This blog considers the role of data trusts in the European policy landscape and the action needed to create a policy environment to support their development.

The continued success of the digital economy relies on data being available to those developing new technologies, products, and services, and public confidence in data use. However, with new uses of data potentially creating novel vulnerabilities or exposing individuals to harm, there is often a tension between the desire to make data – in particular, personal data – more accessible and the desire to protect individual rights. This tension sits at the heart of many of today’s debates about data governance.

A package of policy announcements made by the EU earlier this year indicate how it intends to manage this tension, with a white paper on AI aiming to promote a framework for technology development based on “excellence and trust” and a data strategy to support data availability and use. At the core of both is the ambition to embed individual and social values in the data economy. Reflecting this ambition ,when introducing new strategies on data and AI, President von der Leyen called for an EU digital environment that “reflects the best of Europe – open, fair, diverse, democratic, and confident.”

To achieve this aim, the EU’s draft data strategy calls for action to increase data availability, redress imbalances in market power, and implement governance systems that empower individuals to exercise their data rights. Its proposed approach to these challenges is the development of common data spaces – to increase the flow of data in key areas – alongside the introduction of measures to support individuals to exert their rights over data they generate.

A variety of EU frameworks already regulates different forms of data use, while creating a constellation of data rights and responsibilities. These stem from regulations on the use of personal data, the flow of non-personal data, cybersecurity policies, and legislation to promote open data. However, these top-down approaches cannot on their own bridge the gap between the aspiration to share data and the need to protect individuals and groups from the vulnerabilities that stem from data sharing.

Data trusts offer a tool to help fill this gap, supporting the creation of European data spaces, particularly in areas where personal data is at stake.

A data trust is an institution that uses trust law as a framework for data governance. It provides a mechanism for groups of individuals to pool the data rights created by law (such as the GDPR) into an organisation - a trust. Within the framework of a trust, trustees are tasked with leveraging these data rights to obtain better terms and conditions for data use from service providers, or with negotiating and monitoring data sharing agreements. Bound by a fiduciary obligation of undivided loyalty, the data trustees would exercise the data rights conferred by the GDPR (or other regulation) on behalf of the trust’s beneficiaries.

Data trusts are designed to complement existing legal and regulatory frameworks that define the rights an individual has over how data about them is used. Having access to the data pooled by its members would give the trust a stronger voice in negotiations with organisations seeking to use data than any individual could have. The data trustees would be placed in a position where they can negotiate data use in conformity with the trust’s terms, thus introducing a much-needed, independent and intermediary layer between data subjects and data collectors.

Adding to ‘one size fits all’ regulatory approaches that set the boundaries of data use, each trust would define its own approach to data management (within legal confines), taking into account the aspirations of its members. The fiduciary duties that direct the work of data trustees offer strong safeguards that mean a trust would be an independent steward of data. In this way, trusts could offer a way of aligning an individual’s (or group’s) values with the way their data is used, connecting the aspiration to share data for collective benefit with the desire to protect individual rights.

Across the world, there is growing interest in the development of data trusts as a means of trustworthy data governance. Germany’s Data Ethics Commission has recommended further funding to research and develop data trust schemes, the Canadian Government has been consulting on similar proposals via its Digital Charter, and the UK Government’s AI review called for the development of data trusts to facilitate the development and deployment of AI.

Further policy development is needed to understand whether additional legislative measures are necessary to enable citizens to invest their data or data rights in a data trust, or move between trusts; further research is necessary to understand what jurisdictional issues might arise in the development of data trusts internationally, and what forms of international cooperation might be needed to address these; and new policies or institutions may be required to support the professionalisation of data trustees.

Progressing the concepts and methods behind the idea of data trusts in the EU will require action from policymakers, industry and civil society:

  • to better understand the limits of existing regulatory provisions - particularly when it comes to mandatability - concerning data portability, access, and erasure, clarifying, for example: is further EU-level intervention required to make the latter rights mandatable to a data trustee, or should such interventions be made by national regulators?

  • to develop further the processes by which individuals can move their data (between trusts or otherwise);

  • to support a wide range of individuals and communities to engage with data trusts to ensure that their benefits and protections are accessible by all, especially currently disenfranchised communities.

The European Data Strategy is an opportunity to review both the legislative and socio-economic environment that would help foster the development of data trusts in the EU, and to identify how the EU can maintain a leading role in future developments in this area of data governance.