Legislating on Data Commons: What It Should (Not) Be

Alternative governance arrangements revolving around concepts such as the (data or digital) ‘commons’, ‘cooperatives’, ‘stewardships’ and ‘trusts’ have recently gained traction in discussions around the governance of digitized societies. Such forms of collective governance are often presented as more ‘democratic’ and ‘sustainable’ alternatives to the currently Big Tech-dominated economy. Their role has been seemingly recognized by the EU legislature with the introduction of the notion of ‘data cooperatives’ within the data legislation (Data Governance Act or ‘DGA’). In light of this momentum, in this blog we examine one of the often discussed models of alternative governance, i.e. the ‘data commons’, and critically evaluate its intersection with the law. 

For present purposes, we understand data commons – in a non technological-oriented way –, as a group of people, a community, or a collective that governs data and the related relationships they have as a group in a sustainable way. Our provisional definition of sustainability, to be unpacked in future research, has three dimensions: how the resource is being provided for, the conditions for community’s self-governance,  and its ecological/environmental impact. We thus move beyond interpretations of the commons that center around the alleged nature of data as a (common-pool) resource, such as Ostrom’s. In line with the broader discussions on the ‘commons’, our definitional endeavor has the advantage of situating data commons to the core of activities that relate to them (e.g. data-related practices) and the ways in which they are governed. This conception of data commons is broad enough to capture a wide variety of forms of collective data governance, including for example certain types of data cooperatives, data activism, Indigenous Data Sovereignty, irrespective of how they may intend to define themselves. 

In this blog post, we analyze the interplay between data commons and the law, following the two following questions. First, to what extent do recent laws recognize (and perhaps support the development of) data commons? We hereby focus on the EU data legislation that explicitly aims to structure the ‘European way for data governance’ (DGA, recital 32). Second, if we assume that the law has, should or at least could play a part in enhancing data commons, what should legislating for data commons look like?

The contested interplay of EU data legislation and data commons: the DGA…
In the DGA, the EU legislator explicitly recognizes a role for ‘data cooperatives’. Its introduction into EU data legislation thus begs the question of whether, by doing so, EU law now also recognizes data commons as defined here and (even more fundamentally) whether it endorses them as a governance model, advancing their causes and nurturing their development.

Many academics and activists expect data cooperatives, as bottom-up initiatives, to allow for promising forms for democratic data governance mechanisms to flourish as an alternative to the Big Tech-dominated economy. Although the term ‘cooperatives’ does not attract a consensual definition, it generally denotes a legal dimension, taken from corporate law, that enables activities to be democratically driven by social objectives rather than profit.

The DGA regards data cooperatives as data intermediation service providers that have as their main objective the supporting of data transactions. Such data cooperatives aim to ‘empower’ weaker parties by strengthening their bargaining position. They do so through the sharing of knowledge – e.g. on terms and conditions of data acquirers and on how to best preserve the weaker parties’ interests when trading data. Put differently, they leverage the collective as a bargaining tool in data transactions. 

From a legal point of view, the support that data cooperatives can furnish to their members or parties is procedural at best. Data cooperatives merely facilitate the procedure for reaching ‘fair’ data transactions between relatively independent actors. They are thus of limited use for substantively affecting both the content and outcome of data processing activities. In fact, data cooperatives under the DGA do not have data as the object of the jointly conducted activities. They engage neither in the joint production of data, nor in the joint management of the use of data. This means that both the original and secondary use of data lie outside of the activities of such data cooperatives. They do thus not – or little – contribute to the empowerment of weaker parties in digital environments frequently invoked by advocates for alternative data governance. Hence, data cooperatives under the DGA do not qualify as data commons as defined here. They are more resemblant of data unions.

It is noteworthy that the DGA’s lack of endorsement of data commons under its understanding of ‘data cooperatives’, however, does not mean as such that it hinders their coming into existence and flourishing. On the contrary, this protects them from the stringency of the legal regime laid down by the DGA. This nonetheless raises the question to what extent other sites of EU data legislation relating to data and data governance have the potential to support the development of data commons. The next section will turn to this matter.

… and the broader EU legislative framework on data
As stated by the European Commission in the European Data Strategy, its greater goals are to establish data markets while in check with ‘European values’ – such as data protection and fair competition. This translates, in particular, into the allocation of subjective rights to – or in relation to – data – such as data access, data portability, etc. under the Data Act and the proposed Health Data Space Regulation. Such rights then form the basis upon which data can be exchanged through various types of data transactions However, such legislation does not recognize the possibility for collective or community rights to – or in relation to – data, whereas these types of rights are frequently considered to be of high importance in the development and flourishing of forms of collective data governance like data commons.

