United States

Preface

By Mozilla Insights

It’s a long-established fact: today’s data economy is not built on a level playing field. The people and communities whose data form its lifeblood are fighting to retain or regain control over their data and the value created from it. All too often, data is extracted and processed far removed from its source, serving the interests of the organizations that collect it rather than the people it impacts. This is why it’s important to explore new ways to govern data: to shift control, strengthen agency, to share value. Through the Mozilla Foundation’s Data Futures Lab and our work around data governance, we are working to challenge this current paradigm.

Reimagining, reconstituting, and rebalancing data governance requires system-level change, but opportunities to implement new ideas for better data governance often also exist within existing paradigms and legal frameworks. Just as the open source movement challenged copyright laws to introduce open licensing decades ago, builders can similarly defy existing laws and regulations to push the boundaries of how data is governed. Builders can shape new norms by leveraging opportunities present in existing rules. But to do so, they need a firm understanding of current realities. We aim to help them navigate existing legal landscapes so they can help pave the way for better data governance models and policy in the future.

The primary goal of this research is therefore twofold: 

• To provide builders with an overview of the current (and changing) legal landscape governing the collection, management, sharing, and use of data in their country; 
• to identify opportunities for what we call “alternative data governance” models within existing legal landscapes — specifically, where the regulatory status quo offers pathways to implement new approaches that shift power from data collectors to data subjects — that create meaningful incentives for the benefits of data to be shared between various parties and enable data to serve individual or collective interests. 

The guiding question is: What can be built where, and using which levers, from a legal standpoint? 

The analysis in this guide will provide builders with a map of laws and regulations relating to data and opportunities for experimentation. It will also provide concrete dos and don’ts for builders experimenting with new approaches to data governance.

Overview

This report starts with an overview of laws and regulations — and, to a certain extent, a lack thereof — governing data in the United States before presenting emerging approaches to data governance in three case studies: one on data collaboratives, another on trustworthy intermediaries, and a third on data cooperatives (or co-ops).

First, the report discusses the legal landscape relating to data in the U.S. In the absence of a comprehensive federal data protection law, a self-regulatory approach focused on notice and choice has become the dominant approach to data governance. Additionally, this overview covers sectoral data governance rules — for example in the financial and healthcare sectors — and rules passed at the state level (notably in California, Colorado, Connecticut, Virginia, and Utah).

In the first case study, the report explores the potential of data collaboratives, specifically in the context of corporate risk management. Data collaboratives can facilitate the sharing and pooling of data between participants to unlock its collective value. This can be particularly helpful in sectors where data is available, but not shared and where data sharing doesn’t create competitive disadvantages. The report then discusses the concept of trustworthy intermediaries. Inspired by trust law — under which trustees manage certain assets based on a fiduciary duty they owe to a beneficiary — the idea of trustworthy intermediaries is to help people exercise more control over their data by compelling the intermediary to manage said data in their interest.

In the final case study, the report discusses data co-ops. Data co-ops are membership-based, collectively owned, and democratically governed organizations that serve the interests of their members. They are meant to collect, manage, and leverage members’ (and potentially others’) data, for example to empower gig workers vis-à-vis labor platforms.

How to read this guide

Throughout this report, you will find a number of recurring elements that make it easy to find exactly what you’re looking for. The result is a reference that does not need to be read from cover to cover in a linear way; you can simply dip in and out of different sections as needed. The recurring elements are:

• Brief summary boxes of key themes and findings from each section.
• Case studies that dive deep into specific approaches to data governance, compete with additional resources to extend your knowledge.
• Checklists of concrete steps that may help you in your journey.

Additionally, the report contains a glossary with brief explanations of specific concepts and legal texts.

What this guide does not include is legal advice. It rather aims to provide a starting point in your exploration of this topic to help you ask the right questions and identify areas where bespoke advice from lawyers is necessary.

Overview of the legal landscape

No single, comprehensive federal law regulates how companies collect, store, or share customer data in the United States. It is rather a fragmented body composed of constitutional protections, federal and state statutes, torts, regulatory rules and treaties, and self-regulation by companies. The closest to a baseline personal data governance law that exists in the U.S. is the Federal Trade Commission Act of 1914, Section 5, which since 1938 outlawed “unfair or deceptive acts or practices” in commerce.^[1] Following this mandate, the Federal Trade Commission (FTC) enforces companies’ privacy policies on companies.^[2]

Though many domains of law are relevant in data governance, three main bodies of law govern data in the United States: privacy law, intellectual property law, and antitrust and competition law. The analysis that follows concentrates on those bodies of law, what might come next, and how they can be best used by builders to employ alternative data governance in their own projects.

