24 JUNE 2019
Summary by Anastasia Karagianni, Privacy Salon
On 24 June 2019 the Brussels Privacy Hub organised a roundtable titled 'The (In)Alienable Data Subjects: The seductions of data ownership, control and trade in data protection law'. This roundtable explored critical questions about personal ‘data ownership’ and data subject rights under the General Data Protection Regulation (GDPR). The panellists addressed issues such as individuals’ consent ratio and limitations, the legal barriers to the commercial flow of personal data under data protection law, the meaning of genuine ‘free’ consent, and how the data subject rights described in the GDPR are being made, or should still be made, more effective under innovative perspectives.
The event was chaired by Gianclaudio Malgieri, who introduced the panellists and gave the floor to the moderator Paul Nemitz, Principal Advisor at the European Commission. Paul Nemitz first asked the speakers whether data can be considered property. He emphasized that although data has been characterized as the ‘oil of the future’, we cannot assume that data is a commodity. That assumption is ideologically wrong and conflicts with the EU fundamental right to data protection.
The introduction was followed by a keynote from the first speaker, Meg Leta Jones (Assistant Professor at Georgetown University), about cookies and the differences among choice, consent and trust. She explained that the transnational story of cookies was started in the last twenty-five years by big companies, while consent appeared in the first generation of data protection regimes in 1967. Regarding ownership, Meg Leta Jones pointed out that in the ‘90s the ‘user’ was born out of the PC and software industries. For the developer of cookies, this was detrimental, since he admitted that an early enemy of the net is the memories of the individual user. There was a proposal in 1998 by Koe Holtmane to maintain state on the stateless web, escaping browser and anonymity. Meg Leta Jones also mentioned that in 1998 there were different types of privacy. In March 1997, 72% of people online had never heard of a cookie! She also stressed that there were third-party cookies (DoubleClick in 1995) used for targeting and marketing in an ad network. Meg Leta Jones also referred to Lester Wunderman, the godfather of direct marketing, who studied how people behave online, trying to prevent people from getting targeted, as a kind of close guardian. Finally, Meg Leta Jones mentioned that in February 1997 Montulli and Kristol proposed the IETF cookie standard, which privacy advocate groups based themselves on. However, now there is confusion between choice and consent. There is a grey decline which needs to be separated as meaning. There is an appropriate distinction between American and European Data Protection Law, although there are different norms of consent and ethical data practice.
Valentina Pavel (Mozilla Fellow at Privacy International) gave a presentation on the general idea of data ownership, considering motivations and drawbacks. A legal definition of data ownership might be required, considering the great ambiguity in this field. She clarified that “ownership” is different from “compensation” in data protection law and that it is difficult to consider individual ownership of personal data, since data are always processed on an aggregated level. She argued that rather than looking for proprietorial control over personal data, we should look for a new structure of the data market economy. The data market economy should be shaped to produce collective benefit for individuals (the so-called social wealth of data). Thus, Valentina Pavel concluded that the main question should be: what do we want to achieve with property rights? She suggested that, if the objective is to enhance control over data processing, maybe we need to find other mechanisms to regain control.
On the other hand, Václav Janeček (Oxford Faculty of Law) presented his research on the legal status of the commercial flow of personal data. He made an analogy with “res extra commercium”, a doctrine originating in Roman law, holding that certain things may not be the object of private rights and are therefore insusceptible to being traded. Václav Janeček claimed that commerce in some data is, and should be, limited by law (data extra commercium) because some data embody values and interests (in particular, human dignity) that may be detrimentally affected by trade. In addition, it is difficult to set an inalienability rule, since it is difficult to distinguish between personal data and non-personal data. To illustrate his point, Václav Janeček made a comparison between human organs and personal data: human organs are excluded from commerce, but artificial organs are “intra commercium” by default. Investigating the legal status of personal data as regulated under the EU Charter and the GDPR, in a recent article co-authored with Gianclaudio Malgieri, he observed that transactions in personal data are not forbidden but subject to what the authors call a dynamically limited alienability rule. This rule is based on two dynamic variables: the nature of the data and the legal basis for commercially trading such data (at primary or secondary level). Accordingly, in order to deal with such dynamism and uncertainty, he proposed a general two-stage reasonableness test that should help legal practitioners, judges and law-makers in considering when trade in data is illicit and who shall be held responsible in such cases. Responsibility for an illegal trade agreement requires further tools, and the business-to-business situation needs to be addressed. For further details you can read the article Data Extra Commercium by V. Janeček and G. Malgieri.
Then, Sylvie Delacroix (Professor at University of Birmingham) presented her research on data trusts. She argued that data ownership is not only unlikely to provide adequate control, but is also a poor answer to the type of problems and vulnerabilities at stake. A more profitable solution according to Sylvie Delacroix might be the creation of “trusts” on personal data: data subjects might choose to delegate the exercise of their data subject rights to expert trustees in order to re-balance the asymmetry between controllers and subjects. Sylvie Delacroix also mentioned four conditions for this proposal to work: 1) the law barrier for entry must be low, 2) data subjects’ personal data must be secure, 3) an individual’s personal data must be erasable from any particular system (art. 17 GDPR) and 4) an individual’s personal data must be portable between different computer systems (art. 20 GDPR). At the end, Delacroix claimed that in Trust law the subject matter can be based on rights, rather than merely on property. Similarly, for a “data trust” the object might be data subjects’ rights and not ‘data property’. Data trustees will need to be ‘mandated’ to exercise the data subjects’ rights on their behalf. Art. 80(1) of the GDPR currently envisages such mandates only in relation to art. 77-79. For further details you can read her article “Disturbing the ‘One Size Fits All’ Approach to Data Governance: Bottom-Up Data Trusts”.
The keynotes were followed by a lively discussion with the audience. At the end, Professor Paul de Hert gave final remarks, summarized the main findings of the day and expressed gratitude to the Brussels Privacy Hub and all panellists.