Digitization and the collection of data sets span the horizons of human institutions including but not limited to state, society, marriage, business, crime and so on. Data points under the umbrella of data sets such as financial data, sensitive personal data, biometric data, genetic data, personal data, health data etc. are constantly being shared through different platforms without live regulation of the same. Data sharing has increased by leaps and bounds. The phased onset of 5G, rapid adoption of digital tools during the pandemic, monopoly of tech conglomerates and digitization of small and medium scale businesses have tremendously increased the overall data sharing between all the entities. Today, data is involved in almost every dealing, transaction and engagement. There exists a wave of conscious approach towards data security and individual privacy, at least in developed countries.
Considering the role, powers and attributes of the State, some peculiar data sets of its populace pertaining to biometrics, financial and health data are usually collected. Privacy and the State go beyond how States process the data which is collected. Mistrust and disobedience with respect to mandatory data collection might lead to illegal arrests, data breaches, national surveillance threats and other anomalies. The peculiarity of data sets does not call for a separate category of privacy-related solutions; in fact it can be covered through the uniform measures adopted in other arenas. After the data collection by the State, all other hierarchical components can be substituted, in the sense that data can then be misused by the State, corporate bodies, local municipal authorities and so on through a similar or a distinct methodology. Hence, this article shall propose a data trust as a plausible ubiquitous solution to our pressing issues pertaining to data breaches, right to privacy, fundamental right to exercise choice and so on.
What is a Data Trust
A Data Trust might just be a one-stop solution for our privacy concerns with the State as well as other entities. The Open Data Institute defines a data trust as “A legal structure that provides independent stewardship of data”. To fully comprehend this concept of data trust, imagine any other charitable or educational Trust and substitute monetary trust funds with data. Very simply, the idea is to have all the data sets stored in a data repository whose disbursement shall be at the discretion of Trustees/Custodian based on the data subject’s predetermined preference or agreement with the Trust.
There are not only legal, regulatory and policy considerations for establishing a data trust but also technical obstacles involved, which will be explored in this analytical piece. This research shall attempt to lay out the background, technical realities, advantages and practicalities pertaining to a data trust.
What Advantages does a Data Trust bring compared to its counterparts?
At present, there are self-regulatory personal data protection laws across the globe for securing individual privacy. The General Data Protection Regulation (GDPR) in the European Union and state-wise laws in the U.S. are just a few examples of implemented privacy policies. India has also tabled a Personal Data Protection Bill, 2019 in the Parliament, which is largely based on the EU’s version of the GDPR. Although these policies extend protection to data subjects not only from data processing frauds but also from illegal data collection, the matter of concern here is that the methodology proposed in these privacy policies only supplements protection and does not facilitate active engagement in exercising dissemination of data.
Data subjects till today do not have separability or severability of choices with respect to decisions relating to their data collection and processing. To avail a service, the data subject has only two options: either submit the data and access the product, or refuse to submit the data and be disentitled from using the product. A data trust in turn will be an enabler in executing choices with a two-way effort of clustering the rigid exchange of data. With this core feature at the nucleus, the following are, inter alia, the benefits of a data trust:
- Greater choice of data distribution with retention of data subjects’ autonomy
- Personalized maintenance of right to privacy
- Implementable and practical solution as opposed to a theoretical self-regulatory policy
- Regulatory trust in tech companies and reduction of privacy related risks
- Better public research prospects through the data repository
Legal Structure
A data trust has a whole gamut of tasks which it needs to perform to pose itself as an effective alternative to self-regulatory policies. Laying out aims and objects, deciding on the election of the management and operations team, qualifications of a data provider and processor, financing and commissions for exchange of the data, and policy for disbursement of data under different circumstances like charitable, educational, obligatory, law enforcement etc. are some of the significant issues one needs to deal with. In a scenario where it is established that a straitjacket formula for the legal structure of a data trust is not possible, a flexible legal structure seems to be the way forward.
A legal analysis conducted in collaboration with Pinsent Masons, Queen Mary University of London and BPE Solicitors reveals that a Trust established under the Laws relating to Trusts might not be a totally viable option for a data repository. There are several reasons as to why a corporate structure or a contractual structure would be a better alternative for a mechanism like this. Some of the fundamental reasons are as follows:
- Data is not yet recognized as property, and hence cannot be the subject matter of a Trust
- Collective interest of the group rights might trump individual autonomy in a Trust. This would lead to further non-alignments between intra-data trust interests of the data subjects.
- The Trust Deed might be an inflexible governing document and personalization of data disbursement would not be possible.
Hence, as per the Report, different legal models for a data trust repository are proposed, such as the Community Interest Company Model, Contractual Framework Model, Corporate Model and Public Model. These are put forward taking into consideration that different models shall specialize in different kinds of data, some bulk and some complex. The legal structure must not only be in consonance with rights, liabilities, terms & conditions but also practical realities, commerciality and overall consent. Data being a new ‘product’ in a closed environment and an established arena, more flexibility in law is going to increase acceptability of a possible data trust mechanism.
