Ownership of customer data

by Mark Rowe

Who owns a customer’s data? How should it be monetised and who should profit from it? ask Hitesh Chowdhry, Legal Consultant, and Lawrence Ryz, Legal Counsel, Kroll Ontrack UK.

Introduction

There are three inter-linked causes of the increased concern about the ownership of customer data: the explosion in the volumes of data created by consumers, the real-time nature of it, and the growing awareness of its value. The issues raised by consumers centre around privacy, ownership and monetary benefit: who is profiting from these data, and who should be doing so? We look at these issues and some proposed solutions.
In this article, the term ‘ownership’ is used in the layman’s sense – namely to denote that consumer data ultimately originates from a human being. However, it is worth bearing in mind that, from a legal perspective, there is no property in data itself. It is therefore more accurate to speak of different rights that arise ‘in relation to’ data, rather than rights of ownership in the data itself. These rights can include:

• Copyright, which protects the intellectual creation that the author or creator of a database makes in selecting or arranging the data;
• Database rights, which protect any substantial investment that has been made in obtaining, verifying or presenting the data (but not investment made in creating data in the first place);
• Rights of confidence – if the data is confidential, English laws protecting confidentiality may help to prevent unauthorised use or disclosure of the confidential information. Having said that, most customers freely impart their data to service providers, such as Facebook, on the terms of any privacy policies those service providers have in place.
• Privacy and data protection rights – if the information relates to an individual, then that individual has rights such as to understand what data is being processed about them or to prevent processing in certain circumstances.
• Contractual rights – even in the absence of one of the rights above, someone who controls data can restrict access to those data by imposing contractual restrictions on how they can be used and disclosed.

Who owns a customer’s data?

The complexity of ownership was underlined by Facebook CEO Mark Zuckerberg when he explained that when data are shared on its platform, more than one copy is created, at which point control is ceded. Zuckerberg highlighted the inherent contradiction in customers wanting to retain full ownership and control over their data whilst at the same time seeking to retain data that others have shared with them (such as photographs and contact details), thereby depriving those people of the same level of control.
Whilst there are well-recognised laws on how data are to be handled, the law on actual ownership of customer data is complex. Under English law, there is no general property right in data or information itself. The 1978 English case Oxford v Moss held that a student could not be held liable for ‘theft’ of information contained in an examination paper that he found and copied prior to the examination because the information in the paper was not ‘property’. For this very reason, individuals own neither their criminal records nor their credit history; and the mere right of access or privacy (as in the case of medical records) does not confer ownership.

Rights and responsibilities

Alongside the data rights mentioned above, there are also some responsibilities, or obligations, when handling consumer data. Issues can arise when data are shared electronically by data originators with commercial enterprises.

The Data Protection Act (1998) imposes various obligations on “data controllers” when they process “personal data.” However, these obligations do not define the boundaries of ownership. The aforementioned example of Facebook is interesting: when information is shared electronically, a corresponding record of that information is often imprinted on the recipient’s platform, which is outside the control of the original source of the data. It may be difficult or impractical for the data originator to use the rights it owns in the data (see introduction) to exert control over these ‘copy data’, particularly in the context of social media or cloud platforms. However, the terms of use of the platform and any contractual agreement between the user and the host will govern rights and obligations with respect to the data as between the parties to that agreement.

Similarly, when products or services are purchased, the vendor will be required to make some record of the transaction’s details. Such records will contain more information where transactions have been made online. Mass volumes of personal data provided by customers are therefore copied and aggregated, generally without clarification of where ownership of the resulting aggregated data lies. In fact, as shown above, Copyright protects how data are selected and arranged, and Database Right protects the investment made in obtaining, verifying or presenting data; but neither protects the customer data per se. Therefore, the process of aggregating and collecting consumer data could create valuable legal rights, whereas individual consumer data sets may not be protected because there is no property in data alone. Consumers therefore have to rely on the more limited rights afforded to them by data protection laws. The issues of data ownership, rights and responsibilities are thus complex, and subject to commentary and opinion.

What’s it worth?

