Who owns data?
A core issue for the data economy is how to define the legal status of data. Can data be the subject of ownership? If not, what rights can be exercised with respect to data? Future models for management of data will depend on the answers to these questions.
Not so fast!
In
commerce we increasingly encounter notions like “my data,” “ownership
of data,” and “acquisition of data.” Concepts alluding to notions of
ownership are also used in formal statements by public administrative
authorities to refer to data. For example, the Communication from the
Office of the Polish Financial Supervision Authority (UKNF) on
processing by supervised entities in public or hybrid cloud computing
states that one of the mandatory elements in contracts with cloud
computing providers is to specify “ownership of the processed
information during the term of the contract and after its completion or
termination.” The European Banking Authority Guidelines on outsourcing
arrangements also require that provisions be included in certain
outsourcing agreements ensuring access to data “owned” by a financial
institution.
It turns out that references to ownership in the case
of data are a great oversimplification, and sometimes can generate
major misunderstandings. First and foremost, under Polish law, data, in
the sense of intangible content, are assumed to be incapable of being
the subject of ownership. Only “things,” defined by the Civil Code as
“material objects,” can be owned in this sense. Thus a physical medium
on which data are recorded can be the subject of ownership, but not the
data themselves, which do not have a material form.
This situation
gives rise to a number of crucial consequences. The first challenge is
to determine the content of rights to data. If it is not the right of
ownership, what entitlements with respect to data are enjoyed at all by
an entity that asserts “ownership” of the data? What sorts of legal
protections are available to that entity when its rights are infringed?
And what is the legal status of data in the event of the death of an
individual, or liquidation of a legal entity, that has asserted rights
to data?
Fundamental distinctions
Essentially, the
existing provisions of Polish civil law do not directly provide for a
right to data. The provisions on protection of personal data, primarily
the EU’s General Data Protection Regulation, function as something of an
exception. The GDPR is undoubtedly the most systematised set of
provisions concerning data. However, it applies only to personal data.
Moreover, the civil-law status of personal data is not the main subject
of these provisions (an issue that will be the subject of a separate
article in this series).
The basic scheme for systematising
subjective rights assumes that rights are divided into property rights
and non-property rights. It seems that data, depending on the type, can
be regarded as the subject of property rights, and in some instances
also as the subject of non-property rights. The criterion for this
distinction is the degree to which a given right is conditioned on an
economic interest on the part of the rightholder.
Property rights
are traditionally divided into several types, in particular tangible
rights, claims, and rights of an economic nature to intangible goods.
Given their intangible nature, data cannot be the subject of many
tangible property rights. They could be the subject of claims, however,
as well as certain rights of an economic nature to intangible goods.
Non-property
rights, in turn, including moral rights held by a natural or legal
person for the purpose of protecting the holder’s personal interests. It
appears that personal data could be assigned to this category of
rights.
From the practical perspective, there is also an important
distinction between absolute and relative rights. The criterion for
this distinction is the scope of protection afforded to the holders of
these rights. It is recognised that absolute rights are effective
against the whole world (erga omnes); in other words, basically
anyone, even if not connected with the holder of the rights by any
contract, must respect these rights. Relative rights, in turn, are
effective only between the parties to a specific legal relationship. It
is also accepted that the legal system recognises a fixed catalogue of
absolute rights; such rights must arise expressly out of the regulations
and cannot be freely created by the parties to legal relationships.
Some
data will be the subject of rights of an absolute nature. This will be
the case for example with data that could constitute the subject of
copyright or the subject of protection based on regulations concerning
databases. The scope of rights with respect to such data will be
established by the regulations governing the specific category of
absolute property rights. We will provide more remarks on this category
of data in articles discussing the specific types of property rights for
which such data can qualify.
But the properties of a large
portion of data do not allow the data to fall within any of the
recognised categories of absolute property rights. For the purposes of
this article, we refer to such data as “uncategorised data.” Such data
present the most legal doubts. They also constitute a significant
portion of all data that now are or can be generated. The rest of this
article addresses this category of data. For the purposes of this
discussion, personal data have been excluded from this category
(although in practice personal data may also fall into this category).
Uncategorised data
Examples
of uncategorised data include machine data generated from various types
of sensors, which often are not the subject of copyright protection or
protection of databases. However, such data can be the subject of
civil-law dealings. The holder of such data may, for example, conclude a
contract with other entities providing for transfer of such data,
including for a fee. Such contracts may also provide for certain
limitations in disposing of the data.
