“Data trusts are a type of data steward which are legally recognised trustees that hold data in a trust, as defined by law, and make decisions on behalf of people. There is a fiduciary responsibility between the people whose data it is and the trustees who hold it. The trustees can decide on how this data is used, how it is not used, where it is shared, who it is shared with,” a speaker explained at MediaNama’s discussion on the Governance of Non-Personal Data held on August 7. It is a legal structure or relationship that doesn’t reveal much about the underlying data commons, another speaker pointed out. Both the speakers cautioned that there are very few data trust models in the world.
Data stewardship, on the other hand, “is the ability to unlock the value of data, while making sure that the rights of people are safeguarded,” the first speaker clarified.
Case in point: Sidewalk Toronto
Google’s open infrastructure and technology arm, Sidewalk Labs, had entered into a public-private partnership with a neighbourhood in Toronto. Under this project, Google embedded passive sensors within urban infrastructure to decide how streets and traffic management is going to happen, what kind of neighbourhoods get developed, how do you locate the most essential communities to allocate resources to and so on. The project has now been scrapped, a speaker pointed out, but it started out as a civic data trust that “somehow downgraded” to an urban data trust, potentially to move away from the idea of civic responsibility. This trust, however, was not a legal entity, the speaker cautioned, and ended up being a data flow management entity. “There was no sense of how it would be independent. They also had ambiguous categories of the data they would steward. Urban data was defined as a public resources over which no community could exercise ownership,” they said. And hence, it wasn’t a good instance of a data trust, they concluded.
The discussion was held with support from Centre for Communication Governance (NLU Delhi), Facebook and FTI Consulting. The discussion on data trusts was held under the Chatham House Rule. All quotes have been edited for clarity, brevity and anonymity.
Relationship between data trusts, trustees and community
Definitionally, the existence of a data trust encompasses the data trustee as well. “The data trust defines the relationship between all of the stakeholders,” a speaker said. To that end, it is necessary to narrowly define the beneficiaries of a data trust because if the beneficiaries are too broadly defined, they cannot uphold their fiduciary responsibility, another speaker said.
But then we run into the problem of defining a community. “Who is the community? Can we put a boundary around it? And do people actually identify as such? It’s not necessary for a data trust to exist, but I do think it’s necessary for a good democratic data trust to exist,” a speaker pointed out. A community, as a number of speakers pointed out during the two days of discussion, is not a homogenous, static entity that exists only along one axis of identity. This makes defining data trustees for it a daunting task, at least within the restraints of the current report.
When it comes to the relationship between a community and a data trustee, that contractual relationship comes in to force even if there is no written contract. “All these special, fiduciary duties and responsibilities of a trustee will come into force whether or not that’s part of the contract,” a participant pointed out. This is similar to visiting a doctor — a doctor has to have the patient’s best interests in mind irrespective of whether or not a contract is actually signed.
Role of a data trustee and a data trust
A data trustee would work in the sole interest of the data principals or subjects, two speakers explained. This could include negotiating with technology companies on what data is required, how it should be collected, etc. As a result, data trustees could become an actual profession where non-profits specialise in understanding the conditions under which data should be collected, risks associated with that, how data can be shared, and so on, a participant said. “A quack cannot be allowed to become a data trustee. Somebody who fulfills the obligations of a data trustee will take on this liability,” they explained.
A company cannot be a data trust because as a part of its fiduciary duty, a data trust can only act in the sole and best interests of its beneficiaries, a speaker pointed out. “A company CEO’s fiduciary duty is usually to make a profit,” they said, thereby bringing it in conflict with its presumed fiduciary duty towards the community.
Similarly, large data banks, such as NPCI, should not be data trusts and the report should clarify that, a speaker said. “The report should clearly and critically define the role of a data trust so that they cannot monetise the data that they are responsible for and are structured as non-profits that can work to the benefit of people. The question of business model is also critical in this,” they said.
Although all data trusts that have been implemented right now have been implemented through philanthropic work or as a non-profit exercise, there are problems with data trusts being set up as non-profits funded by philanthropists, a speaker said. “There needs to an independent structure that allows data trusts to function in a way where they can fulfil their purpose of stewarding on behalf of the people,” they said.
Governance via data trust: Need for data trustee to represent people
A speaker pointed out that infrastructures already exist to represent groups of people and to exercise collective power. As a result, these existing infrastructures, that are already making decisions on behalf of collectives, would be better placed to be data trustees instead of building the ecosystem from the ground up, they said.
