BIG DATA GOVERNANCE NEEDS MORE COLLECTIVE RESPONSIBILITY: THE ROLE OF HARM MITIGATION IN THE GOVERNANCE OF DATA USE IN MEDICINE AND BEYOND

,


I. INTRODUCTION
These brief vignettes demonstrate the potential for individuals to be harmed by data use in the big data era particularly, given the pervasive nature of such data. The 'pervasiveness' 2 of data means that in the context of large, digital, connected or connectable, and often fast-changing datasets, harms are often systemic and cannot be captured by linear cause and effect. Downstream harms arising from digital data use can fall outside of the remit of traditional legal remedies because they do not fit the traditional chain of causality which legal actions often require-such as under the tort of misuse of private information in the UK context, 3 or for some actions under the new European Union's General Data Protection Regulation (GDPR), 4 or for the right to private and family life (Art 8 European Convention on Human Rights). Specifically, people who experience harms that they can plausibly assume stem from data use may not have access to legal remedies for two reasons: First, because the action that led to the harm was lawful-such as in the case of Mustafa, who was affected by personalised pricing practices that many people may consider unfair, 5 but that are not unlawful. Secondly, even if it is apparent that the action that caused the harm must have been unlawful (such as in Paula's case, where somebody must have infringed data protection laws and passed on her information to retailers), it may be impossible to prove that a specific instance of data use caused a specific harm, and therefore the chain of causation required for some legal remedies may be lacking. 6 This may be because the harm was caused not only by a single specific use of that individual's data but also by the use of data from different sources in combination, or where harm to a specific individual resulted from the use of another individual's data, without the former being at all aware of this usage. Digital data are also multiple in the sense that they can be in more than one place at once, and that they can be interlinked in various ways, 7 which makes it extremely difficult to trace the movements of data in specific cases. These circumstances can leave individual data subjects, such as Mustafa and Paula, and third parties unable to prove causal links between data use(s) and the harm suffered, leaving them to bear the downstream costs in the form of harms arising from increasingly complex forms of data uses-without clear legal remedies.
At the same time, downstream costs on data controllers, who often derive significant commercial benefits from such uses, are limited. This amounts to a significant imbalance of benefits and harms, and, more broadly speaking, of power between data users and data subjects or third parties.
In view of this situation, a recalibration of data governance is necessary. As part of a larger programme of thinking about data governance, 8 this article makes the case for suffered based on Google's use of these characteristics without their consent/knowledge to send targeted advertisements, and the risk that such personal characteristics could have come to the knowledge of third parties who used/saw their devices. 4 art 82(1) GDPR 2016/679 provides that: 'Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.' The GDPR became directly applicable on 25 May 2018. harm mitigation tools to complement existing legal frameworks. In doing so, we put forward a normative and practical rationale for why individuals should be offered support in such contexts, and why systems for monitoring such 'harms' should be established. We envisage these functions being conducted by 'Harm Mitigation Bodies' (HMBs), which could also establish financial support mechanisms. While two of the authors have sketched the general idea of such bodies in previous work, 9 we set out the role and form of these HMBs for the first time in this article. At the outset, we also acknowledge that the adoption of the GDPR takes positive steps to address some of the issues caused by big data practices. For example, the GDPR's principle of accountability of data controllers moves the onus of proof onto data controllers, thereby reducing the need for data subjects to demonstrate causation in many contexts. However, as will be demonstrated, gaps remain and the GDPR's remit is still too narrow to provide effective harm mitigation for all data subjects. To address this, the proposed HMB framework could provide support for harms caused through data use: (i) in cases where data use did not breach the GDPR and (ii) in countries where the GDPR is not applicable. Moreover, HMBs would not focus on policing (and placing fines on) data controllers but on providing support to data subjects. They thus complement, rather than duplicate or compete with, the institutions and instruments of the GDPR.
In making these arguments, the article is structured as follows: Section II sets out the value of 'big data' in today's world and the challenges it poses for governance. It puts forward a normative and practical case for a renewed focus on the need for harm mitigation, and our novel tool to do so, the HMB. Following this, Section III describes the main functions and legal adaptations of such HMBs, setting out an operational overview illustrating how these bodies would work within the national data protection context, their structural composition, etc.
While the arguments were initially developed in the context of the governance of data for biomedical research and practice, the harm mitigation framework spelled out here is not limited to the medical domain, but is, in principle, applicable to any instance of data use.

II. BACKGROUND: BIG DATA AND THE NEED FOR NEW GOVERNANCE FRAMEWORKS
A. The Context: Big Data in Biomedicine 'Big data' 10 are a key resource for medical research and increasingly also medical practice in the digital era. Owing to advances in information technologies, it has become easier to link data from multiple sources and datasets in recent years, 11 with many knock-on benefits for medical research. In the definition of the Garter IT glossary, which the UK Information Commissioner's Office refers to, big data are '. . . high-volume, highvelocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making'. 12 Big data practices and epistemologies are hoped to help improve the efficiency and effectiveness in fostering healthy habits/practices, 13 to enable more precise prediction and more successful prevention of disease, and aid the development of medical interventions, 14 both from a commercial point of view as well as from a public health perspective. Artificial intelligence 15 and machine learning 16 techniques are useful to accelerate these benefits and fully 'unlock the value of big data'. 17 Personal data-understood, in line with Article 4 of the GDPR, as information relating to an identified or identifiable natural person-play important roles in this endeavour.
At the same time, traditional distinctions drawn by data governance frameworks, such as the distinctions between identified (or identifiable) and anonymous data, 18  sensitive and non-sensitive data, 19 are increasingly difficult to operationalise in the big data era given the increased sharing, copying, and linking of data and datasets, and because of the aforementioned multiplicity of digital data-the fact that they can be in more than one place at the same time. If combined with sufficient additional data and information, virtually any data point is identifiable. Moreover, data representing even the most innocuous kind of information could be used in conjunction with other data to reveal sensitive information, thereby increasing the risk of harming people. 20 It has been argued that in the digital era, any data should be regarded as potentially identifiable, health related, and sensitive. 21 In addition, big data allows greater emphasis on 'insights obtained at the aggregate level to be used to make probabilistic "predictions"' about individuals and groups, 22 leading to challenging questions about who gets to make-and further use-such predictions, for what purposes, and under which safeguards.
B. The Problem: Challenges for the Governance of Human Data Left Unaddressed by the GDPR The regulatory response to challenges posed by big data has tended towards the fossilisation, imitation, or mimesis 23 of traditional concepts and instruments such as privacy, informed consent, and risk management. Broadly speaking, it has so far sought to address challenges from big data use by trying to minimise and manage risks of data use as much as possible, and at the same time, by attempting to increase individual control over how specific data types are used. This has led to what some have termed 'privacy protectionism' 24 or a 'whiplash effect' 25 where 'overly restrictive measures (especially legislation and policies) are proposed in reaction to perceived harms, which overreact in order to re-establish the primacy of threatened values, such as privacy'. 26 At the societal level, an overt focus on risk management can increase burdens for data processing that has the potential to limit data uses, thereby hampering the potential benefits of big data-while such measures may not necessarily protect individuals either.
