Data trusts and the draft Data Governance Act

The draft Data Governance Act marks the start of a new phase of action by the European Commission in its ambition to “boost a data-driven economy in Europe”. The Act sets out a framework to govern the work of data intermediaries – organisations that are involved in data sharing services – with the aim of increasing data sharing while supporting individuals to exercise their data rights. A range of different data sharing structures can help achieve these functions, and data trusts are one form of potential data intermediary. In this post, we look at some of the questions the draft Data Governance Act raises about the development of data trusts. 

Data trusts and data intermediaries 

Under the Commission’s definition, data intermediaries are “providers of data sharing services” that “contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing”. In technical terms, the Regulation focuses on “providers of data sharing services that have as a main objective the establishment of a business, a legal and potentially also technical relation between data holders.” Within this scope, the Act notes there is a specific category of data intermediaries that seek to empower individuals to assert their data rights under the GDPR. 

Data trusts provide institutional mechanisms to support such empowerment. These bottom-up organisations allow individuals to pool their data rights into an organisation – a trust – in which a trustee is tasked with making decisions about data use on their behalf. 

To operate effectively, a data trustee would need to be able to make decisions about how to exercise data rights – such as those set out in the GDPR – on behalf of the trust’s beneficiaries. While the Act does not specifically consider data trusts in this respect, it does comment on data cooperatives, stating that rights under the GDPR “can only be exercised by each individual and cannot be conferred or delegated to a data cooperative”. 

This suggests that data trusts may need to be established in ways that do not entail any rights transfer. As a possible workaround (suggested by Prof. McFarlane in our previous blog), one could consider a scenario whereby “the holder of the data right (the data subject) could declare that she holds the right on trust for the data trustee. The data trustee would then get the benefit of this data right, which she would be bound to use in a particular way, according to the terms of the trust”. Independently of these concerns about rights transferability, it is crucial to ensure it is simple for individuals to move between trusts: this points to some important design considerations that need to be factored into the creation of trust documents.

Institutional safeguards for trustworthy data intermediaries

In seeking to ensure the trustworthiness of data intermediaries, the Act focuses on systems that can ensure their neutrality and accountability. 

To demonstrate the neutrality of data intermediaries, the Act proposes a range of different safeguards. These include:

  • restrictions on the use of data by an intermediary, with an intermediary being barred from exchanging data for its own interest (for example, to develop its own product or service); 

  • clear separation of functions in those intermediaries that offer data sharing services in addition to other, potentially data-enabled, services; and 

  • a requirement to notify Member States’ competent public authority of their intention to provide intermediary services, with that public authority being tasked with monitoring compliance with the Regulation.

The Act further creates a right to lodge a complaint against a data intermediary, tasking national competent authorities with the responsibility of managing such complaints and informing complainants about the right to seek administrative or judicial remedy. These provisions lay the foundation for mechanisms that allow competent authorities or courts to sanction data intermediaries that are found to be failing in their duties.    

Imposing fiduciary responsibilities on data intermediaries “in the case of providers of data sharing services offering services for natural persons” requires that a data intermediary be held to a duty of undivided loyalty to the interests of the individuals – the data holders – it purports to serve. Quite how this will be translated in practice is a key question. 

In trust law, fiduciary responsibilities are well-established and delineated through centuries of case law. A fiduciary responsibility requires trustees to act with prudence, impartiality and undivided loyalty on behalf of their beneficiaries. In the context of data trusts, these responsibilities act as an institutional safeguard, helping ensure the trustee acts independently of outside interests. 

Outside trust law, understandings of what is meant by the term ‘fiduciary responsibility’ vary. Clarifying both the nature of the responsibilities required from different data intermediaries as well as the nature of the institutional safeguards meant to give ‘teeth’ to those responsibilities will be necessary.

Widening access and participation

In setting conditions for providing data services, the Act acknowledges that, without policy intervention, such services may be out of reach for many in society. In response, it sets a requirement that an intermediary “shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data holders and data users, including as regards price”. 

As we discussed in a recent Working Paper, further action is required to ensure that data trusts are accessible to all and that all those in a trust are able to meaningfully contribute to decision-making. Achieving the goal of fair, transparent and non-discriminatory intermediary services requires careful design of all points of interaction between a data trust and its users. These interactions might include promotion of the services offered by the trust, efforts to make the tools and skills to create and manage a trust accessible to all, and systems of participatory governance that engage all those in a trust in decision-making.  

Where next?

The draft Data Governance Act sets out to create “hands-on conditions to encourage public bodies, companies and people to take action, use their rights and share their data”. In so doing, it raises questions about the role that different forms of data intermediary can play in empowering individuals and communities to influence how data about them is used. It also raises important questions about the design and implementation of such intermediaries, including data trusts. 

Over the coming year, the draft Data Governance Act will be subject to further comment and scrutiny in the European Parliament. In parallel, we’ll be working through some of the questions it raises at the Data Trusts Initiative, looking for ways in which we can establish data trusts that provide independent stewardship of data rights for the benefit of society as a whole – and not just its least vulnerable members.

 

To read more about the implications of the draft Data Governance Act for the development of data trusts, take a look at our recent blog ‘in conversation with Sylvie Delacroix, Ben McFarlane and Paul Nemitz’.

Jess Montgomery (2021)
