Businesses, policy makers, and scholars are calling for property rights in data. In particular they focus on the vast amounts of data generated by connected cars, industrial machines, artificial intelligence, toys and other devices on the Internet of Things (IoT). This data is personal to numerous parties who are associated with a connected device, for example, the driver of a connected car, its owner and passengers, as well as other traffic participants. Manufacturers, dealers, independent providers of auto parts and services, insurance companies, law enforcement agencies and many others are also interested in this data. Various parties are actively staking their claims to data on the Internet of Things, as they are mining data, the fuel of the digital economy.
Stakeholders in digital markets often frame claims, negotiations and controversies regarding data access as one of ownership. Businesses regularly assert and demand that they own data. Individual data subjects also assume that they own data about themselves. Policy makers and scholars focus on how to redistribute ownership rights to data. Yet, upon closer review, it is very questionable whether data is—or should be—subject to any property rights. This editorial unambiguously answers the question in the negative, both with respect to existing law and future law-making, in the United States as in the European Union, jurisdictions with notably divergent attitudes to privacy, property and individual freedoms.
Data as such, i.e., the content of information - exists conceptually separate from works of authorship and databases (which can be subject to intellectual property rights), physical embodiments of information (data on a computer chip, which can be subject to personal property rights; warning symbol painted on a road, which can be subject to real property rights) and physical objects or intangible items to which information relates (e.g., a dangerous malfunctioning vehicle to which the warnings on road markings or a computer chip relate). Lawmakers have granted property rights to different persons regarding works of authorship, databases, chattels, land and other items for the purpose of incentivizing investments and improvements in such items, a purpose that does not exist with respect to data as such.
Individual persons, businesses, governments and the public at large have different interests in data and access restrictions. These interests are protected by an intricate net of existing laws that deliberately refrain from granting property laws in data. Existing property laws intentionally exclude data from subject matter definitions. Existing data-related laws and property laws balance interests in data and access restrictions based on public policy considerations that would be impaired by a creation of property rights in data.
New property rights in data are not suited to promote better privacy or more innovation or technological advances, but would more likely suffocate free speech, information freedom, science and technological progress. The rationales for propertizing data are thus not compelling and are outweighed by the rationales for keeping the data "open." No new property rights need to be created for data.
Please click here for a detailed discussion of data ownership by Lothar Determann.
Practical steps to take
Companies embarking on the development of data acquisition, usage, monetization and protection programs should consider the complex legal landscape relating to data and resist making incorrect assumptions or assertions of property rights. As initial steps in finding an optimal approach to data usage and protection, they should consider:
- documenting their inventory of data (in records of processing activities, trade secret asset summaries or other formats);
- implementing or upgrading trade secret, data privacy and copyright compliance programs;
- conducting and documenting impact assessments before selecting data analysis and utilization tools and data commercialization models;
- ensuring lawful acquisition of new information and careful selection of data sources based on applicability of restrictions and supplier due diligence;
- observing legal restrictions on repurposing of previously acquired information;
- applying retention limits and deletion measures regarding records and data;
- implementing internal protocols regarding data use, sharing and retention;
- refining contractual restrictions on employees, customers, suppliers, website visitors and others regarding access and use of the company's own data;
- implementing technical, administrative and organizational data security measures.