Taking Data Ownership Seriously

William Chan
November 10, 2023

European governments (including the UK government) have been actively seeking to maximise the economic value of data and promote innovation. In 2015, the European Union announced the Digital Single Market (DSM) Strategy, the aim of which is to

ensure the free movement of persons, services and capital and that individuals and businesses can seamlessly access and exercise online activities under conditions of fair competition, and a high level of consumer and personal data protection, irrespective of their nationality or place of residence. [1]

Policymakers in the EU have had considerable discussions about whether the EU digital economy can benefit from the introduction of data ownership. Among legal scholars, there are also heated debates over whether data ownership would produce a digital economy leading to socially desirable outcomes.

This article will introduce to you how data ownership is to be understood according to various views, and the major arguments for and against it. It is crucial to pay close attention to this concept and the surrounding arguments, even if there is not yet a comprehensive legal framework for data ownership in Europe. Developing an awareness of how data regulatory frameworks might change, and the reasoning underpinning different data policy proposals, will enable you to respond to legal and political changes concerning data governance more effectively. For those participating in the policymaking processes of data governance, the arguments presented here will be even more important and relevant.

My aim, however, is not just to provide an overview of existing debates over data ownership. It is my concern that existing discussions of data ownership are too legalistic, and sometimes disregard the contributions that moral/political philosophy can possibly make. Another purpose of this article, therefore, is to pinpoint some possible ways in which perspectives in moral/political philosophy can contribute usefully to the discussion of data ownership.

Types of Data

It is less helpful to talk about data per se since different types of data call for different considerations over questions about ownership. At the very least, it is important to draw a distinction between personal and non-personal data. Personal data, also known as personally identifiable information (PII), is defined by the UK GDPR as

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[2]

Someone’s name, address, passport number, income, data held by a doctor are personal data, for instance.

In contrast, non-personal data (known also as non-identifiable data) refers to:[3]

data which does not relate to an identified or identifiable natural person, such as data about weather conditions.
data which was initially personal data, but was later made anonymous and cannot be attributed in any way to a specific person.

Here are two common forms of non-personal data: aggregate data and anonymised data. Aggregate data refers to ‘high-level data that I obtain by combining individual-level data’[4], but it is summarised in a way that blocks individual identification. The average salary of a group of people in an organisation is aggregate data, for instance.

Anonymised data is personal data initially, but it is processed in a manner that makes it impossible to re-identify individuals from it. For instance, some organisations set retention times for all staff records they keep. Once that retention time is passed, they can remove the names, addresses and staff numbers from those records. But the remaining staff records can be kept as long as there is no way for individual staff to be identified through other means.[5]

However, there is one special kind of data that seems to fall within the boundary between personal and non-personal: pseudonymised data. According to the GDPR, pseudonymised data is personal data processed

in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual.[6]

Here is an example. Suppose you remove people’s names from a dataset about the members of your organisation, but you keep their staff number. The information has not been fully anonymised, since it is possible to identify particular individuals within the dataset. But it will be more difficult for those working with the dataset to identify them.[7]

Anonymised data and pseudonymised data are different in at least two ways. First, data, when it is fully anonymised, will not provide any information allowing you to identify a particular individual, whereas it is still possible for you to do so with pseudonymised data. Second, fully anonymised data will not fall within the scope of the GDPR, but pseudonymised data is considered a subcategory of personal data and thus regulated by the GDPR.

In practice, how your organisation should classify different kinds of data could be complicated. Our team will be very happy to help you with this. For our present purposes, however, a preliminary distinction between different forms of data will suffice.

What are the current circumstances of data ownership in the EU and UK?

