What is the right to personal data?
When seeking inspiration for the future legal status of data, it is worth taking a closer look at how the right to personal data has been shaped. In particular, we could consider whether it is a property right and whether the current legal framework for the right to personal data corresponds to reality and meets our needs.
The attempt to define an absolute right to personal data is mainly driven by Art. 1(2) of the EU’s General Data Protection Regulation, which states that one of the objectives of the regulation is to protect the “right to the protection of personal data.” The right to protection of personal data is also enshrined in the Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union.
The source of this right is found in European legislation. For this reason, an attempt to determine the substance of the right to data protection is difficult, as we cannot simply and directly refer to structures known from the different legal systems of the member states.
The essence of the right to data protection seems to be indicated in recital 7 of the GDPR preamble, which states, “Natural persons should have control of their own personal data.” Thus, the right to protection of personal data is primarily intended to give data subjects control over their data. The specific content of this right is defined by the protective instruments provided for in the GDPR. Among other things, these instruments include a guaranteed right to information about processed data, the right of control, and the right to object to data processing. Many of these rights are similar to the bundle of rights also found in classical property law structures. However, important differences also exist.
First and foremost, the rights arising out of the GDPR do not include the exclusive right to possess personal data (ius possidendi). The GDPR only addresses the right to “protect” data, guaranteeing the data subject the possibility to control the data, but not regulating ownership of the data. The same data may be processed simultaneously by different entities. Moreover, in many cases, these entities will be able to process data without the data subject’s consent, and sometimes also without his or her knowledge. The right to data protection also does not provide for the exclusive right to reap the benefits of the item (ius utendi et fruendi), typical of ownership rights. Data may be used commercially by entities other than the data subject, without the data subject benefitting from use of the data. The classic right to dispose of a thing (ius disponendi) is also significantly restricted. While individual personal data may be transferred by the data subject to other entities, the entirety of the data protection right cannot be divested.
From both a theoretical and a practical point of view, it is important to determine whether the bundle of data protection rights provided for by the GDPR is a property right or a non-property right in its nature. The GDPR seems to lack mechanisms guaranteeing the data subject independent authority and control over the economic benefits from personal data. It is not the data subject’s economic interest that is the primary focus and protection of the GDPR. From this perspective, the right to data protection under the GDPR is more akin to non-property rights than to property rights. This also seems to be confirmed by recital 4 of the GDPR preamble: “The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society….”
The practical significance of this distinction arises in the context of Polish law primarily from Art. 44 of the Civil Code, which states: “Property includes ownership and other property rights.” Non-property rights will not constitute a component of property and, according to the common view in the legal literature, are also not heritable or transferable. Assuming that the right to data protection is not of a property nature would consequently have to mean that this right is not a component of an asset, and cannot be inherited or transferred.
It also seems that this approach is beginning to have a presence in Polish legal doctrine. A good example of this is the tax interpretation of 21 February 2020 (ref. 0113-KDIPT2-3.4011.717.2019.1.PR), in which the director of National Revenue Information refused to classify income from temporary access to personal data as income from property rights. He took the view that personal data are non-property rights, and any income from the disposal of personal data should be treated as “income from other sources.” Under this approach, personal data qualify as a personal interest, and any rights relating to that data are non-property personal rights. Personal rights are rights that an individual or legal person has for protection of personal interests. In this case the protected personal interest is the sphere of human privacy, an inherent element of which is the data subject’s personal data.
In line with this interpretation, the right to data protection provided for by the GDPR would be a specific type of absolute subjective right of a non-proprietary nature. While such data rights undoubtedly contribute to the protection of the personal interest represented by personal data, they may not prove sufficient to meet the demands of new models of the data-based economy. First, today’s model of the right to data does not create an adequate legal framework for commercialisation of data, which is the basis for concepts calling, for example, for generation of passive income from the use of personal data (more in “What’s the MyData movement all about?”). Understood in this way, data commercialisation may require a clearer legal definition of property rights to personal data. The duality of rights with respect to intangible property would be nothing new in this regard. Intellectual property rights also provide for the parallel existence of property and non-property rights.
Assuming that the right to personal data is limited to a non-property dimension also greatly complicates the possibility to inherit personal data. As a result, data subjects’ heirs may be deprived of the opportunity to derive economic benefits from assets that more and more often include personal data generated during the data subject’s lifetime. At the same time, the data subject’s death does not deprive other entities (in particular digital service providers holding the data) of the possibility of benefitting from the processing of the data. At this point, the GDPR seems to confirm this narrow understanding of the right to data protection by expressly stating in the preamble that the regulation does not apply to personal data of deceased persons. At the same time, the preamble indicates that member states may adopt rules on the processing of deceased persons’ personal data, but such rules have not been introduced in Poland. In the context of deceased persons, it is conceivable that heirs will invoke the right to protect their own personal interests, such as cultivating the memory of the deceased, which in no way brings us closer to the commercial exploitation of the deceased’s personal data.
Understanding the right to personal data too narrowly and limiting it only to a non-property dimension may not be sufficient to implement some models of the data economy. It may become necessary to create some kind of right to personal data of a proprietary nature or further develop the doctrine of data protection law towards identifying property rights under the existing personal data regulation. In the latter context, it is interesting, for example, to attempt to interpret the rights to data erasure (Art. 17 GDPR) and data portability (Art. 20 GDPR) as some kind of rights of a proprietary nature. As the EU’s Article 29 Data Protection Working Party stated in its “Guidance on the right to data portability” (2016), “The new right to data portability aims at empowering data subjects regarding their own personal data…. This right also represents an opportunity to ‘re-balance’ the relationship between data subjects and data controllers, through the affirmation of individuals’ personal rights and control over the personal data concerning them.”
Thus it seems that the need to equip data subjects with tools also allowing them to derive financial benefits from personal data concerning them is slowly starting to be recognised.
Krzysztof Wojdyło, Katarzyna Żukowska, Karolina Romanowska