The Data Strategy also requires the strong involvement of public authorities. This is for example visible with the proposed framework for ‘digital product passports’ (DPPs) under the proposed Ecodesign Regulation. At the crossroads of the data and circular economy, DPPs are expected to feed the demand from both private and public players for product-related data and information that are needed for circular strategies. The Commission aspires to require product manufacturers to make a broad array of such data and information available to the relevant players through a unique electronic passport. On the one hand, private players will store and manage data and information intended for other private entities in a decentralized manner. On the other, the Commission will run a centralized ‘registry’ concerning the use of such data and information that are intended for public authorities. The Health Data Space Regulation, which seeks to harmonize the conditions and stimulate the reuse of health data, also relies on the role and tasks of public authorities. Especially, national ‘health data access bodies’ will be entrusted to decide upon the access to and reuse of health data, based on the issuance of ‘data permits’. Once more, forms of collective or community-based data governance informed by our definition of data commons are not even discussed as a viable form of data governance. Public authorities, in other words, are expected to become the gatekeepers of an increasingly commercialized digital market.

The expected cumulative result of the above legislation is the reinforcement of old patterns of data production and the simultaneous related potential disempowerment of collectives and communities with an interest in governing their data sustainably such as through data commons. There thus seems to be little to no support reserved for the development of data commons in the existing recent EU data legislation. This begs the question of how legislation could (and perhaps should)  support data commons initiatives, as explored in the below section.

How laws could (and should) support data commons 
While some advocates and theorists of the commons may outright reject the idea that the law can have any place in the development of the commons, we take an open-ended position on this question. Based on three case-studies that illustrate in different ways the various roles data could play in collective governance arrangements, we explore the potential roles that laws could (and perhaps should) have to support data commons.

First, the ‘shared server model’ is one of the options envisaged to empower weaker actors – including independent car repairers – against the data-driven dominance that car manufacturers have acquired on car industrial ecosystems through exclusive appropriation of in-car data. The model intends to empower actors by instantiating collective governance procedures over both the generation and processing of such data. This attempt to collectively govern the data and tech-related sides of car manufacturing makes this model qualify as a data commons. In order to transition from ‘data commons in the books’ to ‘data commons in the street’, the law appears to be necessary, for example to establish data commons and require participation of relevant actors – especially car manufacturers – in it. 

Our second case-study involves the many interrelated ‘Indigenous Data Sovereignty’ (IDS) movements that fight for rights to control, access, and analyze their data. In general, IDS movements are initiated by specific Indigenous communities with an interest in the governance of datasets by or about themselves, and see their efforts as part of more encompassing effort to counter (data-related) harms inflicted to them by settler States – for instance, concerning the health of Maori peoples). For such forms of data commoning, rights to, for instance, ownership of data, are only a single element of the rights they fight for in their decolonial struggles. The law could thus play some role in recognising and furthering the social and political justice considerations underpinning the development of these data commons through, for instance, the establishment of communities’ political independence.

A third example concerns the attempt of a neighborhood in Detroit to deal with a structural problem affecting them. Multiple black children were killed by white drivers in a short period of time on the same street corner. To be able to make a case that these casualties were not incidents but a structural problem, the community started to gather and produce data about these deaths themselves, transform these into a map, and by doing so, engaged in a form of collective data governance as a means to visualize oppression and challenge (governmental) power. The legal and political recognition of the – including: evidentiary – validity of the data thus gathered and produced, are for this data commons of existential importance

Beyond Data Governance?
Now, what can we learn from the above case studies concerning the role that laws could play to support data commons? First, ‘data’ does not stand as the sole focal point or the economic resource being collectively governed. Data look to other purposes. They are functional to fulfilling other objectives, with the community or collective potentially varying in its level of involvement in pursuing these. Being incorporated into such a broader ecosystem, data are governed to help strengthen or empower the concerned community vis-à-vis other actors or to equalize members within a community. A crucial component is the generation of data, including the technological design and the agenda setting for deciding about what – and whose – data should be generated in the first place, and for which purpose. Enabling communities (and members thereof) to make such decisions in connection to – but not necessarily centered head-on on – data, is considered key to empowering them.

