A pressing concern today is whether the rationale underlying the protection of personal data is itself a meaningful foundation for according intellectual property (IP) rights in personal data to data subjects. In particular, are there particular technological attributes about the collection, use and processing of personal data on the Internet, and global access to that data, that provide a strong justification to extend IP rights to data subjects? A central issue in so determining is whether data subjects need the protection of such rights in a technological revolution in which they are increasingly exposed to the use and abuse of their personal data. A further question is how IP law can provide them with the requisite protection of their private space, or whether other means of protecting personal data, such as through general contract rights, render IP protections redundant, or at least, less necessary. This paper maintains that lawmakers often fail to distinguish between general property and IP protection of personal data; that IP protection encompasses important attributes of both property and contract law; and that laws that implement IP protection in light of its sui generis attributes are more fitting means of protecting personal data than the alternatives. The paper demonstrates that one of the benefits of providing IP rights in personal data goes some way to strengthening data subjects’ control and protection over their personal data and strengthening data protection law more generally. It also argues for greater harmonization of IP law across jurisdictions to ensure that the protection of personal data becomes more coherent and internationally sustainable.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Price includes VAT (USA)
Tax calculation will be finalised during checkout.
Zittrain (2000), p. 1203. Zittrain discusses how the music industry moved from being vulnerable to developing technological systems that could protect the IP of those that make music.
Lemley (2004), pp. 1–2.
The Universal Declaration of Human Rights, adopted by the General Assembly of the United Nations on 10 December 1948 (General Assembly resolution 217 A) was the first collective response by member states on the fundamental and inalienable nature of human rights.
Adopted and opened for signature, ratification and accession by General Assembly Resolution 2200A (XXI) of 16 December 1966, entry into force 23 March 1976.
Organization for Economic Cooperation and Development Guidelines governing the protection of privacy and trans-border flows of personal data (as amended on 11 July 2013), http://www.oecd.org/sti/ieconomy/privacy.htm.
Warren and Brandeis (1890).
Convention for the Protection of Human Rights and Fundamental Freedoms, 1950. Rome, 4.XI.1950, European Treaty Series – No. 5.
Ibid, Art. 6.
Articles 7 and 8, Charter of Fundamental Rights of the European Union, Official Journal of the European Union, 2000/C 364/01.
Ibid, Art. 8.
Case 4/73J Nold Kohlen- und Baustoffgroßhandlung v. Commission of the European Communities.
Official Journal of the European Communities C 364/1, Art. 17, “Right to property – 1. Everyone has the right to own, use, dispose of and bequeath his or her lawfully acquired possessions. No one may be deprived of his or her possessions, except in the public interest and in the cases and under the conditions provided for by law, subject to fair compensation being paid in good time for their loss. The use of property may be regulated by law in so far as is necessary for the general interest. 2. Intellectual property shall be protected.”
Case 275/06, Productores de Música de España (Promusicae) v. Telefónica de España SAU [GC], 29 January 2008.
Ibid. paras. 62–68. The Spanish court referred the issue to the Court of Justice of the European Union (CJEU), asking whether such personal data must be communicated, under community law, in the context of civil proceedings, to ensure the effective protection of copyright. It referred to Directives 2000/31, 2001/29 and 2004/48, read also in light of Arts. 17 and 47 of the Charter. The CJEU concluded that these three directives, as well as the e-Privacy Directive (Directive 2002/58), did not preclude Member States from imposing an obligation to disclose personal data in the context of civil proceedings to ensure effective copyright protection. The court concluded that “the Member States must, when transposing the directives mentioned above, take care to rely on an interpretation of those directives which allows a fair balance to be struck between the various fundamental rights … or with the other general principles of Community law, such as the principle of proportionality”.
See Doe v. Yahoo!7 Pty Ltd  QDC 181.
Chesterman (2012). Comparing these jurisdictions inter se poses another layer complexity because of the potential clash between the common law system of Australia and Singapore, and other Asian states whose legal systems are based on European civil law.
