Data Trusts for the Automotive Sector

29 JANUARY 2020

| 8 min read

The automotive industry has seen a growth in the number of inter organisation collaborations. These collaborations have seen a dramatic rise in the quantity of data being shared in order to solve complex problems. As a result, there is now a growing need for the industry to resolve the issue of how it will share such large quantities of data in a transparent and ethical manner. One approach to this issue is the use of data trusts.

With the general rise in interconnected technologies, the automotive sector has also seen an increase in the use of interconnected technologies and big data such as in connected cars and the development of autonomous vehicles.

A report by Deloitte stated that 64% of consumers now consider privacy of data a key factor when purchasing a car. The report also stated that if consumers perceive that their data will be handled in a transparent and ethical manner, then they are much more likely to engage with new technologies. With the development of autonomous vehicles the need for sharing vast quantities of data increases. Therefore, it is important for companies in the automotive sector to demonstrate that their customers’ data is handled in an ethical manner to ensure that the uptake of new technologies is positive and customers are reassured that any concerns may have about how their data is being shared are put to rest.

What is a Data Trust?

The Open Data Institute (ODI) defines a data trust as: ‘a legal structure that provides independent stewardship of data’. However, the concept of data trusts is relatively new, and the operation of data trusts is still not fully understood so it is yet to be seen exactly what form a data trust will take.
Why use a data trust?

As the use of big data increases in society, the need for trustworthy data stewardship becomes increasingly important. With this increase in data, the need to establish different approaches to deciding who should have access to data, for what purposes and to whose benefit also increases. The ODI suggests that data trusts could be one approach to address the need for greater data stewardship.

One way in which the ODI envisages data trusts could help achieve greater data stewardship, is that data trusts will have trustees who are responsible for deciding when data will be shared and to whom, as well as what data is shared and on what terms. The ODI envisages that the creation of data trusts will allow the public to have greater access to and control over the use of their data, which in turn will increase public trust in data-collecting and holding organisations.
Legal issues arising under data trusts

Structure of a data trust

One of the main constraints on the use of data trusts at present is that there is no definitive structure of a data trust. A legal report commissioned by the ODI suggests that there are five potential legal structures for data trusts. We have provided a summary of each potential structure below.

1. Traditional Legal Trust

This model would adopt the traditional model of a legal trust in that the data is administered by the trustees on behalf of the beneficiaries. However, there are two issues with this approach, the first is that the law does not currently recognise data as property and so cannot be held under trust, and the second is that for an ordinary legal trust, trustees are required act in the best interests of the beneficiaries when dealing with trust property. This means that trust property cannot be used for a socially beneficial purposes if that use does not also benefit the beneficiaries of the trust.

2. Contractual Framework Model

This model would be similar in nature to a standard data sharing agreement, which would form a contractual agreement between the data provider, data users and any third parties who accede to the agreement. The benefit of this method is that it is flexible and the agreement can be varied in accordance with the needs of the parties entering into. However, as there would be no centralised management of the data, this method could lead to the governance of the data being problematic, which could then cause the public’s faith in such arrangements to diminish and as such an increase in the public’s reluctance to share their data.

3. Corporate Model

Under a corporate model, it is envisaged that a separate entity (e.g. company or partnership) would be established to manage the data and the access granted to it. With this model most entities would be able to hold assets (such as a database of data) and representatives of the stakeholders could make up the board who would manage the day-to-day operations of the corporate body. Additionally there are established forms of governance which would dictate the running of the company. That being said, in the case of limited companies, its directors have a duty to act in the interest of the company. This means that the directors may be forced to disregard the benefit to the public in favour of that of the company.

4. Public Model

The legal report commissioned by the ODI states that this model does not yet exists but it hypothesises a public regulator either similar to or being the Information Commissioner’s Office (ICO) being set up to regulate data trusts and enforce breaches of such regulations. The benefit to this model is that with a public regulator acting in the public interest, the public’s fears of the unscrupulous use of their data to an organisation may be waylaid. The main disadvantage of this approach, is that such a regulator does not yet exist and the cost of establishing and continual funding may not be deemed necessary by the government.

