When Europe’s General Data Protection Regulation (GDPR) saw the light on the 25th of May 2018, any European citizen who had, consciously or not (mostly not) shared their data with a company in the course of their life, saw their inbox overflowing with petitions. In these petitions, ranging across all degrees of creativity, companies asked for permission to continue, what had been until then, an inequitable relationship.
GDPR: The miracle solution for data privacy?
For the first time, users seemed to be granted some control over the terms of this relationship. The regulation, which was 7 years in the making, had been designed to give European citizens power over their data and also to offer a common landmark to grant a unified and strong response by the state members in case the regulation was breached.
Nevertheless, to evaluate how efficient GDPR is in actually handing control of the data to its rightful generator-owner, we need to explore how data itself, privacy, and most importantly control and property are defined in this regulation.
GDPR definitions of privacy, control and property
To begin with, GDPR gives a direct definition of what personal data is: “anything that relates to an identifiable, living individual whether it actually identifies them or makes them identifiable”.
It subsequently goes on to affirm that “Natural persons should have control of their own personal data” . More individual control over personal data emerges as the logical response to the growing threads over data privacy. According to this idea, privacy is guaranteed when the user becomes the steward of its own data. Self-management and self-determination are, therefore, to be granted by GDPR
Nevertheless, what we see is that this idea of self-determination, supposed to grant control and consequently privacy, is diluted in the European regulation. Certainly, GDPR sets higher standards when it comes to obtain consent compared to prior legislations. Companies need to clearly and unambiguously explain to the user what they are about to consent to when it comes to their data. On their side, individuals need to engage in “a clear affirmative action” to confirm their decision. In practical terms, this means that the prior pre-ticked boxes are now to appear blank so as to, in theory, provide users the chance to control and decide over their data.
At this point, however, we need to ask ourselves if a change from “checked boxes” to “unchecked boxes” is enough to hand data control over to the user. Is this really the only and most effective way to exercise a de facto self-determination over our data?
Do users really own their data?
While users are, indeed, made aware of the fact that they are giving up their data to use a service, this awareness does not equal control. Control would only be fully obtained if citizens were to be in the negotiation end, that is, if they could set the terms and conditions under which and how they want to give up their data.
Instead of shifting the data power paradigm towards the individual, GDPR seems to chaperon European citizens’ data. The citizen is a semi-passive individual whose rights over their data are determined by the EU and executed by the different companies. While focusing on privacy GDPR fails to specifically regulate the only right that can guarantee data protection and privacy in the first place: property.
Bentham defined property as “a foundation of expectation—the expectation of deriving certain advantages from the thing said to be possessed, in consequence of the relations in which one already stands to it”
Bentham also highlighted that property did not exist without law “Property and law are born and must die together. Before the laws, there was no property: take away the laws, all property ceases. With respect to property, security consists in no shock or derangement being given to the expectation which has been founded on the laws, of enjoying a certain portion of good”[1] Therefore, to become property, data ownership needs to be legally claimed.
Who benefits from the data?
In Europe, we find those who ideologically oppose the idea of data property by claiming that data is universal and therefore, is to be distributed and used freely on the grounds of public interest. Nonetheless, this idea becomes flawed when we observe companies actively exercising and benefiting from property-like roles as they leverage our personal data. At this point we need to leave behind utopian and unrealistic views, and take measures to ensure that data-generated wealth is distributed fairly.
The concept of data portability
The closest approach to data property that we can find in GDPR refers to data portability. Article 20 of the GDPR, “aims to empower data subjects regarding their own personal data, as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another”[2] According to Article 29 Working Party of the EU Advisory Authority on Data Protection “The primary aim of data portability is enhancing individual’s control over their personal data and making sure they play an active role in the data ecosystem”
In this context, data portability is considered a means of distributing the wealth created from personal data with the individuals by, theoretically, enabling property-like actions such as trading, exchanging, or selling data. Nevertheless, as data becomes commoditized, regulating the subject’s legal claim to its property needs to precede the regulation of its transaction. Given the high economic value of personal data, it is little surprise that currently, the generated wealth is not distributed equally.
Many scholars reflect on the views proposed by Kenneth Laudon, Professor of Information Systems at New York University. “Professor Laudon favors commoditization of personal information, with a property right vested in data subjects in respect of their personal data. Such a model reasons that the rights of data subjects to deal with their personal data for a value. Laudon posits a National Information Market and a National Information Exchange which would aggregate personal information and lease it on a regulated information market thus creating economic stakes for data processors or data controllers and data subjects”[3]
Where GDPR is not enough
Unfortunately, and even if regulating and granting data property rights is viewed by many as a key to grant an equal relationship between individuals and corporate entities, data property rights are not directly treated by GDPR.
This deficiency becomes even more worrying when we consider that every human being is constantly producing data. From family social media to EMRs, a person starts to passively generate data, and therefore value, the minute they are born. This data trail accompanies them for the rest of their lives and arguably even after. It is therefore, essential to regulate an individual’s right to legally claim its perpetual data property. Furthermore, to guarantee the compliance of third parties to an individual claim it is necessary that this claim remains immutable and non-erasable.
A perpetual claim seems to directly oppose GDPRs principles. Nevertheless, with the jurisprudence set by cases like the Manni’s case or by the grounds of Article 17 Right to erasure (‘right to be forgotten’) 3(e) of the European Union, GDPR, it is possible to argue for an immutable and trusted record of an individual’s legal claim to its right to data property. The properties of this right are rooted on the grounds of public interest, which should always prevail upon derived rights, like the right to be forgotten.
The new data privacy paradigm
The new data revolution has just started, and as data increases its value and market share both governments and private entities would have to adapt. Governments will need to make sure that regulation prioritizes and protects its citizens’ rights, both to privacy and to property. On the other side, companies will need to build a new, service relationship with the source of their data.
Even if the media interest in and around this new relationship is totally focused on privacy, we cannot forget about property. Plundering data is no longer a viable or fair option. Regulating data property is the only way we can guarantee that an equal share of wealth is created for the individuals. Furthermore, and most interesting, one could argue that regulated data property could establish the basis for a future passive income with the potential to safeguard basic social services in the dawn of the social states and protect citizens as “FAAMG” corporations power grows limitless.
[1] Principles of the Civil Code Jeremy Bentham Part 1 Objects of the Civil Law. Chapter 8 Of Property.
[2] Article 29 Working Party, ‘Guidelines on the right to data portability’, 5 April 2017, 16/EN WP 242 rev.01., 4, fn 1
[3] Kenneth C. Laudon, “Markets and Privacy”, 39 (9) Communications of the ACM, 92-104 (Sept. 1996) quoted in Atul Singh Protecting Personal Data as a Property Right. ILI Law Review. Winter 2016
Scrypt.Media guides emerging tech projects on their way to change the world. We bring the revolutionary ideas of our customers to life through the refinement of strategy, communication and usability. We help our customers navigate the difficulties of early stage organization, development and funding. In doing so, we help them to focus on the important thing – changing the world.
If you need help with GDPR compliancy, please feel free to contact us!
[…] [19] C. Fernandez, “When GDPR is not enough: who owns the data?”, 3 aprile 2019, https://www.scrypt.media/2019/04/03/when-gdpr-is-not-enough-who-owns-the-data/ […]