Second, the law is often anticipated and expected to recognize communities, putting their role, legitimacy, interests and prerogatives front and center to pursue specific actions and practices. Second, the law is often anticipated and expected to recognize communities, putting their role, legitimacy, interests and prerogatives front and centre to pursue specific actions and practices. This may include specific rights or provisions to – or in relation to – data, pertaining for example to their evidentiary role, to the very right and means to generate data in the first place (for example, with respect to data concerning public roads), etc.

Third, in light of the existing significant power imbalances, which data commons aim to overcome to some extent, the law may prove useful or even necessary to navigate the transition towards – more established renditions of – data commons, for example by requiring, facilitating and/or supporting the participation in the data commons or by contributing to their governance in case of power unbalance between the members.

At this point, it is clear that ‘data commons law’ does not – and arguably, should not – exist. Various legislations may be called upon to intervene, depending on local needs, that (may) include but cannot be limited to ‘data-related’ ones. They may range from municipal decrees to allow for and recognize road safety data collection on public roads, to technical harmonization and certification of vehicles, evidentiary law, the legal status of indigenous peoples or of civil society organizations to engage into certain activities. 

Another finding is that EU data legislation is not only not conducive to data commons, but it could undermine their development. This is because EU data legislation endorses data as the primary regulatory subject-matter -subject to mandatory transactions – and relatedly the legitimacy of the steady exclusive control of the data technological environment by powerful actors such as car manufacturers (for a similar argument predating EU data legislation, see here). This makes it more difficult both materially and discursively for data commons to flourish sustainably and autonomously. 

Finally, data commons can be considered as an avenue to address certain issues and empower weaker actors, such as in the context of the examined case studies. However, we do not see evidence that data commons are capable of and that they should thus be construed as a cure-all-tool for all tech or data-related problems. For example, data-driven predictive policing raises not only – and maybe not mainly – the question of who governs and how, but also and primarily whether we, as a society, want the associated permanent surveillance of (innocent) citizens or not.

Conclusions
In this blog post, we have provided a first exploration of the relationship between data commons and the law. 

In its attempt to structure an EU way of data governance, EU data legislation gives prominence to data markets to which states may lean a hand in case of ‘market failures’. The notion of ‘data cooperative’ recognized in the DGA does not refer to data commons as defined above, but rather to a market-oriented form of data unionism. Other legislative initiatives referring to practices that could have been associated with the data commons stop short of recognising such an idea. They end up advancing (re-)allocative data governance models (Data Act, Health Data Space Regulation), or putting public authorities and institutions in the forefront as a piecemeal solution to mitigate the dominant firms’ data power (DPPs). As a result, EU data legislation does not recognize data commons. It rather sidelines them by making other governance mechanisms more prominent.  In certain cases, it prevents or at least complicates data commons to arise and/or develop. 

Yet, the picture is not altogether grim. We have shown how the law can (and perhaps should) support data commons through the analysis of three case studies. Very much in contrast with the established course of action of the EU, we found that data commons initiatives do not necessarily put ‘data’ front and centre. Data are instrumental to broader societal goals which, in our case studies, pertain to various forms of empowerment of communities (and their members). The local nature of data commons implies that the role expected to be played by the law differs from one to the other and does not necessarily (only) have to do with rights to – or in relation to – data. 

We do not argue in favor of a ‘data commons law’ – a new ‘law of the horse’! Of course, data commons serves as a conceptual and analytical tool and helps to emphasize the local conditions of data. The adequate regulatory level should be that of the purpose of data commons. Concerns about local situations does not prevent any further generalization of the law’s potential for supporting data commons. Instead, we advocate for thorough empirical research that identifies shared principles for legal frameworks that help data commons bourgeon. That data commons are inherently local does also not imply that they shall necessarily consist of mere standalone initiatives. Out of sustainability concerns and in order to deliver on their empowerment goals, they may also have to consider how they relate both to one another (‘inter-community’ relationships) and to the rest of the world. Using data commons as an analytical tool leads to asking questions as to what the ‘data governance’ framework means and implies, for example whether it necessarily implies that ‘data’ be considered (solely) as a resource and what implications this has for the understanding of ‘governance’.

About the authors: Charlotte Ducuing, Gijs Van Maanen, Tommaso Fia

Acknowledgements:
Parts of Gijs van Maanen’s and Charlotte Ducuing’s contributions to the writing of this blog post were part of the project ‘Understanding Information for Legal Protection of People Against Information-Induced Harms’ (‘INFO-LEG’). This project received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program (grant agreement No. 716971). The blog essay reflects only the authors’ views, and the ERC is not responsible for any use that may be made of the information it contains.