SOCEDS: SOLIDARITY-BASED APPROACHES FOR THE CREATION OF COMMON EUROPEAN DATA SPACES - DR PHOTINI VRIKKI - CHARLEMAGNE PRIZE ACADEMY
SoCEDS: Solidarity-based approaches for the creation of Common European Data Spaces Dr Photini Vrikki FIRST MILESTONE
Introduction
The coronavirus pandemic has revealed the ever-increasing need for data flows within the EU and across sectors for economic and health recovery. Likewise, the European Strategy for Data has outlined plans to develop an agile EU data economy, including the launch of Common European Data Spaces (CEDS). This first draft paper looks at the links between CEDS and policy development to offer an understanding of how solidarity-based approaches can advance clear and trustworthy data governance mechanisms. The concept of ‘common data spaces’ has widely been lauded in the EU[1] as a progressive alternative to traditional data exchange infrastructures, which have faced heavy criticism in the last decade for their oligopolistic, black-box algorithmic market, controlled by US- and China-based tech giants[2]. This project argues that current and future EU policy should go beyond legal frameworks, to include solidarity mechanisms in these newly proposed CEDS. Interrogating the social and cultural dimensions of CEDS contributes to a growing body of literature that seeks to re-politicise the collection, storing, processing, and use of data and promotes a transparent policy framework for Europe’s digital sovereignty.[3] As the first part of the project, this document provides a review of the work on which this study will be based, by assessing and evaluating the solidarity approaches of five options for data spaces: 1. Data as commons; 2. Bottom-up data trusts; 3. Charitable trusts; 4. Data as public good; and 5. Individual data ownership. This exploration identifies challenges and opportunities for the realisation of CEDS for the EU. The project supports the benefits of open and shared approaches to data collection, processing, and analysis, proposed by the European Commission, while noting the low levels of sociocultural safeguards in the current digital policy frameworks, namely the Data Governance Act, the Digital Services Act, and the Digital Markets Act.
It also highlights how CEDS as a practice, even in the framework of solidarity, if not infused with sociocultural mechanisms, may remain unduly influenced by the harmful vestiges of marketisation and corporate interests. The study proposes and distinguishes ‘solidary data spaces’ as a specific policy framework for the European Union and offers recommendations for a more trustworthy and transparent future for data exchanges.
[1] Data sharing in the EU – common European data spaces (new rules), 2020 [Accessed December 2020]
[2] Broussard, Meredith. Artificial unintelligence: How computers misunderstand the world. MIT Press, 2018. Perez, Caroline Criado. Invisible women: Exposing data bias in a world designed for men. Random House, 2019. Vallor, Shannon. Technology and the virtues: A philosophical guide to a future worth wanting. Oxford University Press, 2016.
[3] Floridi, Luciano. "The fight for digital sovereignty: What it is, and why it matters, especially for the EU." Philosophy & Technology 33.3 (2020): 369-378.
Table of Contents
1. The Culture of Solidarity
1.1. EU Data Governance
1.2. Trust the Process?
1.3. A Hard Act to Follow
1.4. Solidary Governance
2. Common Data Spaces for a Digital Europe
2.1. Data as Commons
2.2. Data Trusts
2.2.1. Bottom-Up Data Trusts
2.2.2. Charitable Data Trusts
2.3. Data as Public Good
2.4. Individual Data Ownership
3. Solidary Common European Data Spaces
‘If I were to do it again from scratch, I would start with culture’. Jean Monnet[4]
[4] This well-known statement is ascribed to Jean Monnet across many of his European talks.
#1 THE CULTURE OF SOLIDARITY
The spectre of alienation is haunting Europe. Fragmentations between state-members, hostility between populations, the impact of the COVID-19 crisis, the corrosion of common values, and social polarisation have created new, and expedited already existing, politico-economic tensions and inequalities. I started this section with Jean Monnet’s alleged regret about the beginnings of the EU to stress the current importance of centring our shared cultural values instead of spotlighting the common market—which has arguably been our main concern since the beginnings of the EU. Cultural tensions in the union have been present for more than 20 years, with the President of the European Commission in 2004, José Manuel Durão Barroso, stating that “the EU has reached a stage of its history where its cultural dimension can no longer be ignored”.[5] Undoubtedly, the austerity measures that resulted a few years later due to the 2007 economic crisis and our response to the refugee flows revealed even more how much our European culture has been in a state of disillusionment and disintegration. In the words of Pascal Gielen, our “lack of attention towards culture [...] is the main cause of today’s political and economic crises”.[6] Right now, investing in culture is as important as, or more important than, investing in our health, environmental, and economic prosperity.
[5] Speech by José Manuel Barroso, President of the European Commission, “Europe and Culture”, Berliner Konferenz für europäische Kulturpolitik, Berlin, 26 November 2004 [Accessed November 2020]
[6] Gielen, Pascal. No culture, no Europe: on the foundation of politics. Valiz, 2015, pp.11-12.
In the context of this project, I argue that along with the development of CEDS it is also imperative to cultivate and sustain a culture of solidarity for data before focusing on market interests. Solidarity functions as a key principle of European culture, with all the signatories of the Treaty on the European Union expressing their desire “to deepen the solidarity between their peoples while respecting their history, their culture and their traditions” (Preamble, recital 6).[7] Solidarity is presented as the sum of EU Member States and their ‘peoples’, but the extent to which such European culture based on solidarity is also inclusive of citizens’ and Member States’ data is far from clear. If we want to shape a European data future that builds an open, trustworthy environment in which citizens are empowered in how they act and interact, and of the data they provide both online and offline, we need to support a European way to digital transformation[8] which enhances our values, our social benefit resonance, data literacy, and techno-cultural coherence. To do that we need to advocate for a cultural solidary paradigm that can aid us in creating a data blueprint that counters any challenges between different State Members, cultures, values, and their technology infrastructures. Currently, solidarity seems to be an afterthought, not a primary responsibility, for the evolution of these new data infrastructures. Yet these new data infrastructures we will shape will shape us in return. By deploying solidarity principles from the outset, we can guarantee that CEDS will be trustworthy and beneficial to all. Developing solidarity from the perspective of the citizens, and not primarily of the EU market, will be crucial to the development of the next stages of CEDS.