5. Community Interest Company (CIC) Model

A CIC is a type of company that focuses on a social purpose. That being said, it can still operate like a company in that it can distribute profits. The benefit of the CIC approach is that there is a governance structure in place as with limited companies. However, a CIC still has a social purpose which the CIC would have to demonstrate that it is operating towards. There are drawbacks to this model. It has not been confirmed whether or not the regulator of CICs would accept a data trust as qualifying as a CIC. Additionally, CICs are subject to an “asset lock”, this prevents members from using assets of the CIC for their benefit unless the use of that asset is incidental to the CIC’s social purpose. There are “legal” workarounds to bypass this issue. However, whether these are viable alternatives from a commercial perspective are yet to be seen.

As can be seen from the above summaries, the current structures may not be suitable for the novel issues caused by data sharing on such a large scale. How this issue is resolved remains to be seen.
Other legal issues
In addition to the issues with the structure of data trusts discussed above, the ODI commissioned legal report states that there are additional legal issues that data trusts face. The two issues of particular importance are:

Personal data

It is likely that the datasets utilised by a data trust will contain personal data, i.e. data which relates to an identified or identifiable living human individual. If that is the case, then those individuals have rights which include privacy, non-discrimination and data protection. One of the key responsibilities of a data trust is to ensure that the sharing of data does not infringe those rights.

Under EU data protection laws there are significant restrictions on when it is possible to share personal data. If data is collected for one purpose then it unlikely that the same personal data can be used for a different purpose, unless there is a lawful ground for such further processing. Under EU data protection laws, the lawful grounds for processing are:
- obtaining the consent of the data subject;
- the processing is necessary for the performance of a contract between the data subject and the organisation;
- the organisation has a legal obligation to process the data;
- the processing is vital to protect someone’s life;
- the processing is necessary to perform a task in the public interest; and
- the processing is necessary for the legitimate interest of the organisation or a third party (unless this is overridden by privacy interests).
If none of the above grounds apply to the processing of personal data then such processing is likely to be unlawful.

One possible solution to this issue is that data providers should consider whether or not they require personal data to be collected to give the full effect of the service they wish to provide. If the data providers choose a data minimalist approach i.e. where they collect little to no personal data, this may remove barriers to data sharing in a data trust and allow data to be shared more efficiently.

Confidentiality

The issue of confidentiality can be broken down into two further sub-issues. These are (1) the law on confidentiality more generally and (2) commercial confidentiality. We have commented on both of these issues below.

Whilst one of the main barriers to data trust is the public’s perception of how companies will use their data, the same is true for the companies who are sharing their data and their data sets that they have collected. These companies are likely to be concerned about the potential use of that data by competitors. This may lead to companies providing incomplete data sets or withholding more commercial sensitive data if they take the view that sharing that data could be used in a means that is detrimental to the interests of the company.

The law protects the confidentiality of information where its disclosure imposes on the recipient a duty to preserve it as confidential. It is likely, by its very nature, that personal information will be subject to obligations of confidence when it is disclosed (for example medical or financial data). Company data, such as sales figures or customer locations, is also likely to be confidential. Sharing would disclose that confidential information to other researchers and thus be in breach of the law unless there were consent or some other legal justification for the sharing.

As with the issues around the legal structure of data trusts, there are numerous other issues that will need to be addressed in order to ensure the smooth operation of data sharing in data trusts.
One final point to consider
Stakeholder Engagement

One of the key themes of data trusts is to ensure that all stakeholders are represented when it comes to the sharing of data. Consider engaging with the following stakeholders to ascertain what their concerns are and to avoid any potential disputes in the future:
- Data holders - From the private, public and third sectors. These entities could increase access to the data they hold. Could the sharing of data that has already been collected be a more efficient and less intrusive way of sourcing data?
- Groups working with data holders - Are there groups that are currently establishing data trusts? Could you help them scope, design and operate a data trust, or independently assess it so that other people know whether to trust it?
- Citizens and consumers – These groups might advocate for a data trust to be created because they want the decisions about how data about them, is shared or used to be more transparent manner.
- Data users – Who might want to engage in a data trust? Do they have a legitimate reason to access the data held by a data trust?
- Governments – Is the data that is being collected potentially sensitive or is there a need for balance between citizens and data users/holders? If so, then a government might mandate a data trust, for example because data holders are unfairly restricting access.
Conclusion

Even though data trusts are still in the early stages of development, we suggest that sound data stewardship and engagement with stakeholders should always be considered by companies who utilise data in their day to day business. Not only will it assist in the uptake of new technologies but it can also help to avoid any reputational damage that can be caused by the wrongful use of data.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Data Trusts for the Automotive Sector

Our content explained

Further reading

Simplified sustainability reporting standards on the horizon for SMEs

Visitors

Existing clients

Staff