Self-regulation and notice and choice

Companies have written privacy policies (or “notice and choice” documents) — in which they describe the various ways they collect, use, and share users’ personal information — since the early days of the commercial internet. These privacy policies stem from the Fair Information Practice Principles (FIPP), first stated in 1973 in a report by the U.S. Department of Health, Education, and Welfare, and restated and expanded in the OECD Guidelines of 1980.^[3], ^[4] One of the most prominent FIPP is the individual right to be given notice about the data gathered about oneself and the right to know how it will be used. Another main FIPP is the individual right to consent to the collection and use of personal data.^[5]

Privacy policies were introduced as a largely voluntary measure adopted by companies on the internet to promote their privacy practices and to promote a self-regulatory order.^[6] This remains the case, but in most states, data collectors can use, share, or sell the data they collect from an individual without telling them that they are doing so, or how they are using the data. Similarly, no national law regulates if or when a company must notify individuals if their data is subject to a breach or exposed to unauthorized parties.^[7] However, since 2001, virtually all the most popular commercial websites have privacy notices. Under this regime, as long as companies give users notice and choice of their data practices, they are judged to be following the law.

The academic consensus is that given the size of the digital information economy and the reach of data markets and all forms of surveillance, this notice and choice regime leaves consumers with little protection. Not only do individuals rarely read privacy policies, which are often incomprehensible and full of legal jargon, but they also rarely have real choices.

There are, however, some important exceptions to the notice and choice regime. There are stricter rules that apply to particular sectors, in certain states, and that apply to the collection of data by the government. However, these rules are often also insufficient to meet the challenges of the digital age: Fourth Amendment protections don’t extend to information gathered by the government by browsing or scraping the internet, as this is information that individuals have already given away. Similarly, sectoral rules are outdated — most were enacted in the 80s and the 90s. For example, health tech apps like 23AndMe are not covered by the rules that apply to traditional health care institutions. We will go over the basics of those rules and identify opportunities for builders to do better.

Additional privacy rules that apply to specific sectors

Several sectors of the economy have so-called “sectoral privacy rules” that govern the collection, use, and disclosure of personal information by the key actors participating in them. If you are building something in any of these sectors, you should study them in depth — or, better, get some legal advice. Here’s the general idea.

Protections to credit history: The Fair Credit Reporting Act (FCRA)^[8] regulates how consumer reporting agencies can treat the information they collect. Consumer credit reporting agencies include credit bureaus, medical information companies, and tenant screening services. The FCRA limits who is allowed to see a credit report, what information the credit bureaus can collect, and how information is obtained.

Financial institutions: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.^[9] Typical financial institutions are companies that offer consumers financial products or services like loans, financial or investment advice, or insurance.^[10] Indeed, according to the law, only a company that is “significantly engaged” in financial activities is considered a financial institution. Key to its application, therefore, is the definition of whether a company is a financial institution, and some fintech companies are not covered. The act doesn’t cover how information can be used by the financial institution itself.

Traditional health care institutions: The privacy rule of HIPAA — the Health Insurance Portability and Accountability Act — addresses the use and disclosure of individuals’ health information, and their right to understand and control how it is used. A key goal is to ensure that health information is protected while allowing it to flow within the health system. Covered entities include health care providers and health plans, as well as the people working in these institutions, such as hospitals, pharmacies, and insurance companies. The law contains a list of permissible disclosure of information without individual authorization for treatment, payment, and (with certain limits) research and public health-related purposes.^[11]

School records: The Family Educational Rights and Privacy Act (FERPA), gives parents and eligible students control of their educational records. It prevents educational institutions from disclosing “personally identifiable information in educational records” without written consent.

Email and other telecommunications providers: The Electronic Communications Privacy Act (ECPA)^[12] restricts the real-time interception of a wire, oral, or electronic communication. A forbidden interception can be committed by using an electronic, mechanical, or other device (but not mere eavesdropping) and intentional access of a facility where electronic communication services are provided and obtained (such as emails that are not in transit). It also prohibits the installation of “pen registers” — devices that provide non-content information about the origin and destination of communications, such as the destination phone numbers.

