Data trusts as new models for the data economy
Author: Aline Blankertz, Data Economist at Stiftung Neue Verantwortung and Co-chair of the Sine Foundation
Making new models possible: What regulation for data trusts should look like
Data trusts are a promising concept for enabling data use while maintaining data privacy. Data trusts can pursue many goals, such as putting data protection into practice more effectively, increasing the participation of consumers or other data subjects, and strengthening data sharing along the value chain. They have the potential to become an alternative model to the current data practices of large platforms, which are accused of accumulating data power and using it primarily for their own purposes. To fulfil these hopes, data trusts must be trustworthy, allowing their users to understand and trust that data is being used in their interest.
Data trusts can take on many different legal shapes and forms, depending on the jurisdiction in which they operate and the rights that citizens in that jurisdiction have over data about them. Considering them from a civil law perspective, for example, in Germany, it can make sense to consider a data trust’s defining features without using a legal trust (in the form set out in UK law). Under German law, because there are no absolute rights to data, these cannot be transferred comprehensively.
However, no absolute right to data is required to authorise a data trust, for example, to make an access decision on behalf of the data subject (such as consumers or companies). If, as consistent with recent literature, all legal relationships whose objective is the internal representation of the interests of one contracting party vis-à-vis another are considered trusts (German “Treuhand”), data trusts can also be included under this broader concept of trusts. On this basis, we can think about data trusts as trustworthy data intermediaries - organisations that manage data on behalf of others while adhering to a legal framework (including competition, trade secrets, and privacy laws) in a trustworthy manner.
Why and how to regulate data trusts
Currently, the political approach is to subject all forms of data trusts and other intermediaries to the same rules through a “one size fits all” regulation. For example, the Data Governance Act (DGA) gives data trusts little leeway to evolve in the marketplace. In our recent paper we argue that regulation should systematically analyse risk factors. These can be identified across sectors; in particular, centralised or decentralised data storage and voluntary or mandatory use of data trusts are among them. The business model is not one of the main risk factors.
It is important for data trusts to be trustworthy for them to be widely adopted, which can justify additional regulation. However, to still encourage the development of data trusts, such additional rules should be designed depending on the use case. The risk of a data trust use case should be considered as well as the need for incentives to act as a data trust. It is important to assess if, with additional obligations on data trusts to ensure trustworthiness, other obligations can be relaxed.
It is helpful to look at specific sectors in which data exchange is likely to increase and change to develop concrete proposals for which regulation could be appropriate to govern that data exchange through data trusts. Below we consider the case of medical data trusts and personal information management systems in this regard.
Use case 1: Proposed regulation for medical data trusts
Medical data holds enormous potential for research to develop new and more personalised forms of diagnosis and treatment. At the same time, the data is highly sensitive and includes current treatment data as well as potential future risk factors. Risks associated with using such data include self-censoring behaviour, discrimination, and treatment failure if data is not interpreted carefully.
Data trusts could help ensure increased data sharing and trustworthy data use in medical research. To do so, they would need a legal basis for data processing by scientific and commercial organisations for medical research with data provided by a data trust. This legal basis would overcome the considerable challenges that come with informed consent by patients and that persist with broad consent, an approach intended to make the purposes for which data subjects provide consent less specific. Opt-out would always remain possible.
In addition to this legal basis, trustees and policymakers should consider additional regulation to ensure that the risks of the approach remain manageable. Specifically, IT security must be certified by a state-supervised body. Furthermore, data access should be designed in such a way that only the data necessary for the research is accessible, and personal identification is reduced as much as possible, for example, with pseudonymisation, aggregation and/or federated learning. Organisations that operate in areas that are likely to discriminate, such as insurance and advertising, should be excluded.
By developing additional safeguards on IT security, privacy, and discrimination alongside more competencies to use medical data without having to rely on consent, data trusts could enable medical research. This approach could allow for a broad range of medical research while still ensuring that the interests of patients and society, in general, are taken into consideration.
Use case 2: Proposed regulation for PIMS (data trusts)
Personal information management systems (PIMS) are intended to help consumers enforce their rights and interests more effectively. However, consumers have been reluctant to use these services, and companies such as large platforms have found it easy to circumvent these systems. At the same time, there is a risk of abuse in direct dealings with consumers (e.g., through misleading information and menu navigation).
To control these risks and support the development of PIMS, model terms and conditions for PIMS could be made the basis for certification. This certification should identify them as meeting specified standards of trustworthiness and align PIMS with the interests of consumers. These terms and conditions should include minimum standards for IT security and provide for explicit consent to the monetisation of personal data, such that direct monetisation of personal data is only possible when consumers are aware of it. Furthermore, transparency requirements should make the monetary and non-monetary transfer of data visible, for example, by requiring a continually updated list of data users. The terms and conditions should also contain restrictions on the use of data by affiliated services, such that it takes place under the same conditions as for external services. This would prevent conglomerate firms from giving their affiliates preferential access to data.
With these standards being met, it also makes sense to allow PIMS to represent consumers more comprehensively, for example, to grant or deny consent on behalf of their users. While the degree of mandatability of data rights under the GDPR is not clear, positive examples exist, for example, in the form of “authorized agents” under the California Consumer Protection Act (CCPA), who can represent consumers in requesting that data about them be deleted and/or not sold to any other parties. Large companies such as social media platforms could be obliged to cooperate with certified PIMS, so that PIMS are not systematically circumvented but are adopted more widely by both consumers and data users.
Far-reaching neutrality obligations, such as those spelled out in the DGA, can make PIMS less likely to develop and succeed. PIMS such as polypoly.eu, digi.me and bitsabout.me already struggle in the market, but risk becoming even less viable if, for example, they are not allowed to charge commissions for providing data access. Voluntary certification can help consumers to identify trustworthy models without prohibiting other models from entering the market. The terms that serve as a basis for certification should address specific conflicts of interest to allow PIMS to still pursue some remaining commercial interests.
Recommendations for action across sectors
Regulating data trusts should not increase existing legal uncertainty and complexity but reduce them. This is necessary to incentivise the development of new models and approaches. Additional requirements to establish trust and reduce risks also justify lowering hurdles. Overly strict neutrality requirements inevitably mean that data trusts can be provided only by the government, which creates other potential problems. Instead, it is more productive to use legal restrictions to prevent specific conflicts of interest.
Certification can aid transparency, if specified requirements are met. Certification is a sensible approach particularly when the risk of overly restrictive regulation is high, and information asymmetries, for example, call for intervention. Another pragmatic way to promote data trusts is to use pilot projects and government demand strategically. However, this method is no substitute for developing new models, especially business models.
Whether data trusts can fulfil the high hopes placed on them depends largely on how the regulatory framework that applies to them is designed. Overall, regulatory proposals for data trusts should aim to make data use and data protection more compatible. To this end, it is helpful to focus on specific risks that are not covered by the existing legal framework; at the same time, it is also helpful to remove hurdles that stand in the way of this goal.