Data ownership is a highly non-trivial issue today; indeed, we all know data is a key, valuable economic asset for modern economies and societies, but the question is: can we legally own it? Being a data-driven business, at U-Hopper we know the answer is quite controversial. With this article we want to - at least try to - give you an idea.
We live in an increasingly digital world, where industries are getting deeply transformed by the ability to leverage data (as a form of evidence) to improve processes and efficiency, and at the same time to offer new products and services.
The term ‘data economy’ is broadly used to define all those economic activities in which data plays a central role. According to a study by the European Commission , we are talking about a value (within EU-27) of almost €325 billion in 2019, representing 2.6 % of GDP. The same estimate predicts that it will increase to over €550 billion by 2025, representing 4 % of the overall EU GDP. While at the same time generating 3.2 million jobs for data professionals.
This is oversimplified in the saying “data is the new oil”. This exemplifies the fact that, while oil played a central role in the development of economies in the 20th century, data will play the same enabling role in the 21st century.
Data is therefore a key, valuable economic asset for modern economies and societies. Yet, there is one important aspect that is often overlooked:
can you own (legally) data?
While the question seems silly, it turns out that the answer is highly non-trivial. We do not want to dwell into historical reasons for it (property is a long-standing concept in legal frameworks, and when it was established, well, data was not under the radar of the legislator…), but we do believe that there are few points which are worth analysing.
First, ‘ownership’ is a rather generic, mundane term. Formally, we should speak about ‘property rights’. To have property rights in a resource, means “to have the rights of possession, use, and enjoyment, which the owner can bestow, collateralize, encumber, mortgage, sell, or transfer, and the right to exclude everyone else from.” While it is fairly easy to see how such terms would apply to, let’s say, a piece of land, a car, a cow or a house, it may not be evident to see how this can be applied to data. And indeed, to a large extent, it does not.
The problem is of legal nature, but it has large potential economic impacts as well: if there is no clear applicable legal framework, businesses basing their economic activities on data may face risks and controversies. If you cannot claim property right on some data, you cannot take legal actions against a data theft, as there would be… no theft of any asset you own!
In reality, there are a plethora of legal frameworks which cover, in a fragmented and not always 100% consistent manner, data. Let us have a quick look at the three most relevant ones (at the European level):
This EU directive offers legal protection for any valuable piece of information for an enterprise that is treated as confidential and that gives that enterprise a competitive advantage. In particular, it applies to any resource that “is secret (..), has commercial value because it is secret (..) has been subject to reasonable steps by the owner to keep it secret”. While this looks great for data as well, on paper, in reality it presents some limitations. Indeed, it may be non-trivial to prove that a given dataset (or even a single individual data unit!) has “commercial value because it is secret”. Further, the interpretation of such directive at the national level is not fully coherent, and the practise of considering data as trade secrets per se (not as digital representation of a trade secret like the formula of Coca-Cola or the design of a manufacturing machine) is not fully accepted.
This includes a set of instruments for protecting the outcome of intellectual work (and as the name suggests, it defines a form of property). Two intellectual property laws appear of relevance here: copyright and database directive.
Copyright. Copyright entitles the creators of original material to make copies (or to authorise others to make copies). Apparently, this would make it an ideal tool for data (which are extremely easy to copy at close-to-zero cost). However, copyright was historically introduced to protect tangible, creative assets (like a book, a painting etc.). It is therefore extremely hard to get copyright on data, as the requester should demonstrate that said data (the asset to be protected) is an original work of authorship - can you fit data into such a tight eye-of-a-needle? (On a side note, the definition which instead fits well original software, which is typically protected by copyright.) Furthermore, copyrights are typically territorial rights, which means that the right is limited to a given country/state, albeit there are international treaties that may extend said protection geographically.
Database directive. This EC directive protects databases, defined as “a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means”. The directive does not protect the single data items per se, but recognizes their value as a collection thereof. It further focuses on the way in which the data was structured - so using the same exact data content, represented under a different structure, would not constitute a breach. Also, provided that you simply record data from, let’s say, an IoT device, would that meet the standards of the database directive? The answer is likely negative.
The General Data Protection Regulation represents the relevant european regulation framework on privacy and personal data protection; it applies to every data that refers to a natural person and it overlaps with the Trade Secret Directive and the Database Directive.
The GDPR enhanced individuals’ rights and created new ones in order to increase the centrality of the subject. Those rights represent, for enterprises (named ‘Controllers'), a significant reduction of power over their data assets and they affect the concept of data ownership.
Controller’s possession and use of personal data assets is limited in time and purpose by the regulation itself, plus it can be interrupted by the individual who can withdraw its consent or exercise the right to be forgotten or to object. Controller’s right to sell, or transfer personal data is subordinate to a set of legal requirements which may (often) include individual’s consent. The right to exclude everyone else from the use of personal data assets sees a boundary on the exercise of portability right and access right. Moreover, GDPR excludes that individuals may transfer their personal data to third parties discarding any right or claim; consequently Controller’s right on personal data will never be absolute as property right is.
Hence, personal data, despite being an important and valuable asset for companies, can be processed, but not properly owned according to the traditional concept of ownership.
So, should you be worried about the value of your data? Should you try to sell them (provided that you can) to buy houses, land or anything else you can legally own? (We don’t mention bitcoins to avoid flames…).
The answer is not. As it often happens, technology is faster than law. Regulations follow inventions - with quite some delay. So, albeit you might find yourself uncomfortable in this gray area, there is not much reasonably to worry about. Just sit back and wait, a new Data Act may pop up at some time in the near future. And while it may not sort out all the corner cases, it should (hopefully) provide a solid foundation for building sustainable data-driven businesses.