Services for children: The Children’s Online Privacy Protection Rule (COPPA) imposes certain limits on data collection for websites and companies that collect personal information from kids under 13. The rule makes it mandatory to post a privacy policy that clearly and comprehensively describes how and what data is collected, how it is used, and a description of parental rights (which include reviewing their child’s information, directing companies to delete it, and refusing the collection). Parents must also be directly notified, and websites must get parental consent.^[13]

Video or streaming: The Video Privacy Protection Act (VPPA) prevents the disclosure of VHS rental records. Courts have applied it to streaming services too, which basically means that they cannot share personal identifiable information, except for purposes provided in the law, to third parties.^[14]

State privacy bills

In addition to the self-regulatory notice and choice regime and the sector-specific rules above, at least five states in the U.S. have introduced comprehensive privacy laws: California, Colorado, Connecticut, Virginia, and Utah. At the time of this writing, at least five more states are discussing privacy laws. You should keep an eye on those depending on where you plan to launch your service and product and where your clients or users will be. A good way to do so is via the International Association of Privacy Professional’s U.S. State Privacy Legislation Tracker.

Most state privacy laws are rather similar. They include provisions that give users a right to some type of notice, and create extra rights for users and obligations for the companies collecting data. With certain variance, consumers in these states typically have a right to:

• Access information has been collected about them and shared with third parties
• Rectify incorrect or outdated personal data about them
• Request deletion of personal data about them under certain conditions
• Request that their personal data be disclosed to them in a common file format, called data portability
• Opt-out of sales of their personal information to third parties

Privacy laws in California, Colorado, Connecticut, and Virginia include a right against automated decision-making, which prohibits businesses from using an automated process as the sole way to make a decision about a consumer without any human input.

These laws also create additional obligations on businesses to:

• Provide notice to consumers about certain data practices, privacy operations, and privacy programs
• Treat consumers under a certain age — usually 13 or 16 — with an opt-in default for the sale of their personal information

With certain variance they also oblige companies to:

• Conduct formal risk assessments of privacy and/or security projects or procedures
• Create a prohibition to discriminate against consumers who exercise their privacy rights
• Comply with a purpose limitation obligation that prohibits the processing of personal information for purposes other than those for which it was collected

Fiduciary duties in the privacy law literature: are data holders like doctors or lawyers?

There is a movement in American privacy scholarship to view digital privacy in relational terms of trust and trustworthiness. Scholars in this strand have proposed creating a legal fiduciary or loyalty duty in information societies.

These fiduciary duties would be like those that doctors and lawyers have to their patients and clients. According to the law, fiduciary obligations go beyond the ordinary obligation of good faith that applies to all commercial transactions. They are duties of care, confidentiality, and loyalty toward those being served in each context — medical patients, legal clients, children. Professor Jack Balkin, amongst other scholars, has suggested that “duties of confidentiality and care require digital companies to keep their customers’ data confidential and secure.”^[15]

Most fiduciary duties are created by law because they often have important reach beyond the parties of the relationship. But there is an academic discussion on whether fiduciary duties could be created by contract. Builders, in any case, could thus adopt contracts that bind them to act like a fiduciary to their users, and commit themselves to act with confidentiality and the utmost care when processing their users’ data.

Government and law enforcement

The Fourth Amendment protects “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”^[16] In the context of data privacy, this has come to mean a “reasonable expectation of privacy” protects the people from a government search. If the government wants to look into your house, your papers or emails or text messages, or your effects (belongings), then it will need a warrant.

The reasonable expectation of privacy refers most immediately to a person in their home, but the case law has evolved to recognize that people take their reasonable expectation of privacy with them. They take it into phone booths, as in Katz v. United States, where the Supreme Court found that the defendant enjoyed a reasonable expectation of privacy while making private calls in a phone booth (and ruled that the FBI’s warrantless tapping of the phone was illegal),^[17] and they take it with them in their cars and geolocational movements, as in United States v. Jones, where the Court ruled that planting a GPS device on a suspect’s car required a warrant.^[18]

While this may seem reasonable and expansive, there is a catch: If a person voluntarily gives information to a third party, then the recipient can do whatever they want with that information, as can recipients going forward. This includes sharing it with the government. For instance, imagine that Jack and Jackie are penpals and that the government wants to read their letters on the suspicion that Jack smuggles and trades contraband. Government agents cannot read the letters in Jack’s possession without a warrant, but they can read Jackie’s letters if they ask Jackie and she lets them. This is called the third-party doctrine.^[19] It’s important to note that while the Electronic Communications Privacy Act does impose several limitations on the government’s ability to collect information from a third party, it hardly prevents the government from using information that a third party voluntarily gives to the government.

One more important note on “privacy” itself: While these basics of Fourth Amendment jurisprudence focus on privacy as a kind of nondisclosure (protecting your data from the government’s prying eyes), another kind of privacy courses through the Constitution, too. That is privacy as noninterference, the notion that people can make decisions about fundamental rights for themselves without any government interference (e.g., take contraception or marry whomever they please). The two are of course related, but distinguishable.^[20]

A federal privacy law on the horizon?