This will be particularly important for the ‘data altruism’ concept used in the Data Governance Act[9] to describe “data that is made available without reward for purely non-commercial usage that benefits communities or society at large” (Chapter IV & Article 2, 10). With the objective “to create the right conditions for individuals and companies to trust that when they share their data, it will be handled by trusted organisations based on EU values and principles”, solidarity becomes a requirement, not just a proposal. Clearly ‘data altruism’ seems to be premised on inter-state collaboration within the EU, but we need genuine and practical solidarity towards State Members facing particular issues with digital infrastructure and data processing, including national policies and data literacy, if we want CEDS to be beneficial to the European society as a whole, with no exceptions.
[7] ‘Consolidated version on the Treaty on European Union’. (09-05-2008). Online PDF. 05-05-04-2013. (C115/28) [Accessed January 2021]
[8] Shaping Europe’s digital future [Accessed November 2020]
[9] Regulation of the European Parliament and of the Council on European data governance (Data Governance Act) COM(2020) 767 final 2020/0340(COD) [Accessed December 2020]
1.1. EU Data Governance
In November 2020, the European Commission published their plans for a Data Governance Act (DGA)[10] which will aim “to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU”. At its core, the Act is highly intricate and puts forward several policy mechanisms for succeeding in establishing this anticipated European-wide progress through data. The shortcomings of the Act are mostly found at its outer layers. Its prime focus, as I mentioned in the previous section, is on data markets and commercial rights. By prioritising the economy, the DGA neglects to incorporate the cultural and social dimensions of these European-wide changes. By fixating on the importance of the markets the Commission fails to engage with the growing numbers of people who oppose the concentration of power onto commerce and the rising disillusionment with digital solutions and technology determinism.[11] In fact, mistrust in technology and public institutions has been amplified in the past decade precisely because of the ways in which technology has been consolidating power into ever fewer hands while public institutions turn a blind eye.[12] Setting the market, and by extension the economy, at the centre of the Data Governance Act (DGA), the Commission leaves itself susceptible to intensifying the Union’s economic fragmentations and to scraping even further the thin ice on which State Members such as Greece, Poland, and Hungary walk when it comes to their relationship with the EU. Despite its obvious innovative approaches to data-sharing, e.g., the re-use of sensitive public sector data, the Data Governance Act floundered in demonstrating how these developments will serve all State Members equally. Undoubtedly, the DGA is the groundwork of contemporary and much needed policy mechanisms for data exchange.
It’s a negotiated, multi-stakeholder act of binding data governance and should be considered as a progressive move toward European and international digital frameworks. The Act can build collaborations between local, national, and digital actors and advance access to publicly held data, clarify the line of data ownership from service level to the market, and estimate liability types. It also proposes the ‘best interests of the rights holder’ responsibilities for institutions that act as brokers for public data, assigns consent for some digital rights, and offers individuals the control of their data privacy and sharing for commercial purposes. These are some of the positive and innovation-led propositions that will benefit direct accountability parameters and allow for a steady and reliable market transformation for data. But beyond the analysis of these policies, which is not the focus of this project, we need to consider the social impact of this innovation. The wider population in the EU is increasingly distrusting digital platforms and data systems because of their monopolistic and black-box nature, not because they recognise the limited extent to which their commercial rights are carried out within these structures.[13] Reading through the Data Governance Act, the Commission repeatedly calls for “data altruism”, a practice which describes the way in which established organisations will engage with “data voluntarily made available by individuals or companies for the common good” and which, as I described earlier, asks individuals and businesses to share their data freely and with no reward. Highlighting the significance of data exchange, the Commission shows its commitment to realising the power and value of data. In this context, the Act also epitomises and puts in use previous data policy frameworks, such as the categorisation of ‘personal’ and ‘non-personal’ data, anonymisation as a privacy protection, and the use of consent forms. Many of these mechanisms have failed to get the trust of the public in the past, e.g., the deployment of GDPR, yet the Act insists on implementing them in this new movement toward trustworthy continental data sharing. This new Act cannot mask issues that have been present in data governance before (e.g., inconsistencies in national and European legislation we faced with the deployment of GDPR), and which have previously forged alienating sentiments across EU members and their citizens. It is indeed cynical or even unrealistic to ask State Members and their communities to incorporate in their already stretched, fragile, and very uniquely culturally specific processes, data sharing processes that are not clearly beneficial to them. And here, we arrive at the three vulnerabilities of the conception of CEDS: 1. social benefits resonance; 2. data literacy; and 3. techno-cultural coherence. For CEDS to result in social benefit resonance we need to ensure that all State Members receive the same degree of benefits from data exchange. To reach equal data benefits, however, we also need to advance data literacy to increase awareness of this scheme’s importance for both citizens and businesses.
