Designing Data Trusts. Why We Need to Test Consumer Data Trusts Now

Policy Brief

Data about individuals, about their preferences and behaviors, has become an increasingly important resource for companies, public agencies, and research institutions. Consumers carry the burden of having to decide which data about them is shared for which purpose. They want to make sure that data about them is not used to infer intimate details of their private life or to pursue other undesirable purposes. At the same time, they want to benefit from personalized products and innovation driven by the same data. The complexity of how data is collected and used overwhelms consumers, many of whom wearily accept privacy policies and lose trust that those who gain effective control over the data will use it for the consumers’ benefit.

At the same time, a few large companies accumulate and lock in vast amounts of data that enable them to use insights across markets and across consumers. In Europe, the General Data Protection Regulation (GDPR) has given data rights to consumers to assert their interests vis-a-vis those companies, but it gives consumers neither enough information nor enough power to make themselves heard. Other organizations, especially small businesses or start-ups, do not have access to the data (unless individual consumers laboriously exercise their right to portability), which often inhibits competition and innovation.

Governments across Europe would like to tackle the challenge of reconciling productive data use with privacy. In recent months, data trusts have emerged as a promising solution to enable data-sharing for the benefit of consumers. The concept has been endorsed by a broad range of stakeholders, including privacy advocates, companies and expert commissions. In Germany, for example, the data ethics commission and the commission competition law 4.0 have recommended further exploring data trusts, and the government is incorporating the concept into its data strategy.

There is no common understanding yet what consumer data trusts are and what they do. In order for them to address the problems mentioned, it is helpful to use as a working definition: consumer data trusts are intermediaries that aggregate consumers’ interests and represent them vis-à-vis data-using organizations. Data trusts use more technical and legal expertise, as well as greater bargaining power, to negotiate with organizations on the conditions of data use to achieve better outcomes than those that individual consumers can achieve. To achieve their consumer-oriented mission, data trusts should be able to assign access rights, audit data practices, and support enforcement. They may or may not need to hold data.
The wide endorsement that the concept of data trust has received might also be related to the fact that there are only a few practical examples or ideas for implementation. There is no consensus on how data trusts can be designed in order to fulfill the expectations they are raising. Policy-makers should address the complexity of data trust design by first solving the most imminent challenges for implementation:

First, how can we make sure that the interests of the trust are aligned with those of the consumers it represents? The legal and financial set-up must reassure consumers that the trust will act in their best interest. For this purpose, initial funding from public sources, a data tax or levy or a trust membership fee could finance data trusts.

Second, how can we make it easy for consumers to express their interests? For consumers to use a data trust, it must translate the heavy burden of ”informed consent” into decisions that consumers feel confident making. For data trusts to represent consumer interests, consumers must be able to delegate their data rights, possibly more than is currently compatible with the GDPR. Options for making such delegation possible include extending the possibility for representation (Article 80) to include exercising data rights and allowing consumers to delegate the right to provide (and withdraw) consent while assigning data trusts a privileged status.

Third, how can organizations be motivated to work with data trusts? Data trusts should be designed to enable organizations to use data in line with consumers’ interests. The prospect of access to more data and more legal certainty may be enough for many organizations, in particular small companies, to engage with a data trust.

Real-world tests and pilots are necessary to determine whether data trusts give power to consumers to assert their interests more effectively than they currently can, and how exactly they need to be designed for that purpose. Only then does it make sense to consider further steps, such as guidelines, regulation or other forms of legislation, for example, to make sure that also vulnerable consumers benefit from data trusts and firms cannot undermine them. Testing data trusts may be difficult in the current legal framework that does not allow for a sufficiently broad delegation of consent and data rights to a trusted entity. Regulatory sandboxes could provide the appropriate safeguards for testing data trusts under close supervision and with high transparency requirements. This can allow us to take this opportunity to try and make more data flow for the benefit of consumers.