A data trust enables organisations to securely share and access information that might otherwise be unavailable (or might be available only from diverse or not readily accessible sources) to apply advanced analytics and Artificial Intelligence (AI) to it. To achieve that, the trust receives and holds a bank of digital information which is then managed independently and made available to specific parties for specific purposes in order to facilitate the superior delivery of projects, goods or services. The scope is extremely wide, with existing and pilot examples ranging from tackling the illegal trade in wildlife, prevention of food wastage, and urban planning and development management.
Data trusts are integral to growing the UK’s digital economy. An independent report commissioned by the Government in 2017 [i] recommended that “To facilitate the sharing of data between organisations holding data and organisations looking to use data to develop AI, Government and industry should deliver a programme to develop data trusts - proven and trusted frameworks and agreements - to ensure exchanges are secure and mutually beneficial” [ii] Following that, in 2018/2019, the UK Open Data Institute (the ODI) joined with the Office for Artificial Intelligence and Innovate UK to investigate whether data trusts were suitable for increasing trust in and access to data. Their conclusion [iii] was that they were, and also preserved the essential element of trust: that is, the confidence of those contributing and sharing data that the structure is sufficiently resilient (and those independently managing it of sufficient integrity) to be sure the data is kept securely and used only for the purposes for which it was provided. The most suitable vehicle, they thought, was the English law trust, where the “independent person, group or entity stewarding the data takes on a fiduciary duty. In law, a fiduciary duty is considered the highest level of obligation that one party can owe to another – a fiduciary duty in this context involves stewarding data with impartiality, prudence, transparency and undivided loyalty”.
There remains, however, uncertainty as to the form a “data trust” should take, with not everyone agreeing a traditional (English form) trust is the most suitable. The independent report in 2017, for instance, concluded that data trusts were “not a legal entity or institution, but rather a set of relationships underpinned by a repeatable framework, compliant with parties’ obligations, to share data in a fair, safe and equitable way”.[iv] And more recently, in a legal report commissioned by the ODI, [v] lawyers working in conjunction with Queen Mary’s College, London, thought that, whilst superficially attractive, a trust was not appropriate and a contractual or corporate model was preferable, [vi] because
“The key disadvantage to the traditional model is that the law, as it stands currently, does not consider data to be an asset capable of being held under a legal trust, i.e. as property. Additionally, traditional equitable trust of physical assets, as it stands, can only be managed for the benefit of the beneficiaries under the legal trust. This not only means that the public benefit of the trust data is at best a secondary aim, but it equally means that trustees themselves cannot benefit from administering the legal trust unless the legal trust deed expressly permits this, although they can be indemnified out of trust assets for all costs, charges and expenses that are properly incurred. This therefore means that the trustees would have to be independent of the beneficiaries (in this case the data providers as well as data users), otherwise the providers would not be able to receive a benefit from this model”. [vii]
In a report in 2020 [viii] the ODI acknowledged the ongoing controversy about the legal form a data trust should take but concluded its ongoing work was not reliant on the controversy being resolved. Some might take issue with that for certainty’s sake but in fairness, arrangements similar to data trusts have been established as corporate vehicles such as charitable companies [ix] and even the ODI has never been wedded to the idea that trusts are the only way to create one.
Maybe this is where Guernsey comes in. As a jurisdiction with established expertise in administering trusts for all purposes (including commercial ones) and a modern system of trust law, it seems worth considering to what extent Guernsey can offer a solution to the debate.
Let’s look at the concerns identified in the legal report more closely. As to the first, some doubts may now have been removed since academics, such as Professor Ben McFarlane, [x] concluded that under English law, data can be held within a trust. In Guernsey, legislation clarifies the position, as section 7(1) of the Trusts (Guernsey) Law, 2007 (the Trust Law) says that any property may be held on trust, and where “property” means “real and personal property of any description, wherever situated, and any share, right or interest therein, and includes tangible or intangible property and any debt or thing in action, [and] ..in relation to rights and interests, includes rights and interests whether vested, contingent, defeasible or future”. That broad definition extends to assignable and non-assignable rights [xi] which can be trust property under English law.
As to the second concern, the availability in Guernsey of an independent professional (fiduciary) trustee should address any perceived difficulty in the data providers and users deriving benefit. A typical trust structure, in which data owners “settle” or transfer their data to the trustee which then holds and manages it for the benefit of a class of beneficiaries or data users which may include the trustee or the “settlor” [xii] and which may be added to as and when new data users come forward,[xiii] is readily available. Guernsey also offers an alternative model should concern remain about who may be beneficiaries, as (unlike English law) it permits non-charitable purpose trusts [xiv] with a trustee and with or without beneficiaries, but where the purpose is enforced by a separate (fiduciary) “enforcer” [xv] (which may not profit from its office [xvi]). This would allow a data trust to be established there for one or more particular purposes, whether charitable or not, but without fear of invalidity or inadequate independent supervision.