In addition, at an individual level, focusing on risk management and relying on traditional concepts such as informed consent is problematic because it could give false assurances. Even with the highest safeguards and best intentions in place, no data usage in the digital age will ever be entirely risk-free; 27 nor can there be a guarantee against predictive use of individual and collective health (and other) information in ways that can harm people. The emphasis put on increased individual control and risk minimisation in many current health data governance systems, as useful as this approach has been to date, is likely to also engender problematic expectations for data subjects in the new 'big data' context, who may feel falsely assured that they have meaningful control over how their data are used. 28 A more explicit focus on harms and harm mitigation would be in line with the principle of veracity in the governance of personal data in the digital era. 29 More effective harm mitigation mechanisms are particularly important and timely also because big data usage can lead to harms that have so far not been recognised, such as those described in Paula's and Mustafa's case in the beginning of the article. Predictive analytics could also lead to poor consumer ratings which in turn result in the denial of mortgages; predictive health profiles could make finding employment more difficult or raise insurance premiums, etc. 30 Studies have also shown the risks of 'credit worthiness by association' 31 such as where an individual's credit card limit was reduced due to predictions based on repayment histories of other people who shopped in the same stores as that individual had. 32 Importantly, harms can occur also when data processing is lawful, such as in Mustafa's case, which is a situation that existing legal remedies do not address. 33 Legal systems have tried to adapt to some of the challenges posed by big data. At a European level, the GDPR under Recital 71 protects against the processing of data which causes discriminatory effects on people on the basis of 'racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or processing that results in measures having such an effect'. However, there are clear limitations to such measures given the way big data works. The Information Commissioner's Office (UK) has stated that big data analysts ''will need to find ways to build discrimination detection into their machine learning systems to prevent such decisions being made in the first place'' 34 to comply with issues of accountability under GDPR. Given the way the technology works, not all potential discriminatory effects will be reasonably foreseeable to allow pre-emptive action. 35 The GDPR also gives natural persons the right not to be subjected to decisions based on profiling under certain circumstances. 36 There are, however, numerous exemptions, and limitations to this, discussed in further detail below. 37 It is also noteworthy that the respective articles of the GDPR (Articles 4(4), 9, and 22; see also Recitals 71-2) do not protect individuals from their personal information being used for automated purposes per se; rather it protects them merely from being subjected to decisions based solely on such automated purposes, eg profiling, without human intervention. 38 The result is that the prohibition can potentially be bypassed by involving humans at some stage in a largely automated process of decision making, for example, by signing off results suggested by an algorithm. 39 Furthermore, under the GDPR, data can only be processed in line with the purpose it is collected for (purpose limitation), 40 but subsequent processing is permissible provided that it is compatible with this purpose. One such compatible purpose is processing for statistical purposes; however, uncertainty remains around how this exception will apply in the big data context. 41 To be deemed a statistical purpose, the results should not 34 Information Commissioner's Office (n 12) para 116. 35 See discussion of risks of discrimination in Rhoen and Feng, 'Why the "Computer Says No": Illustrating Big Data's Discrimination Risk Through Complex Systems Science' (2018) 8(2) International Data Privacy Law 140. 36 Profiling, here, is defined in art 4(4) of the GDPR as 'any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements'. However, the human involvement must be meaningful -as noted by the Art 29 Working Party guidelines, p. 21: "To qualify as human involvement, the controller must ensure that any oversight of the decision is meaningful, rather than just a token gesture. It should be carried out by someone who has the authority and competence to change the decision." 40 art 5(1)(b) GDPR and art 6(4) GDPR. 41 For a discussion of the likely difficulties, this will pose for big data, see Zarsky be used 'in support of measures or decisions regarding any particular natural person'. 42 However, in practice it may be impossible to prevent data users to use findings from data analytics that identify an association (or even a causal connection 43 ) between two parameters in such a way that they apply to specific individuals. Either as part of implementing the GDPR into their national legal systems, or additionally, many countries currently attempt to introduce legislation curbing or at least limiting the use of predictive analytics in healthcare systems. 44 Although these solutions are a welcome step, they are not sufficient to address the problem described above for four reasons: first, potential harms caused by the use of data in this way often fall outside the remit of governance frameworks using traditional legal concepts. 45 As demonstrated by Metcalf and other colleagues' work on the pervasive nature of big data, harms are often systemic in nature and may have effects on multiple individuals downstream. 46 For example, a person who is harmed by a predictive analytics system that makes probabilistic inferences regarding an undesirable trait on the basis of generic information about hersuch as the postcode she lives in-does not have access to legal remedies if the data that were used to make these inferences are not her own personal data. Secondly, even when it is clear that a particular harm must have resulted from a breach of the law-such as in the case of Paula described in the beginning of the article-individuals might not be able to prove the relevant causal link required for traditional tort-based remedies to apply, or for the purposes of establishing a right to compensation under the GDPR. This is because multiple digital copies of data sets may exist whose movements cannot be traced, or because the pervasive nature of digital data may make it easier for data controllers or processers to prove they are not responsible for the event. Thirdly, according to the GDPR, even when data controllers fail to take sufficient steps to avoid discrimination against people and, as a result, they can be held accountable for breach of the GDPR, existing frameworks impose penalties for mis-and abuse of data that are often too low to deter bad practice on the side of data controllers. 47 And fourthly, Article 80 GDPR provides that non-profit bodies active in the privacy context can initiate claims of infringement by data subjects, and allows for the potential for group actions-if such bodies gather multiple claims on similar issues from data subjects. 48 This measure could be used as a collective support mechanism for individuals, but shortfalls remain, namely: first, it will be left to each Member State to devise such mechanisms for non-profit actions in national jurisdictions, which could lead to variance of approaches; secondly, such bodies would also still only be able to take actions based on the infringement of the GDPR.
All these aspects underscore the need for additional mechanisms of support, namely for the introduction of HMBs. Such HMBs would complement regulation by focusing on supporting data subjects who were harmed by data use, irrespective of who caused the harm, of whether or not they are able to prove a causal connection, and irrespective of whether the action or omission that led to the harm was unlawful.

C. Why Better Harm Mitigation Is Needed in the Digital Era
Alongside other colleagues we thus argue that the current approach to data governance needs to change. 49 In previous publications, two of the authors of this article (Barbara Prainsack and Alena Buyx) 50 have argued that new approaches to big data governance should be based on the concept of solidarity, 51 and that they should include three main pillars: (i) greater emphasis on whether or not specific instances of data use are in the public interest, (ii) the strengthening of harm mitigation instruments, and (iii) new legal mechanisms to ensure that significant parts of financial profits created on the basis of data use go into the public purse (eg via a corporate data use tax). In this article, we will focus on pillar (ii) harm mitigation. As noted, the account of harm mitigation that we develop in the following sections can be adapted to, and support, the governance of any data use, not limited to health, and within any kind of regulatory and governance landscape. In other words, although the idea of HMBs and their accompanying financial support mechanisms was conceived in connection with solidarity-based governance, 52 enhancing harm mitigation is an essential task in the era of digital data, irrespective of whether other instruments of solidaritybased governance are employed or not.
