Data trusts to support participatory data governance in South Africa?

In South Africa, one of the most popular ways of saving money is through a stokvel scheme. With a stokvel, small groups of individuals collectively agree to contribute weekly or monthly to a shared savings pool. The practice has a long history, emanating from the country’s system of apartheid, when access to formal banking was denied for non-whites. Members benefit from the collective scheme by being able to access larger sums of savings, on a rotational basis, than they would otherwise be able to accumulate individually. While it remains a largely informal practice, it’s reported that there are almost R50 billion in savings, across over 11 million members, and South African banks increasingly are offering stokvel products and services.

Around the world, new tools – not too dissimilar in objective to the South African stokvel – are being explored and tested to provide collective and participatory means of governing data. The idea is to promote the management of data in ways that benefit those from whom data is collected. Data trusts are one such tool that have received much attention globally. While there are many iterations of what a data trust is and how it can function, the key premise is that it is a legally enforced governance structure wherein members pool their personal data and entrusts a data trustee, who has a fiduciary responsibility to act in the best interests of the members of the trust, to determine how this data is to be used and managed.

As new mechanisms are developed to strengthen the responsible governance of data in an increasingly datafied society, we must critically assess the applicability of tools such as data trusts in parts of the world, like South Africa – and more broadly the African continent.  With different legal structures, social contexts, and data needs, it is important to ensure that the outcomes of the deployment of such  data stewardship instruments for people and communities contribute to data justice.

Data governance in South Africa and Africa

The idea of data trusts arose as a means to better and more fully ensure that individuals could access and claim their rights with respect to the collection and processing of their personal data. They exist as a sub-structure to broader data governance and personal data protection laws and oversight institutions, and are legally constituted as a “trust” – that is, a legal entity or relationship established to hold property, rights or claims of another and make decisions in relation to those rights, claims or property solely in the best interests of its members. Data trusts, therefore, have been mooted as an important way of facilitating responsible data sharing as the very idea of a trust implies that that which is held by the trust is of value.

On the African continent, many countries are adopting personal data protection laws, and developing broader data governance policies. African Union member states recently adopted the comprehensive African Data Policy Framework covering both personal and non-personal data, for which Research ICT Africa has provided technical assistance.

Heat map of data protection laws in Africa (as of 2021).Source: International Bar Association.

While these laws serve as an important basis for determining further personal data governance structures, such as data trusts, provisions would need to be further interpreted or extended to provide a legal basis for some of the data-sharing activities associated with data trusts. For example, the consent model under the South African Protection of Personal Information Act (2013) has been the source of some disagreement amongst legal scholars with regard to what models of consent the law provides for. Whether a broad consent model – where a data subject consents to their data being processed further, including shared, for a purpose not specified at the time of collection – is permissible is one of the issues of contention. In addition, none of the data protection laws on the continent currently provide for a right of data portability, which is provided for under the General Data Protection Regulation of the European Union, and considered technically useful for many data trust arrangements. It is however one of the core data governance principles in the Africa Data Policy Framework, which could enable alternative forms of data stewardship in the domestication of the data policy at the national level.

Independent data protection authorities, which most African data protection laws provide for, will play an important role in interpreting current data protection provisions on the continent and overseeing the operations of data trusts, or similar mechanisms. However, many of these bodies are currently vastly under-resourced and are stretched in fulfilling their current mandates to monitor and enforce compliance. New structures must not, therefore, place further burdens on such authorities. 
An additional policy trend on the continent is in the adoption of policies or provisions that require data localisation – a trend evident in Kenya, Nigeria and South Africa. Data localisation can refer to various kinds of policy measures that encourage or mandate the retention of data within the physical territory of a country. This can be a technically complex – and even impossible – task when data is stored on a cloud, but it is also politically and economically contentious. In South Africa, a recent draft policy on Data and Cloud services put forward data localisation measures, stating that the lack of policy “to guide localized data acquisition, ownership, storage, use and analytics […] is a threat to both national security and social and economic growth”. Accordingly, the draft policy set out the following:

10.4.4 To ensure ownership and control: 

  • Data generated in South Africa shall be the property of South Africa, regardless of where the technology company is domiciled. 
  • Government shall act as a trustee for all government data generated within the borders of South Africa.

