Skip to main content

Is Privacy and Personal Data Set to Become the New Intellectual Property?


A pressing concern today is whether the rationale underlying the protection of personal data is itself a meaningful foundation for according intellectual property (IP) rights in personal data to data subjects. In particular, are there particular technological attributes about the collection, use and processing of personal data on the Internet, and global access to that data, that provide a strong justification to extend IP rights to data subjects? A central issue in so determining is whether data subjects need the protection of such rights in a technological revolution in which they are increasingly exposed to the use and abuse of their personal data. A further question is how IP law can provide them with the requisite protection of their private space, or whether other means of protecting personal data, such as through general contract rights, render IP protections redundant, or at least, less necessary. This paper maintains that lawmakers often fail to distinguish between general property and IP protection of personal data; that IP protection encompasses important attributes of both property and contract law; and that laws that implement IP protection in light of its sui generis attributes are more fitting means of protecting personal data than the alternatives. The paper demonstrates that one of the benefits of providing IP rights in personal data goes some way to strengthening data subjects’ control and protection over their personal data and strengthening data protection law more generally. It also argues for greater harmonization of IP law across jurisdictions to ensure that the protection of personal data becomes more coherent and internationally sustainable.

This is a preview of subscription content, access via your institution.


  1. Berners-Lee (2019).

  2. Zittrain (2000), p. 1203. Zittrain discusses how the music industry moved from being vulnerable to developing technological systems that could protect the IP of those that make music.

  3. Lemley (2004), pp. 1–2.

  4. Ibid.

  5. The Universal Declaration of Human Rights, adopted by the General Assembly of the United Nations on 10 December 1948 (General Assembly resolution 217 A) was the first collective response by member states on the fundamental and inalienable nature of human rights.

  6. Ibid.

  7. Adopted and opened for signature, ratification and accession by General Assembly Resolution 2200A (XXI) of 16 December 1966, entry into force 23 March 1976.

  8. Organization for Economic Cooperation and Development Guidelines governing the protection of privacy and trans-border flows of personal data (as amended on 11 July 2013),

  9. Ibid.

  10. Warren and Brandeis (1890).

  11. Ibid.

  12. Convention for the Protection of Human Rights and Fundamental Freedoms, 1950. Rome, 4.XI.1950, European Treaty Series – No. 5.

  13. Ibid, Art. 6.

  14. Articles 7 and 8, Charter of Fundamental Rights of the European Union, Official Journal of the European Union, 2000/C 364/01.

  15. Ibid, Art. 8.

  16. Case 4/73J Nold Kohlen- und Baustoffgroßhandlung v. Commission of the European Communities.

  17. Ibid.

  18. Official Journal of the European Communities C 364/1, Art. 17, “Right to property – 1. Everyone has the right to own, use, dispose of and bequeath his or her lawfully acquired possessions. No one may be deprived of his or her possessions, except in the public interest and in the cases and under the conditions provided for by law, subject to fair compensation being paid in good time for their loss. The use of property may be regulated by law in so far as is necessary for the general interest. 2. Intellectual property shall be protected.”

  19. Case 275/06, Productores de Música de España (Promusicae) v. Telefónica de España SAU [GC], 29 January 2008.

  20. Ibid. paras. 62–68. The Spanish court referred the issue to the Court of Justice of the European Union (CJEU), asking whether such personal data must be communicated, under community law, in the context of civil proceedings, to ensure the effective protection of copyright. It referred to Directives 2000/31, 2001/29 and 2004/48, read also in light of Arts. 17 and 47 of the Charter. The CJEU concluded that these three directives, as well as the e-Privacy Directive (Directive 2002/58), did not preclude Member States from imposing an obligation to disclose personal data in the context of civil proceedings to ensure effective copyright protection. The court concluded that “the Member States must, when transposing the directives mentioned above, take care to rely on an interpretation of those directives which allows a fair balance to be struck between the various fundamental rights … or with the other general principles of Community law, such as the principle of proportionality”.