We argue that there are important normative and practical rationales for establishing HMBs. At the normative level, harm mitigation forms a key step that governance frameworks need to shift towards strengthening not only individual but also collective control and responsibility in the context of data use. We take it as a given, in the interests of social justice and fairness, that significant inequities in the distribution of benefits and burdens, as well as large power imbalances in societies, need to be remedied. Improved mechanisms and instruments of collective control and responsibility for data use are necessary to counteract the growing imbalances between those who give data and those who use them. Strengthening collective responsibility also includes improving the support of individuals and groups of people who are harmed by data use. And this, in turn, leads us to emphasise the need for better harm mitigation instruments. 53 In our view, HMBs will help to protect people from the downstream costs-in the widest sense of the word-of personal data use in the digital era to a greater extent than is currently the case. For individuals, big data entails upfront costs (the costs related to curating and using datasets, which they share with public and private corporations that provide the technologies and infrastructures for the generation of data) and downstream costs in terms of harms caused by data use. Under current regulatory frameworks, as described, these downstream costs for data use in the digital era are carried largely by individual members of the public and by publics, whereas the commercial benefits unfold mostly for such privately owned corporations. HMBs would seek to reduce the downstream costs for individuals/publics, and thus contribute to a mitigation of imbalances in power and benefits and burdens between publics and private actors. While this is not an argument against private corporations making profits from personal data use in principle, the difference in power, agency, and costs borne by corporations that use data on the one hand, and the people who contribute data on the other, is a problem in need of addressing. In some of our other work, 54 we have suggested solutions to ensure that a larger share in profits come back into the public domain (eg via a data tax). These monies paid by corporations benefitting from the use of people's data could and should be used to support the operation of HMBs.
There is also a practical rationale for HMBs: we argue that HMBs are practically mandated because no matter how hard we try to reduce risks emerging from novel ways of data use, some individuals and groups will still inevitably be harmed by these practices, either intentionally or unintentionally, and both by lawful and unlawful data use. As noted, existing legal remedies, 55 which only protect from the downstream costs of data use which is unlawful, eg infringes the GDPR, 56 and (in some cases) only if those harmed can prove a causal connection between an act or omission by a specific entity and the harm incurred, are not sufficient to address this problem. 53 Having said this, we anticipate group claims to be the exception. Furthermore, depending on the size of the group, it may already have collective agency to a certain extent. In such cases, issues are likely to be resolved more quickly by a data controller than cases of individual harm given the likelihood of increased concerns about the public image/legitimacy of the data controller. 54 Prainsack and Buyx, 'Thinking Ethical and Regulatory Frameworks' (n 8); Prainsack (n 8). 55 For example, the tort of misuse of private information in the UK, or data subjects' rights under ch 3 GDPR and remedies in cases of unlawful processing art 8 GDPR. 56 Furthermore, scenarios could potentially arise where fines were imposed for breach of GDPR processes, but individuals would not necessarily obtain compensation unless the infringement led to damage.
Further difficulties stem from the fact that costs often arise not only for primary data subjects but also for third parties, ie, for other individuals downstream. 57 To address these issues on a practical level, we need an instrument ancillary to traditional legal mechanisms, with an explicit focus on harm mitigation. For this system to be effective, it must be easy for people to use, low on bureaucracy, and flexible enough in its decision-making system to support people where and how they most need it. Moreover, although it might be possible that other avenues could be developed to address the issues described, such as strict liability for data misuse or any use which causes harm, it is well known by now that serious harms can stem from data use that does not break any laws. While the harm experienced by Mustafa in the beginning of the article could be seen as very minor, other legal practices can cause serious harms, without effective and accessible legal remedies being available to those harmed: a man whose driver's licence was revoked after facial recognition technology wrongfully 'identified' his photograph as similar to another licence holder and there was suspicion of identity fraud. 58 Another person who typed something into Google that the company's autocomplete function added the word 'bomb' to was visited by government investigators and lost his job as a result. In both cases, 59 serious harm occurred without either of the men having access to effective legal remedies to provide financial support for the harm suffered. 60 We argue that a harm mitigation model is the most appropriate in the context described. This is because it could operate flexibly and would offer an important balance of supporting individuals who may suffer harms and seeking to limit these harms, regardless of whether these harms stem from lawful or unlawful data uses, and irrespective of whether the harmed individuals can prove a causal connection between a specific act or omission and the harm incurred. Furthermore, the more informal nature of HMBs, as laid out in the following sections, may help to address the problem that it is often the most socio-economically deprived groups that are most likely to be harmed by data uses. These groups regularly have fewer resources (both in terms of financial resources and access to legal advice) to avail themselves of traditional legal remedies and mount legal challenges against particular data uses, thus potentially further worsening the aforementioned imbalances. Finally, the HMB model would provide an avenue for individuals (and groups) to feed issues of 57 See also PERVADE project <https://pervade.umd.edu/about/data-ethics-regulators/> accessed 8 April 2019. 58 See discussion in Luke Dormehl, 'Algorithms Are Great and All But They Can Also Ruin Lives' (Wired, 19 November 2014) <https://www.wired.com/2014/11/algorithms-great-can-also-ruin-lives/> accessed 8 April 2019. 59 See discussion of these and other similar cases in Luke Dormehl, The Formula: How Algorithms Solve All Our Problems . . . and Create More (Random House 2014). 60 The victim of the facial recognition mistake was told by authorities that he had the right to request a hearing but the onus was upon him to prove his identity if he wanted his licence restored. The hearing was held 11 days after the licence suspension, where he submitted relevant documentation and his licence was reinstated. Nonetheless, the fact that the licence was suspended in the first place due to algorithmic misidentification caused unnecessary harm for him. His subsequent claim for damages based on the incident against the Register for Motor Vehicles was rejected. See Gass v Registrar of Motor Vehicles 12-P-205 (Mass App Ct 7 January 2013). The fired employee who wanted to build a radio-controlled airplane and was accused of trying to build a bomb subsequently commenced litigation to try to claim compensation for the job loss suffered. Even where successful, litigation tends to be both highly expensive and time-consuming.
big data usage back to regulators, thus forming an important element of reflexive governance. 61 This is vital given the evolving nature of data uses, and how, relatively, little we know at this point about the nature and severity of harms that stem from these uses, as well as their prevalence and distribution within and across populations.
III. HMBS : FUNCTIONS AND LEGAL ADAPTATIONS This section introduces HMBs and expands on their main functions in reference to the GDPR to highlight the complementary nature HMBs could play in addressing gaps in existing frameworks. We expect these ideas to be developed further over time by and in response to the community within which HMBs would operate and apply.