Received with much criticism, and subsequently retracted for further consultations and drafting, the draft policy clearly indicates the notion that data is to be owned, and it is therefore in the ownership of data that value from it can be gained – a premise which is economically unsound. This also stands in contrast to good data governance and a key premise of mechanisms such as data trusts which emphasise that data is not owned by the party collecting, storing or processing it, but stewarded. The stewardship of data and related legal and ethical responsibilities are also embedded in South Africa’s own data protection law.

Context matters!

In addition to assessing the applicability of the current and emerging regulatory conditions surrounding data governance in an African context, attention must be paid to broader social and cultural factors that may hinder the effectiveness, or render unsuitable, mechanisms such as data trusts. 
One of the major hindrances to the use of data trusts, as they are currently being imagined within a broadly Western context, is the limited reach of the formal system of law in many African societies. The efficacy of data trusts, as they are currently imagined, lies in trusted legal regimes that place enforceable fiduciary duties and responsibilities on data trustees. In South Africa, at least 16 million people (over 25% of the population, and over a third of South Africa’s black African population) live under customary legal systems where disputes and grievances are handled by traditional community-led processes. While customary law is recognised under the formal Roman-Dutch legal system of the country, the legal system of data protection and trust laws is neither the proffered nor common means with which many South African individuals and communities seek refuge from the exploitation of power or to resolve their issues.

This also translates into a broad lack of awareness of digital and data-related rights, a key finding of our book Human Rights and the Fourth Industrial Revolution in South Africa. Indeed, major policy efforts are required to support digital literacy, education and access, and to address the rampant digital inequality experienced on the African continent – all of which are a critical precondition for good data governance generally, and data trusts in particular. In doing so, substantive measures must be taken to address the differential gendered experience of access to digital tools and understanding of data rights.

The power imbalances that can play out in structures like data trusts, where a trustee is responsible for making decisions on behalf of others, must be taken into account. In a South African context, where there is limited understanding of data rights, or how personal data is accessed and collected through digital technologies, and where there is limited trust in the formal legal system, data trusts could simply exacerbate existing knowledge asymmetries. They could even provide opportunities for further data colonialism if data trustees are blindly trusted to act in the best interest of the trusts’ members who have limited access to legal recourse.

The ties with historical colonialism where local and indigenous populations were exploited under the pretence of the colonial trustees of their land and personage acting in their best interest cannot be forgotten, nor the role of the legal order in legitimising these practices and forms of governance. Moreover, given the knowledge asymmetries described above, data trusts could facilitate easy access – particularly where granted exemptions from particular provisions of data protection law to bypass more restrictive consent models – to all kinds of personal data, including the data of marginalised and vulnerable communities, for unethical and exploitative AI and data companies.

How do we move forward?

Data trusts may very well not be the best structure in a South African context to address major issues with regard to data exploitation, but could, instead, create a new mechanism through which the data of individuals and communities is extracted and exploited for the benefit of an elite few.

As exploitative data practices are on the rise across the continent, efforts are needed to decentralise the control of data and ensure that the use of data benefits those from whom it is collected and, as was outlined by Jeni Tennison, also those on whom? the use of data impacts. At Research ICT Africa, we are exploring different data governance mechanisms and policy options that may better serve our citizens and communities and their needs. This work includes studying African jurisprudence on collective rights and responsibilities, and the ways in which African societies have practised the participatory and collective management of resources. Our work also includes assessing how data trusts-like models could be imagined and constructed to fill the gap in access to remedy for data-related exploitation, and – critically – offer opportunities to support new kinds of communities that are not tied to the patriarchal traditions of many customary structures, such as data communities formed to advance the realisation of women’s rights in a particular area.