1 Introduction

Donations are common in health contexts. Crowdfunding calls through websites like GoFundMe in which patients rely on private donors to pay for unexpected medical expenses are familiar especially in the United States (Snyder 2016; Berliner and Kenworthy 2017). There are plenty of opportunities to help others not just by giving money, but also by giving parts of our bodies, such as organs or blood. We can give such parts or materials more or less directly to patients in need, or contribute samples to biobanks in which they feed into research, development, public health surveillance and other beneficial activities.

In these kinds of donations, the potential donor is in a position to seek and understand information about the need for her donation. Although some degree of uncertainty is often inevitable, she can learn about the features of potential recipients, the way in which her donation addresses a problem, and how her donation will be distributed. It is also quite straightforward what she is donating, e.g., an organ, blood, or a specimen. Moreover, the donor herself is carrying any inconveniences in connection with her donation, and burdensome effects on others are typically minimal or absent.

Databases are growing at breath-taking speeds, while tools and algorithms to process and interpret data become more powerful and sophisticated (Mayer-Schönberger and Cukier 2013; Murdoch and Detsky 2013; Raghupathi and Raghupathi 2014). Still, information that can feed into evidence bases is not always readily available. It needs to be discovered, harvested, shared, and analysed. In recent years, the roles individuals can play in data gathering processes have received increased attention. The widespread rollout of electronic health records has made it easier than ever to handle personal health data and opens up opportunities for sharing it in a variety of ways. By making their health data available, individuals can enable research and advance clinical progress (Nature Biotechnology 2015).

Two potential applications are the following. First, medical data can feed into research. By providing one’s data for such purposes, one ideally provides researchers with the raw materials for discovering unforeseen correlations and helps to pave the way for new hypotheses, preventive actions, diagnostics, and treatments. One possible source for such data is direct-to-consumer genetic testing. For example, in 2014 the online networking service PatientsLikeMe launched its “Data For Good” campaign, which “underscores the power of donating health data to improve one’s own condition, help others and change medicine” (PatientsLikeMe 2014). The campaign is motivated by survey data suggesting that “94 percent of American social media users agree with sharing their health data to help doctors improve care” (Grajales et al. 2014), provided their anonymity is secured. Further examples include the non-profit platform DNA.Land which calls for users to upload their genomic data in order to “enable scientists to make new discoveries” and to learn more about their genome (DNA.Land 2018). The open source website openSNP allows users to upload genetic information, including full genomes, which are then published under a Creative Commons Zero licence. The data can be freely copied, modified, distributed, and analysed for commercial and non-commercial purposes.

Second, an increasing number of clinical deep-learning-driven diagnostics and treatments rely on large amounts of patient data, cases, and background information. Data that is fed into such systems can guide a vast range of useful applications, e.g., the delineation of tumours in radiological images (Microsoft 2018) or therapeutic decision-making regarding metastatic breast cancer (Yang et al. 2016, 2017). Sharing one’s personal health data for such purposes directly affects treatment options and prospects of present and future patients.

The question arises under which conditions applications like these can legitimately be based on donations of personal health data from individuals. The present paper argues that some of the most pressing challenges surrounding data donations are challenges about the data sovereignty of the donor. We begin by introducing the concept of data sovereignty (2.) and propose that it encompasses more than having the power to exclude others from one’s personal space. Instead, it has a positive dimension as well. On the basis of reflections from gift theory, we propose that data donations can be exercises of positive data sovereignty. We go on to highlight potentials (3.) of data donations, before articulating several difficulties and puzzles that arise from the idea of donating personal health data (4.). We close with some suggestions on how sovereign data donations could be made possible in practice (5.). Along the way, we will devote particular attention to complications and opportunities within big data contexts.

Before we begin, a conceptual remark on the idea of donating one’s personal health data is in order. While the concept of data sharing has received a lot of attention throughout the literature (e.g., Borgman 2012), the notion of data donation is relatively new and less widespread (e.g., Prainsack and Buyx 2017, ch. 5). Data sharing and data donation both involve the provision of access to data. In our view, they differ along at least two dimensions.

The first difference relates to exclusivity: if I share a good, I can still use at least a portion of it myself. If I donate something, typically the respective portion of the good is gone. Relative to ordinary language, it is thus somewhat surprising to speak of data donations insofar as the putative donor typically does not lose even a portion of her data when granting others access (see also Barbara Prainsack’s contribution to this volume).

The second difference is motivational, and in our view provides an important reason to focus on data donations. Relative to ordinary language, the notion of donating more than the notion of mere sharing highlights the possibility of a particular kind of motivation for why we might give others access to our goods. When I exchange or trade something or a portion thereof, I expect a return. When I gift something, do I expect a return, too? As we will see in the following, this question is discussed controversially. What does seem to distinguish gifting from exchanging is that the former involves a symbolic dimension that the latter lacks. For this reason, the following discussion is driven by the suspicion that when reflecting upon data donations, we should be mindful of such symbolic aspects of granting others access to one’s data.

2 Donations and Sovereignty

Many areas in the health sector anticipate progress and efficiency gains from increasingly powerful data gathering and processing tools. The hope is that such innovations will advance a range of activities such as public health surveillance, research and development, the provision of medical care and the design of health systems. While these prospects are intriguing, novel and ever more penetrative data-processing tools can leave individuals susceptible to risks of harm and prompt us to consider at what point disproportionate intrusions into the personal sphere begin—especially if highly intimate and sensitive information is being processed. Big data applications thus bring a number of ethical questions to the forefront (Nuffield Council on Bioethics 2015; Vayena et al. 2015; Mittelstadt and Floridi 2016; German Ethics Council 2017a, b), including how individuals can make autonomous choices about where their data goes and what is being done with it, while they shall be both beneficiaries and objects of investigation of data- and computation-intensive tools that promise to speed up and to enhance knowledge generation processes.

One up-and-coming concept in these discussions is the notion of data sovereignty. Although not used uniformly throughout the literature, the concept relates to issues of control about who can access and process data (Friedrichsen and Bisa 2016; De Mooy 2017; German Ethics Council 2017a, b). For example, data sovereignty is being discussed with regards to cloud computing, and refers to what is being undermined by uncertainty about which law applies to information stored in the cloud (De Filippi and McCarthy 2012). Commentators worry that governments which use cloud computing run the risk of compromising national sovereignty by conceding control over their data (Irion 2013). Some identify data sovereignty with the ability to geolocate data and to place it within the borders of a particular nation-state (Peterson et al. 2011). Only then is it possible for users to determine which privacy protections, intellectual property protections, and regulations apply, and which risks of legal and illegal access to data exist.

In the German media discourse, data sovereignty is occasionally being perceived as a threat to privacy and a “lobby notion” introduced by the data-processing industry to hollow out data protection standards (Krempl 2018). But quite the opposite is true. While data sovereignty does indeed rest on the conviction that traditional input-oriented data protection principles like data minimisation and purpose limitation are unsuitable in big data contexts (German Ethics Council 2017a, b), two important clarifications are in order. First, proponents of data sovereignty highlight its orientation towards informational self-determination, which involves the protection of a personal sphere of privacy that sets the stage for participation in the public sphere (Hornung and Schnabel 2009). Second, the notion of data sovereignty is driven by the conviction that claims and rights like those related to informational self-determination can only be realized against the backdrop of social contexts and structures in which they are articulated, recognized, and respected. Proponents of data sovereignty highlight that digitization has the potential to transform the social core in which articulations of these claims are always embedded. This is why it is inadequate to insist upon rigid, input-oriented data protection principles (Dabrock 2018). Instead, the focus must shift to the social transformations and tensions of digitization in which individuals should be put in a position to claim their right to informational self-determination reliably and robustly.

In the following, we shall not deny that sovereignty motivates negative and protective claims and rights related to the data subject’s privacy (although cf. Goodman 2016, pp. 153–155). Instead, we will focus on the question whether the picture of sovereignty encompasses more than just the exclusion of others from one’s personal information, and instead motivates claims of individuals to share rather than hold back their data.