A. Introducing HMBs
We envisage HMBs as instruments that specifically address harms to individuals that are plausibly connected to data use. HMBs have two primary functions, namely: (i) to provide financial support to individuals who can plausibly make a case that they suffered significant and undue harm by data use (without needing to prove wrongdoing or direct legal causation due to an acknowledgement that this is increasingly not possible in the era of digital data) 62 and (ii) to monitor harms reported as being caused by big data practices reported to and within HMBs. This information can then be fed back to data controllers and to public agencies and inform how the operation of systems of data governance could be improved.
HMBs would be established at national levels, for example, as independent statutory arms of national data protection bodies. They would have oversight for data uses pertaining to all data controllers resident (in the case of individuals) or established (in the case of corporate entities) in that national jurisdiction. All data controllers established in a country in question would need to sign up to the national HMB and pay a certain percentage of their profits (in case of for-profit entities) or their funding (in case of non-profit entities) to the HMB. HMBs would use these funds to cover their operating costs, and to establish a financial support mechanism from which people harmed by data use could make individual petitions to. HMBs would have a reporting branch and an investigative branch. The latter would also deal with petitions for financial and other support provided for by the HMBs. The two branches would communicate and coordinate with each other, and indeed a central role of the individual petition system would be to provide information to the HMB about the nature and severity of experienced harms. This information could be used to assess patterns of harms caused by data uses and inform policy around good practice for big data. To respond adequately to individual petitions, there would be multiple investigation panels within the HMB governed by a group of people who are independent from the data controller(s). This group-the steering committee-would consist of legal and data protection experts, but also include lay members, to ensure a varied membership and reduce the potential for regulatory or institutional capture. There would also be an appeal board within the HMB, where rejected petitions to the financial support mechanism could be appealed to and considered.

Individual petition procedure
Anyone who perceives that they experienced significant and undue harm by data use-either through the lawful or unlawful use of their own data, or somebody else's data-and who wishes to report this, and/or who wishes to apply for financial support can do so via an informal individual petition submitted to the HMB. The petition will be assigned to an investigative panel within the HMB, which will conduct a first review of the case to establish whether the case has the potential on the balance of probabilities to meet three requirements. These requirements are that (i) the claimed harm is significant, (ii) undue, and (iii) there is a plausible connection between the harm arising and the data use.
If these criteria have the potential to be met, then the HMB would invite the applicant to provide further information, which the HMB then uses to make a decision on: (i) whether the case does indeed include significant harm to the applicant. Here we take significant harms to be those that would be considered significant to a reasonable person in the individual's position, or harms that a data controller could reasonably foresee that a particular data subject would consider to be significant. We adopt this hybrid subjective/objective test in recognition of the fact that the impact of a particular harm suffered is dependent on the personal characteristics and factors relating to the data subject. The assessment of (ii) whether harm is undue depends on whether it can be justified by a legal requirement that can be considered fair. For example, if an individual experienced harm on the basis of being included in a criminal investigation on lawful grounds, and these grounds were fair in that they did not include an implicit bias against certain groups of people (eg penalising practices that are associated with poverty), this harm would not necessarily be considered undue. Similarly, harm might not be undue if somebody signed up to a web service in full knowledge that the web service did not adhere to good data practice standards (if no laws were broken). While these are examples of considerations that would have bearing on the decision, whether or not a specific instance of harm is undue, including the fairness criterion must be assessed on a case by case basis by the HMB. Discretion, we argue, is needed because HMBs should be flexible to respond to harms stemming from big data practices, which are still being uncovered, and which we cannot list in an exhaustive sense at the outset. Therefore, to maintain a responsive HMB system we cannot, a priori, prescribe a detailed framework for the assessment of harms. To mitigate against potential risks arising from such discretion, we envisage there being strong procedural transparency around how HMBs make decisions. This acts as a counterbalance to the lack of stringent a priori prescriptive rules to determine the significance of harm, which will be assessed on a case-by-case basis. Once HMBs have been in place for several years it will then be possible to revisit the framework for assessing harms, and to distil greater guidelines around what should be considered a significant harm.
Finally, (iii) whether it is plausible to assume a connection between the harm and specific instances of data use-this is a lower standard than would be employed within traditional legal remedies, and entails proving whether a reasonable person would view on the balance of probabilities that it was plausible that the harm could have resulted (but not proving that it necessarily did result) from the data use outlined.
When first established, we suggest that petitions to HMBs would be confined to claims from natural persons. This is because HMBs are envisaged to mitigate harms for individuals and addressing power imbalances, which arise between individuals and data controllers. Nonetheless, in saying this, we acknowledge that power imbalances may also negatively affect small-and medium-sized enterprises. Therefore, once established for natural persons and operating well in this context, at a later point the role of HMBs might be revisited to consider whether it would be feasible to expand the remit of HMBs to cover claims from such entities.
In terms of what types of harm(s) we expect people to report, this could include eg: discrimination, stigma, or the loss of income following unauthorised reidentification. 63 But harm can also occur without undue reidentification of data, and even without any data having been taken from the person who was harmed. The practice of predictive analytics, for example, uses insights from one group of people to discern patterns that will then be applied on other groups of people. 64 As a result, those with 'risky' or otherwise undesirable characteristics can be excluded from certain offers or services, or they can become a target for heightened scrutiny or surveillance (eg patients who are identified to be particularly likely to overuse emergency rooms on the basis of predictive analytics). 65 Whenever such harms do not give grounds to a claim within data protection or tort law systems because they are lawful or because it is impossible for affected parties to prove what act or omission exactly caused the harm (eg due to data having been used by many different entities and having been analysed in ways that are not open to scrutiny), individuals could be encouraged to approach a HMB. 66 Alternatively, some people may wish to report harms that they have experienced which they think are due to data use but may not wish to seek financial or other support, eg if the harm experienced is not significant but they still want it recorded and its causes addressed to prevent possible harms to others. A simple, informal feedback form would be set up for this purpose and would enable the HMB to fulfil an important monitoring role. This informal process could be used to prompt investigations for HMBs and if harms were found to be significant and repeated, findings could feed into regulatory frameworks to address these harms. To increase public knowledge of the potential for harms arising from data use, public awareness campaigns would need to be established by the government to educate the public, so they can identify possible harmful practices.
Importantly, HMBs would thus be subsidiary to rather than replace existing legal protections, thereby filling the aforementioned regulatory gaps created by the digital era. Regulators and data controllers would still be required to minimise risks as far as reasonable and practical. Alongside this, HMBs could offer financial and/or other support to those who are harmed by data use but the claimed harms suffered would not meet thresholds for legal causation under existing legal remedies-for example, because no direct causal link between an action of a data controller and the experienced harm could be proven. In this way, HMBs would fill the existing gaps in traditional legal systems, whilst also serving an important reporting function as patterns of harms caused by data use investigated can then be assessed and issues identified and fed back to regulators. HMBs thereby seek to complement available legal remedies in mitigating potential negative effects of data use, and also by providing feedback to data controllers on how systems and procedures could be improved. In EU Member States, HMBs would complement, rather than compete with or duplicate, the role of the relevant Data Protection Authority (DPA), which is the independent public authority in each state that supervises the application of data protection law. While the main role of the DPA is to police data controllers, and while they are limited to cases that infringe existing laws, HMBs main role would be to support data subjects, and they would not be limited to instances of unlawful data use. In this area, HMBs could assist in collecting evidence on the frequency, nature, and severity of harms occurring, and by analysing this information to help improve data protection, HMBs and DPAs could and should collaborate on this.