  21. See Doe v. Yahoo!7 Pty Ltd [2013] QDC 181.

  22. Chesterman (2018).

  23. Chesterman (2012). Comparing these jurisdictions inter se poses another layer complexity because of the potential clash between the common law system of Australia and Singapore, and other Asian states whose legal systems are based on European civil law.

  24. On such abuse of the Internet, see e.g. Dhanjani (2015); Kozyris (2007).

  25. See further Sect. 2.1.4.

  26. Merges et al. (1997), pp. 11–20.

  27. Ibid.

  28. Ibid.

  29. Ibid.

  30. Cohen (2000), pp. 1423–28.

  31. Lemley (2000). This view diverges from Lemley’s earlier work, referred to in his article ibid in this note.

  32. Tene and Polonetsky (2013), p. 239.

  33. Malgieri (2018), pp. 118–140.

  34. Ibid.

  35. Ibid, user-provided data are the only piece of information that is explicitly recognized as “commodifiable” as a kind of digital good of individuals. Indeed, it is the only set of personal data that can be “ported” from one platform to another. However, it is the only kind of (personal) data that the (proposed) law would consider a legitimate counter-performance other than money for the provision of digital content.

  36. Schwartz (2004), p. 7.

  37. Ibid.

  38. Ibid.

  39. Ibid.

  40. Ibid.

  41. Ibid.

  42. Karanasiou and Douilhet (2016).

  43. Glancy (2010). The article recounts a thought experiment into what recognition of personal information as IP might look like.

  44. Ibid.

  45. Ibid.

  46. Lessig (1999).

  47. Ibid.

  48. Litman (2000), p. 1295.

  49. Ibid, p. 1283.

  50. Schwartz, supra note 36 p. 2097. Susan Rose-Ackerman’s definition, an “inalienability” is “any restriction on the transferability, ownership, or use of an entitlement. Rose-Ackerman (1985), p. 268.

  51. Ibid.

  52. Calabrese and Melamed (1972).

  53. Ibid.

  54. Lessig (1998). Lessig argues that the code simply means the software and hardware that constitutes cyberspace as it is – the set of protocols, the set of rules, implemented, or codified, in the software of cyberspace itself, that determine how people interact, or exist, in this space … For the rest of us, life in cyberspace is subject to the code, just as life in real space is subject to the architectures of real space.

  55. Ibid.

  56. Ibid.

  57. Ibid.

  58. Agre and Rotenberg (1997).

  59. Solve (2001), pp. 1440–1446.

  60. Ciani (2018), pp. 285–291.

  61. Van Erp (2017), pp. 235–236.

  62. Sonnekus (2014), pp. 130, 136.

  63. Ibid.

  64. For arguments to the contrary, see Ciani, supra note 60, p. 288.

  65. See van Erp, supra note 61, p. 288.

  66. See the EU, General Data Protection Regulation 2016/679.

  67. See e.g. Lemley (2004), pp. 1–2.

  68. Van Erp supra note 61, p. 240 “A person’s estate is comprised of all physical things and all patrimonial rights. However, a patrimonial right (e.g., a right arising from a contract) cannot be ‘owned.’ A person can only be ‘entitled’ to it, although ‘entitlement’ in economic terms comes very close to ownership.”.