In early modern political theory, sovereignty denotes absolute and unconditional power that is neither constrained by nor accountable to other powers. The notion became prominent after Bodin (1576) applied it to absolutist rulers in order to characterize their supreme authority. For Hobbes (1651), this authority is the result of a transfer of sovereignty from the people to the ruler. Other authors attributed sovereignty to nations, countries, or peoples. Sovereignty is typically indexed to a spatial or a substantive domain. The spatial domain is the territorial region which is subject to the sovereign’s will. The substantive domain comprises the matters on which the sovereign is authoritative. Nevertheless, the claim to absolute power is one reason why the notion of sovereignty is sometimes being looked upon with uneasiness, and has led to controversies about whether the political sphere is framed fruitfully in terms of it. For example, Maritain (1951, ch. 2) worries that once the people transfer their power to the sovereign in Bodin’s or Hobbes’ model, their sovereignty is irretrievably lost. After having become the sovereign, the leader is free to determine the nature and boundaries of its power. Against this, one can invoke notions of legitimacy, and argue that sovereignty properly understood is undercut by certain claims to power and ways of ruling. The apparent sovereign becomes a despot if she is guided by arbitrariness and self-interest or proceeds without appropriate forms of recognition from the people she governs. Sovereignty, although prima facie a property of the authoritative individual, is not something which can simply be claimed and possessed independently of social or political embeddedness. It is something that is conferred upon the sovereign, a property that arises from its relation to those who are eventually subject to the sovereign power and recognize the sovereign as authoritative and legitimate.

The power of the sovereign goes hand in hand with the ability to constrain the power of others. Prior to early modern times, the historic function of the concept was not to entitle rulers to power, but to delimit the authority of worldly leaders. Sovereignty as unconstrained and absolute power was attributed to God in order to distinguish divine authority from claims of kings and emperors, and to constrain the claims to power of the latter. Modern ascriptions of sovereignty also have implications about negative freedom. For example, Mill argues that with regards to things which concern only the subject herself, she is entitled to absolute independence from interference by society: “[o]ver himself, over his own body and mind, the individual is sovereign” (Mill 1859, p. 224).

Nevertheless, sovereignty is not exhausted by negative claims. It can have positive implications about the space it determines as the domain of the sovereign. The sovereignty of a state is not exhausted by external sovereignty against outside interference. Instead, sovereignty has an internal dimension as well: within its territory the sovereign has the authority to govern according to her will. Similarly, Mill’s individual who is the sovereign over her personal sphere is not merely entitled to the right and power to exclude others from her domain of sovereignty, but also to operate within this sphere—in Mill’s case: to pursue her idea of the good life.

For either dimension, one important realizer of sovereignty is power. Sovereignty is being realized through the power to keep outsiders out of one’s domain of sovereignty and to operate within this domain. This carries with it the constraint, criticism, and repudiation of claims to power of outsiders as well as those insiders who are subject to the sovereign. Again, this isn’t crude and arbitrary power or force. Whether a claim to sovereign power is appropriate and legitimate depends on its content and the relationship between the putative sovereign and her claim’s addressees. Negotiating sovereignty and its scope is a discoursive process to be carried out in dialogue with others and society.

When individuals pursue their idea of the good life, we should take note of the fact that this pursuit need not be exhausted by an atomistic sense of one’s personal good. As Taylor (1985, p. 190) maintains: “Man is a social animal, indeed a political animal, because he is not self-sufficient alone, and in an important sense is not self-sufficient outside a polis.” The sovereign individual’s pursuit of the good life plausibly unfolds through social relations, embeddedness, and interactions. Crucial realizers of positive aspects of her sovereignty transcend the boundaries of her personal sphere, and rest on how this personal sphere is connected and related to others.

Consider now what this could mean for data sovereignty. In the case of data sovereignty, the relevant kind of power is control over one’s data: where it goes, who has access, and what is being done with it. The foregoing suggests that the individual need not always exercise sovereignty in ways that close off her personal data from others, e.g., by categorically prioritizing her right to privacy. As proponents of relational autonomy highlight, persons are not just independent, isolated, and self-interested beings (Mackenzie and Stoljar 2000; Dabrock et al. 2004; Baylis et al. 2008; Dabrock 2012; Steinfath and Wiesemann 2016; Braun 2017). Their selfhood and well-being depend on rich and complex relations to others, their community, and society as a whole. Importantly, this can mean that the data sovereign individual does not just close off her data, but shares it with others. In fact, practices of sharing one’s personal data can constitute meaningful advances and reinforcements of the social structures in which the individual seeks to realize positive aspects of her sovereignty (see also Barbara Prainsack’s contribution to this volume for a discussion of the relational nature of donations). This is a particularly fruitful option if these acts of sharing take the form of donating and endowing.

In his seminal discussion, Mauss (1950) describes a range of features which he claims are distinctive of the notion of a gift. When someone gives goods in the context of a trade, she expects a return. In contrast, while a gift might be tied to reciprocal obligations between donor and recipient, it always points to something beyond these. A gift is tied to the donor’s generosity as well as some form of obligation on the side of the recipient. In this sense, there is a similarity with economic exchange because the relationship that is being constituted through the act of giving is two-ways, mutual, or symmetrical. Still, the character of the gift cannot be captured in terms of the logic of exchange: the reciprocal obligations in question are incommensurable and cannot be set off against each other in an economic calculus. Gifts might not be incompatible with trade and exchange, but they involve much more. They provide systematic means for individuals and groups to articulate and reciprocate recognition, and thereby determine and shape identities. “[B]y giving one is giving oneself, and if one gives oneself, it is because one ‘owes’ oneself—one’s person and one’s goods—to others” (Mauss 1950, p. 59).

Other authors insist that gifts need to be distinguished more sharply from exchange. For example, Derrida argues that a genuine gift cannot involve expectations of reciprocation of any kind. The gift “interrupts economy”, “suspends economic calculation”, “def[ies] reciprocity or symmetry”, remains outside the “circle” of economic exchange, and is thus distinctively “aneconomic” (Derrida 1992, p. 7). One important consequence is that once the recipient perceives and recognizes the gift as a gift, it is “annulled” or “destroyed” as the act of giving becomes situated within a logic of exchange. Mere recognition of the gift as a gift already “gives back” (Derrida 1992, p. 13). In fact, not even the donor may be aware of the gift; otherwise the donor threatens “to pay himself with a symbolic recognition, to praise himself, to approve of himself, to gratify himself, to congratulate himself, to give back to himself symbolically” (Derrida 1992, p. 14). Because awareness and recognition annul the gift, the notion is inherently aporetic, and genuine gifts are impossible. Nevertheless, Derrida argues that it is out of the question to refrain from giving. He suggests that the gift is actually fundamental to exchange; giving is what “puts the economy in motion”. We need to

“engage in the effort of thinking or rethinking a sort of transcendental illusion of the gift. […] Know still what giving wants to say, know how to give, know what you want and want to say when you give, know what you intend to give, know how the gift annuls itself, commit yourself [engage-toi] even if commitment is the destruction of the gift by the gift, give economy its chance” (Derrida 1992, p. 30; his italics).

Hénaff too insists that the gift has certain unique features. He distinguishes symbolic from economic exchange. Drawing on Mauss, he agrees that gifts figure in symbolic exchanges whose purpose is to establish and foster social bonds through relations of recognition, honour, and esteem amongst parties. It also prompts and articulates attitudes of generosity, benevolence, and gratefulness. Such symbolic exchange is “entirely outside the circuit of what is useful and profitable” (Hénaff 2010, p. 18). He criticizes that Mauss’ discussion is not always consistent about the non-economic and non-commodifiable aspects of the gift as symbolic exchange (Hénaff 2010, p. 110). Hénaff further provides a threefold typology of the gift: ceremonial gifts which are public and reciprocal, gracious ones which are private and unilateral, and mutual aid which pertains to solidaric or philanthropic activity (Hénaff 2013, pp. 15–6). The mutual and public character of the ceremonial gift ties it to practices of recognition and attributions of equality in public space; it accounts for its central role in “identifying, accepting, and finally honoring others” (Hénaff 2013, p. 19; his italics). He proposes that these characteristic features of ceremonial token gifts ultimately culminate in political and legal institutions that protect and guarantee recognition (Hénaff 2013, pp. 21–2) and, amongst others, open up room for gracious gifts and mutual aid.