The market for consumers’ data is reported to be a $15bn industry. Questions therefore arise as to who should benefit from the data being exchanged, which is an issue that is inextricably linked to the debate about ownership. The compensation deficit between those who provide and those who extract value from data has led to some consumers seeking compensation for the data being handed over. Companies such as Datacoup extract data from users’ accounts once explicit consent has been given, and then trade those data for the financial benefit of the users. Some individuals have even incorporated themselves as limited companies, deriving profit from the various aspects of human existence that create value which others are currently profiting from. Ultimately, the issue of compensation becomes as thorny as the issue of ownership. As stated above, in many instances, data become more valuable once they have been aggregated – and often anonymised – at which point they arguably no longer relate to the individual.

What can go wrong and how can such pitfalls be avoided?

When companies collect, store, process, interpret, use and sell data about individuals, there are perhaps two key risks the company runs. One is that, as a result of a lack of care or malicious activity, data may be lost or stolen, which can lead to liability, negative PR and notifications to regulators or those affected. The second is that companies may seem to ‘know too much’ about a person, or collect or sell data in a way that consumers were not aware of and object to. This can cause a loss of trust and affect companies’ relationships with consumers. Companies should therefore take cyber security seriously and be clear with consumers both in the information they give about the data exchange, and with the consents they obtain.

A ‘new deal on data’?

Professor Alex Pentland of the Massachusetts Institute of Technology has argued that people should be given outright ownership of their data. In defining ownership, he cited three tenets enshrined in English Common Law: the rights of possession, use and disposal. Possession means that organisations act like a private bank account, in which data can be deposited and removed at the owner’s discretion. Similarly, usage entitles the consumer to have full transparency on how his data are being used, with the unequivocal right to remove them at will. This ties in with the right of disposal, which gives the consumer the ultimate authority to decide where data are distributed.
The European Commission appeared to agree with the sentiment of Pentland’s suggestions. In its legislative resolution for a new General Data Protection Regulation (GDPR) (2014), the Commission proposed that consent for the processing of personal data should be “explicitly” given, and that such consent would not be valid when there was “a clear imbalance between the data subject and the controller…”. A condition of consent would be that it “should be as easy to withdraw…as to give it”. However, in the final text of the proposed Regulation (2015), the compromise reached was “unambiguous consent” for processing, with “explicit consent” only required for the processing of “sensitive” data.

Others, however, argue that the concept of ‘my data’ is misconceived, as data are merely a means of identifying personal attributes. Instead of concentrating on the source of data, then, it may be more appropriate to consider who controls data. The World Economic Forum (2011) agreed that it would be more productive to focus on how data are handled – “rights management, accountability, due process and the formation of ‘interoperable’ legal frameworks” – than data ownership. Such an approach puts proof to the contention that the fluidity of data in the age of ‘big data’ may render discussions about ownership futile, and the better approach is to impose firm but realistic duties on data processors and controllers.

Conclusion

It is likely that individual consumers are often unaware of how their data – be it personal or not – are being processed, aggregated, analysed, and used at an intra- and supra-organisational level. This has led to concerns over privacy, ownership and compensation. However, the issue of ownership is more complex than many would assume. In this light, Pentland’s model of transparent ownership – whilst raising important issues – seems unworkable. There is no doubt that the anonymised aggregation of consumer data can bring businesses more revenue, but this is likely by virtue of delivering better products and services to consumers. It would be difficult to argue in favour of the benefits brought to consumers without conceding the inevitable commercial gains to businesses.
That said, a greater transparency of information will bring about a fairer market. If better regulation is introduced to encourage the disclosure of how data are shared within and between organisations, then consumers can make more informed decisions about whom they transact with. A transaction includes the act of logging onto the internet through a browser which may be capturing data without the user necessarily being aware of the implications. After transactions have taken place, the ownership of data – to some extent – may have already been ceded. A focus on the transparency of data handling and distribution, therefore, should allow for better-informed consumers, who can then make more rational decisions and bring about a more equitable market. It remains to be seen whether the GDPR will help to achieve this.

With special thanks to Nicola Fulford and Alison Rea of Kemp Little LLP; and Greg Callus of 5RB Chambers