But the rules for
administering uncategorised data will generally arise exclusively out of
contractual relations and will be binding on, and enforceable by, only
the parties to those relations. In other words, an entity wishing to
limit the use of uncategorised data can impose such restrictions and
enforce them only as against entities with which they are bound by a
valid legal relationship (particularly a contract).
The practical
consequences of this state of affairs are huge. First and foremost, the
protection of entities holding relative rights is greatly restricted
compared to the protection enjoyed by holders of absolute rights. An
entity coming into possession of uncategorised data and not also a party
to a contract limiting the use of the data generally has great freedom
in disposing of the data. This leads to a clear fracture in the economic
interest, which increasingly ties the economic value of data to the
legal status of the data. In the case of uncategorised data, the
economic interest with respect to the data is not protected in a degree
comparable to other types of assets.
This leads us to ask more and
more often whether uncategorised data should nonetheless be the subject
of some new absolute subjective right that would reflect the growing
importance and value of such data in the economy. This would require
creation of new regulations as well as a deeper reflection on the scope
and content of such potential rights. The economic interests of the
generators of such data would have to be weighed against the general
societal interest, which assumes that easy access to data can result in
creation of great added value in the economy.
Until such time as a
new absolute subjective right to data is created, we will have to deal
with the challenges posed by the absence of such a right in the legal
system. In subsequent articles in the data economy series, we will
discuss several of the most serious consequences of the absence of such a
right (for example involving establishment of security interests in
data and inheritance of data).
The technological context
The
technological dimension of administering data is also relevant for
these issues. In discussions about the possible need to create a new
absolute property right to data, the argument has often been raised that
there is no technical possibility to administer such an absolute right.
It has been pointed out, among other things, that there are huge
quantities of such data, they are generated under various technological
standards, and the possibilities of duplicating such data are boundless.
All of these properties of data mean that deliberations over an
absolute right to data, comparable to a right of ownership, may remain
purely abstract, because even if such a right existed there would be no
way to effectively enforce it.
Many of these arguments seem valid.
However, we must also factor in the dynamically evolving technological
context. Some tech solutions could potentially lead to a state where the
model for trading in data approaches familiar models for trading in
material objects. For example, thanks to “tokenisation” of data using
blockchain technology, we are potentially capable of turning specific
data or bundles of data into an identifiable subject of commercial
relations and effectively controlling the trade in data in this sense.
Consequently, from a technological perspective, it is possible to
imagine introduction of models for trading in data and conceptions
similar to models for trading in material objects based on a conception
of ownership.
It cannot be ruled out that the availability of
solutions enabling the “tokenisation” of data will force the creation of
regulations governing the legal status of data. Appropriate
technological solutions may also prove essential for a potential new
property right to be applied to data. Administration of huge data sets
derived from various entities may simply prove too burdensome without
automation of this process. Thus a potential new property right to data
may prove to be one of the first examples of a right whose very
existence requires technological support.
The socio-economic context
When
considering the legal status of data, their socio-economic dimension
also cannot be ignored. Along with the growth in automation of
manufacturing and services, we are beginning to seek ideas for
guaranteeing sources of income to people who lose their jobs as a result
of automation or are condemned to very low-wage occupations. Among
other things, we are considering more and more seriously a system of
guaranteed income.
In this context, the idea arises of using data
as a source of passive income. Such notions are also growing bolder as
technological solutions appear potentially creating the possibility of
efficient management of such data. You will find further commentary on
this dimension of the debate in subsequent articles in this series.
An
effect of realisation of these ideas may be the creation of special
types of rights to data. This may prove essential to properly secure the
economic interest tied to data by these concepts.
Summary
The
current legal system does not yet offer clear answers to many
fundamental questions about data, particularly the status of data under
the civil law. Thus basic legal rules for administering data have yet to
be determined. Thanks to this, we can still exercise a high degree of
flexibility in developing models for administering data. But over the
longer term, the lack of clarity on the legal status of data may pose a
barrier to the growth of the new economy. Moreover, technological
progress and the socio-economic dilemmas facing us may spark the
creation of new types of rights to data. Consequently, huge changes may
occur in the near future in the legal status of data.
Krzysztof Wojdyło,