Reclaiming Data Trusts

Large-scale data sharing is not the only way — or even the most important way — to use data trusts in the public interest

Published: March 5, 2019

Author: Sean Martin McDonald

For most people, “data trust” is a new term. Yet, over the past year, it has been increasingly and frequently referenced in technology and policy circles. This quick move out of obscurity — driven at least in part by Sidewalk Toronto’s proposal to use a civic data trust as part of their smart city development — has inspired a small explosion of documents taking a position on what, exactly, a data trust is.

Data trusts, like any tool with the potential to affect power, are occupying a politically contested space, and the private sector is taking note too; a consulting and software market focused on trusts is quickly emerging. As a result, the public dialogue is being shaped by large, well-financed interests trying to maximize data sharing. But, large-scale privately-driven data sharing is not the only way — or even the most important way — to use data trusts in the public interest, and those practices certainly shouldn’t define the policy environment around fiduciary data governance.

What Is a Data Trust?

Trusts are legal instruments that appoint a steward (trustee) to manage an asset for a purpose — such as conservation of land or maximizing value — on behalf of a beneficiary or beneficiaries who own the asset. Data trusts are legal trusts that manage data, or the rights to data. Civic data trusts move beyond single trustees and build models of fiduciary governance over the management, use and sharing of rights to data. By contrast, civic digital trusts are civic trusts that hold digital assets, like code or a subset of digital rights. Trusts are also common law instruments, although they don’t exist in many legal jurisdictions, and aren’t perfectly standardized, even where they do exist. Some jurisdictions use the term trust to refer to multiple things, including organizations, and most jurisdictions have at least slightly different requirements. Despite that, legal trusts are the most common and harmonized private law instrument for fiduciary management of assets in the public interest — and data trusts are best understood as the legal instrument applied to data rights management

While real-world data trust use cases are rarely neat, they are best explained by the problems they already solve, rather than viewing them as a product capable of solving all problems.

Data trusts are not a Panglossian solution to issues raised by digitization; there are many things data trusts do not accomplish. Data trusts do not implicate a just governance model — they can be designed to be democratic, autocratic or plutocratic. Data trusts do not automatically generate sustainable revenue — they manage assets, but do not inherently solve capitalism’s asymmetries. Data trusts do not implicitly solve abuses of power — no matter the asset put in trust, trustees still need to develop strategies and operations to realize its impact. Data trusts are not permissions management software. Data trusts do not need to hold data themselves — they may act as rights clearing houses or process management. Data trusts are also not singular products; as with most legal instruments, a significant part of their value emanates from their flexibility. And, while real-world data trust use cases are rarely neat, they are best explained by the problems they already solve, rather than viewing them as a product capable of solving all problems.

A Recent History of Data Trusts

The idea of using trusts to improve data governance is relatively new, but it shouldn’t come as a surprise; in a time of waning public trust for mass data collection and use, people are looking to scholarship and legal precedent for new solutions. Thankfully, there is no shortage of either when it comes to the concept of trusts.

The first and largest institutional proponent of data trusts was the United Kingdom in its quest for advantage in the race to lead on artificial intelligence (AI). In October 2017, the United Kingdom’s government published a report, Growing the Artificial Intelligence Industry in the UK, which became the defining policy framework for a £1 billion investment in artificial intelligence. The independent report, commissioned and issued by the government, emerged around the time that another trust, the National Health Service (NHS) Trust experienced public backlash for sharing data with Google’s DeepMind. The report identified that to foster AI, the United Kingdom needed to invest data governance and sharing infrastructure without alienating the public. Artificial intelligence products require extraordinary amounts of data to train and test, which are basic preconditions for developing and launching commercially viable products. The report recommended using data trusts, but was vague in its use of the term. The government, in turn, has been trying to reverse-engineer an implementable framework from that recommendation ever since.

One year later, in 2018, the public and the political establishment woke up to the challenges, both real and potential, of data sharing. The highest-profile example was the European Union’s implementation of the General Data Protection Regulation, as an attempt to consolidate and harmonize digital regulation across their market. For global technology companies, however, the problem isn’t the imposition of a single regulatory regime, but rather the need to navigate many, potentially conflicting regulatory regimes to maintain their cloud-hosted, global and growingly data-intensive businesses.