At the time of writing this report, the U.S. Congress is discussing the American Data Protection and Privacy Act (ADPPA). As explained by Professors Neil Richards and Woodrow Hartzog, pioneers of the privacy as trust movement, this is “the most significant bipartisan privacy legislation introduced in more than a decade, and it represents an attempt to move beyond the ineffective notice and choice approach to privacy that has been the hallmark of U.S. legislators since the days of dial-up modems.”^[21]

Perhaps the most interesting provision of the bill is its duty of loyalty: Title I — “Duty of Loyalty.” The section starts by creating requirements for data minimization, which require entities collecting data to limit the information they collect, process, and transfer to that which is “reasonably necessary, proportionate, and limited to” only what they need to provide or maintain specific products or services.^[22] Professors Hartzog and Richards explain, however, that the bill falls short in this duty, even if strong data minimization rules are a key part of data loyalty. As they explain, “... data minimization is merely one aspect of acting in the best interests of trusting parties. Data loyalty rules should also cover manipulation, breaches of confidentiality, wrongful discrimination, and reckless and extractive engagement models. Data minimization rules only indirectly confront many of these issues.”^[23]

Nevertheless, there seems to be some convergence in Congress on data loyalty, as earlier bills and proposals were also anchored in duties of loyalty. Though the future of the bill remains unsure, it’s a safe bet to prepare for a future where data processors have something similar to duties of loyalty toward users and data subjects.

More: https://iapp.org/news/a/were-so-close-to-getting-data-loyalty-right/

Opportunities

As explained above, builders must be careful to comply with specific rules if their operations or product fall within one of the sectors that are specifically regulated or take place or have clients in one of the states with horizontal privacy laws. If this is not the case, however, there are few — if any — privacy protections that apply to builders in the U.S. (except whatever you are saying in your privacy policy, if you have one).

That does not mean there is little for builders to do. On the contrary, the self-regulatory approach invites builders to adopt good data governance practices in their operations. Through privacy policies and contractual arrangements, builders can create legal arrangements around data collection, processing practices, and operations that turn them into better data stewards in the digital information economy.^[24]

In the sections that follow, we draw from the existing academic and policy literature on ways to improve the digital information economy and adapt it to what builders could do with their own privacy policies. We dive deep into three opportunities: data collaboratives for risk management, data trusts for health data, and data commons for gig workers.

Before we go into our case studies, and if you want to keep it simple, the first thing builders could — and should do — is comply with the very basics of good and fair data governance principles that have been identified by documents like the Fair Information Practice Principles (FIPP) we briefly described above or other insights from other privacy rules. To do so, and in the interest of simplicity, we present a checklist for builders interested in adopting good, simple, data governance practices in their operations.

Case Study #1: Data collaboratives for risk management

What is it?

Data collaboratives are platforms that facilitate data exchanges for public interest goals.^[25] The philosophy behind data collaboratives is that sharing data can generate public value in key areas such as risk and safety management,^[26] prediction and forecasting,^[27] and the design and improvement of public services.^[28] They are seen as a potential solution to situations where data is available but is not pooled due to high transaction costs and lack of trusted intermediaries.^[29]

Data collaboratives are typically nonprofit organizations that operate and run the data collaborative platform.^[30] They have a clear mission, ranging from improving road safety to ameliorating disease prediction. They provide a platform for individuals, firms, and public bodies to share their own data in a trustworthy and safe manner in exchange for a service. The service can either take the form of data intelligence (e.g., insights on fire risks for tourists)^[31] or access to each other’s data (e.g., research collaboratives that enable researchers to share their datasets).^[32] To incentivize data supply, access to the data held by the collaborative or to the insights derived from the data is limited to the data providers.^[33]

Data collaboratives are based on two principles: 1) voluntary data sharing by data producers/holders and 2) reaping the combinatorial benefits of data. The data shared can be personal, non-personal, or both. It ranges from personal disease records to traffic data collected by navigation apps. Whilst this data is already out there, in the absence of sharing incentives, it stays with the data producers and holders. Thus, a key contribution of data collaboratives is that they solve coordination problems by creating a trusted third party that holds and/or processes data. However, it is for the builders to identify the possible data suppliers and incentivize them to contribute. After a certain reputation is built, data suppliers may approach the data collaboratives directly, but in the beginning, it is for the collaboratives to create a community of data providers.