  69. Ibid.

  70. Litman (2000), supra note 48, pp. 1295–1296.

  71. Scholz (2016), pp. 113.

  72. Ibid.

  73. Ibid.

  74. Ibid.

  75. Samuelson (2000), p. 1125.

  76. Ibid.

  77. Ibid.

  78. Ibid.

  79. Karki (2005), pp. 59–62.

  80. Ibid.

  81. Glancy, supra note 43.

  82. Ibid.

  83. Ibid.

  84. Ibid.

  85. Ibid.

  86. Goldberg (2018).

  87. Huberman et al. (2018).

  88. Ibid.

  89. The EU has taken the use of privacy enhancing technologies to protect the personal identities of users a step further than the other jurisdictions identified below. Article 25 of the GDPR adopted by the EU includes the principle of data protection by design. This requires that data controllers and processors adopt and embed privacy measures, including privacy enhancing technologies, directly into the design of technologies and systems. Cambridge Analytica harvested data from more than 87 million Facebook users, a whistleblower says,, (accessed 2 August 2018). Notwithstanding Art. 25 of the GDPR, regulation of the Internet market has already failed to provide adequate technological mechanisms for coordinating individual wishes for information privacy. This inadequacy stems, in part, from evidence of a high number of privacy breaches on the Internet that are detected only after the fact, and then reported to national governments. For instance, the 2016 Facebook and Cambridge Analytica privacy breaches have all received worldwide attention from government regulators.

  90. Department for Business and Innovation Skills (2011).

  91. Mydex (2018).

  92. Janeček (2018).

  93. Ibid.

  94. Interestingly, an important source of information identifying a person includes the current and last employer. As an illustration, once a person in Australia begins working or undertaking business, regardless of age, he/she is required to have a Tax File Number, even though a Tax File does not capture that person’s identity to the same extent as an identification card that is required in Singapore.

  95. Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, European Commission (20 June 2007), available at:

  96. Ibid.

  97. See Wang (2017), pp. 3286–3305.

  98. Privacy Act 1988, Sec. 6.

  99. Ibid.

  100. Personal Data Protection Act 2012.

  101. General Data Protection Regulation, Official Journal of the European Union 2016/679.

  102. Article 9, General Data Protection Regulation, Official Journal of the European Union, 2016/679.

  103. Janeček, supra note 92.

  104. Id, at 92, citing Aycaguer v. France App No. 8806/12 (ECtHR, 22 June 2017), (2017) EHRLR 519; see also S v. United Kingdom (2009) 48 EHRR 50 (ECtHR).

  105. Supra note 92.

  106. Ibid.

  107. Ibid. Janeček argued further that “[t]he original question featuring in said debates was ‘When information (not data) can be protected by the law?’ and the answer was that while semantic information (i.e. information per se) can never be protected by the law because it would violate free access to information, syntactic information can be given legal protection. From the information-centred viewpoint this answer was satisfactory. Saying that syntactic information or more precisely the formal expression of information, for example in form of a digital sequence of data, can be legally protected addressed the relevant information-centred problem. The data-centred discourse, however, cannot make efficient use of this conceptual scheme, because its original questions are ‘How can we protect data?’ and ‘What information can be extracted from data?’, not ‘How can we express some information in form of (eg digital) data?'”.

  108. Ibid.

  109. Ibid.

  110. Ibid.

  111. Ibid.

  112. Ibid, at 7.

  113. Ibid.

  114. General Data Protection Regulation 2016/679, Art. 6 recognizes the legitimate interests by public authorities in the performance of their tasks.

  115. Personal Data Protection Commission (2018).

  116. Office of Australian Information Commissioner (2018).

  117. Coogan v. News Group Newspapers Ltd [2012] EWCA Civ 48, [2012] 2 WLR 84, [2012] EMLR 14, [2012] 2 All ER 74.

  118. Ibid.

  119. Ibid.

  120. Ibid.

  121. Price v. Hal Roach Studios, Inc., 400 F. Supp. 836 (S.D.N.Y. 1975).

  122. Ibid [para 1-01].

  123. Ibid.

  124. Ibid.

  125. Ibid.

  126. Gordley (2006), p. 49.

  127. Akkermans (2008).

  128. Janeček, supra note 92.

  129. Ibid.


Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Leon Trakman.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Trakman, L., Walters, R. & Zeller, B. Is Privacy and Personal Data Set to Become the New Intellectual Property?. IIC 50, 937–970 (2019).

Download citation

  • Published:

  • Issue Date:

  • DOI:


  • Data protection
  • Intellectual property
  • Personal data
  • Privacy