In October of that year, Sidewalk Labs, a subsidiary of Alphabet, proposed using a civic data trust to govern the data that might be collected as a part of its flagship smart city project in the Quayside area of Toronto. Like the United Kingdom’s proposal, Sidewalk Labs’ de facto endorsement of civic data trusts substantially raised the profile of trusts as a legal mechanism for data governance in Canada, and the technology sector more broadly. As with the United Kingdom, a number of public, private and mixed organizations are stepping forward to define data trusts through analogies and examples.

Over the last 18 months, two Group of Twenty governments and one of the world’s largest companies have committed an impressive amount of capital and political will to incorporating data trusts into their data-sharing relationships. Predictably, those have given rise to a significant amount of attention and attempts to productize the resulting market, and, concerningly, corner the market for legally and publicly acceptable data sharing.

The Intellectual Foundations of Data Trusts

The idea of data trusts as a vehicle for data governance is based, at least in part, on the concurrence of three trends:

  • the encroachment and unbundling of technology companies in increasingly public roles;
  • the evolution of privacy toward individual agency; and
  • the resurgence of trusts, specifically, and the idea of fiduciary governance, generally.

These structural and legal trends position trusts as a private, publicly and legally accountable organizational structure, capable of balancing complex interests to serve a unifying purpose.

As large groups of individuals and public institutions adopt and rely on technology, it has gotten harder to draw the line between public and private digital spaces. As a result, the margins between public rights and private accountability are a contested political space, and the associated liabilities are shaping the rights, companies and markets that underpin digital platforms.

That contested space is further complicated by organizational unbundling — essentially, the disaggregation of traditional companies into a series of their component functions, each of which are separate companies. As a result, a growing diversity of companies play a role in public spaces, with decreasing accountability for maintaining basic standards for public well-being. Companies are not designed to arbitrate public good in politically contested spaces at scale. They are designed explicitly to avoid liability, to be bought and sold and most of all, to maximize value for a narrowly defined group of people. In the absence of harmonized legal guidelines about how to do those things, they are building public governance themselves.

Arguably, the most developed field of public data governance in technology markets is content moderation. As platforms grew to scale, their tools were used to pirate copywritten content, harass and assault people, and, eventually, influence elections and genocide. Companies suddenly had to govern competing political interests all over the world. Content moderation is far from settled practice, but the associated liabilities have driven technology companies to prioritize operational, multi-stakeholder decision-making systems.

Similarly, privacy has evolved significantly in the last 25 years, from a focus on blanket prohibitions on information sharing toward the idea of user-controlled data sharing. As a result, some privacy scholars branched into agency theory, focusing on ways that an individual might exert their privacy rights, and in 2004, Lillian Edwards wrote “The Problem with Privacy,” which explored using trusts as a way to broker privacy rights. While there is enormous breadth and depth to privacy law, across a range of jurisdictions, there’s a near-universal recognition that traditional approaches of privacy aren’t working as intended, in no small part because it’s being left to technology companies. Technology companies are rarely legally responsible for upholding public rights — privacy, free speech or due process for example — meaning that public spaces owned by companies often lack fundamental legal protections.

The imbalance of rights and power in digital platforms, particularly around free speech protection in the United States, was the impetus for a growing chorus of calls for regulators to treat technology companies as information fiduciaries (a person or organization that assumes a duty to represent the best interests of another person). Over the last 20 years, there’s been a significant debate about the nature of fiduciary duties, with unfortunately little agreement on whether there’s a coherent logic that unites their exceptional legal protections. Jack Balkin and Jonathan Zittrain were two of the earliest voices arguing for platform fiduciaries, though, a range of critics point to the practical and structural limitations of statutorily created fiduciary duties that aspire to shape the data governance practices of global platforms. Fundamentally, the idea of information fiduciaries represents users’ understandable desire to hold private companies accountable for the ways they use data we create, but it lacks a practical approach and a clear set of definitions.