B. Financial Support Function
As noted, HMBs-particularly as institutions that people can appeal to also for financial support-do not aim to replace existing legal mechanisms for compensation or redress. Instead, they seek to complement legal systems by providing a low-threshold instrument for people who feel that the legal system did not, or cannot, address the harm that they suffered. HMBs could make positive decisions on appeals even if data users did not infringe any laws or rules. Moreover, if HMBs gave financial support to applicants, these would not claim to provide full restitution or compensation for all losses resulting from the harm. In cases where the claimed harm could be quantified in financial terms, money paid out by HMBs would not necessarily correspond with those figures either. Instead, money paid by HMBs would be understood as financial support, not necessarily corresponding with the extent of the actual harm. The amount provided would, however, aim to reflect the degree and type of harm suffered. In other words, the more significant the harm suffered, the higher the financial support offered. This would be assessed on a case-by-case basis. When the system is first set up, if concerns arose initially on the affordability of the system, the financial supports offered could be set out as a percentage of losses/costs borne by the individual, eg 60% of the actual loss/costs, which would reflect the fact that it is a supportive measure to the individual. It also reflects the informal nature of system, which does not require legal costs, requires a minimal application process in terms of the data subject, etc.
Liability under the HMB model is on a no-fault basis such that financial support is not dependent on proving a violation of law by the data controller. Instead, it is based on proving a plausible connection between the actions (lawful or unlawful) of the data controller and the harm suffered. As noted, awards could be made from HMBs even if the actions of the data controller did not fall foul of any laws, which addresses concerns raised elsewhere on the need to have broader systems of accountability for data uses in the biomedical context. 67 In this way, HMBs' financial support mechanisms are distinctly different from traditional constructions of liability, eg in tort law where liability is generally premised on a breach of duty and standard of care, with a direct proof of causation between the act in question and harm arising. Instead, in the HMB context, if an individual experienced harm, they could appeal to an HMB that would assess whether financial support is warranted based on the abovementioned criteria. In theory, claims could also be made in cases where data controllers' actions were not unlawful.
Three key legal questions arise under this framework, namely: (i) the definition and construction of harm for the purposes of the HMB; (ii) the subsidiary nature of HMBs and how the system is also designed to address harms falling outside existing protections, (iii) in cases where the response of the HMB takes the form of support, including eg financial payments, how the amount of financial support would be awarded. Taking each of these aspects, in turn, the following can be said.

Definition and construction of harm for purposes of HMB
This section uses the European data protection framework as a case study to illustrate how the conception of 'harm' in HMBs differs from existing legal frameworks under the GDPR and the previous framework under the Data Protection Directive 95/46/ EC. The precise role and influence of the GDPR over UK data protection laws after the UK leaves the EU are still uncertain, and will depend on the outcome of any Brexit deal. 68  still being negotiated. Furthermore, the UK's Data Protection Act (DPA) 2018 came into effect in May 2018. This Act replaces the previous DPA 1998, applies GDPR standards and complements the GDPR by setting out specific rules to supplement its application in the UK. Therefore, the domestic act will ensure continued application of provisions contained therein which are related to the GDPR in the UK post-Brexit. Moreover, even if the GDPR does not apply directly within the UK post-Brexit, the territorial scope of the GDPR is broader than the previous Data Protection Directive 95/46/EC, and the GDPR applies to all data controllers/processers who are processing personal data of individuals resident in the EU, which is regardless of the controllers/processers place of establishment. Given the proximity of the UK to EU markets, this is still likely to apply to many UK data controllers/processers. This section briefly sets out the relevant provisions and remedies provided previously by the Data Protection Directive 1995 (by reference to how these were applied in the UK under the DPA 1998) considering how the GDPR improves upon these, and also noting the gaps remaining. The UK's DPA 1998, which brought the EU Data Protection Directive 1995 into national law, stipulated that harms from data use/misuse were legally sanctionable under UK law if recognised under the relevant statute (DPA). Other legal actions were also relevant in this context, eg data use/misuse may be subject to common law action for breach of confidentiality or tort of misuse of private information; or it may in some cases breach rights under the European Convention of Human Rights, of most relevance here is Article 8 (right to respect for private and family life). 69 Data controllers who did not abide by standards set out in the DPA 1998 were liable to sanctions. However, the threshold required to prove harm and the penalties imposed when harm was established left gaps for data subjects. For example, the penalties imposed were arguably not severe enough to effectively deter data misuse. 70 Moreover, and importantly in the context of big data, the provisions of the DPA 1998 did not apply to anonymous data, so no legal remedies were available if the use of anonymous data caused harm. The GDPR improves this situation by expanding the concept of personal data to include (at least some instances of) 'pseudonymised data', ie data that are neither anonymous nor identifying, 71 whereby one attribute in data (usually a unique identifier) is replaced with another as an extra security measure to reduce the risk that the data subject can be identified. 72 It thereby extends the potential for legal remedies for individuals who did not have access to them under the Data Protection Directive. 73 It remains to be seen, however, how this will be implemented in practice. 74 Also, the GDPR does not include fully anonymous data (ie data where it is assumed that no link to specific individuals can be made) 75 under the remit of personal data and thus leaves those who are harmed by the use of such data without redress. Furthermore, in distinguishing between anonymised and pseudonymised data, a key question will be whether the risk of reidentification is reasonable, 76 which could provide a potential gap in protection, depending on how 'reasonable' is interpreted in such contexts, and particularly given ongoing advances in technology. 77 More generally, Laurie and others previously highlighted the narrow framing of harm under the DPA 1998 whereby individuals had to prove that harm experienced by them caused either financial damage or distress (emotional suffering) and that this was of a sufficient degree to constitute a breach of the DPA 1998. 78 Under the GDPR, Recital 82 provides a right to compensation for any person who suffered 'material or non-material damage as a result of an infringement of this Regulation', and compensation can be obtained from the data controller or the processor. There is no definition of non-material damage; however, Recital 85 GDPR provides guidance, defining potential harms as: physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional 72 art 29 Working Party, 'Opinion 05/2014 on Anonymisation Techniques' 0829/14/EN WP216 (10 April 2014) 20. 73 Laurie and others (n 69) 33-34. In this report the authors discuss the proposed Data Protection Regulation, as it was then at the time the report was written. 74 For instance, Laurie and others (n 69) 34, who state at n 50 that '. . . there is concern over how the Regulation would impact (negatively) upon the processing of personal data for health and biomedical purposes. The Wellcome Trust has consistently opposed drafts of the GDPR, which purport to turn pseudonymous data into a subset of personal data that would interfere with publicly beneficial research from being carried out.' 75 Information that 'does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable'. 76 Gabe Maldoff, 'Top 10 Operational Impacts of the GDPR: Part 8 -Pseudonymization' (12 February 2016) <https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/> accessed 8 April 2019. 77 There is a recognition that as technology develops data that have previously been annoymised may become identifiable. The Irish Data Protection Commission states it is: 'likely that more advanced data processing techniques than currently exist will be developed in the future that may diminish any current anonymisation techniques. It is also likely that more data sets will be released into the public domain, allowing for cross comparison between datasets. Both of these developments will make it more likely that individual records can be linked between datasets in spite of any anonymisation techniques employed, and ultimately that individuals can be identified.' See <https://www.dataprotection.ie/en/guidance-landing/anonymisation-and-pseudonymisation> accessed 21 May 2019. Reasonable measures must be taken against reidentification, but arguably this could not extend to pre-empting future specific technological advances. 78 Laurie and others (n 69) 3B and 3B3. secrecy or any other significant economic or social disadvantage to the natural person concerned. 79 It remains to be seen how such definitions of damage/harm will be applied under the GDPR, but arguably, although broader than the DPD by the inclusion of nonmaterial damage, the GDPR could retain a relatively narrow construction of these terms in practice. Article 82(3) also provides an exemption for controllers/processers from liability if they can prove that they are 'not in any way responsible for the event giving rise to the damage'.