Legal uncertainties surrounding data trusts go beyond the form they should take. There is also the question of how data owners’ rights and interests will be protected. Unlike the settlors of private trusts, who cede their rights to enjoy property they settle on trust, most data owners will want to use and improve their data when held by the trustee; and they will want their personal and property rights in the data fully respected when it is made available to and used by others. That a data trustee owes a fiduciary duty in respect of the data is only a partial solution, as trust law says that duty is owed to the beneficiaries, not the settlor. Making the data owner settlor a beneficiary is one answer, as it permits its use of the data; and if as seems likely, the Guernsey trust law duties to act “en bon pere de famille” [xvii] and to preserve the trust property, [xviii] embrace maintaining confidence [xix] and protecting any database or Intellectual Property (IP) rights in that property, the data owner’s interests will be represented by the trustee in its dealings with the data and the beneficiaries. The same applies if the data trust is a non-charitable purpose trust, as the purpose of having the owner make the data freely available (which the trustee must promote) would not be served by the trustee administering the data contrary to the owner’s interests. Even if the owner is not a beneficiary, a Guernsey trust can give it a managerial role, [xx] and if the data trust is revocable or terminable by the data owner settlor, it could (to protect its own interests) properly call for the return of the data if its rights were not respected.
That leaves General Data Protection Regulation (GDPR). Data owners want their data protection rights preserved. Here, it is said, lies a problem which is that as it seems data subject rights cannot be assigned, [xxi] they cannot be held on trust; indeed, the very act of giving away one’s data subject rights to a third party would amount to giving up the fundamental protections afforded by Art. 8 of the European Convention on Human Rights (ECHR). If that is right, then, potentially there may be a problem for data trusts. Again, however, Guernsey may offer a solution. If one thinks of a trust as a gift on terms, there seems nothing to prevent a data owner from assigning data to a Guernsey trustee on terms that it will process any personal data either as a processor on behalf of the data owner or more likely as a joint controller. So either way, whilst it will have parted with ownership of the data, it will retain its data subject rights which will become exercisable against the trustee under Guernsey’s data protection legislation which mirrors GDPR.
[i] “Growing the artificial intelligence industry in the UK”, Professor Dame Wendy Hall and Jérôme Pesenti.
[ii] Ibid, p.4.
[iii] “Data trusts; lessons from three pilots”, 15 April 2019.
[iv] Fn1 above, p.46.
[v] “Data trusts; legal and governance considerations”, April 2019.
[vi] Ibid, Section 2.
[vii] Ibid, page 17.
[viii] “Data Trusts in 2020”, 17 March 2020.
[ix] See e.g. the UK Biobank example given by the ODI.
[x] McFarlane, B. (2019). “Data Trusts and Defining Property”. Available at https://www.law.ox.ac.uk/research-and-subject-groups/property- law/blog/2019/10/data-trusts-and-defining property
[xi] E.g. Don King Productions Inc v Warren  Ch 291.
[xii] Section 8(4) of the Trust Law.
[xiii] Ibid, section 8(2).
[xiv] Ibid, section 1 (b), and where (section 80) a “purpose” is defined to include “the holding or ownership of property and the exercise of functions”.
[xv] Ibid. section 12 (2).
[xvi] Ibid, section 13 (1).
[xvii] Ibid, section 22.
[xviii] Ibid, section 23.
[xix] See In re B, Guernsey Court of Appeal, 35/2012.
[xx] Section 15 (1) (d) of the Trust Law says a Guernsey law trust is not invalidated by the reservation to the settlor or any other person, “a power to give directions to the trustee in connection with the purchase, retention, sale, management, lending or charging of the trust property or the exercise of any function arising in respect of such property”.
[xxi] See, for instance, Roohak, “Data Trusts in Germany”, December 2020, referencing (p. 14) the European Commission’s proposal for a Data Governance Act where the Commission states that: “It is important to acknowledge that the rights under Regulation (EU) 2016/679 can only be exercised by each individual and cannot be conferred or delegated to a data cooperative” - European Commission (2020), Regulation of the European Parliament and of the Council on European Data Governance (Data Governance Act), p. 18.
Paul qualified as a solicitor of the Supreme Court of England & Wales in 1995, since then he has worked in London and Guernsey specialising in contentious trust and pensions work. Prior to joining Trust Corporation International, Paul was a group partner with two leading Guernsey law firms and in house legal counsel at a Guernsey utility. On the trust side, Paul specialises in managing complex disputes, having previously advised on a number of the most significant trust cases in Guernsey in recent years. Paul also works on contentious pension matters, having acted, before joining Trust Corporation, in a number of major pension disputes in Guernsey. Paul has over twenty years’ experience in structuring and establishing complex trusts and pension schemes, and working with their trustees and advisors. As well as his trust and pensions work, Paul is also a prolific writer and has published numerous articles on trust and pensions law in practitioners’ and academic journals and has contributed chapters to a number of books.