HiLo — sharing fleet data for maritime safety

An example of a data collaborative is HiLo, a nonprofit organization that invites shipping companies to provide monthly data about their fleet in exchange for both tailored and industry-wide analytics on risks and safety.^[34] The goal of the platform is to “unlock the power of data to save lives.” It pools data received from subscribing fleets, processes it using predictive analytics, and delivers individualized and collective insights based on the data provided. Instead of paying for the risk and safety analytics, fleet owners provide their data; this creates a circuit where the data of each fleet is used to enhance the safety of all participating fleets. Aligned with its public interest mission, HiLo exhibits good data security practices, as none of the individual fleet data is shared with any other participating fleets. The only information shared is in the form of high-level industry aggregates that do not mention the performance of any specific fleet.

Building a data collaborative might be for you if…

Data collaboratives might be most useful in sectors or business functions where data is available, but is not shared due to high transaction costs, and data sharing might create value for many actors without creating threats for competition. This is the case for industries like public utilities and medical research or cross-sectoral business functions like risk and safety management.

Data collaboratives address the problem of insufficient data resources and lower the costs of data gathering, thereby enabling innovation by small and medium market players who are routinely trapped in ecosystems where big players amass outsized datasets and restrict data access.^[35] Data collaboratives can further reduce the transaction costs of data sharing, such as the cost of gathering information about potential sharing partners, and the cost of establishing a trustworthy infrastructure for exchanging data.

NetHope, for example, has gathered data from the private and the public sector in order to model the trajectory of the Ebola outbreaks in West Africa, hoping to materially contribute to the containment of the outbreak.^[36] California Data Collaborative (CaDC) compiles data from California-based water utility agencies, providing an overview of how much, when, and where water is used with the ultimate goal of informing superior water management policies.^[37]

The design of data collaboratives is centered around a data sharing protocol that specifies how the data is collected, aggregated, and processed (if applicable). Infrastructurally, this can take the form of a pigeonhole where data is manually updated, or of an API that enables the automatization of data sharing. Legally, this means that the data providers should be asked to sign a data licensing agreement that lays down the rights and obligations of both parties (more on this below).

Why do this? What are the potential benefits, limitations, and risks?

Data collaboratives are mechanisms to unlock the collective value of data. Their primary advantage is that they democratize access to data for stakeholders that would otherwise face difficulties, either because it is unavailable or too expensive. A further benefit of data collaboratives is that they do not only collect and aggregate data, but may also process it to generate insights that can lead to better policies, decisions, and design choices. Seen through this lens, collaboratives facilitate the production of knowledge.

A key limitation, however, is that the only data gathered is that of participants in the collaborative.^[38] Consequently, if the player with key insights is, for example, a platform who is a predominant participant in the market and they do not want to join a collaborative, the collaborative might not really deliver on its promise. It is important, for collaboratives to work, that they are adopted in sectors where data is dispersed and not primarily controlled by one actor.

Given the fact that data collaboratives collect, aggregate, and process data that can be highly sensitive, they are exposed to several risks:

• Private actors sharing data must be careful not to engage in cartel-like behavior. If you are building a data collaborative that is open only to a few, it could look like you are behaving like a cartel in a market. Indeed, competition law prohibits competing firms from coordinating actions amongst themselves. Thus, sharing information on the business — instead of security or the weather — such as goods sold, prices, and future projects can form the basis of collusive behavior and might be risky.^[39]
• The data shared can be sensitive. Developers need to make sure that the data is provided by parties that have the right to do so. Whilst tracing the pedigree of data may not be feasible, data exchanges can ask data providers to sign DLAs specifying that they had the right to transfer the data at stake. Similarly, it may be best not to share personal or sensitive information, but if it is shared, data collaboratives must ensure that the actor sharing the data has the explicit authorization to do so.
• Pulling data together into one repository creates different forms of cybersecurity risks. Make sure you adopt good architectures and risk models that ensure the safety of your information. For the same reason, the less personal and sensitive information is involved, the safer the situation may be.

Case Study #2: Trustworthy intermediaries for health data

What is it?

A data trust is a (potential) legal mechanism that has been proposed by scholars by which individuals could pool the rights over their data so that another person can manage those rights for their benefit.^[40] The idea of establishing data trusts comes from the experience with trusts in other spaces, where one person (the settlor) places the rights associated with an asset in trust to be managed by another (the trustee), who holds and manages the rights associated with an asset for the benefit of a third (the beneficiary). Trusts are typically used when the rights holder has some difficulty managing their own rights (maybe a minor with a big inheritance or business partners who establish a trust to manage the funds of a joint venture), making it beneficial to have a third party managing the assets for them.

