Bottom-Up Data Trusts: Disturbing the ‘One Size Fits All’ Approach to Data Governance
Forthcoming in International Data Privacy Law: Doi.org/10.1093/idpl/ipz014
43 Pages Posted: 9 Nov 2018 Last revised: 9 Oct 2019
Date Written: October 12, 2018
This paper proceeds from an analysis of the very particular type of vulnerability concomitant with our ‘leaking’ data on a daily basis, to show that data ownership is both unlikely and inadequate as an answer to the problems at stake. We also argue that the current construction of top-down regulatory constraints on contractual freedom is both necessary and insufficient. To address the particular type of vulnerability at stake, bottom-up empowerment structures are needed. The latter aim to ‘give a voice’ to data subjects whose choices when it comes to data governance are often reduced to binary, ill-informed consent. While the rights granted by instruments like the GDPR can be used as tools in a bid to shape possible data-reliant futures -such as better use of natural resources, medical care etc., their exercise is both demanding and unlikely to be as impactful when leveraged individually. We argue that the power that stems from aggregated data should be returned to individuals through the legal mechanism of Trusts.
Bound by a fiduciary obligation of undivided loyalty, the data trustees would exercise the data rights conferred by the GDPR (or other top-down regulation) on behalf of the Trust’s beneficiaries. The data trustees would hence be placed in a position where they can negotiate data use in conformity with the Trust’s terms, thus introducing an independent intermediary between data subjects and data collectors.
Unlike the current ‘one size fits all’ approach to data governance, there should be a plurality of Trusts, allowing data subjects to choose a Trust that reflects their aspirations, and to switch Trusts when needed. Data Trusts may arise out of publicly or privately funded initiatives. By potentially facilitating access to ‘pre-authorised’, aggregated data (consent would be negotiated on a collective basis, according to the terms of each Trust), our data Trust proposal may remove key obstacles to the realisation of the potential underlying large datasets.
Keywords: Data Trusts, GDPR, Data Controller, Privacy, Vulnerability, Agency, Medical Data, Genetic Data, Data Sharing, Data Mining, Trusts, Fiduciary
Suggested Citation: Suggested Citation