The intellectual foundations of data trusts share the recognition that platform companies, governments and individuals all need clearer and more dependable data supply chains. At present, those supply chains are exceptionally difficult to trace — and even if we could, they’re largely comprised of organizational structures that are minimally accountable under the law. Trusts, on the other hand, create fiduciary duties between trustees and beneficiaries, and are flexible enough to adapt to a wide range of functions and governance models. Sylvie Delacroix and Neil Lawrence penned “Disturbing the ‘One Size Fits All’ Approach to Data Governance” in late 2018, suggesting a broader, bottom-up approach to building data trusts as a way to model use cases. Regardless of legal basis or practical function, data trusts have the potential to do something more powerful than creating a legal justification for high-volume data sharing: they could create digital organizations worthy of societal trust.

Data Trusts in Practice

The recent popularity of data trusts isn’t due to their newness, it’s due to the ratcheting regulatory requirements and liabilities around data sharing. As data, AI and the internet become increasingly contested markets, public policy institutions are torn between positioning for competitive commercial advantage and creating data rights frameworks that build public confidence in digitization. Recent advances in machine learning, neural networks and automation are driving an almost bottomless thirst for large data sets with which to train AI products. In the face of regulatory competition and instability, data trusts are one way to proactively define the terms and conditions of data-sharing relationships; they could use private law infrastructure without being overly dependent on government action.

In the face of regulatory competition and instability, data trusts are one way to proactively define the terms and conditions of data-sharing relationships.

While we’re far from settled practice, there are currently at least three prevalent types of use cases for data trusts:

  • multi-stakeholder data and intellectual property-sharing relationships for individual gain;
  • organizations building functional infrastructure to support the development or distribution of shared digital assets; and
  • groups using data, infrastructure or services to align a group’s interests around a common purpose. Each of these use cases represents a functionally different relationship context and set of resulting operational requirements.

Interestingly, the faster-moving use cases are the ones focused on pooling resources for an open-ended purpose, like open data portals — whereas purpose-driven uses, such as advocacy movements, are struggling with how to use data to advance their cause.

There are a range of important legal questions posed by data, and also by data trusts. Most of the criticisms of individual approaches to data governance are based on ambiguities in the legal enabling environment around data. Rather than assume we’ll arrive at one, normative solution for digital relationships, policy makers should be designing for data governance experimentation, public resilience and inter-jurisdictional harmonization.

Among many others, here are five priority policy issues in question:

Data and data rights valuation: Monetization has been a red herring in the conversation around data’s value and ownership, but it points out the fallacy of understanding data’s value as an object, instead of basing valuation on data’s use. That distinction adds complexity to the idea of ownership models, and very few tax authorities clearly or consistently explain their approach to valuing data, or the rights to use data as an asset. There are a range of large, normative questions embedded in that approach: is there speculative value in the right to use data in a particular context, or in the right to represent a person using data? The entire data ecosystem would benefit from clearer guidance on sovereign approaches to digital asset valuation.

Jurisdictional harmonization and arbitrage: Trusts, and fiduciary law more broadly, are a common law instrument, meaning that they don’t exist in a large part of the world. While there are a growing number of countries that have developed fiduciary and trust adaptations, there are not globally accepted standards on fiduciary law or fiduciary data governance. The liquidity of data and remote capacities afforded by technology add additional layers of complexity, because trusts might manage data in a beneficial jurisdiction for use in a more antagonistic context. Digital jurisdiction is a contested space, and a data trust’s choice of law — and how well trust law is harmonized in general — will influence its politics and function.

Beneficiary definition: There’s an ongoing debate between jurisdictions and scholars about the comparative merits of how specifically a trust must define a beneficiary group. The more specific the group definition, the more limited the liability and the easier it is to justify decisions. Conversely, the more broadly defined the beneficiary group, the more complex it is to clearly justify fiduciary action.

Licence limitation: One of the underlying assumptions of data governance generally, and data trusts specifically, is that there is still room for meaningful negotiation over data rights. In order for data governance to matter, the status quo in data licensing will need to move from open and unlimited licensing to more use- and context-defined data licensing.

