How can we reap the shared societal benefits that massive aggregated data can unlock, without opening the door to the abuses that are possible with any large concentration of sensitive data?
One effective solution would be a data trust: a piece of legal infrastructure that separates those collecting and using data from those holding custody over the data. Instead of sharing directly with a government or company, data is sent to a data trust, an independent, trusted non-profit entity.
A data trust is created when someone or a lot of someones hand over their data assets or data rights to a trustee. That trustee can be a person or an organisation, who will then hold and govern that data on behalf of a group of beneficiaries and will do so for a specific purpose. The beneficiaries could be those who handed the data to the trust, or anyone else (including society at large).
Importantly, the trustee has a fiduciary responsibility to look out for the interests of the beneficiary, much like your doctor has a fiduciary responsibility to do what is best for you. That also means that the trustee is not allowed to have a profit motive or, more generally, a conflicting interest in the data or data rights under its custody.
Some of the core responsibilities of the data trustee are to decide on:
Collection rights: who can collect and who can decide over future collection?
Access rights: who can access and who can decide over future access?
Use rights: who can use (e.g. withdraw benefits) and who can decide over future use?
The trustee’s decision on what data can be collected, shared and used is based on the preferences and consent extended by the individual data subjects, ranging from citizens to platform users, and on the interests of society at large. When sharing data affects more than just the privacy of an individual, we need mechanisms in place to negotiate between individual and group interests.
What is more, we need better mechanisms to help individuals make educated decisions about data sharing. One option would be to rely on consent proxies: institutions we already trust to make decisions about other aspects of our lives (e.g. medical professionals, community groups, trade unions) could inform our consent decisions by providing us with clear guidance (in the form of a consent profile, or pre-filled privacy statements) on what to (not) agree to.
Companies, researchers, or policymakers wanting to make use of the data must request access from the data trust, making clear how they intend to use the data, and for how long. Their data usage will be audited by the data trust.
Through a data trust, data that is currently enclosed by single platforms would be made more widely available. In principle, if company A can license specific data for a specific purpose and duration, then company B should be able to do so as well. In addition, data could also be made available to researchers or governments.