A trust is a legal relationship, often explicitly allowed by a trust law. In the data governance space, data trusts have been proposed as alternatives to solve the problem of “privacy self-management” and information asymmetries, the problem individuals face when trying to understand the terms to which they agree when they consent to privacy notices, and more generally, when trying to exercise their privacy rights, such as whether they want to withdraw consent from a particular firm.^[41] In the health tech space, for example, these kinds of structures allow individuals to contribute their personal and highly sensitive data for research purposes. A trustee, whose main job is to look after the interests of users or clinical study subjects, can give them some assurance of proper data handling. Similarly, since these structures are often set up to last for many years, this assurance can survive changes in personnel, projects, or company ownership.^[42] Comparing these arrangements with other data sharing schemes, the particularity of data trusts is that an intermediary body is in charge of making the decisions about how the data is shared with others, and this intermediary has the particular duty to uphold the data rights holders’ interests first. It may thus be particularly useful if the data you are pulling together is sensitive, or if you are dealing with vulnerable communities.

There is no law yet that explicitly allows for or creates data trusts. This section thus examines a few trusted intermediary bodies that act as we just described in the health data space. Because they act like trusts but legally actually aren’t trusts, we call these “trustworthy intermediaries.” When trusts or other fiduciary relationships are created by law there are strict legal requirements about how the assets and information held by the trust can be shared, especially with actors such as law enforcement. There is an academic and judicial debate on whether trusts can be established only by contract, but because the question is not settled, we will refer to the examples we present here as trustworthy intermediaries.

These all have functioning intermediaries that create a trust-like environment to improve the data management environment for users and builders. Thus, legal ambiguity shouldn’t stop interested builders from setting up an intermediary and independent institution, with certain clear obligations and freedoms, whose main task is to guarantee the interests of the data subjects.

The Genomic Data Commons — an intermediary that facilitates cancer research

The Genomic Data Commons (GDC) is an initiative of the U.S. National Cancer Institute (NCI) to provide cancer researchers focusing on precision medicine with a repository and information base that enables data sharing across different cancer genomic studies. GDC was established to lead the NCI’s effort in generating critical datasets for cancer research — supporting different large-scale programs, but also providing the research community at large the receipt, quality control, integration, storage, and redistribution of standardized cancer genomic datasets derived from various NCI programs.

Individuals who want to access the data must apply for permission from the National Center for Biotechnology Information (NCBI) Database of Genotypes and Phenotypes (dbGaP) and must also promise to not attempt to identify individual human research participants. Only senior investigators at a level equivalent to a tenure track professor and National Institutes of Health investigators can apply.^[43] Similarly, dbGaP has a mandatory data management and sharing policy that establishes mechanisms and rules to keep data confidential and to limit its use to the research purposes approved by the intermediary.^[44] These rules help address the highly sensitive nature of health, genomic, and phenotypic data. Consequently, while research participants consent to their data and samples collection and agree that it will be shared for research, GDC has an embedded mechanism where NIS acts like a trustworthy intermediary who ensures the rights and interests of patients, while contributing to the wider goal of making data available for research.

Building a trusted intermediary might be for you if…

If you work with data that warrants an intermediary to ensure the interests of data subjects, trustworthy intermediaries might be a good fit for you. This could be the case for very sensitive data. It may also be for builders trying to bring groups together and give them more control over their data by setting up rules about what gets shared, with whom, and under what conditions, and for builders who wouldn’t mind appointing an independent actor to enforce said rules.

An example of an intermediary that gave users more control over their data was Data Does Good, a “consumer data collective” that “tried to help people pool together the value of their data” to provide a source of funding for charities.^[45] They did so by setting up a browser extension that gathered anonymous information about the products people shopped for on Amazon, and then monetizing the insights of those shopping trends to fund the nonprofit organizations of their choice. At the same time, they had a separate tool called Loofa that continually monitored and scrubbed people’s exposed personal information from the web. Data Does Good thus acted as a technical and institutional intermediary through which people could better assert and manage the interests they have over their data and shopping history by delegating some of that management to an intermediary. Through its interfaces, Data Does Good held and managed data and some of the insights associated with their shopping data and did so to benefit a party agreed to by data subjects. The project ran for two years before dissolving in 2018.

Why do this? What are the potential benefits, limitations, and risks?

Having a trusted and independent intermediary managing data promises two substantial improvements over some of the power imbalances present in the digital age. First, because data has almost no value unless in aggregate, individuals have almost no leverage in the modern data environment. Aggregating rights into a trust or a trust-like pool can give the manager of that pool the bargaining power inherent in aggregate data (importantly, this requires some technical form to collect the data at source). Second, people delegating the management of some of their data rights to a trusted intermediary get to decide exactly what rights they are delegating and the conditions under which the trusted intermediary can exercise those rights. This gives people the power to specify what data they want out there, and what exactly “out there” means.

