Author – Joe Hardwell, TNO

The concept of data regulation is an ever-evolving field, in which scholars are continually debating how the law which regulates this use of data can be moved forward in a realistic and progressive manner. I spoke to Linnet Taylor (LT) and Nadya Purtova (NP), both of Tilburg University to discuss their recent paper they published together, entitled What is responsible and sustainable data science?

The premise of their paper revolves around the argument that there is no clear agreement on what exactly makes data science responsible or sustainable because these concepts are tricky to clarify when applied to a global arena involving academic, commercial and governmental actors. Without clarity, problems are arising when attempts are made to set goals and boundaries for data practice, as well as for the potential in creating deep divides between various actors on the governance principles within this field. Through clarifying what exactly constitutes responsible data science, the correct regulation of the said data can become increasingly impactful due to there being a universally agreed set of standards that the data science community should adhere to. Linnet and Nadya, in their attempt to lay the foundations in reaching a solution, argue for a commons analytical framework as one approach to this problem, due to it offering signposts for how to establish governance principles for shared resources.

The framework that underpins their article is that of a Commons analytical framework, which has the goal of establishing conditions under which the shared resource is used sustainably, i.e. without degrading in quality or quantity (Ostrom et al, 1994). Therefore, if data is discussed as a resource that ought to be put to common use, this suggests commons theory as a useful analytical framework (Purtova, 2017).

In order for their suggestion of a commons analytical framework to prosper in making data science responsible and sustainable, two key problems need to be addressed. The first, is that of the problem of stakeholdership. More specifically, the problem in getting citizens to engage, both to understand the current debates around data science and regulation, and whether if it all, citizens can have some legitimate degree of influence.

I asked Linnet and Nadya if there are any methods they would suggest to get civil society involved in understanding that they are data subjects, and that the forms of data protection they are entitled to is such a myriad of obstacles and debate?

Linnet and Nadezhda’s

view on
Big Data

I asked Linnet and Nadya if there are any methods they would suggest to get civil society involved in understanding that they are data subjects, and that the forms of data protection they are entitled to is such a myriad of obstacles and debate?

LT: This is a political problem. A lot of energy is spent convincing people that their data does not pose risks to their wellbeing and opportunities, and that companies are capable of behaving ethically with data. I think we need more exposure of problematic practices and outcomes by activists and the media, so that people link the risks and outcomes to actual technical and governance practices by governments and firms. If problems do not get surfaced, described and discussed, people will have no idea of why data matters, and will not respond to policies or practices that pose risks to them.

NP: It’s a complex problem. Citizens are, pragmatically, too big a group to mobilize in a very effective way. Stakeholders are defined by their interests, so perhaps treating citizens as one big group of stakeholders is a bit too general. Perhaps looking at more narrower groups as consumers, patients or passengers, for example, would be more effective in the short run because these stakeholder groups are already formed and more defined in their interests regarding data; eg. Consumers do not want for the data to be used for misleading or manipulative commercial practices.

When we ask how you can mobilize citizens, the citizens are one of the most important groups of stakeholders, citizens are way too big a group. In the case of the Netherlands, it would involve nearly the entire Dutch population, with different sets of knowledge, interests and concerns regarding data practices. So this is one of the pitfalls in running the data commons, the stakeholders are not uniform. I don’t think we necessarily need to aim at immediately at engaging the citizens, or the entire population of the Netherlands, for the effective struggle for sustainable data science; perhaps we need to let things grow more organically. As the institutions developed more organically in the case of other Commons, such as natural resources and drinking basins, similar methods can occur regarding data management. Perhaps these smaller stakeholder groups will not encompass the entire citizen population of Europe, but they’ll start somewhere, each representing their own facet of views regarding data science.

One of the main conclusions conveyed in their article is that the key to sustainable and responsible data science may lie in institutional governance. This would involve the role of governing institutions taking a degree of responsibility in facilitating communication and trust between stakeholders, and to build agreement on rules for sustainable and responsible data use, which is a process that should be fully evident with the correct implementation of GDPR. When analyzing this suggestion from a European perspective, I was interested in whether Linnet and Nadya believed there would be a geographical divide between Member States in how responsible and proactive the institutions would be in tackling this challenge.