Ricœur is convinced that appreciating a gift need not take the form of a restitution that annuls it. What matters is the way in which the gift is received. If the gift succeeds in bringing about a kind of gratefulness that acknowledges the donor’s generosity without forcing or pressuring the recipient to reciprocate, then appearances of aporia and impossibility can be circumvented. “Gratitude lightens the weight of obligation to give in return and reorients this toward a generosity equal to the one that led to the first gift” (Ricœur 2005, p. 244). One important consequence is that ex ante, it must remain open whether this orientation towards the donor’s generosity actually occurs. If the recipient reciprocates, she does so freely and without duty. A genuine gift involves openness and contingency. It cannot be forced or guided.

As Mauss and Hénaff highlight, the gift can function as a source and catalyst for recognition. It does so by reflecting an endowment of the donor, a symbolic dimension through which the donor dedicates her gift and conveys a meaning beyond the commodifiable aspects of the good being given. In Mauss’ view, the donor blends herself with the good being given. “Souls are mixed with things; things with souls. Lives are mingled together, and this is how, among persons and things so intermingled, each emerges from their own sphere and mixes together” (Mauss 1950, pp. 25–6). If through dedications of this kind, the donor manages to establish social bonds or even—in Derrida’s words—to interrupt patterns of economic exchange, then the gift extends the individual’s room for manoeuvre in social space. It opens up options for shaping and enhancing interactions and deepening modes of integration among individuals.

The mentioned authors disagree whether gifts should be understood as being diametrally opposed to economic exchange, or whether they, too, can involve mutual expectations, obligations, and relations of reciprocity. The latter seems plausible in view of the fact that through making a gift, the donor exposes herself to others and thereby engages in a potentially precarious gamble (Braun 2017, pp. 206–7). With regards to potlach ceremonies, Mauss notes that “to lose one’s prestige is to lose one’s soul. It is in fact the ‘face’, the dancing mask, the right to incarnate a spirit, to wear a coat of arms, a totem, it is really the persona—that are all called into question in this way, and that are lost at the potlach, at the game of gifts, just as they can be lost in war, or through a mistake in ritual” (Mauss 1950, p. 50). Gifts are attempts at giving and seeking recognition. Such attempts can fail in various ways. They can be confirmed and reciprocated, but also disappoint, overburden, be perceived as coercive, or simply not be met with gratefulness. Thus, there is no need to romanticize gifts. They can open up opportunities, but they can also generate burdens or injustices. Moreover, the donor can face reactions and structures that reject her attempts to give. By making, enabling, or accepting gifts, we have not established fairness, not even ruled out violence. Gifts can only set the stage for negotiating these aspects.

In the acts of giving discussed by Mauss, Derrida, Hénaff, Ricœur and others, two dimensions can be distinguished: first, there is an aspect of exchange insofar as these acts of giving involve transfers of goods and expectations of some form of return or reciprocation, assessed against the backdrop of an economic rationale or logic. Second, there is a distinctive gift aspect which expresses recognition and valuation of the recipient and thus yields community-sustaining potentials. The appropriateness and success of such expressive acts is assessed relative to a logic of recognition. For the sake of speaking in a theory-neutral fashion and not beg any questions against authors like Derrida who think the former aspect actually undermines the latter, we suggest the term ‘donation’ as denoting acts of giving for which it is conceptually open whether they encompass exchange and/or gift aspects. Considering only one of those dimensions would fall short of capturing the complexity of the target phenomenon. In the resulting picture, donations need not be entirely distinct from exchange, yet they are something over and above it. In the words of Waldenfels (2012), donations exceed relations of mere exchange.

Practices of organ and blood donation impact recipients in an immediate, intimate, and bodily way and are sometimes characterized as instantiating central features highlighted by Mauss’ analysis: the presence and reinforcement of institutions that enable donations, expectations and even subtle pressures that motivate individuals to give, obligations on the side of the recipient to accept the gift, and recipients who are expected and feel the need to reciprocate (Fox and Swazey 1978; Vernale and Packard 1990; Sque and Payne 1994; Gill and Lowes 2008). In line with the insight that donations are risky and their effects contingent, organ and blood donations can impose undue burdens on recipients and effectively establish a “tyranny of the gift” (Fox and Swazey 1978, p. 383). Gift-theoretic insights on the entanglement between giving, gratuity, and gratification further resonate with recent work inspired by the conceptions of relational autonomy just mentioned. One of the consequences of the complex interplay between selfhood and orientation towards others is that motivations for acts of giving often cannot be straightforwardly classified as either altruistic or self-interested. Apparently altruistic donations carry aspects of self-interest and vice versa. In particular, empirical work suggests a “simultaneity of self-interested and other-regarding practice in the field of organ donation “(Prainsack 2018; cf. also Simpson 2018).

Technological innovations and their impact on research and clinical care prompt us to focus on the provision of personal health data as a new and promising way to affect others. We shall discuss some opportunities below (3.). Importantly, most people who make health-related donations do not give in these ways in order to generate a return. This suggests that a logic of exchange cannot fully explain what is happening, and the gift paradigm might be able to go some way towards explaining core features of these practices.

If we buy into the idea that sovereignty means more than the right and power to keep others from interfering with one’s personal sphere and is realized at least in part along outward-reaching, interactive and participatory dimensions, then donations could advance these positive aspects of sovereignty. Donations are surely just one amongst many ways to enter into relations with others, but their aneconomic aspects promise some distinctive community- and recognition-sustaining opportunities. Insofar as data sovereignty, and especially its positive dimension, is a worthwhile normative target notion, individuals should be enabled to donate personal health data. As we will argue, this is compatible with insisting on a range of mechanisms and safeguards to ensure that tensions between positive sovereignty and the protective aspects of its negative counterpart are minimized.

3 Reasons in Favour of Data Donations

In the following, we highlight three ways in which data donations could advance positive data sovereignty.

3.1 Solidarity

Data donations can express solidarity. Although not used uniformly throughout the literature, Prainsack and Buyx propose that the concept of solidarity involves “shared practices reflecting a collective commitment to carry ‘costs’ (financial, social, emotional, or otherwise) to assist others” (2012, p. 346; italics removed). Data donations fall under this definition insofar as they reflect the willingness to share efforts that are essential for advancing research and thereby helping those who are in need of findings and innovations. Prainsack and Buyx add the further condition that this willingness is based on the donor “recogniz[ing] sameness or similarity in at least one relevant respect” (2012, p. 346; italics removed)—a condition that distinguishes solidarity from altruism and charity, which do not necessarily rest on an understanding of symmetry between the agent and the recipient. Data donations meet this recognition-of-similarity constraint, too. This is obvious if—as on PatientsLikeMe—the donor is providing her data for the benefit of individuals who share her risk profile or illness. But even if motivations differ and/or it is not clear who exactly will benefit from the data, we can suppose that the donor’s contribution is at least partly based on the insight that she herself could one day find herself in a situation where she benefits from donations of this kind, and so recognizes similarity with the beneficiary in a relevant respect.

Two examples illustrate how the gathering and sharing of data can relate to solidarity. First, generating data about oneself, whether through genetic testing or by means of self-tracking devices like wearables and other new technologies, might appear egoistic, solipsistic, or self-centred. However, it can have an inherently social and communicative dimension (cf. Sharon 2017, pp. 111–2; Ajana 2018, p. 128). Such data gathering is being carried out not only to further one’s own ends, but also to share, report, discuss, and compare one’s data with others.

