I recently responded to the Government’s  Call for Evidence on Data Intermediaries. I welcome the opportunity to contribute to this important call for evidence which centres around unlocking the value of data whilst exploring mechanisms that facilitate responsible data sharing and at the same time empowering individuals.

Data is increasingly integral to people’s lives and fuels most modern business. Citizen data holds tremendous potential for economic and societal benefit through innovative products, improved public services, and research advancements. However, cumulative failures, such as the backlash to both Care.Data and subsequently the General Practice Data for Planning and Research programme, and the response to the Cambridge Analytica scandal, have resulted in tenuous public trust in data sharing. Data misuses, breaches, and sharing scandals highlight the need for models of data stewardship that safeguard privacy while enabling innovation guided by public input. Increased legitimacy and trustworthiness of data and AI use are needed to reverse this trend.

Data intermediaries are broadly defined as entities facilitating data sharing or access between data holders (including individuals exercising their rights) and data users. They act on behalf of or for the benefit of data subjects when dealing with personal data. They can potentially empower individuals to exercise their data subject rights more easily and enable responsible and straightforward sharing of quality data. Data Communities represent a specific proposed model within this landscape, focused on empowering individuals by enabling them to collectively exercise their data rights.

Defining Data Communities and Their Purpose

Attempts were made during the passage of the Data (Use and Access) Bill to define a “data community” as an entity established to activate data subjects’ data rights under Chapters III and VIII of the UK GDPR on their behalf. This concept was part of a proposed set of amendments intended to establish the ability for data subjects to assign their personal data rights to a third party. This would have expressly enabled data subjects to mandate a community to exercise specific rights over designated data, for defined purposes and durations, with respect to specified data controllers—all while retaining ultimate control.

Relationship to Other Data Intermediary Models

Data Communities need to be understood as a specific type of data intermediary or data institution. While related to concepts like data trusts and data cooperatives, Data Communities need to be specifically defined by their function of exercising the individual data subject rights granted under the UK GDPR on behalf of their members They are distinct from, for example, a data trust that might hold legal rights over data assets themselves, or a data cooperative focused on collective ownership or bargaining. The OECD’s concept of ‘community-based data sharing agreements’ appears conceptually related to the aims of Data Communities.

Potential Benefits of Data Communities

The establishment and effective operation of Data Communities will in my view yield many benefits:

•Empowering Data Subjects: Data intermediaries, including Data Communities, have the potential to empower individuals to exercise their data subject rights more easily. This is particularly relevant for rights like data portability, which are currently under-exercised. The collective exercise of rights can provide greater leverage in the data ecosystem.

Rebalancing Power Asymmetries: By enabling collective action and representation, Data Communities can help rebalance asymmetries of power between individuals and large data controllers, and between technology companies, government and the public.

•Increasing Public Confidence: Involving people through mechanisms like Data Communities can contribute towards increased public confidence in the use of data. This is crucial given the current low levels of public trust.

•Facilitating Responsible Data Sharing: They can facilitate responsible and straightforward sharing of quality data, potentially enabling data use for wider societal gains or public benefit as specified by the community members. Data communities can enable analysis through data access and sharing, supporting areas like public health, innovation in commercially sensitive environments, quality assurance of data/AI, matching skills to jobs, and achieving Net Zero targets. They can absorb some of the costs and risks associated with data processing activities and provide assurances around data quality. Data communities may also go beyond legal requirements around data protection and apply additional measures to protect against unethical use of data and ensure it is only used for agreed purposes.

Supporting Collective Action: The Data Communities model allows for collective action on data issues, as seen in the example of UK Uber drivers attempting to establish a data trust (related concept) for collective bargaining purposes. This is a practical application for achieving economic benefit that is difficult for an individual data subject to achieve alone.

•Enhancing Transparency and Accountability:  Regulatory requirements can ensure that Data Communities operate transparently and are subject to regulatory oversight.

Key Considerations and Regulatory Framework

Implementing Data Communities effectively requires careful consideration of practical challenges and a robust regulatory framework:

•Establishing and Operating Data Communities: There is a need for practical guidance on how individuals can establish, operate, and join Data Communities. Making complex issues transparent and understandable requires considerable time, resources, and skills.

Interaction with Data Controllers/Processors: Clear guidance is needed for data controllers and processors on how to respond to requests made by Data Communities exercising rights on behalf of their members. This includes defining “good practice” in engaging with Data Communities

•Transparency and Oversight: The proposed requirement for the Information Commissioner to maintain a public register and establish complaints mechanisms for both data subjects and Data Community controllers is essential for ensuring accountability and addressing potential issues.

•Effective Data Portability: The viability of Data Communities heavily relies on the effective and technically feasible portability of data. Challenges in exercising the right to data portability need to be addressed. There is a need to monitor reasons for refusal of portability requests. Technical infrastructure can enhance interoperability and data portability. Users might prefer controller-to-controller transfer, which should be made simple.

Ensuring Inclusivity and Uptake: Careful consideration is needed to encourage uptake beyond the most engaged or digitally literate groups. A bottom-up approach relying solely on citizen demand might be skewed. Achieving a viable market requires a sufficient number of participants.

•Avoiding Risks: Mechanisms must be in place to mitigate risks associated with data intermediaries generally, such as distrust, the creation of dominant entities or new data monopolies, conflicts of interest, and increased demands on regulatory oversight.

Crucial Role of Appropriate Legal Frameworks

The identification and clarification of appropriate legal frameworks are fundamental for the effective operation and trustworthiness of Data Communities, regardless of their specific scope. Regulatory and legal opacity and uncertainty are significant barriers for data intermediaries generally.

•Building Trust and Accountability: A clear legal framework is a necessary foundation for building trust and accountability around data intermediation models like Data Communities It ensures that these entities operate transparently and are subject to regulatory oversight.

Clarifying Roles and Obligations: Legal frameworks need to define the roles and obligations of Data Communities (e.g., whether they act as controllers or processors) and their relationship with data holders, data users, and regulators. This clarity is essential for the legal certainty needed by all parties involved.

Enabling the Exercise of Rights: we need to clarify explicitly the ability of data subjects to legally mandate a Data Community to exercise their data rights on their behalf and address current legal ambiguities that hinder intermediaries from acting effectively on behalf of an individual.

•Ensuring Responsible Stewardship: Legal frameworks can incorporate requirements for good practice and responsible data management. This should go beyond mere compliance with existing data protection laws and could help ensure data is used only for agreed and ethical purposes.

Providing Regulatory Oversight and Complaints Mechanisms: There should be a requirement for the Information Commissioner to maintain a public register of Data Communities and establish complaints mechanisms.

Interfacing with Existing Law: Data Communities need to operate within the existing legal landscape, including comprehensive frameworks like the UK GDPR. The legal framework for Data Communities needs to clearly articulate how they interact with and build upon these existing frameworks.

Conclusion

In summary, Data Communities, represent a promising mechanism for empowering individuals and fostering more responsible data stewardship by enabling collective exercise of data subject rights. This model aligns with the broader goals of increasing participation and rebalancing power in the data landscape. Integrating the Data Community concept into the broader data intermediary landscape, supported by the proposed regulatory measures, is a valuable step towards a more trustworthy and equitable data ecosystem in the UK. Realizing the potential of Data Communities will depend on developing clear practical guidance and ensuring robust regulatory oversight. Addressing challenges related to effective data portability and ensuring inclusive access will be key to their success. Further exploration and piloting of this model, alongside other forms of data intermediaries, should be encouraged and facilitated to understand their full potential and identify contexts where they are most impactful.