[10] Ibid.
[11] Goodwin, Ian, and Steve Spittle. “The European Union and the Information Society: Discourse, Power and Policy.” New Media & Society, vol. 4, no. 2, June 2002, pp. 225–249.
[12] Hicks, Mar. Programmed inequality: How Britain discarded women technologists and lost its edge in computing. MIT Press, 2017.
[13] 20th Annual Edelman Trust Barometer, Special Report: Trust in Technology [Accessed September 2020]
This is particularly the case with Member States that struggle with digital divides and lack knowledge, infrastructure or resources to even begin the processes of data sharing.[14] Techno-cultural coherence then becomes crucial because we need to develop this new infrastructure through shared cultural dimensions across State Members, that will hopefully in turn lead us to trust this new data infrastructure. In the absence of cultural coherence, no common spaces will ever be achieved. Social benefits and cultural coherence are often taken for granted in the European Union, as something that organically sources from the union. In efforts of this scale, however, we need to return to the foundations and do the work that brings us socially and culturally together. As this project will argue, clarifying the conditions on which these new data infrastructures of CEDS will be constructed is critical to the success of Europe’s digital transformation. Explaining the relationships between the different stakeholders of CEDS and between EU citizens, businesses and CEDS will also advance participation, all of which are essential to the development of these ambitious European-wide spaces.
[14] Selwyn, Neil. "Reconsidering political and popular understandings of the digital divide." New Media & Society 6.3 (2004): 341-362.
1.2. Trust the Process?
The European Union has been fundamentally a geopolitical union. With its over 447 million people[15], it is currently acting as a big consumer market for data and new technology. With the implementation of regulations such as the GDPR in 2018, which has indeed brought to light several data breaches, the EU imposed to a certain degree its control on the ways in which data is collected, shared, and processed. To some extent this brought some protection while at the same time it has failed to regulate Big Tech’s behaviour beyond enforcing judgements and processing fines linked to data. Lessons learned from the implementation of the GDPR regulations vary from inconsistent national enforcement and the slow but steady deployment of data protection officers to a stifling of journalism and an undermining of the work of civil society. In Hungary, Romania, and Slovakia, free press and investigative journalism have come under attack, while in Poland NGOs have been targeted after one provided searchable access to public data contained in the Polish National Court Register.[16] In this light, indeed the Commission is a leader in the deployment of digital policies, digital rights, and the digital market but at the same time it is obvious that we are still at the edge of a policy precipice. CEDS will be built against the backdrop of policies and frameworks that have been not just problematic and ambiguous, but also not enforced. There is no obvious reason the EU lags behind in enforcing data regulations, but one of the most significant insights that appeared in the 2020 Digital Services Act (DSA) and the Digital Markets Act (DMA) comes down to the Big Tech companies’ size. In these Acts, platforms are not seen as trustworthy regarding how they provide information, but they are instead considered adversarial. The plan is to audit them and hold them accountable for their actions or inactions.
China has also escalated its efforts to curb Jack Ma’s tech empire, ordering at the beginning of 2021 an investigation into allegations of “monopolistic practices” by Ma’s online retail giant, Alibaba, and demanding that his financial technology company Ant Group scale back its operations.[17] In the USA, the government’s focus is on managing the digital market through antitrust regulation, which mentions breaking companies apart,[18] e.g. Facebook Messenger and WhatsApp, Nest and Google Home; all of which merged into two separate consolidated companies in recent years. These government actions have caused direct reactions by Big Tech, with Facebook and Alphabet Google agreeing in December 2020 to “cooperate and assist one another” if they ever faced an investigation into their online advertising practices.[15] Chinese, USA, and European proposals seem to agree that the problem is ‘trust’, but there are major differences in the ways in which they enforce the regulations they have put in place.
[15] EUROSTAT. Population on 1st January by age, sex and type of projection [Accessed February 2021]
[16] AccessNow. Two years Under the EU GDPR: An Implementation Progress Report, State of Play, Analysis, and Recommendations, May 2020 [Accessed May 2020]
[17] Davidson, Helen, The Guardian, China targets Alibaba with anti-monopoly investigation [Accessed December 2020]
[18] O’Neil, Cathy, Bloomberg, Breaking Up Facebook would be Fine [Accessed December 2020]
1.3. A Hard Act to Follow
With the proposal of the DGA, DSA, and DMA, the European Commission has asserted their ambition to be at the forefront of digital regulation and digital market development, setting in motion not only national but also international mechanisms for similar regulations. The DGA places contextual liability on data use by demanding local registration for data intermediaries, and importantly, by appointing fiduciary duties. These fiduciary duties propose that the EU will place trust, confidence, and reliance on local registrars to exercise discretion or expertise in acting on behalf of the EU. This legal structure is unique in many European members’ legal contexts, and embryonic in the Commission itself, yet it can be used as the foundation for data exchange mechanisms and augment the efforts to nationalise and commercialise data exchange. Yet, the DGA prioritises data exchange over the provision of clear and transparent data rights for European citizens, establishing in this way trust through bureaucratic processes, which will not automatically add to the trustworthy and transparent structuring of that system. By extension, this will unlock a private market for enforcing the Act’s policies, but it falls short of giving the same significance to the protection of people’s rights in those same data exchanges that will be accommodated and the cultivation of shared feelings of solidarity and coherence through the European population.
