Bottom-Up Data Trusts: Disturbing the ‘One Size Fits All’ Approach to Data Governance

Forthcoming in International Data Privacy Law:

43 Pages Posted: 9 Nov 2018 Last revised: 9 Oct 2019

See all articles by Sylvie Delacroix

Sylvie Delacroix

King's College London; The Alan Turing Institute

Neil Lawrence

University of Cambridge

Date Written: October 12, 2018


This paper proceeds from an analysis of the very particular type of vulnerability concomitant with our ‘leaking’ data on a daily basis, to show that data ownership is both unlikely and inadequate as an answer to the problems at stake. We also argue that the current construction of top-down regulatory constraints on contractual freedom is both necessary and insufficient. To address the particular type of vulnerability at stake, bottom-up empowerment structures are needed. The latter aim to ‘give a voice’ to data subjects whose choices when it comes to data governance are often reduced to binary, ill-informed consent. While the rights granted by instruments like the GDPR can be used as tools in a bid to shape possible data-reliant futures -such as better use of natural resources, medical care etc., their exercise is both demanding and unlikely to be as impactful when leveraged individually. We argue that the power that stems from aggregated data should be returned to individuals through the legal mechanism of Trusts.

Bound by a fiduciary obligation of undivided loyalty, the data trustees would exercise the data rights conferred by the GDPR (or other top-down regulation) on behalf of the Trust’s beneficiaries. The data trustees would hence be placed in a position where they can negotiate data use in conformity with the Trust’s terms, thus introducing an independent intermediary between data subjects and data collectors.

Unlike the current ‘one size fits all’ approach to data governance, there should be a plurality of Trusts, allowing data subjects to choose a Trust that reflects their aspirations, and to switch Trusts when needed. Data Trusts may arise out of publicly or privately funded initiatives. By potentially facilitating access to ‘pre-authorised’, aggregated data (consent would be negotiated on a collective basis, according to the terms of each Trust), our data Trust proposal may remove key obstacles to the realisation of the potential underlying large datasets.

Keywords: Data Trusts, GDPR, Data Controller, Privacy, Vulnerability, Agency, Medical Data, Genetic Data, Data Sharing, Data Mining, Trusts, Fiduciary

Suggested Citation

Delacroix, Sylvie and Lawrence, Neil, Bottom-Up Data Trusts: Disturbing the ‘One Size Fits All’ Approach to Data Governance (October 12, 2018). Forthcoming in International Data Privacy Law:, Available at SSRN: or

Sylvie Delacroix (Contact Author)

King's College London ( email )

United Kingdom

HOME PAGE: http://

The Alan Turing Institute ( email )

96 Euston Road
London, NW1 2DB
United Kingdom

Neil Lawrence

University of Cambridge ( email )

Trinity Ln
Cambridge, CB2 1TN
United Kingdom


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics