The European Union has long been a trendsetter in privacy regulation. Its General Data Protection Regulation (GDPR) and stringent antitrust laws have inspired new legislation around the world. For decades, the EU has codified protections on personal data and fought against what it viewed as commercial exploitation of private information, proudly positioning its regulations in contrast to the light-touch privacy policies in the United States.
The new European data governance strategy takes a fundamentally different approach. With it, the EU will become an active player in facilitating the use and monetization of its citizens’ personal data. Unveiled by the European Commission in February 2020, the strategy outlines policy measures and investments to be rolled out in the next five years.
This new strategy represents a radical shift in the EU’s focus, from protecting individual privacy to promoting data sharing as a civic duty. Specifically, it will create a pan-European market for personal data through a mechanism called a data trust. A data trust is a steward that manages people’s data on their behalf and has fiduciary duties toward its clients.
The EU’s new plan considers personal data to be a key asset for Europe. However, this approach raises some questions. First, the EU’s intent to profit from the personal data it collects puts European governments in a weak position to regulate the industry. Second, the improper use of data trusts can actually deprive citizens of their rights to their own data.
The Trusts Project, the first initiative put forth by the new EU policies, will be implemented by 2022. With a €7 million budget, it will set up a pan-European pool of personal and nonpersonal information that should become a one-stop shop for businesses and governments looking to access citizens’ information.
Global technology companies will not be allowed to store or move Europeans’ data. Instead, they will be required to access it via the trusts. Citizens will collect “data dividends,” which haven’t been clearly defined but could include monetary or nonmonetary payments from companies that use their personal data. With the EU’s roughly 500 million citizens poised to become data sources, the trusts will create the world’s largest data market.
For citizens, this means the data created by them and about them will be held in public servers and managed by data trusts. The European Commission envisions the trusts as a way to help European businesses and governments reuse and extract value from the massive amounts of data produced across the region, and to help European citizens benefit from their information. The project documentation, however, does not specify how individuals will be compensated.
Data trusts were first proposed by internet pioneer Sir Tim Berners-Lee in 2018, and the concept has drawn considerable interest since then. Just like the trusts used to manage one’s property, data trusts may serve different purposes: they can be for-profit enterprises, or they can be set up for data storage and protection, or to work for a charitable cause.
IBM and Mastercard have built a data trust to manage the financial information of their European clients in Ireland; the UK and Canada have employed data trusts to stimulate the growth of the AI industries there; and recently, India announced plans to establish its own public data trust to spur the growth of technology companies.
The new EU project is modeled on Austria’s digital system, which keeps track of information produced by and about its citizens by assigning them unique identifiers and storing the data in public repositories.
Unfortunately, data trusts do not guarantee more transparency. The trust is governed by a charter created by the trust’s settlor, and its rules can be made to prioritize someone’s interests. The trust is run by a board of directors, which means a party that has more seats gains significant control.
The Trusts Project is bound to face some governance issues of its own. Public and private actors often do not see eye to eye when it comes to running critical infrastructure or managing valuable assets. Technology companies tend to favor policies that create opportunity for their own products and services. Caught in a conflict of interest, Europe may overlook the question of privacy.
And in some cases, data trusts have been used to strip individuals of their rights to control data collected about them. In October 2019, the government of Canada rejected a proposal by Alphabet/Sidewalk Labs to create a data trust for Toronto’s smart city project. Sidewalk Labs had designed the trust in a way that secured the company’s influence over citizens’ data. And India’s data trust faced criticism for giving the government unrestricted access to personal information by defining authorities as “information fiduciaries.”
One possible solution could be to set up an ecosystem of data stewards, both public and private, that each serve different needs. Sylvie Delacroix and Neil Lawrence, the originators of this bottom-up approach, liken data trusts to pension funds, saying they should be tightly regulated and able to provide different services to designated groups.
When put into practice, the EU’s Trusts Project will likely change the privacy landscape on a global scale. Unfortunately, however, this new approach won’t necessarily give European citizens more privacy or control over their information. It is not yet clear what model of trusts the project will pursue, but the policies do not currently provide any way for citizens to opt out.
At a recent congressional antitrust hearing in the United States, four major platform companies publicly recognized the use of surveillance technologies, market manipulation, and forceful acquisitions to dominate the data economy. The single most important lesson from these revelations is that companies that trade in personal data cannot be trusted to store and manage it. Decoupling personal information from the platforms’ infrastructure would be a decisive step toward curbing their monopoly power. This can be done through data stewardship.
Ideally, the Trusts Project would show the world a more equitable way to capture and distribute the true value of personal data. There’s still time to deliver on that promise.
Correction: In the original piece, the author suggested Sidewalk Labs sought to “control” citizens' data. That description has been amended to “influence.”
Anna Artyushina is a public policy scholar specializing in data governance and smart cities. She is a PhD candidate in science and technology studies at York University in Toronto.