Second, consider the importance of data gatherers and contributors for personalized medicine. Personalization of health services might appear individualistic insofar as it focuses on specific traits of a given patient, and increasingly shifts responsibility for health towards the individual. But alternatively, personalized medicine can be seen as a context in which individual and collective good are inherently intertwined. Individual health tracking, testing, and data-sharing are key towards building up the databases that enable tailor-made health services. Through this “bottom-up” process from self-tracking to the generation of common knowledge bases, there is a sense in which personalization of services rests on “the idea that the overall health […] of the population can only be improved if individuals take on more personal responsibility for their own health”; we arrive at an “intertwining of the personal and collective good” (Sharon 2017, p. 100).

3.2 Beneficence

Donating data promises “New Opportunities to Enrich Understanding of Individual and Population Health” (Health Data Exploration Project 2014). Research attains public goods such as knowledge, technology, and health. Data is one essential ingredient in research success. In the age of wearables, smartphones, and other self-tracking devices, plenty of personal health data is being generated. However, most of it remains inaccessible to medical and public health research. Data donations could allow the research community to utilize generated data and to convert it into predictions, treatments, and other innovations that potentially benefit a great number of patients, health systems, and populations. In the ideal case, these benefits come at minimal costs for the donors. Unlike organ donation , data donation doesn’t hurt. It is convenient and effortless. And unlike donations to charities, there is no financial burden for the donor.

Data donations can also lead to self-interested benefits. The PatientsLikeMe campaign claims that donating one’s data also helps “to improve one’s own condition” (2014), and (2018) promises to reveal new insights about the donor’s genome. At the very least, contributing to a common practice of data donations adds to improved evidence bases, understanding of diseases, and treatments that ameliorate clinical practice. It is also possible that the provision and analysis of data leads to the discovery of actionable incidental findings that would have otherwise remained unnoticed. Only upon receiving this information can the donor take preventive and curative steps.

There are many potential beneficiaries of data donations. Data helps foundational science, doctors, patients, healthy individuals, society as a whole, insurers, and others (German Ethics Council 2017a, sect. 4.4). Moreover, there is a plurality of services that can be ameliorated: knowledge generation and supply, diagnosis, prediction, treatment. Improvements can be achieved along several dimensions: in terms of the hedonic benefits they provide, the costs they save, and/or the contributions they make to social integration.

3.3 Participation

The significance and normative dimension of scientific research need not be exhausted by the benefits it generates. Focusing on genomic research, Knoppers et al. argue that a human right to benefit from science includes the right “to have access to and share in both the development and fruits of science across the translation continuum, from basic research through practical, material application” (2014, p. 899). In a similar vein, Vayena and Tasioulas (2015, 2016) argue that science is a central component of the kind of communal and cultural life to which all humans are entitled. The authors highlight an underappreciated participatory dimension of the right to science: human rights frameworks like the Universal Declaration of Human Rights (1948, art. 27) and the International Covenant on Economic, Social and Cultural Rights (1966, art. 15) entitle individuals to take part in scientific endeavours. Encouraging and enabling data donations would certainly be an important step towards respecting this right and including broader populations in scientific endeavours. Proponents of a participatory right to science could even insist that mere data gathering and sharing falls short of respecting the right to science in all its facets. Understood more comprehensively, it also entitles individuals to participation in financing, agenda setting, governance, and even lead roles in initiating, designing, and carrying out studies. The human right to science imposes duties

“to equip people with the basic scientific knowledge needed to participate in science or to provide citizen scientists with various forms of support and recognition, e.g. sources of research funding, access to oversight mechanisms and the opportunity to publish in scientific journals” (Vayena and Tasioulas 2015, p. 482).

According to such positions, strong reasons in favour of enabling data donations actually imply that we shouldn’t stop there, but enable much more.

4 Challenges with Data Donations

Data donations can provide great benefits, express and foster solidarity, and enable individuals to participate in scientific research. But they also raise some difficulties and puzzles.

4.1 Trust

One aspect that well-established practices of giving like financial, organ, or blood donations share with data donations is their reliance on trust. They function only if the donor can expect that her willingness to give will not be exploited by collectors and facilitators, that her donation is being handled responsibly and put to work effectively, and that no third-party interests interfere with the equitable distribution of her donation. The donor also expects that her contributions are being made against the backdrop of appropriate safeguards that protect her from harm, and that burdens arising from the donation process are minimized. Important questions arise about which institutional designs best promote that such expectations are met, trust does not erode, and the practice remains stable. Data donations presuppose trust in similar ways. One case in point is the backlash against the NHS scheme in the United Kingdom, which was intended to enable the sharing of personal health data for research, but was met with distrust due to shortcomings in communication and transparency (Sterckx et al. 2016).

4.2 Future Use

The scope and timing of financial, organ, or blood donations is clearly defined. Donations of biological specimen can be sought with a reasonably well-defined purpose in mind, but already here questions loom about admissible future uses of such samples beyond the initially intended purpose. For example, after plenty of samples were collected to speed up research and development efforts during the 2014 outbreak of the Ebola virus disease in West Africa, question arose about how to use these biobanks responsibly in a way that provides long-term benefits for the health systems and scientific infrastructures of affected countries (Hayden 2015; World Health Organization 2015). Unlike organ and blood donations, biological specimen are not exhausted once they reach a beneficiary. They can be analysed repeatedly in a variety of study designs. To harness these potentials, regulators and researchers need to think carefully about consent mechanisms, the provision of appropriate information to sample donors, and mechanisms to govern access to the biobanks in which samples are stored.

One distinctive feature of data donations is that the possibility of future uses familiar from biobank donations is driven to the extreme. Consider the de- and recontextualization processes which datasets tend to undergo in the age of big data. Donated health data is likely to be processed and analysed by means of algorithms and applications that are designed to discover and examine unforeseen correlation hypotheses (cf. Mittelstadt and Floridi 2016, p. 312). From a normative perspective, this raises at least three issues.

First, the protective value of anonymization is limited. Some data, such as genomic information, is essentially personalized and cannot be anonymized. But even for other kinds of information, the possibility of de- and recontextualization entails that deanonymization cannot be ruled out. Giving data might be relatively convenient and effortless, but depending on the kind of data and context, such linkages can have quite significant consequences. Surprising inferences can be drawn from personal information especially once it is combined with and set in relation to other data sets. The problem is that individuals are less and less in a position to foresee and take into account potential harms and/or disadvantages that can accrue on the individual or the collective level.

Second, because future uses and possible inferences about the data subject are to some extent unclear at the point of data collection, it is challenging to design consent mechanisms that inform individuals appropriately. The problem is not just that non-experts lack the competence to foresee the possibilities of recontextualization and linkage with other data sets, and that this leads to deep asymmetries of information between data donor and users who have the expertise and technology to process it. At the point of donation, the range of possible recontextualizations, linkages, and inferences can remain inaccessible even to experts. In other words, the exact quality and character of the donation is in constant flux. The question arises how under these conditions, an individual can meaningfully deliberate upon whether or not to donate her health data. There is a tension between the very idea of making such a donation, and the fact that it must remain somewhat opaque to both donors and collectors what exactly is being donated.

Third, the availability of greater sets of data by itself does not guarantee improvements in the quality of data and/or the inferences drawn from it. The complexity of big data sets and the tools used to analyse them poses a range of epistemic challenges for data collectors and researchers that complicate the evaluation of big-data-driven hypotheses (cf. Mittelstadt and Floridi 2016, p. 327). The beneficent potential of data donations is directly tied to the scientific soundness of their analysis, processing, and conversion into research and development. Providing her data entitles the donor to reasonable expectations towards the scientific institutions whom she authorizes to use and leverage her donation, for example the expectation that her data is being used responsibly and effectively in a way that reflects her philanthropic intentions. These expectations will get frustrated if scientific virtues like rigour, care, and modesty are not enacted consistently throughout data collection, analysis, and interpretation.

