We may need a whole new approach to data protection

There is a tension between data collectors and data subjects regarding ownership and value of their data. While traditional ownership concepts have not really succeeded when it comes to data regulation, contained within the idea of either collector-centric or subject-centric data trusts we might find an alternative approach to data governance.

This article was first published in The Mint.

Data is all around us in everything we do and in every object we use. In the information age, there is no person or object that does not generate data and, since we are all connected, there is nothing to stop each of us from accessing it. If there is no limit to the amount of data that exists and no additional cost to the creation of each unit of new data, it stands to reason that the value of this data should be zero. The reality, however, is quite different. Data is one of the most valuable resources of the modern economy, and among the many debates it has sparked is the question of who actually owns it and is entitled to claim its value.

If you think about it, data actually has no value unless someone decides that it is worth being collected. Even after a data collector decides to invest time and effort in collecting and processing it, any individual item of data actually becomes valuable only when it is aggregated with others like it into truly large data sets. It is in this state that data has value.

As much as we may want to believe that data has value from the get-go, the fact of the matter is that without the efforts of data collectors, no data would have had any. Very few data collectors actually say this out loud, as this is not a statement that would go down well with most people. In today’s data-rich world, data subjects genuinely believe that they are and should be the rightful owners of their own data, and so should also have the last word on what can or cannot be done with it. They believe that data is valuable in the aggregate and, therefore, there must exist some appropriate fractional value attributable to each data element solely by virtue of it having individually contributed to the whole.

This is the tension that frustrates all attempts to regulate data the traditional way. On one hand, data collectors argue that had they not put in the effort to collect and organize data, or develop algorithms to extract insights out of the large volumes of data they hold, there would be no value whatsoever. Data subjects, on the other hand, argue that since it is they who have provided the information in the first place and it is they who will be affected by the use of this information, the ability to exert ownership rights over how it is eventually used should vest with them.

The reason we are having this debate at all is that we believe we need to think of data in terms of who owns it. We have operated on the assumption that the secret to effective data governance is identifying the owner of a given item of data so that we can impose upon them a set of rules as to what they can and cannot do with it. This approach has not worked so well for us. Ownership leads to monetization and eventually to fraught questions over who deserves to benefit from it.

Perhaps we need a new approach.

One alternative that has been suggested is to conceptualize the issue in terms of data trusts: constructs that treat data as a pooled resource, with data aggregated in such a manner that the sum of its discrete elements has value greater than any individual item. Trusts allow data to be shared, breaking down silos that place data under the exclusive control of a data collector, and, instead, sharing them between data collectors and/or data subjects to let the value generated flow across a larger group of users without cleaving to traditional notions of ownership.

There are broadly two distinct types of data trusts that are spoken about: collector-centric and subject-centric. Collector-centric data trusts are established by data collectors so that they can set the terms under which the data they have collected can be pooled into a common resource. This pooling allows them to share the benefits of the larger data set without having to negotiate transfer arrangements between each other.

By encouraging the sharing of resources across collectors, who would have otherwise kept this data siloed and apart, collector-centric data trusts ensure greater data sharing than would otherwise have taken place. However, since collector-centric trusts only work to the benefit of incumbent data controllers, they deny new entrants market access, which could result in their being mistaken for monopolistic constructs that are designed to preserve the advantage that existing data collectors have.

The second type of data trust allows data subjects to pool their data in this trust and then make this pooled data available to collectors on terms negotiated by the trust on behalf of the contributing data subjects. By banding data together in a single pool, data subjects are able to aggregate their data assets so that the pool has more value than any individual element of data ever could. With a sufficiently large number of data subjects, the entire trust would be in a far better negotiating position than if each of them had to deal with data controllers on an individual basis. Subject-centric trusts vest in trustees the responsibility to deal with the data in the best interests of all members of the trust—as opposed to data collectors—making it one of the few constructs designed to work for data subjects.

As India gets to the final stage of conceptualizing its data protection regime of the future, the country would do well to examine these alternative models and facilitate their inclusion in any legislation on the matter. The world has tried data ownership as a model, and it has not worked. Perhaps it’s time to try something different.