More importantly, the DGA does not meaningfully address or recognise the importance of cultural, social, or political instances that are not included in their definition of data as “any digital representation of acts, facts or information and any compilation of the same, including in the form of sound, visual or audiovisual recording.” By focusing on the issue of ‘underutilising the data’ available to the EU, the Commission fails to grasp or mention the equal importance of the fair use of this data in the context of digital solidarity or equity between member states, accountability structures or even public participation in the proposed infrastructures. Like the GDPR, the DGA misconstrues the importance of data exchange with the danger of the mishandling of these data management systems. The issue here is that plans for handling any conflicts between data solidarity, data rights and commercialised data use are not mentioned or implied. For instance, if citizens are required to participate in CEDS in order to have access to other rights, this will automatically bring up or intensify inequalities and injustices that currently exist between populations, State Members, and techno-cultures. We can already see this happening in the ways in which the COVID-19 crisis is being handled, with discussions about digital vaccine passports and shared databases across Europe.[19] This performative approach to data governance and the permeating insistence of the sector on ‘bias’ and ‘ethics’ guidelines[20] has, on the one hand, led to criticism from both sides of the sociopolitical spectrum; and, on the other hand, led to the realisation that these regulations can be applied and eventually deployed to only a portion of the State Members’ infrastructures and data systems.
Certainly, this is one of the aims of DGA—to kick-start the development of these frameworks—but there is no transparency in regard to the investment needed to cover the costs of any issues that may arise nationally or continentally. Here it is essential to acknowledge the reasonable limitations of all policy frameworks, especially one that is working with unknown parameters. The DGA has created a world-leading basis on which further sophisticated and technocratic legal and digital architectures can be founded as we move into a more digital decade. What is left to see is first, how national institutions of each member state and their markets will respond to these policies and moves; and second, what kind of impact this will have on the rising mistrust of governments, data, and technology.
[19] Illa confirma que habrá un registro de quienes rechacen la vacuna que se compartirá “con otros socios europeos” [Accessed December 2020]
[20] Ethics guidelines for trustworthy AI, European Commission [Accessed June 2020]
1.4. Solidary Governance
The DGA proposes that “Companies and data subjects should be able to trust that the re-use of certain categories of protected data, which are held by the public sector, will take place in a manner that respects their rights and interests” (preamble, para. 14). This claim is inherently flawed, as it assumes that all member states are adept in adjudicating the issues that may arise from a growing market dependent on data exchange. Unequivocally, the issue here is that each State Member has different interests and concerns that can often be conflicting or competitive with each other. In these circumstances we need to consider whether the court system and laws are the appropriate way to establish these relationships. A solidarity approach that will elevate citizen participation and trust may be a more coherent and trusted approach than regulations and laws. In paragraph 15, where the conditions for future adequacy for third-party countries are put forward, the Commission states: “The existence of effective legal remedies for data holders, public sector bodies or data sharing providers in the third country concerned is of particular importance in the context of the transfer of non-personal data to that third country. Such safeguards should therefore include the availability of enforceable rights and of effective legal remedies.” The authors have obviously thought of the expansion of this act into further countries without considering whether all EU state members are prepared or willing to be part of this new market. The weight of the Act falls first on building a market infrastructure while access or securing digital cohesion or a solidary culture between the members and EU citizens comes as an afterthought.
Ultimately, the vulnerability of the DGA can be summarised as its potential to collapse under the weight of balancing commercial interests with public resistance and distrust. From where the DGA stands now, solidarity, transparency, and fairness are of less importance. This can only embolden and sustain the already uneven and fragmented systems in the EU, which will be further enhanced by the impact of Brexit[18] and struggles to adequately transfer data from Britain to the EU.
#2 COMMON DATA SPACES FOR A DIGITAL EUROPE
Common Data Spaces can contribute to the digital progress of the EU. CEDS will be able to manage the ways in which data will be exchanged, how it can be accessed, and by whom. With the current legal frameworks proposed in the DGA, the aim is to empower data users, citizens and data institutions while holding entities such as stakeholders and intermediaries legally responsible for data exchanges. Data insights may allow for evidence-based decisions and policies to be developed across the continent and respond to health care emergencies, such as future pandemics, or to make Europe more environmentally friendly, and help our ageing population live more comfortably. Research across the spectrum in the EU, from health, to social life and public services, can benefit heavily from bigger and more diverse data. Advanced research can also be steered by this wider availability of data. CEDS can provide the means to combine and explore the wider value of our data, regardless of whether it is personal, corporate, or public data, and provide a secure and safe storage space for processing this data. Here I explore the solidary conditions that can make their governance more transparent and trustworthy across Europe by interrogating the dimensions of current and conceptualised data spaces. As the previous sections have argued, in order to deploy data spaces, we need sound data strategies and solidary data governance. The obstacles hindering their realisation go beyond the legal parameters and bleed into the cultural and technical values and data literacy of European citizens. In the popular consciousness, ‘data sharing’ is usually construed as sharing one’s data with private companies, such as Google, Apple, Facebook, and in return gaining access to their digital services.