The problem here is ensuring that such data trustees actually “execute the will of the people”. “The data trustees could land up acting like benevolent dictators who ask people what they want but ultimately make the decisions themselves, or it could be a more participatory system where everyone gets to vote or have a say in a direct or indirect way,” they said. Like legal infrastructure, a data trust does not reveal how governance decisions are actually made, they pointed out.
A hypothetical example of a data trust for Uber
A speaker gave the example of there being a hypothetical data trust for Uber drivers. The aim of this trust would be to work with drivers to steward their data. This trust could serve as a point of contact between the drivers and the data controller or Uber itself. This data trust would represent the community of Uber drivers, say in a certain city. This could potentially give drivers greater control over their data and if third parties should have access to it? Although the speaker suggested that a union could focus on negotiating with the platform on issues of labour while the data trust could negotiate on the issues of data use, access, collection, etc., it was not clear why a labour union could not look after data issues as well.
Concerns in the Report on Governance of Non-Personal Data
- Data trusts and trustees have not been assigned fiduciary responsibility: Two speakers pointed out that data trusts and trustees have not been assigned any fiduciary responsibility, and instead weak duty, under the rubric of “duty of care” has been assigned to data custodians. “This is like saying, ‘don’t be negligent’,” a speaker said. And assigning it to a data custodian, which is usually a private company, would be futile because a private company cannot act in the sole interests of people when its primary goal is to maximise profit.
- Relationship between different stakeholders is not clearly defined: The report has only defined data trustees as representatives of data principals and not elucidated upon it further. “How do I, as an individual, engage with my data trust? How does my data trust engage with the data custodian?” a speaker asked.
- Government entities are considered the de facto data trustees: Multiple speakers had a problem with assigning government ministries, departments or agencies as data trustees. “At least in our imagination, we think of a data trustee as closer to the community, as a representative of the community,” a speaker said. With a government agency, it is not clear how that distance between the community and the trustee would be overcome, and how decisions would be made in a consultative manner.
- Functions of data trust will differ based on purpose: One of the speakers pointed out that the report does not define the data trust would be actualised. “The report also needs to recognise that the functions of the data trust would likely differ on the basis of purpose and the platforms it engages with,” they said.
- A lot is currently unknown: The speaker also pointed out that a lot is unknown: the relationship between the community and the data trust; the relationship between data fiduciary and data trust. It is also not known how hierarchies between and within communities would be addressed via decision-making around data. “Data trusts are currently very ambiguous,” they said.
How could a data trust work?
A speaker joked that they had lost track of the terms in the reports: data trusts are called infrastructure, and at times data is called infrastructure. But they said that since data trusts are a legal structure, they can be used to govern data rights as well. The first step towards governing these rights and preventing data from becoming property is to have a personal data protection law, they said. Non-personal data rights, however, are unprecedented, they pointed out.
The second step, they said, it to mandate those data rights to the trust. “And that means that we can say, ‘Hey, I have all these rights, but I am kind of tired of making all these decisions on my own behalf. Also, a lot of these decisions affect other people. So, I would like to do that collectively and I would like a data trustee to execute them on my behalf. But equally, I don’t want Facebook to have those same rights, right; I don’t want Facebook to execute my rights on my behalf’,” they said.
How can data trusts be regulated?
- Establish principles: A speaker warned that these need to be actionable princip.es that assign responsibility and define independence. They also need to lay down the protocols for every data trust to follow. Another speaker pointed out that these principles should also define what “good” is, and if a data trust wants to be a data trust, it has to adhere to these principles.
- Set up oversight boards: Although they have not weeded out corruption, the speaker acquiesced, oversight boards require constant vigilance.
- Set transparency standards: Data trusts cannot be allowed to make decisions in closed rooms without being held accountable for them, they said. “What I would like to see is for data trustees to publish all their decisions every day. Like, we allowed this company to collect XYZ, we allowed this person to share data with that person, etc. so that all the watchdogs and civil society can monitor the decisions,” they said.
- Forbid data trusts/trustees from seeking employment with data fiduciaries, at least for a period: The speaker compared data trusts to elected officials. “Our elected officials have a fiduciary duty to look after us; that’s why we elect them. And we frequently see politicians leave office and work for companies that we sought protection from. That’s one of the risks I see for data trust as well. What is to keep a data trustee from cease being a data trustee and start working for the Facebooks or Googles of the world?” they asked.