Data Trusts

Sovereignty in handling your personal data


6 December 2020

Out now: Read our publications The compatibility of data trusts with the General Data Protection Regulations (GDPR) and Data trusts in Germany and under the GDPR on the topic of Data Trusts.

When it comes to our personal data, the positions seem irreconcilable: on the one hand, there are the heralds of salvation in the wonderful world of "Big Data", where data-driven processes using so-called artificial intelligence are helping to end the corona pandemics, overcome (social) injustice and stop climate change. On the other hand, the apocalypticists who foresee the end of democracy should not succeed in putting surveillance capitalism in its place. Between these fronts, there is little room for differentiated proposals on how to protect the right to privacy, while at the same time using the knowledge that data provides to benefit us all. The idea of data trusts, also called data trustee models, is one such proposal. Now, it needs to be filled with life.

In recent years, interest in data trusts has increased considerably. The German "Datenethikkommission" (Data Ethics Commission) and the "Kommission Wettbewerbsrecht 4.0" (Commission on Competition Law 4.0) (p. 44) recommend "investigating the feasibility of setting up data trusts and in this respect examining various models". In its key points of a data strategy, the German government has announced that it will "analyze" what "prerequisites need to be created and what contribution trustworthy data spaces and structures of data trustees can make to strengthening voluntary data sharing". On the basis of these findings, it should be decided which instruments can be used to promote the emergence of such trustees, if possible at the European level.

All this remains very vague. No data trusts have yet been established in practice in Germany, only case studies have been discussed. In order to understand whether and how this instrument could be applied under German law, we have worked out concrete questions for a legal opinion together with our Mozilla Fellow Anouk Ruhaak and with the support of the ZEIT Foundation. This expert opinion paper on the compatibility of data trusts with the General Data Protection Regulation, which is now available, is a first, important step towards understanding what is currently achievable - and which laws would have to be changed if we want to implement more comprehensive data trust models.

Based on this, we will analyze whether we can establish a data trust within our DataSkop project.

Data Trust - what is it?

A data trust is a fiduciary relationship in which one party grants a data trustee the right to hold data or data rights in its name and to make decisions about them. One variation is to create data trusts, like other trust instruments, for a specific purpose (e.g. "cure cancer"). Decisions are made with a view to a specific beneficiary or group of beneficiaries.

For example, a cancer patient may wish to provide data for medical research that focuses on curing a particular kind of cancer. The patient delegates the power to decide who gets access to his or her data to a trustee rather than making his or her own decisions. The trustee has a duty of care and loyalty when handling the beneficiary's data. This means that it only makes decisions that are in the sole interest of the beneficiary (in this case the patient).

Data trusts could be particularly useful in situations where we cannot rely solely on the individual consent of the individual to decide how data should be collected, made accessible, and used. This is the case, for example, when data involves more than one person. Take DNA data, for example: When an individual decides to share his or her DNA, decisions are also made on behalf of family members, as their DNA-data is likely similar.

Furthermore, the collection, use and access to data often involves risks and benefits not only for the individual to whom the data relates, but also for society as a whole. Collective bodies, such as data trustees, are better placed to address these challenges. Finally, as the "Datenethikkommission" also emphasizes, data trusts can help to create consent mechanisms that do not place the entire burden of decision-making about data on the individual, while fiduciary duties help to ensure that data trustees always act in the interest of the data subject.


Dr. Michael Funke
November 2020

Anouk Ruhaak
December 2020

Sign up for our Community Newsletter

For more detailed information, please refer to our privacy policy.