Bottom-up data Trusts: disturbing the ‘one size fits all’ approach to data governance

The current lack of legal mechanisms that may plausibly empower us, data subjects to ‘take the reins’ of our personal data leaves us vulnerable. Recent regulatory endeavours to curb contractual freedom acknowledge this vulnerability but cannot, by themselves, remedy it—nor can data ownership. The latter is both unlikely and inadequate as an answer to the problems at stake. We argue that the power that stems from aggregated data should be returned to individuals through the legal mechanism of Trusts. Bound by a fiduciary obligation of undivided loyalty, the data trustees would exercise the data rights conferred by the GDPR (or other top-down regulation) on behalf of the Trust’s beneficiaries. The data trustees would hence be placed in a position where they can negotiate data use in conformity with the Trust’s terms, thus introducing an independent intermediary between data subjects and data collectors. Unlike the current ‘one size fits all’ approach to data governance, there should be a plurality of Trusts, allowing data subjects to choose a Trust that reflects their aspirations, and to switch Trusts when needed. Data Trusts may arise out of publicly or privately funded initiatives. By potentially facilitating access to ‘pre-authorized’, aggregated data (consent would be negotiated on a collective basis), our data Trust proposal may remove key obstacles to the realization of the potential underlying large datasets.