On February 2, 2022 presenters Angie Raymond and Scott Shackelford, gave the seminar “Who Owns Your Data?”
Scott and Angie explored core questions of data governance focusing on comparing the United States, European Union, and several Asian nations with regards to their privacy, cybersecurity, and AI governance practices. They hi-lighted areas of convergence, and divergence, which in turn are giving rise to both public and private sector norm building efforts and are fueling a revolution in corporate data governance practices.
View the slides from this seminar.
Below you will find the Q&A from the seminar:
Thank you for attending the Public Lecture Series on Corporate Governance, entitled: Who Owns Your Data? We really enjoyed speaking to you! The questions were very insightful. Thank you for giving us the opportunity to respond to the questions we did not get to respond to in live time. The below responses are our opinion- and we note where it is important to know who is responding! (Scott- SS and Angie AR)
 In regard to data ownership- could you please elaborate on your viewpoint of various proposals such as “data trust” and “data commons”? How do they interact with current data protection regulatory regimes? (Such as, GDPR, CCPA…)
We both responded to this in the Q and A time at the end of the presentation.
 Shouldn’t the focus be on data use rather than data ownership using concepts like controller and processor to allocate responsibility and liability? Is there a way to regulate privacy and data protection in a way that views violations as a social harm rather than expecting individuals to protect their own social identities?
[AR] Absolutely- agree. Early in the presentation I explained that many corporate board questions do not usually arise within the context of ownership, but instead really arise in questions of ‘control.’ I use ‘control’ as a broad term to allow people to understand- if you have the data, even for a moment- you likely have responsibility and might even have liability for the way you interact with the data. Of course, that implicates things that you mention- such as use- but of course that also implicates responsibility to ensure sharing, storage, and deletion are part of the plan.
That is not to completely diminish ownership- but, focusing on ownership really allows (in my opinion) people and corporations to focus on a topic that won’t fully allow them to think through all the issues that may arise, which I think is your point what about ‘other’ potential harms.
Again, in my opinion- when we focus on ownership, we pretend that only those that own data have responsibility- which is simply not true. Moreover, as you mention- ownership places to much responsibility on the individual- as the owner- to protect their data – a point I reject. In the digital world, we are (again in my opinion) constantly nudged and influenced in ways which we are unaware. Asking people to ‘protect’ and be ‘responsible’ for their data ignores years of well-studied human behavior. Finally, reducing issues to individual actors allows us to ignore the social harms that occur in communities.
[AR] I could go on forever, join my groups at the Workshop- [ https://ostromworkshop.indiana.edu/research/data-management/index.html no matter if you agree or want to loudly disagree!
 Great presentation – but what I am missing is the answer to the webinar’s title “Who owns your data”, starting from defining what ownership means in this context, whether it can be transferred, etc.; you extensively cover protection and governance, but, if I may say so, they require these definitions. Or did I miss a pertinent statement by the presenters?
[SS] We discussed this live during the Q&A, but in brief data governance may be considered at one level as an exercise in data control – is your data controlled by you, by the corporation that collected it, or the jurisdiction under which it falls under? But in general data control is but one element here with other core questions – including the human right to privacy, and even Internet governance – pressing.
 What causes of action might be created by adoption of global standards, and how might they constrain sovereign courts (similar to issues that arose with discussion of TPP a decade ago)
[AR] For those that are unaware- Trans-Pacific Partnership (TPP) was a proposed free trade agreement among the Pacific Rim economies, which includes the U.S. In 2015, Congress gave President Barack Obama fast-track authority to move through the approval process and in 2016 all 12 nations signed the agreement. However, the initiative stalled in the US resulting in the US withdrawing from the deal. The U.S. instead elected to pursue bilateral negotiations (work with each country independently to form agreements)
[AR] Keeping my opinion of the TPP itself for another day, I think a larger push to move toward global standards in this area is likely a better choice when we speak of data. While it is possible to regulate data- and data flows- it is proving very difficult, as data flows in an eco-system. In my opinion (this is Angie) it’s not as simple as thinking of this like a garden hose- where flow can be controlled. The garden hose analogy is great thought experiment to imagine how we control trade- points of entry and exit- like a garden hose. Data likely cannot be thought of in this way as it flows- true but is not contained in a single place. Our data is everywhere- more like air or water- so YES, global standards are likely better. But it is proving very difficult and frankly is not likely anytime soon, for a host of reasons- including something as simple as what international institution will create and enforce such standards.
Scott and I have written on this- Scott has done this, a lot-
I would also like to point you to a great friend- Susan Aaronson, the Founder and Director of the Digital Trade and Data Governance Hub [ https://datagovhub.letsnod.com/ ]
She is speaking virtually during the Ostrom Colloquium on Feb 14 at noon (est)- join us! https://ostromworkshop.indiana.edu/events/colloquium-series/index.html
 Do you think that insurance will play an increasing role in the need to homogenise data and prioritise cybersecurity for businesses?
Yes. Insurance is already playing a major role in defining cybersecurity best practices for myriad sectors, though more does need to be done to pool the fractured datasets and build robust actuarial tables. The timing is particularly pressing given how much the cost of cyber risk insurance is increasing, pricing small firms and NGOs out of the market.
About the Speakers:
Professor Scott J. Shackelford serves on the faculty of Indiana University where he is Cybersecurity Risk Management Program Chair along with being the Executive Director of the Ostrom Workshop. He is also an Affiliated Scholar at both the Harvard Kennedy School’s Belfer Center for Science and International Affairs and Stanford’s Center for Internet and Society, as well as a Senior Fellow at the Center for Applied Cybersecurity Research. Professor Shackelford has written more than 100 articles, book chapters, essays, and op-eds for diverse publications. Similarly, Professor Shackelford’s research has been covered by an array of outlets, including Politico, NPR, CNN, Forbes, Time, the Washington Post, and the LA Times.
Dr. Anjanette (Angie) Raymond is the Director of the Program on Data Management and Information Governance at the Ostrom Workshop, is an Associate Professor in the Department of Business Law and Ethics, at the Kelley School of Business, Indiana University, and an Adjunct Associate Professor of Law at Maurer Law School (Indiana). Angie has widely written in the areas of online dispute resolution, data governance, artificial intelligence governance, privacy, international finance and commercial dispute resolution. Angie works with the IEEE on AI procurement standards, the ACCORD project (blockchain/smart contracts) and several health data exchange systems.
For further information on the webinar please contact Professor Jun Yang, Director of the Institute for Corporate Governance at email@example.com.