Stop Speaking About Personal Data ‘Ownership’
Legal scholars have debated for decades if the concepts of property and ownership are suitable to be used with data (non rival good) or not. This debate is ongoing also in the EU policy making level. In the EU Free Flow of Data Initiative (which artificially, un-practically and arbitrarily claims of treating only non-personal data) the ‘data ownership’ is bundled under emerging issues with other hard topics such as interoperability, usability and access to data. Emerging issue seems to be euphemism for saying that the topic is too hard to be solved right now in the current phase of developing new regulation.
When reading the impact assessment for the Free Flow of Data initiative it seems that the biggest problem is insufficient legal certainty with regard to the rules on data access and usability along the value chains.
For example when a car manufacturer builds a smart vehicle that is full of sensors and real time data collection capabilities, who should have access and rights to use that data? If there is no regulation the manufacturer can in practice control the data flow and restrict access from others including the customer who bought the car (see. http://mycarmydata.eu).
In the EU debates the question of who has rights and practical means to do what with some particular data is for the convenience of many but in my opinion misguidedly dubbed as “data ownership”. In the MyData white paper we wrote:
MyData addresses the concept of data control rather than data ownership. It is tempting to proclaim that individuals should own their data, but the concept of ownership as an exclusive right is difficult to apply to data. In most cases, multiple parties, including both the individuals and the organizations, have legitimate interests in the same datasets. For example, retail stores have rightful claims to use customer data that they collect using loyalty cards, while the individual card owners also have rights to the same data.
The convenience that many are looking from the ‘data ownership’ comes from the traditional economic understanding of property rights as residual rights. It means that we can contractually or otherwise (generally applicable rules and regulations) agree on certain specific rights and limitations, but whatever is unspecified is up to the owner to decide. We understand intuitively that it is very costly (transaction costs) and complicated to agree about all sorts of rights with contracts. Furthermore it is impossible <sarcasm added>even with blockchain smart contracts</sarcasm> to make perfect contracts that would cover all possible future situations. Therefore it would be convenient to just somehow designate who owns the personal data and then the owner would have all rights that are not agreed otherwise, wouldn’t it be elegant?
No ‘Data Ownership’ in EU Legislation
In the EU legislation the protection of natural persons in relation to the processing of personal data is a fundamental right, but at present there is no EU legislation that regulates the question of ownership in data. The case-law at EU level does not recognise explicitly an ownership right in data and at national level there are also no legislations relating to data ownership (César, Debussche, & Van Asbroeck, 2017)
A recent working paper by the the European Commission’s in-house science Service claims that in a sense, the GDPR de facto (but not de jure) assigns property rights on personal data to the data collector. The GDPR gives data subjects certain specific rights including the right not to be subject to data processing without a legal basis (e.g. “informed consent”), access, limited re-purposing, the right to be forgotten and the right to data portability. The granting of specific rights to data subject implies that any remaining residual rights not included in the specific rights in the GDPR accrue to the data controller. (Duch-Brown, Martens, & Mueller-Langer, 2017)
Yes it might be elegant and convenient to have a default rights holder. However, my experience is that usually the discussion gets very unproductive whenever someone opens the Pandora’s box and tries to define exactly, which party that ‘data owner’ would be. Data can be collected, copied, generated, aggregated, analysed, verified, modified, stored, transformed… what after all is ‘the data’ that we are assign property rights on?
The interpretation that GDPR would de facto assigns property rights on personal data to the data collector sounds really weird and bad to me. But I do not feel also any urge on claiming that the data subject should have the property rights either. I like the existing European thinking of privacy and personal protection as fundamental rights and the GDPR as baseline for what rights individuals have over their data and what the the data collectors can and cannot do with personal data.
Instead of debating over ‘data ownership’ we should focus on solving current barriers on data portability and interoperability. As it is written in the MyData declaration there should be clear shift from formal rights towards actionable rights.