However, the data exchanges envisioned by the European Commission for CEDS refer to spaces affording the sharing of data that is considered closed, between specific people/intermediaries/companies, but no digital service will be offered in return—at least not instantly. As a matter of fact, CEDS can eventually become a significant resource for sharing data between member states in the EU and beyond, but they first have to create the right conditions for individuals and companies to trust that when they share, their data will be handled based on shared cultural values and technical principles that benefit everyone. This project hence also aims to inform this aspect of CEDS by exploring the different solidary approaches we can deploy in their governance to make them more appealing to citizens. Some of the challenges to build trust through solidarity—to which I have referred at the start of this paper—are obvious, e.g., the impact of COVID-19 and the cultural fragmentations in the union. Yet the opportunity to build these data bonds between Member States and their peoples is invaluable to the data future of Europe. In this section I explore solidary approaches to data spaces by interrogating: 1. Data as commons; 2. Bottom-up data trusts; 3. Charitable trusts; 4. Data as public good; and 5. Individual data ownership. In what follows I give an overview of these different approaches to data in an attempt to identify the strengths and weaknesses of current options and concepts and uncover any solidary traits that may benefit this European effort. To kickstart this discussion, I begin from the ‘commons’ as a valued approach to solidary data governance.
2.1. Data as Commons
The concept of ‘data as commons’ relies entirely on work by Elinor Ostrom, who throughout her life has explored the ways that people organise themselves to manage common resources such as land and forests.[21] Ostrom never talked about ‘data’ per se but I borrow her work on collective forms of ownership to discuss the opportunities presented in exploring this option for CEDS. More specifically, the sustainable design of governance that is crucial to commons’ survival and which requires a collaboration between several actors, many of which may be competitors, is a good parallel to data exchange spaces.[22] Keeping these forms of collaboration in a working order demands trust, a sense of community, and reciprocity.[23] Hence, adapting her work, we can think of data as commons—and as a resource like groundwater basins—so as to move away from the concept of data as private property, or the property of big corporations, and instead see it as a resource that can have collective ownership. Conceiving data as commons offers us a way to imagine how citizens in small or large groups on local, national, or even European level, can govern their own data beyond the control of the state and market needs. The governance of these commons should be enveloped in Ostrom’s principles for governance for commons:
1. Define clear group boundaries: Commons necessitate exclusion. This exclusion ensures that the benefits sourcing from the participants’ contributions will only benefit them, and not those with no contribution.[24] These clear boundaries between insiders and outsiders provide clear limits within which we can define the resource, who can and who can’t use it. When boundaries are established, what is also concurrently secured are clear rules for using and contributing to the commons.
2. Fit the governance rules of commons to local conditions and needs: Governance’s design is adjusted and formed on the local conditions of its participants, which should organically strengthen the secure and fair use of the resource. The resulting certainty on the use and governance of the resource can also introduce collective action when necessary, for the protection of the commons and beyond them.[25]
3. Guarantee that those affected by the rules can participate in modifying them: Contributors to the commons should be able to participate in the rule-making and rule-modification processes, and the commons have to be constantly audited so as to ensure compliance with their rules and boundaries.
4. Develop a responsibility system for monitoring community members’ ‘behaviour’: Each member needs to make sure that the commons are used to everyone’s benefit and in just means.
5. Use graduated sanctions for rule violators: Sanctions have to be graded from soft to more severe to ensure that unconscious violations are not equally sanctioned as intentional ones.
6. Conflict resolution should be mediated through a low-cost conflict resolution plan. The interpretation of the rules may be different for each member, therefore a judicial body (even if it is informal) can help in resolving conflicts and avoid the elite taking over the control of the commons.
7. Ensure the rules of the commons are respected by outside authorities: For the commons to remain sustainable, outside authorities should respect and recognise their governance mechanisms.
8. Build responsibility for governance in multilevel tiers from the lowest level up to the entire interconnected resource: Complex common resources require governance mechanisms that are multi-levelled, e.g. on local, regional, and national, so as to successfully manage the multiple interconnected components of the resource.[26]
Obviously, CEDS have many differences in their current governance structures from the notion of ‘data as commons’. First and foremost, CEDS have to exist nested in the web of States and markets, which are partly against the practices that make commons what they are—i.e. sharing, opening, trusting. This is usually due to what Garrett Hardin coined ‘the tragedy of the commons’[27], suggesting that collective property is doomed to fail, because it will inevitably be abused by users. Similarly, the commons are often seen as, and linked to, the basis for communism.[28] Ostrom’s concept of ‘the commons’ was not necessarily anti-State or anti-market, but she insisted that the more power people had to make decisions that impacted their lives, the better those decisions would be.
[21] Elinor Ostrom, Governing the Commons, Cambridge MA: Cambridge University Press, 1990.
[22] Frischmann, Brett M., Michael J. Madison, and Katherine Jo Strandburg, eds. Governing knowledge commons. Oxford University Press, 2014, p. 477.
[23] Ostrom, Elinor, and Charlotte Hess. "Private and common property rights." Encyclopedia of Law and Economics. Edward Elgar Publishing Limited, 2007, p.43.
[24] Ostrom, 1990, p.91.
[25] Ostrom, Elinor, and Michael Cox. "Moving beyond panaceas: a multi-tiered diagnostic approach for social-ecological analysis." Environmental Conservation (2010): 451-463.

