Image Source: Wikimedia commons; Image only for representation purpose
This is the fourth in a series of blogs on the Draft Report of the Committee of Experts on Non-Personal Data.
Data trusts have emerged as a recent but popular formulation to refer to a set of legal and institutional practices of data governance by collectives. In the Draft Report, a ‘data trust’ refers to an institutional structure with certain shared protocols for containing and sharing data. The Draft Report frames a ‘data trust’ as a ‘data pool’ of sorts, to hold data from various sources, which is to be managed by public authorities.
The framing of data governance institutions as ‘data trusts’ is an emergent phenomenon that attempts to redress a widespread problem in contemporary debates on data governance, namely, the lack of agency over data, by people who may have rights or interests over that data. The formulation of ‘trusts’ invokes a very specific legal tradition of legally defined institutions governing assets in a fiduciary duty for specified beneficiaries. Historically, trusts under common law imply an equitable duty of care to be undertaken by a set of persons (the trustees) on behalf of beneficiaries, generally on principles established by a settler, or the person who provides the asset to be governed.
It is easy to see why ‘data trusts’ have emerged as an attractive framework for governing data in the context of the contemporary digital economy. The framework of trust allows for communities of individuals to establish collective agency over the information in a manner in which extant data protection law, which is notoriously individualistic, does not. As we noted previously, the contractual model of data governance which hinges on individual consent and establishing agency is limited in the face of modern data processing activities which take place at aggregate levels, and the implications of which individuals may not be able to account for in their decision-making. Additionally, data governance responsibilities currently rest only in the firms and services intending to collect information, which is by and large corporations which serve shareholder interests. As we increasingly come to identify individual and community rights in the data shared with such corporations, a clear conflict of interest arises, where the terms of data governance do not (and perhaps can not) reflect the interests of the subject of the data.
Data trusts attempt to frame clear rules for pooling of data from various sources (which could include individuals or communities to whom data relates or those who have generated or measured certain data). The trust provides a mechanism for collective data governance without the conflict of interests entailed in the direct relationship between data sources and data users and provides a mechanism for both individuals and communities to exercise agency over how and why data may be collected or shared.
Data trusts are being explored by communities, governments, and private firms around the world, as an alternative to existing models of data governance, and do not have an established meaning or structure as yet. One of the most ambitious attempts to establish a data trust was in the context of governing the extensive information collected in establishing the Toronto Quayside Project, by Sidewalk Labs (a subsidiary of Google), which attempted to articulate rules for a ‘civic’ trust for the data of all residents of the neighborhood which was being developed ‘from the internet up’. The UK government has piloted three concepts of data trusts with the Open Data Institute, to manage information gathered from public spaces in the public interest.
While data trusts may be an idea whose time has come, there needs to be much more deliberation about the shape and form, and particularly the legal obligations by which we establish these institutions. How do we identify the beneficiary communities? What are the rules and fiduciary duties of a trustee? To what extent are rules of trust and equity applicable to property ownership relevant for data governance through such institutions? The Draft Report on Non-Personal Data throws up many of these questions but ultimately does little to answer them.
Delacroix, Sylvie, and Neil D. Lawrence. “Bottom-up data Trusts: disturbing the ‘one size fits all’ approach to data governance.” International Data Privacy Law 9.4 (2019): 236-252. (here)