Community Data Trusts — Governing Shared Information Collectively

In 1549, Robert Kett led thousands of Norfolk peasants in a rebellion against the enclosure of common land. They tore down fences. They demanded the old rights back. They lost. Kett was hanged from the walls of Norwich Castle, and over the next three centuries the English commons — land that had been used collectively for grazing, gathering wood, and growing food — was privatized almost completely. The peasants who had lived on it became a landless workforce. That workforce, displaced and desperate, became the labor supply for the Industrial Revolution.

Every student learns about the Industrial Revolution. Almost nobody learns that it was built on a specific political act: the transfer of commons into private hands.

We are living through the digital version of this right now.

The commons this time is data — the information that flows from daily life. Your medical history. Your location at 3:14 PM last Tuesday. The fact that your kid searched for "am I depressed" three weeks ago. The pattern of your heartbeat at night. The route your garbage truck takes. The temperature in the server room of your neighborhood's credit union. This data is generated by us collectively, and it describes us collectively, but almost all of it is owned by a small number of companies that extracted it for free and now sell it back to us.

Shoshana Zuboff named this "surveillance capitalism" in her 2019 book. The mechanism is specific: behavioral surplus (data beyond what's needed to provide the service) is captured, processed into prediction products, and sold in what she calls "behavioral futures markets." Your future actions are the commodity. You are not the customer. You're the livestock.

A community data trust is a structural response to this. Not a technical fix. Not a privacy setting. A structural, legal, political response that re-establishes collective governance over a collective resource.

A trust, in common law, is a three-party relationship: a settlor who puts assets into the trust, a trustee who manages them, and beneficiaries who benefit from them. The trustee has a fiduciary duty to the beneficiaries — a legal obligation to act in their interest, not the trustee's own.

Apply this to data. A community — say, residents of a neighborhood, or members of a health cooperative, or an Indigenous nation — places their collective data into a trust. A trustee governs it. The beneficiaries are the community itself. The trustee has a binding legal duty to steward the data in the community's interest, not to sell it to the highest bidder.

The UK Open Data Institute, led by Jeni Tennison and Sir Tim Berners-Lee, ran three data trust pilots in 2019. One dealt with illegal wildlife trade: multiple organizations pooled data about poaching and trafficking so law enforcement could see patterns no single dataset revealed. Another dealt with food waste. A third dealt with urban mobility in Greenwich. The ODI's final report was clear: the technical infrastructure is not the bottleneck. The governance is.

In Barcelona, the Decidim platform — Catalan for "we decide" — has been running since 2016. Over 3 million users worldwide. More than 400 organizations deploying it. The data generated by citizen deliberation (proposals, votes, comments, meeting participation) is stewarded under a legal framework that's explicitly public, not corporate. Francesca Bria, who led Barcelona's digital strategy, articulated the principle: "technological sovereignty" means the city owns its infrastructure and its data, and uses them for public good rather than private extraction.

The Indigenous data sovereignty movement has pushed further. The CARE Principles — developed by the Global Indigenous Data Alliance and published in 2020 — stand alongside the FAIR principles (Findable, Accessible, Interoperable, Reusable) that govern open science. CARE stands for:

- Collective benefit: data use must produce benefits for Indigenous peoples, not just researchers - Authority to control: Indigenous peoples have rights to govern the collection and use of their data - Responsibility: those working with Indigenous data have ongoing responsibilities to the community - Ethics: Indigenous rights and well-being are the primary concern at every stage

Notice what CARE assumes that FAIR does not: that data is not neutral information but embedded in power relationships. A genomic dataset from a Māori community isn't just numbers. It's the biological record of ancestors. Who gets to use it, and for what, is a political question.

Corporations have not ignored this. They have a response, and the response is brilliant in its cynicism: "data philanthropy."

A company gives researchers "access" to a slice of their data for a social good project. Everyone gets a headline. The company gets reputational capital. The researchers get a dataset. The community whose data it is gets a research paper, maybe, published in a journal they don't read.

This is to data trusts what corporate social responsibility is to unionization. A pressure-release valve designed to forestall actual power-sharing. When Facebook offered researchers access to platform data for election integrity research, the access was so limited and so heavily constrained that the lead researchers, Solomon Messing and Nate Persily, publicly complained about the terms. The company controls what questions can be asked and what answers can be published. That is not sovereignty. That is sharecropping.

There's no single template, but the pattern across successful attempts has four stages.

Stage 1: Name the data. What information does your community generate that's currently being extracted? Start with the mundane. In Detroit, the Detroit Community Technology Project mapped digital infrastructure block by block and discovered that the city itself didn't know where broadband access existed. In rural Appalachia, the Southeast Rural Community Assistance Project mapped well-water contamination. In South Side Chicago, residents mapped police stops and catalogued which intersections generated the most complaints.

The first act of a data trust is cartographic: making visible what has been invisible.

Stage 2: Establish the legal vessel. In the US, common forms include nonprofit public benefit corporations, cooperatives under state co-op statutes, and — for Indigenous nations — tribal data governance bodies with sovereign authority. In the UK, Community Interest Companies (CICs) have proven popular. In the EU, data cooperatives under the Data Governance Act are now a recognized legal form as of 2022.

The vessel determines what you can do. A trust with charitable status can't charge for data access in certain ways. A cooperative can distribute surplus to members but has to be careful about securities law. A tribal entity can assert sovereign immunity from many external demands. Match the vessel to the mission.

Stage 3: Define the contribution and access rules. Who contributes? Who decides? Who can access? On what terms? The Seattle-based nonprofit Digital Impact Alliance developed a helpful taxonomy: data trusts range from "fully open" (data is published) to "carefully stewarded" (access granted by trustee on case-by-case basis) to "sovereign" (community controls every use). The MIDATA co-op in Switzerland lets members share health data with medical researchers and returns a portion of any proceeds to the co-op for member-voted health initiatives.

