International perspectives on data institutions: lessons for data trusts
Governments across the world have looked to data trusts as a new form of data institution, aiming to support data sharing for social benefit while managing potential harms from data use. In developing policy frameworks for data trusts, researchers and policymakers can draw lessons from the different approaches to data governance that are being established across different jurisdictions. Our second Working Paper explores international perspectives on the development of data institutions. This blog summarises some of the key themes –
Different jurisdictions provide different legislative frameworks for data institutions
A prerequisite for the establishment of data trusts is that individuals have rights over data about them that can be held in trust. Countries and regions of the world differ in the types of right that are available under current legislative frameworks. For example:
In the EU, personal data rights – including rights of access, erasure and portability between providers – are provided under the General Data Protection Regulation.
In Canada, data protection laws exist at both federal and provincial levels, with different frameworks for public sector data and private sector data. Adding to this framework, proposed legislative changes through the Consumer Privacy Protection Act would bring de-identified data within the scope of data governance frameworks.
In South Africa, data rights are created through both data protection legislation and constitutional provisions, based in human rights law, as well as database laws.
In the US, few personal data rights exist through federal law. At state-level, there are examples of data protection-like legislation. In California, for example, the California Consumer Privacy Act seeks to give individuals control over the type of information that is collected about them by businesses.
While the UK has a long history of trust law to manage the rights and responsibilities associated with different types of asset, the availability of equivalent legal frameworks varies across countries. Where trust law – as understood in common law jurisdictions – is not available, there are usually alternative legal frameworks that can foster independent stewardship and enable collective action, while providing institutional safeguards. In the US, for example, the Delaware Statutory Trust Act could provide a framework for data trusts; in Quebec, the legal framework for Quebec Trusts could be adapted to develop data trusts from a civil law perspective.
Institutional design needs to reflect local needs and opportunities
The term ‘data trust’ is now widely used to describe a collection of different approaches to data governance. The Data Trusts Initiative takes as its starting point that a data trust is a mechanism for individuals to pool their data rights into an organisation that: provides independent stewardship of those data rights; embeds fiduciary responsibilities in its ways of working; operates within a frameworks of institutional safeguards; and facilitates collective action.
Thinking in terms of these core characteristics can help identify relevant legal frameworks across different jurisdictions. It can also highlight areas where further clarity is needed, if data trusts are to operate effectively in these different jurisdictions, including:
What rights can be asserted in different jurisdictions, how do these rights interact with each other, and how they can be settled in a data trust;
What value can data trusts add to the local data governance environment, based on its history, stakeholders and needs;
The purposes for which data trusts might be better suited than other legal mechanisms for data stewardship;
Why or how different stakeholders might be incentivised to – or disincentivised from – creating a data trust, and what value data trusts create for those stakeholders.
Jurisdictions differ in the rights they provide, and communities will differ in their ambitions for data use. Data trust pilot projects will need to adapt to these differing circumstances, operating within local regulatory frameworks and responding to user demands. In some contexts, there may be opportunities to build on existing civic institutions to create new data institutions. In the US, for example, companies that have built electricity infrastructure and social credit unions could benefit from creating data trusts to govern the data they hold and direct its use for community benefit.
Data trusts should enable innovation while managing risks
A range of different approaches to collective data governance challenges have emerged across jurisdictions, from cooperatives that manage data from gig workers to trusts to distribute equity benefits from data-driven companies. These initiatives illustrate the diverse operational issues that data trusts must navigate, which we explored in our previous Working Paper and which include:
Developing business models for long-term sustainability;
Designing technical architectures for data access or management;
Creating methods of participatory governance;
Negotiating perceptions of trustworthiness;
Distributing benefits from trust activities.
Coming years will likely bring a variety of experiments around new forms of community-focused data governance. While pursuing these innovations, those leading such projects have a responsibility to consider how their work can best respond to community needs and what happens if these projects fail.
Taking data trusts from theory to practice will require further work to design ways of working and to safely pilot data trusts methods. In taking forward this agenda, there are opportunities to learn from experiences of different countries about which approaches work in different contexts.
For more information on these jurisdictional perspectives, take a look at our Working Paper: International perspectives on the development of data institutions.
Author: Jess Montgomery (2021)