Data Subject’s Autonomy
The group which provides the data, more often than not, does not have the basic choice regarding the manner in which its data will be processed or administered. For instance, the data provided for app registration might end up staying with the data processor throughout the existence of the processor entity without the data subject’s say in the retention period of the same. As mentioned earlier, there are policies in place. These policies are complicated and stodgy to the user who has come to avail certain services and expects quick results. Even if one manages to read through the complex code pertaining to privacy for one particular service, the data provider is not left with a lot of options to exercise. The data provider can either accept and avail the service or reject and not avail the service at all. There is no choice of providing some data and accessing some services, or reserving the data which is not relevant and still having access to the service.
With a data trust mechanism, several options can be exercised. Time frame, choice of data, manner of use, selective sharing with third parties etc. would be some of the options available at the touch of a button; disbursement of data sets can be personalized and configured to the data provider’s needs.
Handling everything from the location/placing of servers to the specific categorization of data sets to guidelines and instructions with respect to data disbursement, all in a swift manner, is a complex affair. It shall require determination of rights at various levels, from policy to individual to group rights. The categorization of data sets itself is a complicated issue and requires immense organizational capabilities to get it up and running. To give an idea of how complex data sets can turn, a case in point is a discontinued project of Sidewalk, which intended to collect data through passive sensors of Google on urban infrastructure amenities in a neighborhood in Toronto. It intended to collect data to measure which neighborhood shall develop, how streets respond, traffic management etc. The project was discontinued specifically because of ambiguous categories of data which were being processed.
Another example of a real-life data trust is a pilot project by the Open Data Institute, known as the UK’s first data trust, to tackle illegal wildlife trade and food waste. A data repository containing data sets pertaining to illegal wildlife trade, image data relating to endangered species and data pertaining to gunshots in protected areas is proposed. These valuable data sets will be made easily accessible to the wildlife community and relevant patrol units. AI and machine learning coupled with sensor technology are proposed to be highly used, helping to obtain valuable real-time data sets. A part and parcel of the same project is reporting the nature of food waste and where that food ends up. This shall help policy makers reduce the losses incurred on account of food waste. These experiments will surely clear some clouds and reduce the complexity of data anatomy.
Means of launch
The concept of data trust will flourish only with mutual efforts from all sectors, i.e. the government, data provider and processor. In order to establish the same, a foolproof, hassle-free mechanism with profitability for all needs to be emphasized. A step backwards, where the root of this jurisprudence might take birth, is shared conscience and possessiveness about one’s data. Not dump data but structured data is the new gold and, mind you, that is not being sold or shared for free. It is famously stated that when you are not paying for the product, then you are the product. In the garb of over-the-board and quicker services, a greater chunk of users are not out of complacency with respect to their personal data yet. A more conscious approach towards data privacy in general would ensure more liability for violation of data rights, and no doubt self-regulatory policies are a great step towards it, but it is a very small step considering the stakes at hand.
The exchange of data could have been said to be a non-interferable commercial transaction between two private parties, but it is not so. A consortium of data providers, while sharing their data with one entity, forms a conical bias system where the outlet is restricted at the choice of one entity. Together, the processing of huge amounts of data forms patterns, builds monopoly and subdues bargaining power. Only when there is greater liability will there arise a need for a better mechanism, which could be a data trust. Then all the sectors including tech companies will be on board, because mechanisms like a data trust would provide for a secure channel and reduce risks associated with data breaches. This is naturally so because a robust environment of data trust shall not only ensure better availability of data sets but also lead to development of technologies like AI and ML. Technologies like distributed ledger, federated machine learning and homomorphic encryption can be embraced and developed. For several conventional technologies, there has been an element of disruptiveness. Instead of reacting to the disruptive technologies, an ideal policy should be accommodating. Data trust as a solution to disruptive technologies at least addresses a crucial stake in the commercial fraternity, i.e. misuse of data.
To get and remain relevant, a data trust could mold itself to be autocratic, plutocratic or democratic. It needs to implement a revenue model on an ethical basis. Unless and until a sustainable strategy is formulated, a data trust will not automatically address the problem of hierarchical bias and bargaining deficit. The structural decision making is crucial in a data repository. For instance, there could be two entities managing data, where one would be responsible for collection and the other may be responsible for processing or disbursement. Structure is amendable and flexible. Hence, in the latter kind of entities, think tanks shall play a huge role in policy implementation without having to deal with the repository technicalities. Data trust is incomprehensible as a singular product, at least in initial stages; hence its success shall depend on flexibility and acceptability.
(This article is authored by Akash Manwani. He is the Chief Innovation Officer at the Indian Society of Artificial Intelligence and the Law and a recent law graduate of the University of Mumbai)