4.3 Invasiveness

The implications about asymmetries of information become even more significant once we consider how invasive data can be in the age of big data, genomics, and continuous and holistic tracking. When we speak of data that can be donated, we are referring to a vast number of biological markers such as an individual’s complete and unique set of genetic information, physical parameters such as location and movements, lifestyle data, and even data about emotions, moods, and states of mind. Moreover, linkages amongst datasets lead to cumulative effects (Braun and Dabrock 2016a, pp. 316–7). First, the combination of clinical records with data from medical research, self-tracking technologies like fitness apps, lifestyle data, financial data, etc. results in levels of invasiveness which individual datasets do not achieve. Second, distinctions between seemingly discrete data kinds and spheres begin to vanish. The fact that companies like Apple, Google, and Microsoft are already active in all these domains underlines that linkages between them are only a matter of time.

The penetrative character of data and devices means that what they extract from us transcends concepts like parthood or possession. The German philosopher Helmuth Plessner (1980) has drawn a distinction between physical body (Körper) and living body (Leib). According to Plessner, one distinctive feature of human life is eccentric positionality, i.e. a particular mode of relating to its own positionality in space: humans can conceive of themselves as both physical bodies existing in the corporeal, outer world of things and as experiencing selves occupying the centre of a spatially delineated physical body, the locus of perceptions, actions, and experiences (cf. also de Mul 2014). Qua physical body, humans live, but qua living bodies, humans are subjects of experienced life. This double aspect is reflected by the two simultaneously instantiated modes of being a living body (Leibsein) and having a physical body (Körperhaben). In view of these concepts and distinctions introduced by Plessner, we might wonder whether, once individuals and their experiences are seen as complex conglomerates of algorithmic processes (for example Harari 2016 chs. 2, 10, 11), captured in their entirety by holistic, rich datasets and invasive devices, the difference between what we are and the features we have has collapsed. In this case, some kinds of data donations—the ones paradigmatically enabled by novel big data technologies—would involve much more than donating merely a part of me, or merely something about me. The question arises what about me is not being captured by data. As long as it remains unanswered, we are left with a sense in which the data donor can give all of her, all she is. The scope of the potential donation is unprecedented.

4.4 Ownership

In order to donate something, it must be mine. I cannot donate things that belong to you, such as your blood or organs. My personal health data is certainly about me, but is it also mine? Much seems to depend on the sense of ownership in question. For example, it is contentious whether personal health data can be seen as private property. Montgomery offers several reasons to reject the suggestion. He notes that in the context of health data, intuitions about privacy “sit uneasily with property ideas”: even if we commodify personal health data, “information ‘about me’ does not cease to be connected to my privacy when I give (or sell) it to others” (Montgomery 2017, p. 82). This suggests that ownership in the sense of private property is not primarily what motivates the regulation of health data.

Moreover, according to a broadly Lockean account, private property results from mixing labour with resources. This idea undercuts rather than supports the view that my health data is mine. While I might have “invest[ed] bodily samples” (Montgomery 2017, p. 83), it is the medical service provider who analyses specimen and data, compiles it into evidence bases, and generates value based on the raw materials I am providing. If labour is any indication, then “[i]f anyone may claim proprietary rights over the information on the labour theory of property, it would seem to be the health professionals or service for which they work” (Montgomery 2017, p. 84).

Montgomery suggests that if we really want to regard data like genomic information as property, it should not be considered private. One alternative is to regard such data as common property, i.e. property shared by a group of people (such as families) and outsiders being excluded. But Montgomery himself prefers the paradigm of public property: genomic data is like the air we breathe in the sense that everybody is entitled to it, the resource is not exhausted by universal access, and the benefits connected to its usage motivate obligations of stewardship and preservation.

We might have to complement such an account with the additional thesis that privacy- rather than property-related claims could still exclude access to personal health data, especially given the degree of invasiveness and comprehensiveness described above. What matters for our purposes is that data donations are disanalogous to other ways of giving in that they do not involve a transfer of something the donor owns in a straightforward way (on this issue, see also Barbara Prainsack’s contribution to this volume). In fact, as Montgomery also notes, data donations need not even involve a transfer: the data donor need not lose anything. Instead, her donation might be best understood as a suspension of certain privacy claims.

Considerations about ownership become highly relevant once calls for data donations are addressed not only at individuals, but also at data-processing organizations and institutions. In this context, data philanthropy refers to the provision of data from private sector silos for the public benefit, e.g., development aid, disaster relief efforts, and public health surveillance. Social media data can be key in the detection and monitoring of disease outbreaks. Organizations could share data of this kind not only on the basis of corporate social responsibility, but because they recognize the need for a “real-time data commons” (Kirkpatrick 2013). One necessary condition is that the privacy of individuals can be protected through measures like anonymization and aggregation. Even in cases where this is not possible, the hope is that “more sensitive data […] is nevertheless analysed by companies behind their firewalls for specific smoke signals” (Kirkpatrick 2011). Since such data is generated by the private entity, typically on the basis of some form of consent, there is a sense in which this entity is the owner. However, the owner and envisioned data philanthropist is not the data subject. It must be ensured that the interests of the latter are not compromised when data is being made available.

4.5 Affected People

In organ or blood donations, the identity of the beneficiary is often somewhat unclear: unless I am donating to a relative or friend, the recipient will be some indeterminate or unfamiliar other who is in need of the materials I am providing. Still, I have at least a vague idea about certain features and needs of the recipient, e.g., that she is in need of an organ. Something similar applies if I disclose personal health data for the benefit of people who share my illness or risk profile, e.g., on PatientsLikeMe. But note that once data is either decontextualized as described above or not being donated with such a specific purpose in mind, e.g., when uploading one’s genome on openSNP, the potential beneficiary and the way in which she benefits from the contribution become increasingly abstract.

Not only does the range of beneficiaries of the data donation broaden—it is also less clear who is carrying the burdens and consequences connected with the act of sharing. The donation of my kidney is a sacrifice which I make myself. Setting aside the beneficiary, the effects of my donation on others are minimal. In particular, any burdens related to the donation are carried almost exclusively by myself. In contrast, consider how submitting my genome to a public database could reveal information not only about myself, but also about my children or relatives, e.g., on hereditary risk factors. The range of people being affected as well as the precise consequences of the donation are much less transparent to the donor than in other health-related donations.

4.6 Voluntariness

Donations are conscious, deliberate, uncoerced acts of giving, informed by beliefs about a need that is being addressed through the donation. Data donations can be made by means explicit provision of information towards research projects and platforms, or by accepting terms and conditions of platforms that gather, evaluate, and maybe even publish data of its users (Kostkova et al. 2016). In any case, the informed will of the donor cannot be bypassed. In this context, at least two challenges arise.

First, there is a risk of opacity or even deception about the purpose of data gathering, especially if the sharing of data offers significant benefits to private sector service providers. The question arises how societies and individual donors choose to evaluate the activities of commercial entities who convert philanthropic data donations into products that might improve lives to some extent, but in the first place generate non-altruistic, self-serving revenues. For example, the biotechnology company 23andMe (2018) motivates customers to become “part of something bigger” and make contributions that “help drive scientific discoveries” by allowing the company to use data from its direct-to-consumer genetic testing services for research purposes. At the same time, 23andMe is generating intellectual property from its biobank, such as the patent of a gene sequence which it found to contribute to the risk of developing Alzheimer disease (Hayden 2012), and a method for gamete donor selection that allows prospective parents to select for desired traits in their future child (Sterckx et al. 2013).