While Europe has relatively well-established frameworks for data protection, it does lack the legal basis, both in common and civil law, for the concept of data ownership. Not only do common and civil law lack a definition of data, but they also do not confer a special status on data.[8] Here are a few other key points concerning data ownership in Europe:[9]

In the UK, data is not generally considered ‘property’ (unlike a house or a car) and calls for ownership rights on that basis. For instance, English judges have held that confidential data is not property that can be stolen and that it is not possible to exercise a lien over intangible property (e.g. electronic database).
In Europe (including the UK), there are laws that regulate and protect certain kinds of data, such as copyright-related legislation or laws, database rights as well as breach of confidence and/or trade secrets.
To promote innovation, governments in Europe have been actively encouraging sharing of non-personal data to unlock the value of such data. One example is the EU Digital Single Market Strategy, as I mentioned earlier.
Unlike non-personal data, the collection and sharing of personal data is under strict regulations by governments in Europe. In the UK, for example, the processing of personal data is strictly regulated by the Data Protection Act (DPA).
The UK data protection legislation does not designate individuals as owners of their personal data. However, they are provided with some rights (e.g. the right to be informed, right of access and right to erasure), which strengthened the obligations of controllers and processors of personal data. Among those rights are the data subjects’ rights, which will be explained below.

In short, there is not (yet) such a thing as ‘data ownership’ under the current regulatory frameworks governing data practices. Still, there are strict regulations of the processing of personal data given the various data protection rights enjoyed by individuals, but non-personal data is not as strictly regulated.

What does, and what should it mean to own data?

Since there is not yet a well-developed framework for data ownership in Europe, the concept of data ownership remains open to various interpretations. Here, I focus on two major perspectives in the recent debates over the concept.

The first view says that data ownership is a property right. This concept of property right is ‘derived from civil law concepts of property in real estate and chattel, or intellectual property rights’[10]. If we have a property right to some datasets, the key implications will be:

Decisional Authority: We have the authority to make decisions about the datasets, such as selling or disposing of it. We also have the right to use the datasets for commercial and legal purposes, for instance. In short, we can decide what to do with the datasets, and for what purposes, according to our will.
Exclusion: We have the right to exclude others from using or accessing the datasets. Others are prohibited from using the datasets unless we have permitted them to do so.
Inheritance: We have the right to pass the datasets to some designated beneficiaries on our death. We can pass the datasets to our families, or anyone else according to our will.

There are, of course, mixed opinions on this approach. Proponents of data ownership as a property right often start with the assumption that the current regulatory system of data is not enough to protect individuals. When individuals have a property right to data, they are better positioned to negotiate with companies and demand a fairer distribution of the benefits generated by the processing of their data.[11] But people also object to data ownership as property rights, on the following grounds:

Data is a public good and should be used by an unlimited number of individuals. When access to data is shared efficiently among individuals, this often leads to socially desirable outcomes, one of which being the third point below, for instance. There should be limits to the collection and sharing of data, only when this is required to avoid socially undesirable consequences. But introducing data property rights would grant data owners the right to exclude others from using their data, and is likely to diminish the social and economic value of data sharing.[12]
When individuals have property rights to their data, data becomes alienable and individuals would be allowed to trade their data away, regardless of what such data is about. This conflicts with data protection as a fundamental human right, as is widely recognised in Europe, and one is supposed not to waive such human rights guarantees.[13]
Introducing property rights to data induces significant transaction costs. For example, it will require every transfer and use of data to be subject to some prior agreement of the data owner; potential users of the data will have to negotiate with the owner as to when the data can be used; and so on. This is likely to defeat the very aim of the EU Digital Single Market Strategy, that is, to encourage the free flow of data among countries to enhance innovation and economic growth.[14]

The second view understands data ownership as ‘informational self-determination’, ‘informational control’ or ‘informational autonomy’.[15] As Hummel, Braun and Dabrock argue, informational self-determination means ‘the ability of data subjects to shape how datafication and data-driven analytics affect their lives, to safeguard a personal sphere from others, and to weave informational ties with their environment’[16]. Here, individuals own data to the extent that they have the right to determine which data about them is shared with others, and which purposes such data will serve.

This is a less demanding conception of data ownership than the property-right approach, which has implications for data alienation and inheritance. This view also aligns more with the GDPR in terms, which states clearly that ‘natural persons should have control of their own personal data’[17].