Thinking then beyond Ostrom’s conceptualisation of commons, which demonstrate “how local property can be successfully managed by local commons without any regulation by central authorities or privatisation”29, we can make two solidary take-aways from ‘data as commons’ for the benefit of CEDS:

1. To deploy transparency in the processes of shared value creation between the different participants, and respect any competition and commercial interests between them; and
2. To recognise that CEDS will be embedded in already existing state, social and cultural structures with their own communities, rules, and complexities. These communities may not be data commons per se but CEDS may be impacting their governance and structures. European markets and states have an important role to play in realising common data spaces and the dichotomy between market/state is unhelpful for thinking about their governance.

I now move to exploring ‘data trusts’ as data spaces that in the past decade have been popularised in the fields of technology and policy to describe the legal mechanisms that assign stewards or trustees to manage the data or data rights of their beneficiaries, i.e., individuals, governments, private and public companies.

26 Ostrom, 1990, p.101.
27 Hardin, Garrett. "The tragedy of the commons." Journal of Natural Resources Policy Research 1.3 (2009): 243-253.
28 Hardt, Michael. "The common in communism." Rethinking Marxism 22.3 (2010): 346-356.
29 Ostrom’s talk in 2009 upon receiving her Nobel Prize, Nobel.org.

2.2. Data Trusts

Similar to the ways in which we use the term ‘land trusts’, the use of the concept ‘data trusts’ in this section describes the means of maintaining and mediating how data is collected, handled, and used. A data trust is established when an individual or a group entrust their data assets and/or data rights to a trustee. The trustee can be an individual or an institution (e.g., a university, a government body, or a private company) who holds the data and governs it to the benefit of the individual, the group or other beneficiaries, such as the wider society.30 Similar to how a lawyer has a fiduciary responsibility toward their clients, the trustee has a responsibility toward their beneficiaries. At the same time, it is prohibited for a trustee to profit from the trust or have any conflict of interest that relates to the data or the rights of the data that is in their trusteeship.

In their updated 2020 definition, the Open Data Institute defines ‘a data trust’ as an entity that “provides independent, fiduciary stewardship of data”.31 Earlier work by Edwards32 and by McDonald and Porcaro33 has helped define data trusts as negotiated spaces of data exchange in which data stewardship sets the legal conditions under which one can collect, maintain, share and, more importantly, access data. The use of data trusts is often talked about as people’s opportunity to have a say in how their data is collected, accessed, and used by others. In practice, however, they are not just mechanisms that allow us to protect our data privacy, but also extend into promoting and accommodating the beneficial use of data across society. Data trusts are responsible for controlling who collects data, who can access the data, who can use the data and, subsequently, the future of this data, their archiving processes and who can access and distribute data once it is collected. If an interested party given access to the data fails or refuses to comply with the terms and conditions of the trust, the trustee can revoke access to that party. By separating the beneficiary from the trustee, any decision-making is off-loaded from the beneficiary and is placed on the trust, and concurrently empowers the beneficiary with more control over their data and their data rights. A data trust that merges data from multiple sources or beneficiaries opens the door to a trustee’s power to mediate for the benefit of the collective, rather than for the individual.

Yet, it is my conviction that discussing data trusts in just legal terms limits both the work we have ahead of us with CEDS and their possibilities for solidary governance mechanisms. Legal frameworks, such as work by Hildebrandt34, are undoubtedly important but they are beyond the focus of this project. Hence, this project moves from data trusts as law instruments (despite their absence from many legal European jurisdictions and adequate standardisation processes), to seeing data trusts as spaces that hold social responsibility and trustworthiness as a duty. This brings me to versions of data trusts that are more open and solidary, such as ‘bottom-up’ data trusts.

30 Ruhaak, Anouk, RSA, Data Trusts: What are they and how do they work? [Accessed July 2020]
31 Data Trusts in 2020, ODI [Accessed March 2020]
32 Edwards, Lilian. "Reconstructing consumer privacy protection on‐line: a modest proposal." International Review of Law, Computers & Technology 18.3 (2004): 313-344.
33 McDonald, Sean and Porcaro, Keith, The Civic Trust [Accessed April 2018]
34 Hildebrandt, Mireille. "Law as Information in the Era of Data‐driven Agency." The Modern Law Review 79.1 (2016): 1-30.

2.2.1. Bottom-up Data Trusts

According to Sylvie Delacroix and Neil Lawrence,35 ‘bottom-up data trusts’ can return the power that sources from aggregated data to the individual “whereby data subjects choose to pool the rights they have over their personal data within the legal framework of the trust” (p.240). In such a data ecosystem, multiple private and public funded trusts will be available to the individuals to choose and alternate between, based on their social or economic interests and needs. Delacroix and Lawrence suggest that a bottom-up designing of data trusts may “reverse the power imbalance that currently exists between individuals and the corporations that use their data for their benefit”36. This ‘shop around’ adaptability of data trusts can be sustained through four conditions:

1. The requirements for entry must be limited—this will encourage the creation of new trusts.
2. Every individual’s data must be secure.
3. An individual’s personal data must be portable between different computer systems. This will give the trustees power to exercise portability rights on the individual’s behalf, which would include the ability to share the trust’s data with other data trusts, as well as other public and private sector entities that conform with the policies of the trust.
4. An individual’s data must be erasable from any particular system.

The idea behind bottom-up data trusts is to build an ecosystem with multiple data trusts, with each governed by different frameworks, that would empower the individual to choose the data governance that fits their own values and privacy concerns. The writers, however, recognise several limitations and challenges of such a data trust ecosystem. These range from the level of data management required of individuals, as they assess their participation in different trusts suited to different purposes, and the viability of the market for the trusts, since the proposed model depends on the trusts attracting big numbers of individuals to establish negotiating power, to data portability rights and trustees’ ability to cover costs of any damages caused.

These help us envision some of the challenges we may come across in the deployment of CEDS. Indeed, perhaps the biggest relevant challenge we may face in Europe is the urgency for public awareness campaigns for the benefits of data exchange—while also clearly informing the public about the risks and challenges inherent in data sharing. Clearly, the need for data literacy is crucial to the implementation of CEDS if we want to encourage people to hand over their data.

35 Delacroix, Sylvie, and Neil D. Lawrence. "Bottom-up data Trusts: disturbing the ‘one size fits all’ approach to data governance." International Data Privacy Law 9.4 (2019): 236-252.
36 Ibid., p.240.

