Understanding the Data Governance Act: in conversation with Sylvie Delacroix, Ben McFarlane and Paul Nemitz
Publication of the draft Data Governance Act marks the next phase of the European Commission’s plans to bolster data sharing across the EU. The Act sets out a regulatory framework for data intermediaries – providers of data sharing services – including platforms for data sharing and organisations that support individuals to assert their data rights. Publication of the Act has raised a variety of questions about the development of data trusts. In a bid to shed some light on the intricate questions surrounding this Act’s reference to the delegatability of data rights, Sylvie Delacroix (University of Birmingham) hosted a conversation with Ben McFarlane (University of Oxford) and Paul Nemitz (European Commission) –
The provision in the Data Governance Act that states rights under the GDPR “can only be exercised by each individual and cannot be conferred or delegated to a data cooperative” (recital 24) has attracted a lot of speculation. What is the Data Governance Act trying to achieve in this respect?
Paul: The intention behind the Act is to create a framework for institutions that can act as trustworthy data intermediaries. These would support different parties to access data and help people to share their data for the public interest, while also supporting individuals to exercise their data rights.
Sylvie: These data rights have been hard-won. So it isn’t surprising there are concerns that, if they aren’t properly governed, data intermediaries could lead to a watering-down of those rights by circumventing processes around consent. But this really depends on how those rights are managed by the intermediary and how those intermediaries can be held to account.
Paul: Rights can be managed in different ways – typically, when we talk about delegating a right, we expect there to be a mechanism where that delegation can be revoked. This is different to the conferral of rights, which is permanent. Given the aim of the Act is to help people exercise their rights, it seems unlikely the Act is genuinely seeking to rule out delegation to data intermediaries of rights regulated by the act under the heading “Rights of Data Subjects” in Chapter III of GDRP, such as the right to ask for deletion of data . This would prevent a range of relationships we know are helpful in helping people exercise their rights – like when individuals task an agent with acting on their behalf and which already exist, such as services which help people to find data about them and seek their deletion. Delegation is also different to transfer of rights, which usually implies something more permanent. But when it comes delegation, and even more conferral, of consent or the ability to make a contract on data processing, the situation is of course different and much more delicate. I would think the formulation in the recital in the first place is to be read as these “rights” of individual data subjects relating to their data.
Given what the Act says, would data trusts be able to act as a data intermediary?
Ben: What is usually distinctive about trusts is that the trustee holds rights on behalf of a beneficiary and has a duty to exercise those rights in the ways set out in the terms of the trust. This differs from using an agent to manage your rights – when working with agents, you keep the rights, and the agent exercises them on your behalf. At first look, it might seem like the Data Governance Act is incompatible with trust-style governance, but there are different ways of setting up trusts.
Sylvie: The way that rights are held in trust doesn’t seem to quite fit in either of the two extremes – the permanence often associated with the idea of ‘transfer’, or the delegation that implies no transfer.
Ben: Yes – in some trusts, rights are transferred, but the transfer is not irrevocable, and there are lots of examples of trusts where there is the option to take back the rights held in trust. Conversely, there are also examples of rights that cannot be transferred, but where a trust has still been established to help govern their use. This tends to arise in cases involving contractual rights that are expressly or impliedly non-assignable. In those cases, courts have held it is possible to have a trust. In the context of data trusts, there would potentially provide a workaround if there are concerns about the transferability of data rights: the holder of the data right (the data subject) could declare that she holds the right on trust for the data trustee. The data trustee would then get the benefit of this data right, which she would be bound to use in a particular way, according to the terms of the trust. In such a scenario, no transfer of a right has occurred.
Sylvie: So it is possible to disentangle questions about whether you can transfer or delegate a data right and whether you can establish a data trust. Would these be sufficient to ease concerns people might have about maintaining their rights?
Paul: The key thing for data trusts is that this process of managing rights does not become so complicated as to make trusts inaccessible to the people they should serve. It needs to be easy to make choices about data use and move between data sharing services.
Ben: There are some rights that both cannot be transferred and cannot be held on trust, but this is quite rare. In English trust law, there is an interesting conceptual question about what characteristics must rights have if they are to be capable of being held on trust.
Looking at the bigger picture, what does the Data Governance Act tell us about the data governance landscape and the role that data trusts could play in it?
Paul: The Data Governance Act is fundamentally trying to increase data access while also increasing our ability to exercise our data rights. There are different ways of achieving this aim, which need to be worked through in legislative discussions.
Ben: Trusts is an area of law where researchers and practitioners have long had to grapple with the idea that parties can hold different types of rights and that those parties can be subject to duties to use those rights in certain ways. This means trust lawyers have had to think about how rights can be aggregated, how their use can be monitored, and what action should be taken if someone fails in their duties.
Sylvie: In that context, data trusts are a way of trying to promote enfranchisement – helping individuals have a voice in decisions about data use – while protecting against vulnerabilities stemming from data use. The key question that the Data Governance Act raises is: what types of safeguards need to be in place to give confidence that those managing my data rights are doing so in my interests, and that those intermediaries that fail in these duties would be held to account?
Ben: An advantage of trusts is that the courts can intervene to control a trust and can, for example, replace the trustees, if they are failing in their duties.
Paul: The Data Governance Act is also pointing to other forms of safeguards that regulators can put in place. In it, the Commission is proposing mechanisms like certification as a way of making sure data intermediaries meet certain standards. To understand what this means, and what further efforts are needed, we need to get further into the use cases that can show us how these safeguards might work in practice. The emphasis on cooperatives in the proposal is important for the mixed nature of the data economy. It is not desirable to have a data ecosystem only built around or even dominated by stock exchange notated or capitalistically organised players. Giving cooperatives, foundations, public interest organisations, such as NGOs, should be part of our concern on the future data ecosystem. In light of the ever-growing digital giants on the US Stock Exchange, we have to strengthen elements of a mixed economy, also for spreading risks between different organisational forms, so as to have a healthy mix of organisational forms in our societies and economies.
Sylvie: Trust law is but one legal framework among others when it comes to developing innovative data stewardship mechanisms. I think it is of particular interest (and could inspire other frameworks) because of the robust institutional safeguards that come ‘built-in’. These safeguards go beyond those available in the other data governance mechanisms that are available today. At the Data Trusts Initiative, we hope to be looking at these issues, and make such safeguards work in practice over the coming year.
Author: Jess Montgomery (2021)