Informational self-determination is marked by two important conditions: consent and data subjects’ rights. Data subjects can grant data control to others with their consent, but the consent must represent ‘freely given, specific, informed and unambiguous indication’[18] by data subjects. The free choice of data subjects is questionable, for example, in cases of power imbalances or if consent is the precondition for the provision of a service. Deception, intimidation, or significant negative outcomes for the data subjects if they refuse to consent also violate the conditions for a freely given consent.

Consent is informed only if the data subjects are

able to understand who processes what data for which purpose(s);
made aware of their right to withdraw consent;
made aware of the consequences associated with a transfer of their data to a third party; and
provided with the necessary information about the data controllers’ privacy policy, in an intelligible and accessible form.[19]

Consent has long been a contested concept in the fields of law and ethics. Another data ethics expert in our team, Alex McKeown, has written an article on this. We encourage you to seek our assistance if you have difficulties incorporating the requirements of consent into the data practices of your organisation.

Meanwhile, data subjects’ rights are another key condition for informational self-determination, where these rights include:[20]

the right to information (i.e. information that data controllers must offer to data subjects when collecting their data);
the right to access, which gives data subjects the right to receive a copy of their personal data from the data controllers, as well as the right to acquire the information about how their data is processed;
the right to rectification, which allows data subjects to correct inaccurate or incomplete personal data;
the right to erasure, which allows data subjects to request data controllers to erase their data in specific situations, for instance, when the data subjects withdrew consent or when the data is no longer essential to the ends it was collected for;
the right to restriction of processing in specific circumstances, for example, when the accuracy of data is challenged or when data subjects have objected to the processing of their data;
the right to data portability, which allows data subjects to obtain their data in a machine-readable format and to transfer it to any third party;
the right to object to data processing, that is based on legitimate public or private interests on grounds in relation to their particular circumstances.

In short, the informational self-determination approach makes considerable reference to data protection practices that are already available. But is this model of data ownership successful?

Florent Thouvenin (Professor of Law, University of Zurich) and Aurelia Tamò-Larrieux (Assistant Professor for Privacy, Security, and Computational Law, Maastricht University) have argued that ‘Compared with the property rights model, ownership as [informational] control takes a more balanced approach. In particular, data access rights are seen as a way forward to enable a more (adequate) free flow of personal data’[21]. Although the informational self-determination approach can provide more room for the free flow of data, without compromising individuals’ legitimate interests in data security, I have reservations about the potential of this approach to make data ownership a meaningful subject of inquiry. After all, if we interpret data ownership in light of existing data regulatory frameworks, for the most part, the concept of ‘data ownership’ seems redundant and will not make any substantial difference to how data ought to be governed.

It is beyond the scope of this article to defend a comprehensive framework of data ownership. But for the concept of data ownership to guide our future data practices in a way that differs meaningfully from our existing practices, it is necessary that we consider data ownership in a way that does not deviate too much from how ownership is ordinarily understood in other domains—ownership, after all, is a concept intimately linked to ‘property’.

But it does not follow that we must accept the property rights approach presented above. Its failure, I argue, lies in the fact that it relies on a highly legalistic conception of ‘property’ and disregards the many efforts in interpreting the term made by moral and political philosophers. For instance, Jeremy Waldron—a leading legal and political philosopher—has identified the following issues when it comes to interpreting ‘property’, which, in my view, can stimulate our thinking about data ownership.

Waldron observes that there are at least three species of property, including common property, collective property and private property. Common property is governed by ‘rules whose point is to make them available for use by all or any members of the society’; collective property gives the community as a whole the right to determine how the resources in question are to be used, through some mechanisms of collective decision-making; private property is governed by rules decided by some particular individuals (or families or firms).[22] The property rights approach, as presented above, focuses very much on private property. The rights to decisional authority, exclusion and inheritance are rights typically associated with private property, but not common and collective property. By clarifying different kinds of property, it is possible to fit different types of data into different subcategories of property.

This opens up another question that remains largely uncultivated in data ethics: what are the moral justifications of labelling a particular kind of data as a specific type of property? Moral and political philosophers have contributed enormously to defining the conditions for different types of property, but it is surprising that the mainstream perspectives on data ownership in recent years show little attention to those, and focus very much on legalistic interpretations of ownership as property rights.

