Abstract

In our data-driven society, personal data affecting individuals as data subjects are increasingly being collected and processed by sizeable and international companies. While data protection laws and privacy technologies attempt to limit the impact of data breaches and privacy scandals, they rely on individuals having a detailed understanding of the available recourse, resulting in the responsibilization of data protection. Existing data stewardship frameworks incorporate data-protection-by-design principles but may not include data subjects in the data protection process itself, relying on supplementary legal doctrines to better enforce data protection regulations. To better protect individual autonomy over personal data, this paper proposes a data protection-focused data commons to encourage co-creation of data protection solutions and rebalance power between data subjects and data controllers. We conduct interviews with commons experts to identify the institutional barriers to creating a commons and challenges of incorporating data protection principles into a commons, encouraging participatory innovation in data governance. We find that working with stakeholders of different backgrounds can support a commons’ implementation by openly recognizing data protection limitations in laws, technologies, and policies when applied independently. We propose requirements for deploying a data protection-focused data commons by applying our findings and data protection principles such as purpose limitation and exercising data subject rights to the Institutional Analysis and Development (IAD) framework. Finally, we map the IAD framework into a commons checklist for policy-makers to accommodate co-creation and participation for all stakeholders, balancing the data protection of data subjects with opportunities for seeking value from personal data.

Highlights

  • This section is split into four parts: First, we describe existing collaborative data stewardship frameworks by empirically assessing their attempt to support better data protection for data subjects through direct engagement

  • 1990) and applying engagement mechanisms to innovations in our digital economy (Fung, 2015), we suggest that a commons for data protection, a “data commons,” can be created to allow data subjects to collectively curate, inform, and protect each other through data sharing and the collective exercise of data protection rights

  • We conclude that a co-created data protection-focused data commons can support more accountable data protection practices, management, and sharing for the benefit of data subjects, data controllers, and policy-makers to overcome the limitations of laws and technologies in protecting personal data


Summary

Introduction

This section is split into four parts: First, we describe existing collaborative data stewardship frameworks by empirically assessing their attempt to support better data protection for data subjects through direct engagement. New data stewardship frameworks, such as data trusts, data foundations, and data cooperatives, have been devised in order to protect data subjects as well as to involve them and other stakeholders in the co-creation of data protection solutions (Data Economy Lab, 2021b; Ada Lovelace Institute, 2021c). While these data stewardship frameworks may help mobilize data protection rights, there are significant organizational, legal, and technical differences between them. While data subject vulnerability and their limited ability to engage with the day-to-day choices underlying data governance are acknowledged by these frameworks (Delacroix and Lawrence, 2019), many data trusts remain top-down in nature and overlook the data subject’s perspective.