Trusted intermediaries also offer organizations — companies, hospitals, governments, etc. — promising opportunities to set up trust-like relationships with the data subjects of information they would like to process for legitimate interests. A company would sponsor the creation of a data trust, for instance, to realize its commitment to customer privacy, while simultaneously having a third party make sure that the data processing is done in a fair and responsible way.

As we said earlier, though, data trusts mostly exist in legal academic literature. One reason may be that they pose a set of important challenges that builders trying to set up trusted intermediaries may also encounter. First, articulating the data rights to be conferred to the intermediary entity and, second, ensuring the intermediary has actual control over the data. Indeed, the idea of data trusts stems from concerns over how personal data is being monetized online and whether and how that can hurt individuals and societies by, for example, manipulating different forms of choice or inciting polarization. It is unclear, however, how these bodies could work without the agreement of big tech platforms. Social media platforms, for example, are the ones that produce data about users’ browsing history and then immediately store it in their servers for analysis. It is difficult to know, in this example, when and where an independently built data trust could intervene.

There are other instances, however, where data sharing is less ubiquitous, must be explicitly shared by individuals, and where the actors involved have a clear interest in ensuring users trust how their data is being processed and used. Here they may have great potential. The Genomic Data Commons, presented above, is of this kind.

A hypothetical example: Reproductive health apps

Reproductive health apps, for example period tracking apps, are enormously popular in the United States; researchers estimate that about one third of women, transgender men, and nonbinary people who menstruate use them during some period in their lives.^[46] But the vast majority, and certainly all of the most popular apps, have inadequate privacy protections for the user data they store on their servers and rely on to provide better products to their users.^[47] Even if the app makers don’t sell users’ data to third parties, just storing user data on company servers could expose them to nefarious actors or — after the Supreme Court overturned Roe v. Wade — prosecution and bounty hunters. This issue is particularly pressing as period trackers are not covered by HIPAA, because they are considered lifestyle apps.

Consequently, if an app decided to create a trusted intermediary, or become itself a trusted intermediary (using the user’s data only for the user’s benefits, and for purposes specifically agreed to) some of this risk could be averted. The terms of the intermediation could limit what kind of data is collected and processed and dictate the conditions under which the company could access and use it. Because data trusts are not recognized by a law in the U.S., and it is still unclear whether they’d be recognized in court, it is likely that establishing such an arrangement would not insulate user data entirely from law enforcement. They could still access it with a judicial warrant. The terms of the trusted intermediation could, however, preclude the company from selling the data, which would in turn make it hard for malicious actors or governmental actors to access this sensitive information in the data market.

It may well be that in instances where data is sensitive and unprotected, having a trusted intermediary manage that data could accomplish important things to isolate data subjects’ interests from any eventual commercial interests and could keep users’ personal health data safer than it is now. This would happen by virtue of having a trusted and neutral intermediary through mandatory bylaws and data governance policies that determine what — and under what condition — data can be used and shared, and whose main job it is to look out for users.

Case Study #3: Data co-ops and the platform economy

What is it?

A cooperative (or co-op), in general, is an association of persons who gather to meet a common economic or social goal through a collectively owned and democratically controlled entity. A data cooperative is such an entity; it’s a legal construct that facilitates the collaborative pooling of data by individuals or organizations for the economic, social, or cultural benefit of the group. In data co-ops, the legal entity usually administers some sort of software and interface — an app or website, for example — that gives insights or manages the data in the ways defined by the entity.

Worldwide, there are a few data cooperatives that pull data from the participants and, in doing so, try to solve for their members some of the issues often associated with the platform economy. These range from personal concerns — like privacy or labor rights — to societal and economic concerns — like who gets to benefit from the insights that pooled data delivers. Data cooperatives are collectively governed, and they seek to benefit each member individually, and empower all members as a collective.

Driver’s Seat — A data cooperative to empower gig workers through transparency

Driver’s Seat is a cooperative of on-demand drivers who gather their own combined driving data in an app to help them have more leverage and gain insights that are usually kept secret by employers. Indeed, since the early days of the gig economy, professional drivers have found ways around some of these new forms of control by sharing information on pricing for individual rides, salary disparities, and other information in online driver forums and WhatsApp groups.^[48] Since drivers often work alone, these forums are also very useful and primarily used to communicate routine workplace matters, like what to do in unsafe situations.^[49]

Driver’s Seat is a parallel app that collects data from drivers and analyzes it to help them understand their performance and earn more. Users can enable automatic tracking, which connects the platform to the rideshare and delivery platforms they use for work and automatically imports their gig activities and earnings into Driver’s Seat. The option to log data manually also exists. Additionally, the app accesses workers’ location to track their mileage.