Data and digital diligence standards: Data trustees will need to be able to make decisions with a basic degree of certainty, in order to perform their fiduciary responsibilities. This requires the definition of basic diligence standards and enforcement capacities that empower trusts to vet and hold their partners accountable.

Thankfully, public policy makers are engaging in the dialogue around data governance at nearly every level. Rather than continue trying to define an ideal end state for data governance, policy makers should focus on building certainty in the areas that will enable experimentation with different approaches to data and rights management. Without building the legal foundations for more equitable negotiations around data, data trusts will continue to facilitate the problematic power dynamics already at play.

The legal history of trusts is replete with examples of monopolies, sheltering dynastic wealth away from taxation and hiding ill-gotten gains in sympathetic jurisdictions. Data trusts are a legal infrastructure where those things are possible but certainly not inevitable. Like any instrument, their governance will be far more influential in determining whether they’re used with the public’s interests, or against them. 

Civic Data Trusts in Practice

Civic data trusts are the same legal instrument as trusts, but instead of appointing a single trustee, they design a governance structure. In fact, one of the key values of designing a civic data trust instead of a data trust is that it requires a direct articulation of purpose, beneficiary and governance model; this transparency is lacking in many data ecosystems. Civic data trusts capitalize on the flexibility of trust governance to educate and engage communities around the issues that go into data governance.

Civic data trusts are based on trust law’s pre-existing move toward using the legal form to build fiduciary governance. In unstable markets, one of the easiest ways to build mutual accountability is through contractually defined duties, and the way to scale that across parties is to represent those duties through governance. The uncertainty also exists at the local level, where data trusts are often used by actors with co-dependent and mutual interests to band together. All data governance mechanisms will create rules, but the importance of civic data trusts is the move from static rules to dynamic evolution. Civic data trusts build mechanisms that define incentives, leverage and enforcement capacity.

Civic data trusts raise a number of interesting legal questions, which will require adaptation in a range of common law countries — even more so, in legal cultures where fiduciary duties and trusts are newer ideas. In contrast to many of the recent efforts to productize data governance, civic data trusts are decidedly long-term investments in building the legal infrastructure and capacity to meaningfully participate in a world characterized by data. They aren’t perfect solutions now, but they offer the potential to experiment with, understand and build the foundations of more perfect solutions amid one of the largest geopolitical shifts of the last century.

Data Trusts and Power

Every great leap in democratic governance started with a distribution of power. Whether through revolution or resolution, the broad arc of the history of governance is toward collective self-determination. That is, in no small part, because of how increasingly interconnected our lives, and our impact on each others’ lives, are. The rise of automation, paired with the connective tissue of the internet and the liquidity of data, is almost inarguably the most complex governance challenge of a generation. Our collective approach to data governance must start with the recognition that the largest governance achievements were not defined by the consolidation of absolute power, but rather by the creation of systems that enable others to exercise their own agency.

While it’s impossible to predict what the defining moment in data governance will be, there are tensions mounting around the historically unprecedented concentrations of wealth and power held by the largest technology companies in the world. Increasingly, those companies face mounting instability as governments politicize ad hoc approaches to data rights and regulation; the shift is stressing the limits of organizational structures, which were not designed for data protection, let alone on a global scale. The need for common standards, reliable norms and accessible institutional infrastructure has galvanized people around the world, and their leaders, to act on the importance of, and opportunity for, international data governance.

The question is, how do we know what that governance should look like?

Data trusts and civic data trusts are tools that can, at the very least, begin answering that question. As with most instruments, the way that data trusts are used will shape their future, for better or worse. If data trusts are going to live up to their hype, we must move past the idea of a singular, simple solution and engage earnestly in the messy politics of building a shared future. The existing tools of democratic governance are only as powerful as we make them through recognition, reform, maintenance and adaptation. Similarly, data trusts and civic data trusts will only be as powerful as the precedent and foundations they are built upon.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Sean Martin McDonald is a CIGI senior fellow and the co-founder of Digital Public, which builds legal trusts to protect and govern digital assets.