In contrast to this approach-and in addition to the aforementioned differences between HMBs and DPAs acting under the remit of the GDPR-HMBs would seek to employ a broad definition and application of harm arising from data use. 80 HMBs would recognise physical, psychological, and financial harms experienced by individuals if on the balance of probabilities, it is plausible that this harm is connected to data use. Instead of looking towards a strict traditional legal classification of harm which generally relies on causality to the loss suffered, the HMB (i) would adopt a lower threshold to prove causality such that the individual need only to prove that there is a plausible link between the harm suffered and the data use(s). It would also not need to be a proven link between an action by a specific data controller and the harm. Instead, in recognition of the pervasive nature of data, it would be enough to prove a plausible link between multiple data uses and the harm(s) arising. (ii) Drawing on Laurie and others' findings and recommendations, 81 HMBs would look at harm in the sense of how individuals were 'impacted' by data use when assessing the significance of the harm looking at the extent to which this was harmful to the individual(s). This broader classification of harm is needed to support individuals in an era where decisions are increasingly supported-or even driven-by data. Also, whilst Article 82(1) refers to compensation being awarded based on 'damage suffered', HMBs could go beyond this because the financial support that HMBs can offer is not limited to damage suffered but extends to other harms. Furthermore, although harms arising outside . . . for example, an individual might experience an impact if her/his data are used without permission, even if this is perfectly legal. Equally, organisations handling data might suffer an impact in trust and allegiance if individuals or groups whose data are held and used perceive an adverse impact through uses of which they disapprove. This is not to suggest that groundless concerns or abstract fears should drive information governance practices. Rather -as our soft evidence base suggests -the range of considerations about what might be construed as harmful is far wider than the law alone recognises. As such, the lesson is that due attention should be paid to possible impacts when using health and biomedical data, and to ensuring that governance mechanisms and actors within them have the ability to assess and, where appropriate, respond to data subjects' expectations.
the GDPR may be actionable in other ways, eg as breaches of human rights under the ECHR, HMBs provide a more expedient and less costly way for individuals to report and request support for such harms. 82 Nonetheless, as noted above, the HMB system is complementary to existing legal protections under data protection frameworks and is expected to be used by individuals who do not have claims under traditional legal remedies. For instance, the HMB would take claims that fell outside the scope of current laws where, eg harm resulted from anonymised data, harm resulted to a secondary data subject, or harm occurred from lawful data use. In such cases, affected individuals could bring a petition to the HMB. However, to avoid duplication, although individuals who have a traditional claim are not barred from applying to the HMB, individuals are not be able to appeal to HMBs if other legal actions are in progress, eg human rights claims or claims under the GDPR. Instead, if a legal claim started in the course of a petition to the HMB, a stay on the petition would operate until the legal action was concluded. The HMB could then continue to consider the petition. However, as it is intended as a support mechanism for individuals and does not act as compensation, therefore if someone was compensated by the legal framework, the HMB petition would be unlikely to lead to further financial rewards as that individual's harm would already be financially mitigated against by law. Nonetheless, other supports might be granted to such individuals 83 and petitions would also be used to inform the governance feedback loop created by HMBs.
2. HMBs and subsidiarity: addressing harms falling outside existing protections As mentioned, despite provisions in the GDPR which seek to address some of the challenges posed by big data, important gaps remain, which HMBs could help address. For example, as noted above, Article 22(1) GDPR states that: the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (emphasis added).
Where profiling is defined in Article 4 GDPR as: any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. 82 In this respect, the administrative costs of running HMBs would be monitored particularly at the initial stages of the system and would need to adapt accordingly. For example, if it transpired that individuals were more inclined to use the informal HMB facility rather than look to traditional legal remedies, then there would, for instance, need to be a percentage increase in the amount that each data controller would pay to the HMB. 83 Examples would include the recommendation by an HMB to reinstate credit worthiness that was negatively affected by association.
However, the effect of the provision is limited by the fact that it refers only to processing of an individual's 'personal data' used in a manner to 'evaluate certain personal aspects' relating to that person 84 and is only applicable where there is no human intervention evident in the processing. Only fully automated data analytics fall within this, and those not fully automated-even if they include humans in an relatively insignificant manner, eg to sign off the decisions of the machine-do not fall within the remit of the protection (for further exceptions see below). 85 As Article 4 also relates to personal data as defined in the regulation it is unlikely-given the specific use of 'that natural person' in the article-that this would apply to data of individuals used to make predictions which impact upon a secondary data user. Furthermore, the right does not apply if covered by the exceptions in Article 22(2) that allow automated processing if the decision is necessary for the performance of a contract between data subject and controller based on the data subject's explicit consent; or if it is 'authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests'. 86 Whilst the Article 29 Working Party guidance has highlighted limits placed on these caveats, such as having a narrow construction of necessity in the context of performance of a contract, 87 nonetheless, the practical effect of Article 22 is significantly curtailed by such caveats. The GDPR also explicitly prohibits using sensitive data (or special categories of data) for automated decision-making purposes, unless the data controller has implemented measures to safeguard the data subject's rights, 88 and that the data subject has explicitly consented to processing, and the processing is for a legitimate aim. 89 Nonetheless, this fails to address the fact that even with such safeguards in place, harm can still occur, in view of the aforementioned effect of big data where people do not know what actions exactly led to harm, and where they sometimes do not even know that data were used that proved harmful to them. 90 Moreover, individuals may not have access to legal remedies, eg if it is a secondary data subject who is harmed.
