be designed and developed to comply with privacy and other applicable laws (Indicator 7 of the DPG Standard) as well as to anticipate, prevent, and do no harm by design (Indicator 9). Recognising the importance of privacy and data security to achieve these aims, the Digital Public Goods Alliance is pleased to announce these updates to the DPG Standard. The updates introduce six new requirements as well as an annexure of privacy and data security best practices, which serve as a practical guide for applicants seeking to improve their digital solutions. These changes are the result of a consultative process and will strengthen the design and development of open solutions seeking DPG recognition. The criteria will apply to all new solutions seeking certification in the DPG Registry and will be collected from existing DPGs during their annual review. Formation of Privacy Expert Group for driving DPG Standard EnhancementIn April 2024, the DPGA Secretariat, in collaboration with the Open Knowledge Foundation, assembled a distinguished Privacy Expert Group comprising neutral privacy professionals from legal, technical and multilateral sectors. This expert group was specifically tasked with addressing critical gaps in privacy compliance within the existing DPG Standard and aligning DPGs with global best privacy practices.The expert group, co-led by DPGA Secretariat’s Standards Lead, Amreen Taneja, and Open Knowledge Foundation representatives, Renata Avila (CEO) and Patricio Del Boca (Technical Lead), worked alongside Thomas Shone from the Netherlands, Godfrey Kutumela from South Africa, Clarissa Luz from Brazil, Marie C. Bonnet from France, Puneet Bhasin from India, Emma Day from the United Kingdom and Aparna Bhushan from the United States. This geographic diversity ensured that the updated requirements could accommodate local legislation and regional privacy ecosystems while maintaining global applicability.The expert group focused on three objectives:1. Conducting a gap analysis and risk assessment to identify shortcomings in privacy compliance within the DPG Standard; 2. Defining clear parameters for privacy compliance under Indicator 7 to be embedded in the assessment process, with the aim of ensuring fair criteria for both small scale and larger DPGs; and3. Proposing an annex to Indicators 7 and 9(a) that sets out recommended best practices for privacy and data security, strongly encouraged for applicants to adopt.Privacy Requirements for the DPG StandardThe Privacy Expert Group's recommendations were submitted to the DPG Standard Council as part of the Standard's governance process. The Standard Council reviewed and adapted these recommendations, ensuring they could be effectively incorporated into the DPG review process while maintaining accessibility for applicants.The updated requirements, now mandatory for all DPG applicants, are structured around six fundamental privacy concepts that are be addressed through specific questions in the application process. These questions are designed to extract critical information traditionally found in extensive documentation such as Privacy Impact Assessments (PIAs), Data Protection Impact Assessments (DPIAs), and Data Retention Policies that would be required by the DPG Review team for assessing the design and development aspects of the product, while ensuring the process remains accessible to applicants ranging from large organisations to small scale innovators.Six New Privacy Considerations for DPG Applicants1. Data Minimisation: Applicants must now answer: ‘Is this the minimum amount of PII data required for your solution to function properly?’ This question ensures alignment with global privacy regulations like GDPR (General Data Protection Regulation), by demonstrating that DPGs collect only the minimum amount of Personally Identifiable Information (PII) necessary for functionality, particularly important when serving vulnerable populations.2. User Consent Mechanisms: The application process now requires responses to: ‘How does your solution communicate to the user that you are collecting their PII data?’ This addresses the critical need for transparency in obtaining and managing user consent, ensuring compliance with frameworks such as GDPR and the California Consumer Privacy Act (CCPA) while empowering users to make informed choices about their data.3. Data Usage Transparency: Two key questions in the application process address this aspect: ‘Please provide your privacy policy or any relevant documentation that outlines consent management procedures, the reasons for collecting and processing PII data, and any processes in place for handling subject requests.’ and ‘Where in the solution is PII data being processed or used? And which components of the solution allow access to this data?’. These questions ensure that applicants clearly articulate their data practices, demonstrating compliance with the principle of purpose limitation and operational transparency.4. Adherence to Privacy-By-Design Principles: Applicants must answer the question: ‘Which mechanisms does your solution provide to delete PII data?’ This question evaluates applicants’ readiness to handle data retention and deletion responsibly, highlighting mechanisms for addressing user requests and preventing indefinite data storage. Solutions with strong privacy-by-design features reflect a commitment to ethical data practices and regulatory compliance.5. Transparency Around Data Retention: Using the same question as privacy-by-design, this requirement ensures that solutions have clear data retention and deletion procedures, demonstrating compliance with regulations that mandate minimising risks associated with prolonged data storage while fostering trust among users, particularly in solutions serving marginalised communities.6. Data Governance and Access Controls: The question ‘Where in the solution is PII data being processed or used? And which components of the solution allow access to this data?’ also addresses the need for secure data management, ensuring that PII is protected against breaches and misuse through robust governance mechanisms that align with principles of data isolation and segregation.Best Practices Annexure LaunchedAlongside the mandatory requirements, we have released a comprehensive annexure of privacy and data security best practices that, while not mandatory, are highly encouraged for all DPGs. This detailed guidance document provides a practical roadmap for both small and large-scale open solutions seeking to align with industry standards.This annexure encompasses four critical areas of privacy and data security practices. 1. Privacy Governance and Accountability establishes policy-level best practices, including comprehensive privacy policies that align with international standards, consideration of non-PII and group data risks, and governance accountability measures such as designating Data Protection Officers and establishing independent ethics review processes.2. Compliance Documentation and Proofs provides guidance on essential documentation, including Data Protection Impact Assessments, data flow mapping, retention and disposal policies, security issue communication protocols, training records, and third-party vendor management. These documentation requirements ensure that DPGs maintain comprehensive records of their privacy practices and can demonstrate compliance when required.3. Technical and organisational safeguards outline best practices for implementation requirements for minimum data protection controls, including robust authentication and access controls with role-based access and multi-factor authentication, comprehensive logging and auditing systems, state of the art encryption for data in transit and at rest, systematic vulnerability management, data isolation and localisation measures, and privacy enhancing technologies such as differential privacy and federated learning.4. Lifecycle Management and Oversight ensures that privacy considerations are embedded throughout the entire data lifecycle, including ongoing risk monitoring, audit readiness, and change management processes that assess privacy and security implications during product updates.How Privacy Enhancements Strengthen the Digital Public Goods EcosystemThese enhanced privacy requirements represent a significant advancement in ensuring that DPGs anticipate, prevent, and do no harm in the design and development of their solutions. By embedding effective privacy safeguards into the design and development stages of DPGs, these updates enable DPGs to better serve users and communities while upholding critical privacy rights. The privacy-focused approach is particularly crucial for DPGs serving vulnerable populations, who face heightened risks from data misuse or unethical practices. Aligned with global privacy standards, these updates aim to strengthen the credibility and long-term sustainability of digital public goods, making them more trustworthy to partners, funders, and international initiatives. They also establish privacy compliance as an integral part of DPG evaluation, reinforcing both operational efficiency and ethical practice across the ecosystem.As DPGs play an increasingly vital role in advancing the UN Sustainable Development Goals, these enhanced privacy protections ensure they can fulfill their mission while maintaining the trust and confidence of the communities they serve. Through these comprehensive updates to the DPG Standard, we aim to lead the way in establishing ethical frameworks for digital development, ensuring that DPGs create maximum positive impact while upholding fundamental principles of privacy and security essential for sustainable global progress.