2.2.2. Charitable Data Trusts

Winickoff and Winickoff formed the idea of the ‘charitable data trust’ for healthcare data with the scope to help health research advance through data structures that are more open and accessible.37 A charitable trust inclusive of biobanks and health data would be formed by a trust agreement under which the participants would “formally expresses a wish to transfer his or her property interest in the tissue to the trust”38. By donating their data to the trust, the donor automatically appoints the recipient as trustee of the data, who then gains legal fiduciary duties to keep or use the data for the benefit of the beneficiary. Winickoff & Winickoff suggest that in the case of genetic biobanking the general public can act as the beneficiary of the charitable trust. Extending this to a wider charitable trust, society may be considered the beneficiary of the trust. In their conceptualisation, a charitable trust has the following characteristics:

1. Permission is necessary for the data to be considered part of the trust, but they intentionally do not mention this as an informed-consent process; informed consent would require going back to the participant every time the data was used for a different reason/research and that would limit the success of the trust. In their own words “Without knowing what research will be done, one can only speculate on the risks and benefits. For this reason, it might be better in this context to talk about ‘permission’ for research uses of patient data”.39
2. A donors committee and a group or population committee has to be set up to ensure that the interests of the participants are directly taken into consideration in managing the collection.
3. An institutional review board (IRB) has to approve any follow-up research/use of data. Hence, even if individuals give permission to the trust to use their data, it can only be used multiple times if the IRB approves it. This process can be skipped if the participants are regularly informed on where their data is being used.
4. Individuals have ‘an absolute right’ to withdraw anytime they want. Withdrawing permission of one’s data prevents the charity from using the data in the future.
5. Any commercial arrangements that source from the data are on full disclosure and the participant’s confidential data has to be protected by encrypting all identifying information.

Notably, a charitable trust can protect the rights of its participants by serving the interest of the beneficiary and ‘the general public’. By empowering the participants through the donors committee and a group/population committee, participants can have a direct impact on the governance of the charitable trust. At the same time, as a charity, the primary goal of the trust is the maximisation of the data use for the beneficiaries of the trust, not profit, as is with private data trusts.

Yet, similarly, the ‘absolute right’ to withdraw your data from the trust is problematic. What if the trustee refuses someone’s request to withdraw their data because it goes against the interests of the beneficiaries—which may include the wider society? What comes first? The society’s interests or the individual’s right to withdraw? And where do we draw the line? Additional issues can be observed in the encryption of data. Studies have shown that full anonymisation of data is impossible. In fact, Rocher et al.40 suggest that “even heavily sampled anonymised datasets are unlikely to satisfy the modern standards for anonymisation set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release-and-forget model.” Admittedly, these are issues data trusts face across the governance spectrum and which CEDS may also need to tackle.

In the context of charitable trusts then, CEDS can borrow participants’ empowerment governance mechanisms. Establishing a donors committee and a group or population committee will involve citizens in the governance of the spaces and boost the public’s awareness and involvement with them. At the same time, what becomes apparent is that the common European consent form the Commission will develop for data altruism to allow the collection of data across Member States needs to also inform participants about the limitations and flexibilities of CEDS. A simple consent form, despite the altruism clause, may not cover every aspect of data exchange and the rights of the individual.

37 Winickoff, David E., and Richard N. Winickoff. "The charitable trust as a model for genomic biobanks." (2003): 1180-1184.
38 Ibid. p.1180.
39 Ibid. p.1182.
40 Rocher, Luc, Julien M. Hendrickx, and Yves-Alexandre De Montjoye. "Estimating the success of re-identifications in incomplete datasets using generative models." Nature Communications 10.1 (2019): 1-9.

2.3. Data as Public Good

The concept of “data as a public good” has been discussed broadly in response to the massive deployment of data analytics by technology companies whose digital services we use every day and whose users range from a few millions (e.g., Twitter, Baidu) to billions of users (e.g. Google, Facebook). Current work suggests that considering data as a public good is a twofold process: The first is to consider data as a good that can aid international organisations to advance social good and social impact. The second focuses on how data should be formally labelled as a public good, for its potential to crash health inequalities and poverty.41 However, Purtova42 points out that there is a distinction between considering knowledge as a public good and claiming digital data as equally public. Nonetheless the notion of data as a public good has already been appropriated by private companies and public institutions to describe the freedom of choice individuals may have to surrender their data. Strikingly, the World Economic Forum is already using the term ‘personal data ecosystem’ to describe the ways in which digital data depicts the interaction between individuals and firms and how personal data can be analysed to produce commercial value.43

Discussing data as a public good is valuable for the assessment of who controls data and to ascertain who holds the power for data production and data outputs. Indeed, the EU’s plan for CEDS is to make specific corporate datasets available, and that has the potential to redistribute some of the control to individuals, intermediaries, and organisations. But what can also happen in this case is individuals surrendering all their data in order to participate in the decision-making processes while corporations limit the data they share while at the same time benefitting from the availability of data from individuals.

Despite the value of considering data as a public good, power imbalances and corporate influence in the decision-making processes have to be carefully evaluated so as to secure not just equal data control between individuals-intermediaries-corporations-EU, but also to ensure that the current institutional proposal for CEDS audits is to be handled by independent bodies. Current proposals in the DSA for independent auditing of digital services and platforms do not go far enough. The solidary approach of seeing data as a public good pushes us to consider the need to create a public sector audit regime so as to avoid the take-over of CEDS by private entities.

