Data trusts in Germany and under the GDPR

The report by Anouk, Ruhaak, Mozilla Fellow at AlgorithmWatch, considers alternative approaches to data governance, specifically data trusts.

The ongoing collection of personal data and the use of this data in automated decision-making systems (ADMS) raises questions about the effectiveness of current approaches to data governance. Personal data is collected and used to automatically predict and prescribe our actions. There is much to be said about the accuracy of such predictions, but while their benefits may be unclear, their harms are certainly not. The vast majority of use cases of data-driven, automated decision-making systems recorded in the Automating Society 2020 report tend to endanger, rather than help people.

Depending on where you live, you may now have the right to allow or prevent the collection of data about you. These rights are vital, but on their own, they are insufficient to protect individuals and society against the worst harms of mass data collection and use. In addition, they do little to promote the collection of data for uses that benefit us. We need data governance models that emphasize both the individual and collective risks of data sharing and help us decide when and how we want to make data about ourselves available.

The European Commission’s most recent proposal for a Data Governance Act takes the first steps towards the creation of such governance models. It proposes a regulatory framework that allows independent third parties to act as intermediaries between data holders and data users. However, this proposal falls short in at least two ways. On the one hand, it does not allow for intermediary services to represent the data rights of data subjects. As a result, the ability of data intermediaries to act on behalf of others is severely limited. On the other hand, the regulatory requirements for these new organisations do not provide sufficient safeguards against abuses of power.

In this report, we consider alternative approaches to data governance, specifically data trusts.

We discuss three major points:

  • The shortcomings of our current approach to data governance that mainly focuses on individual data rights.
  • How the reduction of the collective harms of data sharing and the simultaneous activation of collective benefits of our data require approaches to data governance that rely on greater democratic control over our data.
  • The specific role of data trusts as independent intermediaries with a fiduciary duty to act on behalf of data subjects.

Key recommendations:

  • We recommend greater clarity on the various legal uncertainties that currently undermine the creation of data trusts and similar data intermediaries.
  • We argue for the creation of a new legal role: an intermediary that can represent the data rights of data subjects that would have to adhere to a strict set of safeguards and duties.
  • We recommend a series of trials within the safe confines of a regulatory sandbox.

With support from