The GDPR also recognises the risk of discriminatory decision-making arising from profiling. 91 These include Recital 75 which recognises that algorithms can be used in a way that causes indirect discriminatory effects for certain individuals 'even if those organisations had no knowledge of the discrimination and did not intend to discriminate' 92 and legal protections against discrimination could be employed in such contexts. Guidance from the UK Information Commissioner's Office emphasises the need for data controllers to take steps to prevent bias and discrimination resulting from profiling. 93 However, in this context, the focus is again on the processing of 'personal data' 94 and the scope and effect of this provision in the 'big data' era remain to be seen. Moreover, as is well known, despite the GDPR's goal to remove national differences in data protection standards, it leaves ample room for national derogations, and for different interpretations of key terms such as 'public interest' or 'appropriate safeguards'. In sum, the GDPR leaves room for individuals to be harmed in a big data context which HMBs could help address.
3. Financial support fund: appeals process Turning next to the practical operation of the financial support function, three main questions arise which will be addressed briefly here.
a. Who could apply to the HMB for financial support and on what grounds? Given the focus on collective risk management/benefits, any natural person could apply for financial support if they could make a plausible case that they have experienced significant and undue harm by data use. An important feature of HMBs is that it they would also be open to appeals from secondary data subjects-individuals whose own data have not been used, but who have been harmed by the use of other people's data. Since there is no recognised relationship between the data controller and a secondary data subject under traditional legal approaches, it is questionable what duties the controller would have to such subjects within existing frameworks. However, third parties have been recognised as having rights in other contexts, such as within contract law, 95 or insurance law. 96 In the big data context, where 'secondary harms' will occur more frequently, effective protections are imperative in the recognition of individuals' commitment to big data, and to ensure fairness given the power disparity between individuals and data controllers. The openness of HMBs to providing support to secondary data subjects is an expression of collective responsibility for harm resulting from any kind of data use. Importantly, as noted, the HMB would initially only allow claims from natural persons and not from corporate entities.
There would also be no time-limit on claims to the HMB. This is because general statutory limitation periods are designed for public policy reasons, namely: (i) it is unfair for companies or individuals to be challenged on basis of old allegations of wrongdoing as evidence to prove or refute a civil action may become difficult to verify/obtain if a substantial period has elapsed between the alleged wrongdoing and time of the action being raised and (ii) there should be a certain period of time after which a wrongdoer should not have the threat of legal action. 97 However, HMBs are designed on the basis of no-fault and as noted applicants apply for support from the HMB not the data controller, and the requirement is based on plausible connection to the data use in the HMB context which will be a lower requirement to establish than the chain of legal causation required for traditional actions. Moreover, HMBs would be an instantiation of a collective commitment to support those who were harmed by (lawful or unlawful) data use and an acknowledgement that not all risks are foreseeable in the context of big data. In this spirit, depending on the severity of the harm and reasons for not taking a claim earlier, financial support could still be made at a time removed from the initial data uses. However, there would need to be a justifiable reason for the delay in making a claim to the HMB in cases where the harm was discovered long before the claim was applied for.
b. How would a claim be made to the HMB, and how would payments (if any) be assessed? As briefly sketched above, a key feature of HMBs and their financial support mechanism is that they simple to use, and thus bureaucracy would be kept as low as possible as a key objective. Therefore, a simple letter describing how a person has been harmed and how the person thinks this harm was caused (at least in part) by data collected or used by the data controller would be sufficient to be considered by the HMB. The HMB would then conduct an investigation into the matter. This could mirror the approach adopted by bodies such as the Motor Insurance Bureau (MIB) compensation system that offers financial support to individuals involved in a motor accident where the other party was uninsured, or where the other party is untraceable (eg if they left the scene of the accident) or for UK residents involved in accidents with foreign registered vehicles either in the UK or EU. 98 Under the MIB scheme, claimants must submit a claim form 99 including details of the incident where they are claiming injury/ loss arose from, and supporting documents/details including witness/police reports, etc. Following receipt of the form the MIB then conducts an investigation which includes: 'establishing the facts; confirming the identity of those involved; obtaining independent reports from motor engineers or witnesses; obtaining a police report; contacting other bodies such as the DVLA, your insurer or a foreign bureau'. 100 Claims are dealt with within 3 months generally.
Similarly, under the HMB, an individual would submit a claim form to the national HMB, providing a description of the harm suffered and circumstances of this, 97 The relevant legislation is the Limitations Act 1980 (as amended) applicable in England and Wales, which provides for a 3-year limitation period for claims for compensation for personal injury. For claims in tort other than for personal injury, the limitation period is generally 6 years from the date of the damage is sustained. 98 See <https://www.mib.org.uk/making-a-claim/what-we-do/> accessed 25 June 2019. It remains to be seen how Brexit and leaving the EU will impact upon this. 99 <https://www.mib.org.uk/media/418096/mib_claim_form_v0618_v2a.pdf> accessed 8 April 2019. 100 <https://www.mib.org.uk/media/216242/your-guide-to-making-an-mib-claim.pdf> accessed 8 April 2019, 11. alongside supporting evidence including, for instance, medical reports, etc depending on the harm allegedly suffered. The HMB would then consider such supporting evidence and could request independent assessments/opinions from data experts in deciding on the claim, and/or enter a dialogue with the applicant to obtain further evidence or information. A key difference between the MIB scheme and the process envisaged for HMBs is that under the former, compensation is fault based-it is only paid where fault is established on the part of driver that the claimant considers responsible and if the claimant is wholly/partly responsible, compensation may be reduced or not paid. 101 The HMB, in contrast, would work on a no-fault basis and financial support could be paid even if the data use was outside the scope of relevant laws, provided sufficient harm arising from data use could be demonstrated, and that it was plausible this resulted from the data use.
If the HMB was satisfied that the harm suffered was significant, that it was undue, and that there was a plausible causation to data use, it could do any or all of the following (i) acknowledge the harm and issue an apology to the applicant on behalf of the data controller(s); (ii) feed information back to data controllers and policy makers, with the aim of improving procedures and rules to avoid such harm from occurring in the future; (iii) make financial payments to support the harmed party under the financial support mechanism.
c. How would the decision-making process operate? HMBs would be governed by an independent steering committee who would develop a framework of criteria for decision-making by the HMB. This framework would be made publicly available. As noted above, HMBs would have appeals panels who hear and decide on appeals from residents of that country who complain of harm. Members of HMB appeals panels would include 'lay' members in their capacity as patients, etc, but also experts in data protection, marketing, security-depending on the size and remit of the HMB. Based on the decision-making framework, members of appeals panels would be free to consider any aspect that they deemed relevant provided the following conditions were met: (i) evidence of physical, psychological, financial, or reputational harm (ii) a plausible case, on the balance of probabilities, would be made that the harm resulted, at least in part, from data collected or used by an organisation within the remit of the HMB. They would then decide what response would be adequate to the harm experienced by the appealing party, as noted above: an official acknowledgement of the harm with an explanation of what will be done to avoid similar issues happening in the future, and/or providing financial support. HMBs would need adequate financial resources to manage such a system and to ensure the independence of members to avoid issues of regulatory capture.

