Do we really want to “sell” ourselves? The risks of a property law paradigm for personal data ownership.
Who owns your data? It’s a popular question of late in the identity community, particularly in the wake of Cambridge Analytica, numerous high-profile Equifax-style data breaches, and the GDPR coming into full force and effect. In our view, it’s not only the wrong question to be asking but it’s flat out dangerous when it frames the entire conversation. While ownership implies a property law model of our data, we argue that the legal framework for our identity-related data must also consider constitutional or human rights laws rather than mere property law rules.
Before explaining what’s wrong with the property law model, it’s worth examining why we jump from the topic of identity to a conversation about data. There are a couple of explanations for this. Firstly, in many ways, our digital identity is just an accumulation of data points — while no single data point may reveal much about who we are, a collection of data points certainly does. Over time, this digital footprint in the form of data becomes a proxy for expressions of our identity. Secondly, the separation between our offline and online selves is increasingly blurring, resulting in more data points and thereby heightening the risk that our digital footprint includes identity-related or identity-revealing data. This means that our data falls quantitatively and qualitatively on a spectrum according to its potential to reveal things about us — and this is where viewing our data as mere property to be owned puts us at risk.
Under common law, ownership in property is a bundle of five rights — the rights of possession, control, exclusion, enjoyment, and disposition. These rights can be separated and reassembled according to myriad permutations and exercised by one or more parties at the same time. Legal ownership or “title” of real property (akin to immovable property under civil law) requires evidence in the form of a deed. Similarly, legal ownership of personal property (i.e. movable property under civil law) in the form of commercial goods requires a bill of lading, receipt, or other document of title. This means that proving ownership or exerting these property rights requires backing from the state or sovereign, or other third party. In other words, property rights emanate from an external source and, in this way, can be said to be extrinsic rights. Moreover, property rights are alienable in the sense that they can be sold or transferred to another party.
Human rights — in stark contrast to property rights — are universal, indivisible, and inalienable. They attach to each of us individually as humans, cannot be divided into sticks in a bundle, and cannot be surrendered, transferred, or sold. Rather, human rights emanate from an internal source and require no evidence of their existence. In this way, they can be said to be intrinsic rights that are self-evident. While they may be codified or legally recognized by external sources when protected through constitutional or international laws, they exist independent of such legal documents. The property law paradigm for data ownership loses sight of these intrinsic rights that may attach to our data. Just because something is property-like, does not mean that it is — or that it should be — subject to property law.
In the physical realm, it is long settled that people and organs are not treated like property. Moreover, rights to freedom from unreasonable search and seizure, to associate and peaceably assemble with others, and the rights to practice religion and free speech are not property rights — rather, they are constitutional rights under U.S. law. Just as constitutional and international human rights laws protect our personhood, they also protect things that are property-like or exhibit property-like characteristics. The Fourth Amendment of the U.S. Constitution provides “the right of the people to be secure in their persons” but also their “houses, papers, and effects.” Similarly, the Universal Declaration of Human Rights and the European Convention on Human Rights protect the individual’s right to privacy and family life, but also her “home and correspondence.”
Less than a year ago, in Carpenter vs United States, the Supreme Court held that mobile location data held by service providers should be treated as the modern equivalent of the physical papers and effects held by or for a person. As the court recognized, this is because mobile location data “provides an intimate window into a person’s life, revealing not only their particular movements, but also their ‘familial, political, professional, religious, and sexual associations.’” In Carpenter, the court held that because of the “deeply revealing nature of [mobile location data], its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection, the fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection.”
Obviously some personal data may exist in property-form just as letters and diaries in paper form may be purchased and sold in commerce. The key point is that sometimes these items are also defined as papers and effects and therefore subject to Fourth Amendment and other legal frameworks. In other words, there are some uses of (and interests in) our data that transform it from an interest in property to an interest in our personal privacy — that take it from the realm of property law to constitutional or human rights law. Location data, biological, social, communications and other behavioral data are examples of data that blend into personal identity itself and cross this threshold. Such data is highly revealing and the big-data, automated systems that collect, track and analyze this data make the need to establish proportional protections and safeguards even more important and more urgent. It is critical that we apply the correct legal framework.
Increasingly the activities and behaviors of our lives occur online, in digital environments and exist as data. As we all know, our data is the lifeblood of the modern digital economy. Because of the tremendous commercial value of this data when viewed as property, the question of data ownership is usually one of the most contentious aspects of a commercial contract negotiation. But viewing this data as property that is capable of being bought, sold, and owned by others is in large part how we ended up with a broken internet funded by advertising — or the “ad tech model” of the Internet.
A property law-based, ownership model of our data risks extending this broken ad tech model of the Internet to all other facets of our digital identity and digital lives expressed through data. While new technology solutions are emerging to address the use of our data online, the threat is not solved with technology alone. Rather, it is time for our attitudes and legal frameworks to catch up. The basic social compact should be explicitly supported and reflected by our business models, legal frameworks and technology architectures, not silently eroded and replaced by them.