Driver’s Seat’s business model is around selling data. To provide free data insights and services to gig workers, they pool and sell shared data to customers who support and understand their “driver first” mission. Clients include cities and transportation agencies that use the pooled data to understand work and transportation issues in the city.

Driver’s Seat is a cooperative owned by rideshare and delivery drivers. Its members elect and serve on the co-op’s board and are eligible for a share of its profits. From the information that is available, it doesn’t seem like all users are members of the co-op, but all members and users are ride-hailing or delivery drivers.

Building a data co-op might be for you if…

Data cooperatives may be particularly relevant for sectors where information asymmetries play a significant role in creating a problem. This is the case for students in surveilled and remote educational environments, all sorts of gig workers, and workers in widely digitized warehouses, who could use better insights into the data they are co-producing on these platforms to improve their bargaining position. At least theoretically, even small and medium enterprises (SMEs) that rely on platforms’ digital marketplaces to sell their products could be members of a co-op (but participating in a co-op may be against their bylaws, so SMEs could be better off establishing a data collaborative as discussed in Case Study #1).

The gig economy is an industry where data cooperatives may have important potential because it’s very data-intensive and data is used by companies to run experiments and improve their gains at the margin, often in ways that are hard for workers to understand.^[50] Indeed, one of the main challenges for individuals working in the platform economy is their further disempowerment vis-à-vis algorithmic management, digital surveillance in the workplace (whether in an office or a car), the gamification of work, and lack of control and information about when their work contracts might be terminated.

Antonio Aloisi and Valerio De Stefano, in Your Boss is an Algorithm, and Alex Rosenblat, in Uberland: How Algorithms Are Rewriting the Rules of Work, have identified that companies increasingly track a variety of personal and personalized statistics — such as ride acceptance rates, cancellation rates, and hours spent logged into the app — and then display them selectively to individual drivers to nudge them into actions. Similarly, through policies like surge pricing and rating systems, companies have further control over driver’ income and contracts. There is little accountability and transparency about how algorithms — and the companies behind them — make decisions, which disempowers workers.

Data co-ops thus offer a valuable remedy for participants in the platform economy who could benefit from understanding how decisions are made — insights that can be derived from collective data-pooling.

Why do this? What are the potential benefits, limitations, and risks?

Data co-ops can offer members and users the service of pooling information, analyzing it, and delivering it back synthesized — something that is hard to do in many online forums. A co-op can also participate in the marketplace for data on behalf of its members (as in the case of Driver’s Seat), upholding its mission and increasing the community of beneficiaries’ bargaining power and the value of their aggregated data.

Despite their advantages, it is important to keep in mind co-ops’ limitations and risks. A key limitation is that data co-ops will likely not solve the systemic or labor issues at play. They have the potential to give users and members some tools to derive value from their collective data and increase their leverage and bargaining power in their current situation, but not necessarily to tackle those situations themselves. As for the risks, it is important to keep in mind that collective governance and ownership is not equivalent to good governance. While it is true that collective governance may lead to a better representation of stakeholders’ interests, groups and leadership should also be treated carefully. To avoid problems downstream, it is important to have clear governance covenants that set out the mission of the co-op, clear limits on what can be done with the pooled data, and clear procedures about how decisions are made to ensure due process.

Where do you start?

Start by clearly identifying your problem and community. Remember that data co-ops are particularly beneficial to address issues where information asymmetries exist. Further, you should get legal advice and explore extensive resources like Co-opLaw.org to set up the cooperative, its governance structure, and its data governance rules. In general, though, the checklist below outlines the main steps you should take.

Additional resources

Acknowledgements

The author wishes to thank Giovanna Hajdu Hungria da Custódia for excellent editorial assistance and research assistance. We would further like to thank Stefan Baack, Lisa Gutermuth, Solana Larsen, and Kasia Odrozek, who provided valuable feedback on this work. We also thank Kristina Shu and Nancy Tran from Mozilla Foundation’s design team for their support in designing this report. Ran Zheng created the illustrations you’ll find throughout these pages. Thanks are further due to J. Bob Alotta, Champika Fernando, Mehan Jayasuriya, EM Lewis-Jong, Jackie Lu, Anouk Ruhaak, Udbhav Tiwari, and Richard Whitt for informing the direction of this project.

This work was led by Mozilla’s Insights team. Eeva Moore led design and engagement work, Kenrya Rankin edited the research, and Neha Ravella provided project management support. Maximilian Gahntz was the project lead.

Disclaimer

The content of this report does not constitute legal advice. Please seek the advice of a qualified attorney.