Do you remember the last time you ‘sold’ your personal data for some digital content or digital services? Google, Uber, Facebook, Netflix, Spotify—you name it. They all accept data as a ‘payment’ method or some kind of counter-performance. Yet, for all the great promises offered by the data-driven economy, a lot of people think that certain types of data should be put ‘extra commercium’. This concerns primarily personal and sensitive data.

In our recent paper, titled ‘Data Extra Commercium’, we survey the legal limits on trading data in the digital economy. We ask whether, and to what extent, a set of principles can rationalise (1) when data qualify as extra commercium and (2) who is to be held responsible for the illicit trade in the data extra commercium. By answering these two questions, we fill an important gap in the existing legal scholarship.

When data qualify as extra commercium

In Roman law, a thing (res) was excluded from commerce when the values and interests embodied in the thing would be compromised by sale. This applied to free humans (liberi homines), things of divine interest (res divini iuris) and things of secular public interest (res publicae). A purported sale of any of these things was first deemed void as legally impossible, except where the purchaser, without fault on his part, was unaware of their real nature. So if the purchase was based on the seller’s fraud, the law granted the buyer a remedy for mischiefs such as eviction, confiscation and misapprehension induced by the seller.

As Roman law exemplifies, the nature of the things, and consequently their alienability, is usually determinable ex-ante. Yet, data are of a different nature—they can dynamically change and the values and interests they embody are not baked in the data ex-ante but are highly dependent on ex-post data analytics. The same data can dynamically acquire status of personal and non-personal data, depending on how they are analysed. In the first part of our paper, we argue that since the dynamic nature of data is unparalleled in the physical world, data cannot be easily thought of as things (res) or tradable goods.

We also argue that while the nature of data dynamically changes, the rationales for excluding some data from trade remain unaltered. In other words, what dynamically changes is whether data encapsulate values and interests that would be detrimentally affected by trade, not whether we want to protect those values and interests. Building on the existing literature, we submit that human flourishing is regarded one such fundamental value that can justify inalienability of personal and sensitive data.

Then our paper surveys positive law. We observe that no legal provision expressly addresses the question of (in)alienability of data, although data protection laws seem clearly to protect human flourishing. One thus cannot easily ascertain whether and when trade in data is illicit due to those data being qualified as extra commercium. We fill this gap by identifying and compiling legal rules that limit alienability of data, namely personal and sensitive data. In our research we analyse sources such as the EU Charter of Fundamental Rights, GDPR, Regulation (EU) 2018/1807, Directive (EU) 2019/770, UK Data Protection Act 2018, and California Consumer Privacy Act 2018.

To help advance the EU law and transnational data trade, and while ensuring protection of the fundamental values that the law excludes from trade, we formulate what we call a ‘dynamically limited alienability rule’. This rule is reliant on two variables that limit alienability of data: the nature of data (personal data, special categories of personal data revealing eg sexual, political, health-related information) and the legal basis for trading these types of data (eg, the consent of the data subject according to the GDPR).

The rule is formulated as ‘dynamic’ because the existing law does not sufficiently address questions related to dynamic ex-post changes in the nature of the data as explained above. Further, the law leaves open some important questions regarding the alienability of data when the legal basis for processing and trading of data ceases to exist, such as when the data subject withdraws her consent. We address this dynamism to help determine when data qualify as extra commercium.

Who (if anyone) is to be held responsible for the illegality of the trade

In the second half of the paper, we seek to help legal practitioners, judges and law-makers in considering who (if anyone) shall be held responsible and eventually also liable for this mischief. Building on Roman law and modern contract law principles, we thus propose a general two-stage test that satisfies our goal. The test looks as follows.

Stage 1: A party is responsible for trade in data extra commercium if and when, given the current state of knowledge and technology that is normally available to a person in a similar position, it is reasonably likely that the relevant data reveal personal (or other restricted) information.

Stage 2: If those conditions are met, the party cannot succeed in arguing that they are not responsible for infringing the values and interests in which trade is (or should be) legally prohibited, unless they have a special justifying reason (eg the data subject’s free consent) that serves as a defence to their liability for consequences caused by transactions concerning data extra commercium.

Finally, we discuss how the two-stage test and the limited alienability rule may help link the EU data protection law with contract law rules and principles, and help enforce legal principles of data extra commercium in fully automated and autonomous data trading systems.

Václav Janeček is reading for a DPhil in Law at the University of Oxford.

Gianclaudio Malgieri is a doctoral researcher at the Law, Science, Technology and Society Research Group, Free University of Brussels (VUB).