The Digital Public Goods Alliance is committed to the long-term success of digital public goods (DPGs), including helping those who run and maintain DPGs to make their voices heard. In response to a shifting funding landscape, DPG product owners have come together to issue an open letter reminding digital transformation supporters from different focus areas worldwide of the vital role DPGs play in advancing the Sustainable Development Goals.DPGs are already helping countries and organisations deliver public services more effectively and are serving as the solutions needed to address critical challenges—from climate change and healthcare to education, financial inclusion, strengthening information integrity efforts, and beyond. They are also enabling more effective digital transformation by helping countries and organisations avoid duplication, reduce costs, and scale impact through open, interoperable, adaptable technologies that can be tailored to local contexts. As development assistance models evolve, the cost, speed, and collaboration advantages of DPGs underscore why they are the solutions we need now more than ever.This letter, written and signed by more than 15 product owners, encourages governments, funders, civil society organisations, technologists—including system integrators and hyperscalers—and all others across the ecosystem to read and reflect on the important call to actions highlighted within the letter, and consider how they can help ensure the continued sustainability of DPGs.

This year’s Internet Governance Forum (IGF) in Norway brought together global leaders, technologists, and policymakers to build trust, resilience and digital cooperation to ensure technology and future innovation is sustainable, accessible, and rights respecting. The Digital Public Goods Alliance (DPGA) was proud to contribute to this momentum by spotlighting the role of digital public goods (DPGs) and open-source solutions as key enablers of IGF’s goals. At a time when countries are seeking ways to build digital systems that are both cost effective and equitable, the DPGA used its presence at IGF to make the case that DPGs—open-source, interoperable tools designed for public benefit—are not only viable, but vital for achieving safe, inclusive, and interoperable digital public infrastructure.

UNICC has joined the Digital Public Goods Alliance! The announcement happened during the UN Open Source Week side event “Accelerate SDG Impact, Scaling Open Source”, with Lucy Harris, COO, DPGA Secretariat; Emily Bennett, Head of Digital Public Solutions, UNICC; and Anish Sethi, Chief, Digital Solutions Centre, UNICC.As a member of the DPGA, The United Nations International Computing Centre marked a strategic step forward in its mission to enable inclusive and sustainable digital transformation across the UN system, other international organisations, and governments.“Joining the DPGA is a natural extension of our mission to support the United Nations’ digital transformation journey. Our technical and strategic contributions can help ensure that digital public goods are developed and deployed in a way that reflects the values, needs, and standards of the UN system.” said Sameer Chauhan, Director, UNICC.“We are proud to welcome UNICC to the DPGA. Their membership not only supports the United Nations’ digital transformation journey but also strengthens the DPG ecosystem by contributing potential new solutions to the DPG Registry. Beyond advocating for open, scalable solutions across the UN system, UNICC helps expand the adoption of DPGs where they’re needed most, ultimately accelerating digital cooperation efforts to achieve the SDGs.”, added Liv Marte Nordhaug, CEO, Digital Public Goods Alliance Secretariat.