41 Taylor, Linnet. "The ethics of big data as a public good: which public? Whose good?." Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences 374.2083 (2016): 20160126.
42 Purtova, Nadezhda. "The illusion of personal data as no one's property." Law, Innovation and Technology 7.1 (2015): 83-111.
43 World Economic Forum. 2014 Rethinking personal data: trust and context in user-centred data ecosystems. Geneva, Switzerland: World Economic Forum. [Accessed November 2015]

2.4. Individual Data Ownership

Privacy policies such as GDPR that have emerged in the past five years have strived to hand individuals the right to decide how to share their data and how much of it. However, in order to exercise such rights, we need to be given the freedom to do so. Our dependence on technology companies and social media has substantially diminished any notion of consent to our data being used by technology companies. Consent is a hollow signifier when the supposed freedom to choose which and how your data will be used by such companies is translated as the binary option of exclusion or inclusion in their platforms. The unspoken agreement between big tech and users is that in order to access the “free” internet and the social service platforms they provide us with, we need to give up the data we generate to them. This is the delusion of the data-driven world, where the society and its communities are part of a feudal system of financial gains that only benefits technology companies.

At the same time, in the EU the enforcement of these privacy policies is inadequate, as we have seen with the deployment of GDPR, relying primarily on complaints instead of on proactive audits. If the EU does not knuckle down to the latent power imbalances between users and digital services, we will remain unfit to protect or exercise our digital rights. This worry has led researchers and policy makers to jump-start debates on alternative models33 of data exchanges, data economic models, and data privacy.

One of the debates focuses on the concept of “individual data ownership”44 or the concept of a “personal data market”.45 In Lanier’s conceptualisation of a humanistic information economy, participants gain “economic dignity” by being compensated based on their contributions to the web’s gigantic information assemblages, which are today referred to as ‘big data’. For example, if your supermarket shopping data is statistically analysed to identify a consumer’s need for a product, you should receive royalties for the use of your data in the happenstance of that shopper actually buying the product. In an economy supported by nano-payments users would be financially supported through the different forms of data they produce, input, or surrender online. According to Srnicek, however, a personal data market would translate into a system in which the rich can afford privacy, while the less fortunate will have to surrender their data rights and privacy. According to him, being paid individually for your data is a clear neoliberal strategy that is doomed to fail because of the inequalities and power structures it will perpetuate and produce.

44 Lanier, Jaron. Who owns the future?. Simon and Schuster, 2014.
45 Srnicek, Nick. Platform capitalism. John Wiley & Sons, 2017.

In his book Who owns the future? Lanier put forward a type of data economy that functions on the assumption that “information is people in disguise, and people ought to be paid for value they contribute that can be sent or stored on a digital network.” Following this principle, information outweighs the undoubtedly problematic approach to data as “the new oil”, i.e. an infinite resource to be exploited, and instead proposes an approach through which the data is indistinguishably connected to the people who produce or supply them. In this context, this form of economic transparency is consistent with personal privacy: assigning a value to personal data automatically protects it too.

Yet, ‘individual ownership’ indeed succumbs to the neoliberal notion of individualism. An economy of individuals in which we simply sell our online data—thereby commercialising our online experiences—may have a completely negative impact on our freedoms and our privacy per se. The constant surveillance and tracking structures that such an approach would demand would create massive consequences that would render the governance of such a system, practically and more importantly socially, marketed.

#3 SOLIDARY EUROPEAN COMMON DATA SPACES

CEDS will expect organisations to surrender some of the control they hold over their data, similar to how land trusts authorise trustees to control their assets. As this paper has discussed, currently data spaces around the world work in a number of ways, with some of them surrendering limited control on their assets or sharing other elements of stewarding, such as legal or technical settings. The Commission aims to create a single market for data, where data from public bodies, business, and citizens can be used safely and fairly for the common good. This initiative aims for common European data spaces to:

1. Make better use of publicly held data for research for the common good.
2. Support voluntary data sharing by individuals.
3. Set up structures to enable key organisations to share data.

In this section, I took these three parameters set by the Commission as the approach to review and explore the lessons learned from spaces that consider data as commons; bottom-up data trusts; charitable trusts; data as public good; and individual data ownership to envision the limits, flexibility and opportunities for more solidary CEDS. In summary, the primary recommendations that have risen from the review are as follows:

1. These spaces need to account for transparency and trust in the collection, management and use of data.
2. There is an urgency for public awareness campaigns related to the benefits of data exchange; information campaigns informing the public about the risks and challenges inherent in data sharing; and data literacy needs across Member States.
3. The common European consent form the Commission will develop for data altruism, to allow the collection of data across Member States, needs to also inform participants about the limitations and flexibilities of CEDS. This should also include any intricacies related to the withdrawal process and data anonymisation/pseudonymisation.
4. The governance needs to be participatory in nature, i.e., engage public, private, and civic stakeholders. This can happen with a citizens’ committee, a group committee, or population committee.
5. A public sector audit regime for CEDS may ensure that they serve both the public and the data economy.

The European Commission has expressed its intent to increase access to data to boost the digital market and has indeed provided some assurances for social impact and to mitigate any harms that may arise from data exchanges. What the EU aims to do with common data spaces shares characteristics with the idea of data trusts, specifically persuading small and big corporations to put their data in a trust that would be managed by a third-party trustee (an organisation, an institution, or a local agent). For example, an organisation34 such as TRUSTS35 (Trusted Secure Data Sharing Space) is an EU-funded programme that functions as a data trust. Currently, the large corporate influence in the set-up of data trusts underlines the high interest of big tech in data exchange and sharing. Yet, large-scale, corporate-controlled data sharing does not often centre public interest, and as