Trade in data is becoming crucial for economic growth in Europe. In this context, creating data ownership rights is one way to provide a clear legal framework for the emerging data economy. However, to circumvent privacy issues spurred by the General Data Protection Regulation (GDPR), the subject-matter of trade-oriented debates is typically restricted to non-personal data, ie to data that presumably fall outside the GDPR scope.
My latest research shows that this approach overlooks one major issue, namely that the dichotomy between personal and non-personal data is false. As I argue in the article ‘Ownership of personal data in the Internet of Things’, this problem is rooted in a reverse definition of personal data in the GDPR and further magnified by the fact that current legal debates do not conceptually distinguish between ‘data’ and ‘information’. I therefore suggest replacing this dichotomy by a more fruitful distinction between intrinsically and extrinsically personal data, and I show how the concept of ownership can be applied to extrinsically personal data.
Trade in Data
Data are often described as the ‘new oil’ that fuels growth in the digital economy. Indeed, they are increasingly vital for delivery of services on the gamut from personalised healthcare to more efficient use of electricity in ‘smart’ cities. Internet of Things (IoT) ‘smart’ devices generate and collect a wealth of personal data, whose management poses serious ethical and legal questions, especially if these data are to be traded. Ownership of personal data underpins these issues, which is why debates on introducing the concept of ownership of data as a legal right have recently emerged at the EU level and beyond. In 2017, issues concerning ownership of data occupied regulators’ minds in the United Kingdom, Australia, India, as well as the European Union.
The growth of the Digital Single Market is one of the EU priorities and it resulted in, inter alia, the recent proposal for a regulation on a framework for the free flow of non-personal data in the European Union. Processing of data is, however, a strongly regulated area, mainly thanks to the GDPR. This brings privacy advocates at odds with trade advocates, because personal data, ie data subjected to privacy regulations, cannot be traded as freely as non-personal data. In addition, the line between personal and non-personal data is unclear, because data that are now seen as non-personal data may become (thanks to analytical and technological advancements) personal data in the future. This extends the scope of the clash between privacy and trade advocates to data at large.
Constructive Limits of Personal Data Ownership
In my article, I analyse, define, and refine the concepts of ownership and personal data to explore whether, and to what extent, the concept of ownership can be applied to personal data in the context of IoT. I critically examine the traditional dividing line between personal and non-personal data and argue for a strict conceptual separation of personal data from personal information, because information per se cannot be given proprietary legal protection.
After denying the claim that personal and non-personal data are conceptually incompatible categories, I offer a more refined distinction between intrinsically personal data (such as a full DNA sequence) and data that are personal only extrinsically (such as GPS data). According to my research, while extrinsically personal data can in theory be subjected to ownership rights, intrinsically personal data must be excluded from ownership considerations by default. This is mainly due to ethical and conceptual limits according to which trading intrinsically personal data would be like trading humans.
In order to fully understand trade in data, we still need to have some concept of data ownership. In line with this premise, my article offers a systematic review of both legal and non-legal literature regarding ownership of personal data to explore the limits of the data ownership concept. I structure the review alongside two main approaches shaping all ownership theories: a bottom-up and top-down approach. Via these dual lenses, I explore why the law should allow someone to control and protect personal data, and to whom these valuable data should be allocated. In other words, I look at the reasons supporting introduction of personal data ownership.
My aim is to unveil the explanatory advantages and disadvantages of the two approaches in relation to the elements of control, protection, valuation, and allocation of personal data in IoT environments. As regards the element of allocation, I reject the overwhelmingly popular belief that personal data should belong to the data subject and I show that this belief is framed primarily around privacy consideration and not around considerations of ownership.
After exploring various legal, philosophical, and technological limits of personal data ownership, the last part of my article identifies the key challenges that any future model of data ownership will need to address.
Václav Janeček is reading for a DPhil in Law at the University of Oxford.
The research leading to the journal publication was funded by the Engineering and Physical Sciences Research Council (EPSRC), grant agreement no EP/N023013/1 – ‘PETRAS – Cybersecurity of the Internet of Things’, and was conducted during the author’s appointment at the Oxford Internet Institute (Digital Ethics Lab).