Calls for data donations may allude to philanthropy, altruism, solidarity, and the good a donation can do, but in fact they might at least partly be driven by the self-interest of the data collector. The question of whether to share data in view of private sector benefits becomes particularly pressing in contexts where the latter conflict with the donor’s beneficent aims. For example, consider a situation in which data provision that is intended as philanthropic advances medical research while enhancing and stratifying insurers’ knowledge about risk profiles of donors and customers. Such prospects can ultimately deter individuals from sharing. If not, it provides opportunities for private sector entities to freeride upon philanthropic dispositions.

Second, the informed will of the potential donor can be challenged by apparent moral pressures. Understood charitably, headlines like “Our Health Data Can Save Lives, But We Have to Be Willing to Share” (Gent 2017) can be seen as raising awareness for so far unrecognized, readily available, and effort-efficient means for the individual to improve the lives of others. But there is a somewhat questionable flipside to such statements. They might be taken to suggest that an individual acts wrongly if she ultimately prioritizes her privacy over the presumed benefits of a data donation, and/or if she judges the privacy risks to be disproportionate relative to the utility that would be generated by her donation. In other words, a perceived duty to participate might result (Bialobrzeski et al. 2012). In view of rhetoric that declares data a common good and public asset, Ajana sees a risk of pitting data philanthropists against privacy advocates when

“in the name of altruism and public good, individuals and organisations are subtly being encouraged to prioritise sharing and contributing over maintaining privacy. […] First, it reinforces […] the misleading assumption that individuals wishing to keep their data private are either selfish and desire privacy because they are not interested in helping others, or bad and desire privacy to hide negative acts and information. Second, this binary thinking also underlies the misconception that privacy is a purely individual right and does not extend to society at large” (Ajana 2018, pp. 133–4).

A parallel can be drawn to worries regarding self-imposed surveillance and disciplining mechanisms (Foucault 1977) through self-tracking devices (Sharon 2017, pp. 98–99). Voluntary tracking and provision of personal health data can turn into liberty-constraining expectations that data is not only shared, but also that individuals take measures to improve their health markers (Braun and Dabrock 2016a, p. 323). The prospect of doing good with one’s data can similarly be turned into a disciplining narrative that conveys implicit expectations that data should not be withheld. What initially appears to open up options for the individual ends up delimiting them.

These dynamics would be unfortunate from a normative perspective. Data donations might be beneficial and morally commendable, and these features provide some reason to donate. But they hardly provide an all-things-considered reason—let alone a strict duty—to do so. Consider two examples: first, for the Kantian, the duty to help others is an imperfect one, i.e. it remains entirely up to the agent to what extent she helps others (Kant 1785, p. 423). Second, consider effective altruism according to which there are strong moral reasons to give, e.g., donating money to charity, organs to patients in need, or time and labour to good causes (Singer 2009, 2015; MacAskill 2015), but also to ensure that the good your efforts bring about is being maximized. To our knowledge, effective altruists have not yet explored data donations, but they could be intrigued by the benefits that can be realized through such acts of giving. Still, effective altruists agree that although once you donate, you should donate as effectively as possible, there can be optionality about whether to donate at all. Strong normative reasons to give money to charity can be outweighed by the costs such donations incur to the donor. In such cases, “it would not be wrong of you to do nothing” (Pummer 2016, p. 81). According to these positions, it is far from unreasonable or immoral if an individual decides to be restrictive about her data. It is a fine line between holding her contributions in esteem and implicitly sanctioning or generating a burden of proof for the individual who decides to keep her information restricted.

To sum up, donating personal health data offers alluring opportunities (3.), but a number of challenges lurk along the way. Genuine donors typically have some idea about what they are donating, what the donation will be used for, whom it benefits, and who carries burdens related to the donation. However, in big data contexts, potential data donors are bound to have a limited grip on the nature of their donation, the future use of their data, and the people affected by their decision to share. Further disanalogies come from the invasive and comprehensive character of state-of-the-art data gathering and processing, and the fact that the relevant sense of ownership is far from straightforward. Finally, the voluntariness of data donations can be undercut by opaque or deceptive information and/or moral pressures that appear to deflate individual privacy claims.

Earlier, we suggested that donations can advance positive data sovereignty as they foster social bonds and open up room for manoeuvre in social space. Specifically, we suggested that through data donations, individuals can enact beneficence, solidarity, and play an active role in scientific processes. The challenges just characterized aggravate the uncertainties that are inherent to any act of giving. Important aspects of the good being given are in constant flux—what it will be used for, whom it benefits, and who carries burdens. If the donor decides to give nevertheless, she embarks on a venture into the unknown that can become precarious. Not only might the donation be in vain, fail to accord with the donor’s intentions, and remain unsuccessful in advancing positive sovereignty. Even worse, the donation could backfire and end up compromising negative aspects of the donor’s sovereignty that relate to protective claims and rights, for example against untoward interferences from others, disadvantages, discrimination, or exploitation.

5 Donations, Consent and Control

As mentioned earlier (2.), one important realizer of sovereignty is power. In the case of data sovereignty, the relevant power is control over one’s data. The question arises how data donations can be facilitated and regulated in a way that guards and strengthens the data sovereignty of potential donors. We now suggest three governance areas that are crucial towards this goal. Ideally, mechanisms in these areas enable potential donors to contribute their health data for the benefit of others and scientific progress as a whole without leaving them susceptible to undue harms arising from the aforementioned challenges.

5.1 Consent

Several initiatives highlight a considerable degree of willingness on the side of individuals to share their data (Wellcome Trust 2013; Health Data Exploration Project 2014; PatientsLikeMe 2014). However, it has also been recognized the willingness to share data, and especially preferences about what kind of data may be shared, is expected to vary amongst user groups (Weitzman et al. 2010). The example of the scheme shows that sharing and connecting health data can prompt scepticism as soon as insufficient attention is being devoted to the consent of data subjects. It is thus necessary to focus on the conditions and mechanisms for meaningful, informed decision-making. As mentioned, many uncertainties surround the future use of one’s data. In big data contexts, the informedness of one-time consent to data gathering and processing inevitably remains incomplete (Mittelstadt and Floridi 2016, p. 312). Given the prospective benefits of data donations outlined earlier, and the potentials of big data methods more generally, it stands to reason to not simply refrain from useful activities in the absence of fully informed consent, but to rethink and redesign informed consent in a way that makes these activities possible and honours the data subject’s self-determination. Even if data is already collected and in principle available for analysis, it is highly questionable whether informed consent can legitimately be bypassed (Ioannidis 2013). And needless to say, for our context it matters that data crawling and processing without consent undermines the very idea of a data donation.

A range of new consent forms are under discussion in the literature. Reliance on opt-out mechanisms in biobanks and online data gathering (CIOMS 2016, chs. 11, 22) is already widespread. Blanket consent poses little to no constraints on future uses. Broad consent allows a wide range of future uses (Petrini 2010). Tiered consent can take several forms, from the specification of a range of approved uses, to the exclusion of certain uses, to requiring re-consent if usage for a new purpose is intended (Eiseman et al. 2003, pp. 134–7; Master et al. 2015).

Each of these options can enable valuable research, but also compromises the ideal of informed consent to some extent. For example, they do not satisfy the standards of informedness laid out in the Declaration of Helsinki (World Medical Association 1964). Some thus argue, e.g., that “blanket consents cannot be considered true consent” (Caulfield et al. 2003) since it is provided on the basis of information that is way too vague and does not allow the individual to act on her continuing interest in her health information. Others even conclude that informed consent is inapplicable to contexts like biobanking where uncertainty about future use is unavoidable (Cargill 2016).

In fact, we must highlight a further problem. Inherent to alternative consent models is typically a more or less explicit distinction between sectors. Information and samples are being given for a certain range of future uses or certain tiers of research. Oversight mechanisms and committees are thus needed to determine whether a particular usage request of a researcher accords with the consent provided at enrolment. But note how given our earlier remarks about future use and de- and recontextualization, these sectorial distinctions are in jeopardy in big data contexts. For example, consider the consent to the processing of one’s social media data, given through acceptance of terms and conditions (Kostkova et al. 2016, p. 2). Once analysed by suitable algorithms and linked with other data sets, certain social media data (or metadata) effectively becomes health data. Of course, this can be seen as a challenge already for single-instance consent, given that it becomes increasingly less transparent to the individual what can and will be done with her data. But novel consent forms become even more tricky once the sectorial distinctions inherent to broad or tiered consent forms fade.