LT: There are huge differences between countries in how they address the need for data protection. I think that institutional ways of addressing data protection will progress at the same rate that democratic practices and institutions progress, as this is a question of responding to public concerns, and having a dialogue with the public about what those concerns are. Data is not a unique question of governance, it cannot be governed responsibly unless institutions are in place for responsible (and responsive) governance in general.

NP: Data protection laws allow for the freedom of civil society to self-organize and manage data. Some states may be less active in creating institutions, but they can also emerge spontaneously. Throughout Europe, some states are generally more innovative in governance models, for example, the Netherlands. Whereas there are other states are still traditional in these practices.

Looking to the future, if these institutions to govern data science were to become prominent, what measures can be put in place to enable them to exert formal authority over these powerful technology firms in how they use data?

LT: This will vary by institution. We need a variety, ranging from institutions to formalize social debates into political or human rights claims; institutions that can set rules and boundaries (legislative, academic, governmental), and institutions that can watch and enforce the observance of those rules.

One of the drawbacks to the power of institutions was that of the giant technology firms, and how they circumnavigate data protection laws (think Cambridge Analytica). Are there are other measures apart from fines that can be put in place against those tech firms regarding data protection laws which they break?

NP: Firstly, we should not underappreciate the effectiveness of the fines under the new GDPR, with firms being charged up to 4% of their global turnover per offense. Second, reputation for some is very important. It’s no coincidence that a lot of these big tech companies, such as Microsoft, fund and are involved with privacy and protection conferences. Their (big tech) most important resource is not the data, it’s the users. They are the golden cow who keep producing the milk. If they don’t have these users the data they are left with quickly becomes irrelevant.

Reputation is important overall, as is better enforcement. If a fine once doesn’t have the desired impact, repetition of it will eventually. Take Cambridge Analytica for example, it has no positive reputation left once the scandal broke. It may have popped up somewhere else with a different name, but Cambridge Analytica itself in that form no longer exists.

In conclusion, I was interested in what Nadya and Linnet would recommend to policymakers and big data actors alike in wanting to move forward in achieving responsible and sustainable data science.

LT: I would recommend profound skepticism about the ability of big businesses to govern and regulate itself in the public interest when profit is at stake.

NP: For data science actors on a practical level, let’s just try to abide by the law we have, it’s not perfect but its good enough for now. As for the more long-term recommendations for the policymakers, something that stems from my research is that perhaps its counterproductive to see data protection law as the universal law of the internet, as it is often seen today. When a problem has something to do with digital technologies and data, actors immediately try to pull it within the scope of data protection law, thereby making a data protection problem out of it. This blows up the scope of data protection law, it makes it the law of everything that has to do with digital technologies.

So my message to policymakers would be to really think about what it is exactly about digital technologies that is problematic, and perhaps some of it can be addressed by other existing laws, such as competition or labor law. Basically, by making everything digital a matter of data protection law, we are breaking data protection law because it results in it becoming the law of everything.


Interested in contributing to this blog series?
You can contact myself through: or here.

Do you want to contact with Linnet Taylor and Nadya Purtova?

Linnet TaylorTilburg University / Twitter

Nadya PurtovaTilburg University / Twitter


  • Ostrom, E., Garder, R and Walker, J (1994) Rules, Games and Common-Pool Resources. Ann Arbor, MI: The University of Michigan Press.
  • Purtova, N (2017) Health Data for Common Good: Defining the Boundaries and Social Dilemmas of Data Commons in Ronald Leenes, Nadezhda Purtova, Samantha Adams (eds) Under Observation – The Interplay Between eHealth and Surveillance. Springer International
  • Taylor, L and Purtova, N (2019) What is responsible and sustainable data science? Big Data and Society. July-December Ed, pp 1-6