The MyData movement, based in Finland, has articulated a principle called "human-centric data": individuals have agency over their data but may choose collective stewardship. You can be a member of a trust without surrendering individual control. Think of it like a credit union — your money is yours, but it's pooled into something that has more power than any individual account.

Stage 4: Build the deliberation infrastructure. This is where most attempts fail. It's not enough to have a legal trust. The community has to actually deliberate about how the data is used. That requires meetings, translation, childcare, stipends for participation, and decision rules that aren't captured by whoever shows up most often. Barcelona's Decidim has this built in. The Zwolle data co-op in the Netherlands uses sociocracy. The Cleveland COLTAFF model uses neighborhood-based councils.

Without deliberation, a data trust is just another opaque entity that makes decisions behind closed doors. With it, you get actual community governance, which is slow and frustrating and the only thing that works.

Health data. Individual medical records are regulated under HIPAA in the US and GDPR in Europe. But aggregated, anonymized community health data is different. It can reveal environmental injustice patterns that no individual case would show. In Louisiana's "Cancer Alley," the stretch of Mississippi River dense with petrochemical plants, community-based participatory research — led by groups like Rise St. James and the Louisiana Bucket Brigade — pooled health data that researchers and state officials had refused to collect or publish. The result: EPA proceedings, denial of air permits, and in 2024, a federal consent decree against one of the worst polluters.

This did not happen because of data alone. It happened because a community owned its data and used it as a political weapon.

Environmental data. The PurpleAir sensor network — crowd-sourced, community-owned air quality monitors — now has over 20,000 sensors worldwide. During the 2020 California wildfires, PurpleAir data was often more accurate and more granular than official EPA readings. Why? Because official monitoring was designed for regulatory compliance, not public health. It placed sensors where compliance needed to be measured, not where people lived. PurpleAir inverted this: sensors went where residents cared.

Community environmental data trusts take this further. The West Oakland Environmental Indicators Project has collected environmental data in a Black neighborhood hit hard by diesel trucks from the Port of Oakland for over two decades. That data fed into California's AB 617 legislation on air quality and made West Oakland one of the first designated communities to receive enhanced monitoring and emissions reduction plans.

Economic data. This is the least developed category and maybe the most important. Banks have every datapoint about your financial life. Landlords have your rental history. Gig platforms have your work history. You, collectively as a community, have none of this in aggregate — which is why rent-gouging, wage theft, and algorithmic discrimination are so hard to prove.

The Tenant Data Collective in New York has been trying to change this: pooling rental data from tenants' own records to identify patterns of illegal rent increases. The Workers' Data Collective has done similar work for gig economy labor. These are early efforts. They face huge legal headwinds (what counts as the tenant's data versus the landlord's?) but they represent the frontier.

Exercise 1: The Inventory. Spend a week noticing, without doing anything about it, what data your daily life generates that's captured by an entity you don't control. Your phone's location. Your grocery loyalty card. Your car's telemetry. Your kid's school's learning platform. Write it down. The list will be longer than you expect. Most people stop counting at 50.

Exercise 2: The Question. Pick one category from your inventory. Ask: what decision has someone made about me, or my neighborhood, based on that data, that I had no input into? If the answer is "I don't know," that itself is the answer.

Exercise 3: The Coalition. Identify three organizations in your community that already collect community data in some form — a health clinic, a tenant organization, a community garden, a school. Ask: what would it take to pool this data in a way where the community governed it? Not to create the trust yet. Just to see what conversation it sparks.

Framework: The Three-Layer Check. Before any data goes into a trust, ask three questions:

1. Legitimacy: Does the community consent to this being collected and shared this way? Not "did they click agree." Did they actually consent. 2. Purpose: What is this data for? Trusts with vague purposes ("general community benefit") get captured by whoever has the most time to attend meetings. Specific purposes ("reducing childhood asthma hospitalizations in this ZIP code by 30% over five years") stay accountable. 3. Exit: Can members withdraw their data? Can the community dissolve the trust? Exit rights are what distinguish a trust from a hostage situation.

- Zuboff, S. (2019). The Age of Surveillance Capitalism. PublicAffairs. - Tennison, J. (2020). "Data trusts: ethics, architecture and governance for trustworthy data stewardship." Open Data Institute. - Global Indigenous Data Alliance. (2020). CARE Principles for Indigenous Data Governance. - Bria, F., & Morozov, E. (2018). Rethinking the Smart City. Rosa Luxemburg Stiftung. - Delacroix, S., & Lawrence, N. D. (2019). "Bottom-up data trusts: disturbing the 'one size fits all' approach to data governance." International Data Privacy Law, 9(4). - Ada Lovelace Institute. (2021). Exploring legal mechanisms for data stewardship. - MIDATA Cooperative documentation. midata.coop - Decidim platform documentation. decidim.org

The enclosure of the commons made the Industrial Revolution possible. The enclosure of data is making something else possible — a world where the surveillance industry has more information about you than your family does, and uses it to decide what you see, what you pay, and sometimes whether you get out on bail.

A community data trust is not a solution to this by itself. It's one move in a longer game. But it's a move that does something no individual privacy setting can do: it establishes a collective, legal, democratic claim over what our lives together produce.

That's the ground you have to stand on before you can fight for anything else.

If every person said yes to that claim — yes, we govern this together — the machinery of extraction would hit a wall it hasn't hit yet. Not regulation. Not a lawsuit. A refusal. Collective, organized, legally structured refusal.

Start with the inventory. See what your life actually produces. Then start asking who owns it, and why.