Problems like these motivate consent forms that are dynamic. Different individuals possess different preferences depending on the kind and context of data in question. Moreover, preferences can be expected to change over time, for example if technological advances open up new possibilities for drawing inferences from a given dataset. This calls for refined and dynamic control mechanisms that allow individuals to provide and withdraw data in accordance with their evolving preferences—a demand which has found its way into legislation on data portability, e.g., in Article 20 of the EU General Data Protection Regulation (GDPR). Once individuals become equipped with effective means to access and transfer their data, they turn from mere data subjects to active data distributors (Vayena and Blasimme 2017, pp. 507–8).

One example for what this could mean for data donations is provided by Schapranow et al. (2017). While organ donation passes are common, similar mechanisms are lacking for data donations. The authors thus introduce a data donation pass, which can be maintained through a smartphone app in which individuals can choose in real-time whether and for how long they would like to provide their data to research projects, what kind of projects they would like to support, what kind of data is being shared, and when it shall be withdrawn. Besides highlighting potential benefits, the authors explicitly construe the data donation pass as a means for the individual to exercise data sovereignty.

5.2 Representation

Innovative consent forms can be complemented by representatives who express or represent the donor’s will in governance processes. For example, trustee or honest broker models authorize a neutral and unbiased individual, committee, or system to manage access requests by researchers and function as a firewall between the database and potential data processors (Vaught and Lockhart 2012). The purpose of honest brokers is typically to secure the privacy and anonymity of individuals. We can easily imagine extending its scope to representing further interests of the donor. In this context, we might also invoke the concept of custodianship, which aims at ensuring accountability to the data donor across the full spectrum from data collection to database maintenance and access permission.

“Custodianship does not entail the right to ownership but acknowledges that a biospecimen is provided to research as a ‘gift’ to be used only with consent to advance science for the benefit of society” (Yassin et al. 2010).

Going one step further, one can take on board some of the ideas from citizen science indicated earlier. For example, Shirk et al. (2012) distinguish several models of public involvement in scientific research. Such models could also be applied when including data subjects in governance processes: on one end of the spectrum, individuals are merely contributing data or specimen to research projects. In collaborative projects, donors or members of the refine research project designs together with investigators. In co-created projects, researchers and donors work as equals. And in collegial contributions, non-credentialed individuals even carry out research independently.

5.3 Organizations

Data sovereignty appears as a feature of individuals, but consent structures, participatory designs, and organizational self-control set the stage for it. Shaping these structures in a way conducive to data sovereignty is indispensable. This requires organization-level commitments and rules prompted by a thoughtful mix of incentives and frameworks along at least two dimensions. First, mechanisms of voluntary self-control, either on the level of corporate social responsibility, or by setting up industry-wide, impartial licensing and control agencies should be considered. Second, the state can intervene by reshaping legislation for the operation of data-processing institutions, e.g., through the mentioned EU GDPR. Either way, data sharing requirements need to be designed with care. For example, there is a potential tension between mandatory publication of publicly funded data and the willingness of individuals to donate. The former can speed up research, but also—especially in the case of genomic data—increase privacy risks and thus deter potential donors.

5.4 Observation I

In the literature, it is sometimes noted that data donations solve problems with research in which standard informed consent is impracticable. The idea is that in view of looming deanonymization, de- and recontextualization, and future uses, research is bound to rely on “information altruists” (Kohane and Altman 2005) who are aware of these risks, but share their data nevertheless. On the far end of the spectrum is probably the OpenSNP case where whole genomes are freely accessible. The upshot is that people who are willing to take risks facilitate research that would otherwise be impossible or very hard to carry out, while the consent requirements for the general, less risk-seeking public remain uncompromised.

We saw earlier that sovereignty can indeed be transferred and delegated to others. But we also saw that considerations about the legitimacy of the sovereign indicate that obligations of representation and accountability are tied to such transfers. Sovereigns who fail to represent their people are despots. Moreover, on reflection we might become convinced that certain fundamental aspects of individual sovereignty resist transfer to others. As Judith Butler puts it, when people vote, “[s]omething of popular sovereignty remains untranslatable, non-transferable, and even unsubstitutable, which is why it can both elect and dissolve regimes” (2015, p. 162). The implication for our purposes is that even if data sovereigns delegate power and authority to representatives and trustees, suspend their own authority through novel consent mechanisms, or renounce authority through blanket consent, some ethical constraints still remain in place. For example, individuals who upload their genome on OpenSNP do not thereby become fair game. Despite their broad consent, we can still raise questions about which use of their data is legitimate. Such questions arise from an ethical, but also from a legal perspective, e.g., when we debate which ways of discriminating against data subjects are unlawful. And in cases where consent procedures are tied to mechanisms of representation, Butler’s remark suggests that representatives might be authorized to speak on behalf of data subjects, but can fail to articulate their voice. In some instances, the authority of representatives might “dissolve”. These points illustrate that it remains an open and pressing question what researchers and data collectors owe to ‘information altruists’ and others who suspend their claims to full-fledged control over future use. The mere broadening of consent forms is not a surrogate for reflecting upon responsible institutional designs.

5.5 Observation II

There is considerable variation across the mentioned consent and representation models with regards to how well they cohere with the idea of a data donation. For example, in the above-mentioned picture of collegial research by Shirk et al., there is a sense in which data subjects are not donating any data at all. Their data does not go anywhere. It is merely channelled into a research process which the subjects themselves are designing and carrying out.

Broad consent might secure a link between self-determination and the process of sharing and subsequent analysis of personal health data. But here, some of the earlier challenges strike back. Precisely because the consent is broad, questions arise about how the apparent donor can meaningfully endow her data. After all, crucial aspects of her donation must remain open, including what exactly it is for, who benefits from it, and whether only she carries burdens related to the donation.

Tiered consent to data sharing, i.e. donating data towards specific purposes and/or with re-consent conditions in place, need not be strictly incompatible with the idea of a donation. But notice how when being provided by means of tiered consent, data is not simply given to others—researchers, developers, or the general public. Instead, claims to power remain attached to it, and are not renounced by the apparent donor. Similar points apply to trustee or honest broker models. One of their purposes seems to be the extension of the donor’s will to future situations and applications she cannot foresee in the present. These mechanisms allow the apparent donor to remain in command, if only indirectly and through representation, to ensure that use fits intended purpose. To put it bluntly: it is a little odd to make a donation or gift, but to tell recipients what to do with it. This request is driven to the maximum with dynamic consent, where the subject never actually ceases to be in control. All these mechanisms and models certainly hold alluring promises with regards to the protection and autonomy of individuals. But the question arises whether the apparent donor is actually put into a position where she clings onto what she has promised to let go off when entertaining and committing to the idea of a genuine data donation.

Taken together, the foregoing results lead to a puzzle. If I am giving some broad form of consent to use my personal health data, I lose my grip on the sense of endowment which authors like Mauss, Derrida, Ricœur, and Hénaff highlight as a distinctive feature of gifts. If I cling onto my data through various models of extending my control, I am not actually letting go.

Part of the puzzle might depend on the extent to which we regard donations as being more than exchange. It appears that all the aforementioned conditions are suitable means for the individual to retain power and control over her data and to constrain access and use it when this process is thought of as an exchange whose conditions the individual seeks to govern. But earlier (2.), we were suspecting that when being considered through the lens of gift theory, donations can be seen to exceed this logic, to point to something beyond economic exchange, and involve the acceptance of risks and uncertainties about the consequences of their endowment. If so, there is a tension between conditions to facilitate data donations as exercise of data sovereignty—in particular the resulting claims to power and control—and the idea of what it means to donate, gift, and endow something to others.

