International approaches to data trusts: recent policy developments from India, Canada and the EU
1 October 2020
Our previous blog explored the role that data trusts could play in delivering the EU’s data strategy. Since then, governments around the world have continued to publish policy proposals that give a central place to ‘data trusts’. While the legal underpinnings of such ‘data trusts’ often need further unpacking, a common thread runs through all of these proposals: an endeavour to balance the desire to share data – to support economic activity and societal wellbeing – and concerns about potential harms arising from data use.
This post summarises some of these developments, and the questions they pose about how to create data trusts that empower individuals and groups while unlocking the societal benefits inherent in responsible data sharing.
India’s Committee of Experts on Non-Personal Data: Promoting Data Trusts
In late 2019, India’s Ministry of Electronics and Information Technology established a committee tasked with designing a framework for the regulation of non-personal data. In July, this Committee of Experts on Non-Personal Data published its recommendations, putting data trusts front-and-centre in its proposals.
This report argues that “given the increasing importance and value generation capacity of the data economy, governments around the world realise the need to enable and regulate all aspects of data, both Personal and Non-Personal Data”. It defines three types of non-personal data, which can relate to data collected by governments when carrying out publicly-funded work, anonymised data about communities, and data related to assets or processes that are privately-owned or result from private effort.
In seeking to govern this data, the report argues for the creation of data trusts. It proposes a policy framework in which a data principal – the individual, community or organisation to which the personal data relates – would exercise its data rights “through an appropriate community data trustee”. That data trustee should be “the closest and most appropriate representative body for the community concerned”, and could be a government entity, citizens’ group, or a university, for example. Such trusts would help rebalance power in the data economy between established data-driven platforms with ready access to large amounts of data and new entrants or start-ups.
Responding to these proposals, Mozilla noted the potential of such data intermediaries in enabling trustworthy data use, but also called for further work to identify appropriate technical systems to manage data held in trust, to consider jurisdictional issues associated with the legal instruments underpinning the trust, and to mechanisms of accountability.
The findings of this report are expected to be reflected in the Personal Data Protection Bill, currently before India’s Parliament.
Developments in the EU’s data strategy: ‘novel data intermediaries’ (including data trusts)
In her September 2020 State of the Union speech, President of the European Commission Ursula von der Leyen reiterated the Commission’s commitment to the introduction of policy interventions that support data use and give citizens more control over their personal data. This speech builds on policy announcements published earlier this year, with a white paper on AI aiming to promote a framework for technology development based on “excellence and trust” and a data strategy to support data availability and use.
In further pursuit of this ambition, a recent consultation on a legislative framework for the governance of common European data spacesset out actions to reduce barriers to data sharing, by fostering “structural enablers”, including both new bodies and new processes, that could help effectively manage the data rights already set out under EU law. Noting that “voluntary data-sharing remains costly and complicated”, for both technical and procedural reasons, these proposals stated support for the “novel data intermediaries”, including data trusts, that are emerging as a tool to enable data sharing by individuals and organisations.
Further developments in the EU’s data strategy are expected later this year.
The Government of Ontario’s data trusts consultation
Earlier this month, the Government of Ontario launched a public consultation on proposals to revamp its data privacy legislation. This consultation proposes to “create a legislative framework to enable the establishment of data trusts for privacy protective data sharing”.
Data trusts have been the subject of policy debate in Ontario since 2018’s proposal by Sidewalk Labs to create a civic data trust, tasked with governing data collected as part of a controversial waterfront development. Announcing the consultation, Ontario’s Minister of Government and Consumer Services cited privacy concerns arising from the increased reliance of many citizens on digital services during the COVID-19 pandemic as a key driver for seeking new policy frameworks that enhance transparency and accountability in data use.
These new proposals define data trusts as “a legal mechanism that enables an organization’s data to be governed by a trusted third party, to ensure the transparent and accountable use of that data”. They sit alongside wider proposed changes, including enhanced data portability, increased enforcement powers for the Information and Privacy Commissioner, and a right for individuals to request that information about them be deleted.
The written consultation will be open until October.
Further questions raised by these proposals
As this policy area continues to evolve, these recent announcements highlight a range of issues or questions where further attention is needed, if governments are to realise the potential of data trusts. For example:
What enabling rights need to be in place?
In our last post, we argued that, if the EU’s data strategy is to effectively support the development of data trusts, then further work is needed to better understand both the limits and flexibility inherent in regulatory provisions concerning data portability, access, and erasure. Central to the ability of data trusts to secure positive outcomes is the role of the data trustee in exercising data rights – such as relating to portability – on behalf of their beneficiaries, and there is an emerging debate about whether further regulatory intervention is needed to make such rights mandatable to a trustee. That Ontario’s proposed policy framework links the development of data trusts to rights regarding portability and erasure further underlines the need for regulatory clarity in these areas, if trusts are to be implemented.
Who should act as a trustee and how can trustees be held to account?
In proposing that government could act as a data trustee, India’s proposals have raised questions about who could – or should – be able to take on a trustee role, and what forms of accountability are needed to ensure trustees act in accordance with the interests of a trust’s beneficiaries. The potential absence of a fiduciary responsibility under the Committee’s proposals have also prompted concerns about the level of safeguards that these trusts would provide, and whether they should be designed as trusts, with strong fiduciary elements, or whether other legal models – such as data cooperatives or data commons – might be more suitable for their functions. These concerns echo previous debates arising from Sidewalk Labs’ proposal to establish a ‘data trust’ in Toronto and wider concerns about the extent to which the term ‘data trust’ might be deployed as a marketing tool to garner support for a seemingly socially-conscious governance system, without creating underlying mechanisms to achieve such social benefits.
What role can trust law play in addressing concerns about disenfranchisement and accountability?
We’ve previously argued on this blog that trust law can be a tool for addressing concerns about enfranchisement. Trust law can providea mechanism for individuals and groups to reverse the direction of consent, tasking their data trustees with the negotiation of terms and conditions from service providers on a collective basis.
Trust law already provides accountability mechanisms (were a data trustee to be found in breach of their fiduciary responsibilities, the Court overseeing the trust can intervene and remove the trustee), but further work may be required to clarify and develop these mechanisms, as different actors seek to take on trustee roles. Further research about the manner in which trust law (or its key functional elements) may be applied across non- common-law jurisdictions will also be needed.
Authors: Sylvie Delacroix and Jess Montgomery (2020)