My aim, again, is not to defend a particular theory of data ownership. However, this highly contested concept is a very good example of the relevance of moral/political philosophy to data governance and ethics. It enables us to see more ways to engage with some of the most important debates in developing the frameworks for data governance.

Conclusion

In short, you should take data ownership seriously for all sorts of reasons: it aligns with your commercial and policy interests when you are aware of the major arguments for and against it. Meanwhile, moral and political philosophy has much potential to contribute to the discussion of data ownership. If your organisation is seeking advice on surrounding issues, our team at IGS will be able to help from across our highly-trained advisers and consultants in law, data governance, ethics and political philosophy.

[1] “EU digital single market aspects.” https://enterprise.gov.ie/en/what-we-do/the-business-environment/digital-single-market/eu-digital-single-market-aspects/#:~:text=The%20EU%20vision%20for%20the,a%20high%20level%20of%20consumer.

[2] “What is personal data? | ICO.” https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-is-personal-data/.

[3] “Storing and processing data in Europe: The free-flow of non-personal data.” https://europa.eu/youreurope/business/running-business/developing-business/free-flow-non-personal-data/index_en.htm#:~:text=Non%2Dpersonal%20datasets%20refer%20to,way%20to%20a%20specific%20person.

[4] Nigar Hashimzade, Gareth Myles, and John Black, “Aggregate data,” (Oxford University Press, 2017). https://www.oxfordreference.com/view/10.1093/acref/9780198759430.001.0001/acref-9780198759430-e-3996.

[5] “Anonymisation of personal data,” 2020, https://www.ed.ac.uk/data-protection/data-protection-guidance/specialised-guidance/anonymisation-personal-data.

[6] “Article 4, EU GDPR,” https://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm.

[7] “Anonymisation of personal data.”

[8] “Data ownership, rights and controls: Reaching a common understanding – Discussions at a British Academy,” https://royalsociety.org/-/media/policy/projects/data-governance/data-ownership-rights-and-controls-October-2018.pdf.

[9] “Data Ownership and Contact Tracing.” Lexology, 2020, https://www.lexology.com/library/detail.aspx?g=74726852-5ba9-45cb-bafd-2dbb26e17b72#:~:text=The%20data%20protection%20legislation%20in,processors%20of%20personal%20data%2C%20and.

[10] Thouvenin, Florent, and Aurelia Tamò-Larrieux. “Data Ownership and Data Access Rights: Meaningful Tools for Promoting the European Digital Single Market?”. In Big Data and Global Trade Law, edited by Mira Burri, 317. Cambridge: Cambridge University Press, 2021.

[11] Herbert Zech, “Information as Property,” J. Intell. Prop. Info. Tech. & Elec. Com. L. 6 (2015).

[12] Wolfgang Kerber, “Governance of Data: Exclusive Property vs. Access,” IIC – International Review of Intellectual Property and Competition Law 47, no. 7 (2016),https://doi.org/10.1007/s40319-016-0517-2, https://doi.org/10.1007/s40319-016-0517-2.

[13] Nadezhda Purtova, “Do property rights in personal data make sense after the big data turn : Individual control and transparency”. In Journal of Law and Economic Regulation (2016).

[14] “Data Ownership and Data Access Rights”, 323.

[15] Helena Ursic-Vrabec, Uncontrollable: Data Subject Rights and the Data-driven Economy’, PhD thesis, University of Leiden.

[16] Patrik Hummel, Matthias Braun, and Peter Dabrock, “Own Data? Ethical Reflections on Data Ownership,” Philosophy & Technology 34, no. 3 (2021/09/01 2021),https://doi.org/10.1007/s13347-020-00404-9, https://doi.org/10.1007/s13347-020-00404-9.

[17] Recital 7, GDPR, https://gdpr-info.eu/recitals/no-7/

[18] Consent, GDPR, https://gdpr-info.eu/issues/consent/

[19] “Data Ownership and Data Access Rights,” 326.

[20] Ibid.

[21] Ibid., 329.

[22] Jeremy Waldron, “Property and Ownership,” The Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/archives/fall2023/entries/property/.