At this juncture, several strands of the foregoing discussion flow together. Data donations can reinforce the social structures in which individuals live their lives (2.). Specifically, data donations allow the individual to enact solidarity, beneficence, and participation (3.). Exercises of data sovereignty will thus not categorically result in restrictions to data access. Privacy must be ensured by default, but respecting individuals as data sovereigns further involves implementing responsible governance mechanisms to enable data donations. As we have seen, sovereignty is being realized through power and control. Data sovereignty in particular involves control over one’s data: where it goes, who has access, and what is being done with it. Such control matters especially in view of the challenges and puzzles surrounding data donations (4.). Hence the three governance areas proposed above. However, on the one hand, gifting involves endowing and donating means letting go of what one gives. On the other hand, sovereignty involves power and control. The latter might undermine the former.

In view of this tension, should we not refrain from applying the sovereignty and gift paradigms, which we have claimed are inherently related, when trying to better understand the practice of data donations? Not necessarily. One intriguing way to resolve the tension just described is to regard data donations as data loans . When deciding whether or not to give an item, asset, or commodity, my options certainly include keeping all my claims to the object in place, i.e. not giving at all, or renouncing the entirety of my claims and giving without any remaining strings attached. But in between, a continuum of acts of giving is conceivable where only some kinds of claims to the object are renounced or suspended. Loans are instances where certain claims are being suspended and can be reclaimed at the conclusion of the loan (on the significance of this picture for understanding public attitudes towards scientific research, cf. Starkbaum et al. 2015; Braun and Dabrock 2016b). Other claims can remain in place throughout, e.g., when there are expectations about the purpose of the loan. As this illustrates, it is not inconsistent to give while keeping certain claims to the item, asset, or commodity in place. Loans as well as donations are something the lender gives, and her aims can include conveying recognition, fostering bonds of solidarity, and reinforcing social structures.

In our context, providing one’s data to researchers need not be seen as a donation of the data itself. What is being given, potentially with all the aspects of endowment aspects described earlier (2., 3.), is a loan of this data. Individuals might want to retain certain powers, for example the ability to cancel or modify access if the challenges and evolving circumstances described earlier (4.) increase precarity or shift the nature of their data loan. If the motivation is genuinely non-self-interested, the loan carries no economic interest or benefit, no expected return in the light of which the lender’s action pays off for her, other than putting her in a position to offer symbolic appreciation and contributions to others, her community, the scientific enterprise, and society as a whole. As an exercise of sovereignty, the loan comes with only one condition: that it may be retracted or at least the consent be modified if and when the individual requests it.

The picture of data donations as data loans does not resolve all challenges. Loans emphasize the precarious aspects of donations as they carry risks of exploitation and default. Lenders might strive in vain for control and security. Moreover, the question remains how individuals can lend something that they do not own in a straightforward way, and give a loan that in view of penetrative data processing is incredibly invasive. Nevertheless, the appeal of the picture is that it reflects both the ability to grant access to data and the implementation and justification of control mechanisms such as those outlined above. The latter might remain imperfect, but still be promising enough to set the wheel of giving in motion.

6 Conclusion

We have defended the thesis that donations of personal health data can advance individual sovereignty. The elements of gift theory have been used as a descriptive heuristic to gain a better understanding of donations. Gift theorists maintain that there are cases in which an analysis that focuses solely on exchange aspects elides important features of the target phenomenon. Instead, they invite us to look for what Derrida calls aneconomic aspects in order to grasp acts of giving in all their complexity: whether or not these acts involve a sense of endowment, are being carried out without the intention to prompt a return, transcend the individual’s self-interest, and/or convey a symbolic, non-commodifiable aspect that encodes the donor’s dedication and investment of a part of herself into what she is giving. Note that these suggestions are descriptive. It does not follow that it is normatively desirable to make gifts, just that considering these aspects ameliorates our understanding of acts of giving.

Once donations are examined through the lens of gift theory, it becomes apparent that they can generate social bonds, convey recognition and open up new options in social space, for example by interrupting patterns of economic exchange and enabling activities and interactions that would have otherwise remained unlikely or impossible. If these potentials are realized, donations can be fruitful advances of individual sovereignty. Sovereignty is sometimes being reduced to negative and protective rights and powers, but we suggested that it also encompasses positive entitlements to pursue one’s notion of the good life through connecting and interacting with others. Our claim was not that donations are the only way to advance sovereignty. However, if data subjects are to be sovereigns about their health data, the positive dimension of sovereignty calls for ways to facilitate the sharing of data as an expression of the individual’s informational self-determination. Such donations can enact solidarity and beneficence and enable donors to participate in scientific processes.

The foregoing neither motivates a duty to donate nor deflates the importance of protections. Even though donations can advance positive sovereignty, we must not lose sight of potential conflicts with the negative, protective aspects of sovereignty. Data donations in particular have a range of features that exacerbate risks and uncertainties. In big data contexts, data donations become more invasive than other kinds of donations. Potential data donors are bound to have a limited grip on what they are giving, the future use of their data, and the people affected by their decision to share.

We thus proposed that tensions between data donations and the negative, protective aspects of sovereignty shall be minimized through consent procedures, the representation of data subjects, and organization-level constraints and commitments. These mechanisms complement one another and apply to a plurality of agents on different levels (Braun and Dabrock 2016a, pp. 324–5; German Ethics Council 2017a, sect. 5.3): individuals who become empowered to share and withdraw their data, representatives and brokers who mediate between individuals and data processors, data networks which provide means for data subjects to govern the flow of their information, and regulators who set formal and enforceable frameworks. These mechanisms seek to ensure the controllability of data donations for individuals as well as the accountability of data gatherers and processors. Ideally, the intentions of data donors, including those related to gifting and endowing, can then be introduced and unfold within the governance of the institution.

Special attention should be paid to technological infrastructures. First, data interoperability (Nature Biotechnology 2015) is necessary to transfer data, e.g., from electronic health records or direct-to-consumer genetic testing to data networks. Second, our call for dynamic consent mechanisms requires user-friendly interfaces in order to make users aware of new developments and allow them to control, submit, and withdraw data in real-time. Third, developing such interfaces and/or setting up representatives, typically software data agents, to serve as data trustees presupposes a sufficient degree of standardization of programmatic data interfaces.

Nevertheless, in the end all these measures might fall short. Recall Derrida’s claim that gifts set the circle of the economy in motion. We can set up efficient infrastructures and implement controllability for donors as well as accountability of data-processing institutions. Still, Derrida’s claim can be taken to remind us that institutions of giving will be set in motion only if individuals are ready to engage in this risky enterprise—an enterprise that opens up opportunities, but in which frustrations and harms can never be ruled out. That is, a particular kind of endowment is required: individuals need to trust and engage in the act of giving despite the risk that it will not have its intended effects. This is not a normative demand that potential donors shall trust the system that seeks their contribution. The claim is, again, descriptive: trust is what sets the system in motion, and if trust is lost, everything comes to a halt. This insight is perfectly compatible with the further claim that once donors trust and decide to give, mechanisms that implement accountability, controllability as well as norms of transparency remain indispensable to keep the process functional and sustainable. The necessity of such momentums of endowment highlights a strength of gift theory: it helps us to discern certain aneconomic working principles of our institutions that might have otherwise escaped our attention.

If the donor transfers authority over her data by means of broad consent, it becomes hard to get a grip on future uses and beneficiaries, which appears to be in tension with the idea of meaningfully endowing such data. If consent is dynamic or tiered, one is not actually letting go of what one appears to donate, and thus deflates the sense in which one makes a genuine donation. These observations could be seen as reasons to refrain from applying the gift paradigm to data donations. However, we have argued for a different approach. Data donations—at least those that are cognizant of the claims of sovereign individuals—come in a particular form: unlike other forms of donation, they are most plausibly understood as loans rather than transfers.