C. Evaluation and Feedback on Governance Systems
As noted, alongside the financial support mechanism, HMBs would have an advisory role and would be required to produce an annual report providing an overview of the types and distribution of claims to the fund that it investigated and the outcomes of these. This should be used to feed into good practice recommendations on data use as the HMB would be in an ideal position to assess how harms materialised in the previous year by having an overview of such challenges. In this role as a collector and analyst of the evidence on the frequency, nature, and severity of harms resulting from data use, HMBs could collaborate with DPAs-although also here, their role would go beyond the remit of the DPA which is limited to harms arising from unlawful data use.
The feedback role of HMBs would form part of a process of reflexive governance. 102 If, for instance, multiple claims were received in relation to a specific harm being caused by a data practice, this should highlight a pattern which would be identifiable by the HMB. HMBs could further investigate and highlight harm causing practices and could also seek to develop strategies of improvement and/or mitigation.
The feedback role is an important reason for having HMBs at a national level, since this would allow patterns of use to be identified across the country which should lead to deeper insights than for instance if HMBs were to operate on a specific industry or organisational level. Moreover, as harms are increasingly being triggered by issues that arise when data sets are shared across different areas and the combination of multiple data sets, having such an overarching national body would allow a more coherent and comprehensive picture to be drawn. This should also help avoid the risk of some problems being missed, since a too narrow focus on a particular sector/industry might lead to ignoring the pervasive nature of the data use and harms triggered in the context of big data.
In addition, having a national body would allow comparisons to be made in terms of the types of petitions which are refused support by HMBs. If a pattern of refusals occurred in a particular context over time, it might require HMBs to reconsider how such petitions are being evaluated, or what should be fed back to corporate data users in such contexts to ensure that a gap between what individuals feel is acceptable and data uses occurring would be recognised. Where petitions were refused because harm was not plausibly connected to the data use, but multiple petitioners complained about the same practice, this could illustrate misplaced fears individuals might have about data use-which, if allowed to continue, could hamper beneficial progress of big data. If such patterns were detected by HMBs, they could be addressed by reassuring individual petitioners that harm was not plausibly connected with data use and also by further educational campaigns demonstrating how big data operates.
Article 35 GDPR provides that for processing using new technologies likely to result in high risks to the rights of natural persons, controllers are required to conduct assessments on the protection of personal data. 103 However, gaps will remain, given the difficulties in fore-sighting technologies and the challenges specific to big data. The feedback role intended by HMBs fills this gap and is intended to complement the forward-looking role of such impact assessments. This feedback role would also complement the role of Supervisory Authorities in each country under Article 57 GDPR. Such authorities are responsible for monitoring and enforcing the GDPR, and also 'monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices'. 104 HMBs would complement this role, as while the Supervisory Authorities are likely to focus on issues arising due to failure to comply with the GDPR, HMBs look beyond this by considering harms arising regardless of the lawfulness of processing under the GDPR, and for all data uses not just uses of personal data.

D. Operational Overview
As noted, HMBs could be established at the national level, in which case they would be tax-funded (on the understanding that corporate data users would contribute to this through the tax that they pay). 105 Key feature is that they would be independent of the organisation, that is, the data controller, using the data and who review appeals from people who claim they have been harmed by data use. In the latter case, HMBs would be funded by a set percentage of the budget of each research project or of the overall institutional budget (depending on the form of organisation in question) being set aside for this, initially set, eg, at 1%.
We also recognise that part of the issue with the governance of big data is that the sharing and integration of data sets between institutions and organisations can give rise to harms that may occur from the combined use of data sets from different people across borders. In recognition of this, and of that fact that data given to one organisation (provided appropriate consent was given) can be used for other purposes which could create knock-on benefits in other contexts and jurisdictions, we suggest that if data users reside in several countries, the individual would apply to the one where she herself is a resident. 106 (While in this article we have used UK/European laws as an exemplar, we would hope that gradually other countries would adopt similar harm mitigation institutions and instruments.) We envisage that a national HMB would be an independent arm of, and overseen by, the Information Commissioner's Office in the UK and equivalent bodies in other jurisdictions. Furthermore, there would be a national advisory committee/board dealing with HMBs which would have annual meetings and issue annual reports to the 104 art 57(1)(i) GDPR. 105 Over time as HMBs develop, it may be decided that alongside national HMBs, institutions/organisations could establish their own HMBs. A key feature is that they would be independent of the organisation, that is, the data controller, using the data and who review appeals from people who claim they have been harmed by data use. Such HMBs would be funded by a set percentage of the budget of each research project or of the overall institutional budget (depending on the form of the organisation in question) being set aside for this, initially set, eg, at 1%. 106 This model rests on the assumption that on balance, the proportion of petitioners claiming harms for which financial support would be paid out corresponds with the proportion of funds coming into national HMBs via corporations residing in these countries (for example, Finnish users would experience harms from data use by a company residing in the USA). When this is not the case, an international mechanism to balance costs between countries would need to be implemented. Within Europe, this could be addressed by EU law.
public. Representatives of data controllers would be invited to attend such meetings, and this would provide a forum for delegates to meet and exchange experiences or address common issues arising. Over time subcommittees might also be established to provide a more specific forum tailored to particular industries, eg the health context. However, given that many harms are systemic, these committees would not replace the national meetings and instead would be designed more as awareness raising meetings translating the overarching issues into relevant contexts for each sector. The advisory board would receive annual reports from the HMB steering committee and appeals panels and use these to develop national standards/guidance documents. Ultimately, HMBs at a European or even international level could also be established, recognising that much research is not nation specific, and data flow across jurisdictions.
IV. CONCLUSION Novel practices of curating, storing, and using digital data require new ways of thinking about data governance. The individual focus in legal frameworks is no longer sufficient to capture the interests at stake or tackle the power asymmetries and inequities in costs and benefits of data use in the digital era. Moreover, key requirements of traditional legal remedies for corporate misuse of data-such as proving fault or causality-are no longer feasible in an era, where data use is regularly not traceable. In addition, significant harms regularly occur from lawful data use. In an effort to increase collective responsibility for harms that people experience from data use, whether lawful or not, we have sketched out the instruments of HMBs. We argue that HMBs provide a mechanism to address some of the power asymmetries that mark data use in the digital era. They provide support for individuals harmed by data use/ misuse by offering mechanisms of financial support to individuals, where no existing legal remedies are available. They also provide a mechanism for the reporting of data governance issues, thereby offering a reflexive governance tool that is vital for emerging areas of data governance and particularly for big data in the digital context given the pace at which this area is developing. We expect there to be aspects of HMBs that need further elaboration and refinement before these bodies can be considered for implementation. Towards this end, we hope this article will stimulate debate and inspire colleagues to help us to improve and develop this idea further.