See further Sect. 2.1.4.
Merges et al. (1997), pp. 11–20.
Cohen (2000), pp. 1423–28.
Lemley (2000). This view diverges from Lemley’s earlier work, referred to in his article ibid in this note.
Tene and Polonetsky (2013), p. 239.
Malgieri (2018), pp. 118–140.
Ibid, user-provided data are the only piece of information that is explicitly recognized as “commodifiable” as a kind of digital good of individuals. Indeed, it is the only set of personal data that can be “ported” from one platform to another. However, it is the only kind of (personal) data that the (proposed) law would consider a legitimate counter-performance other than money for the provision of digital content.
Schwartz (2004), p. 7.
Karanasiou and Douilhet (2016).
Glancy (2010). The article recounts a thought experiment into what recognition of personal information as IP might look like.
Litman (2000), p. 1295.
Ibid, p. 1283.
Schwartz, supra note 36 p. 2097. Susan Rose-Ackerman’s definition, an “inalienability” is “any restriction on the transferability, ownership, or use of an entitlement. Rose-Ackerman (1985), p. 268.
Calabrese and Melamed (1972).
Lessig (1998). Lessig argues that the code simply means the software and hardware that constitutes cyberspace as it is – the set of protocols, the set of rules, implemented, or codified, in the software of cyberspace itself, that determine how people interact, or exist, in this space … For the rest of us, life in cyberspace is subject to the code, just as life in real space is subject to the architectures of real space.
Agre and Rotenberg (1997).
Solve (2001), pp. 1440–1446.
Ciani (2018), pp. 285–291.
Van Erp (2017), pp. 235–236.
Sonnekus (2014), pp. 130, 136.
For arguments to the contrary, see Ciani, supra note 60, p. 288.
See van Erp, supra note 61, p. 288.
See the EU, General Data Protection Regulation 2016/679.
See e.g. Lemley (2004), pp. 1–2.
Van Erp supra note 61, p. 240 “A person’s estate is comprised of all physical things and all patrimonial rights. However, a patrimonial right (e.g., a right arising from a contract) cannot be ‘owned.’ A person can only be ‘entitled’ to it, although ‘entitlement’ in economic terms comes very close to ownership.”.
Litman (2000), supra note 48, pp. 1295–1296.
Scholz (2016), pp. 113.
Samuelson (2000), p. 1125.
Karki (2005), pp. 59–62.
Glancy, supra note 43.
Huberman et al. (2018).
The EU has taken the use of privacy enhancing technologies to protect the personal identities of users a step further than the other jurisdictions identified below. Article 25 of the GDPR adopted by the EU includes the principle of data protection by design. This requires that data controllers and processors adopt and embed privacy measures, including privacy enhancing technologies, directly into the design of technologies and systems. Cambridge Analytica harvested data from more than 87 million Facebook users, a whistleblower says, http://www.abc.net.au/news/2018-04-18/cambridge-analytica-employee-testifies-before-uk-committee/9670192, (accessed 2 August 2018). Notwithstanding Art. 25 of the GDPR, regulation of the Internet market has already failed to provide adequate technological mechanisms for coordinating individual wishes for information privacy. This inadequacy stems, in part, from evidence of a high number of privacy breaches on the Internet that are detected only after the fact, and then reported to national governments. For instance, the 2016 Facebook and Cambridge Analytica privacy breaches have all received worldwide attention from government regulators.
Department for Business and Innovation Skills (2011).
Interestingly, an important source of information identifying a person includes the current and last employer. As an illustration, once a person in Australia begins working or undertaking business, regardless of age, he/she is required to have a Tax File Number, even though a Tax File does not capture that person’s identity to the same extent as an identification card that is required in Singapore.
Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, European Commission (20 June 2007), available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf.
See Wang (2017), pp. 3286–3305.
Privacy Act 1988, Sec. 6.
Personal Data Protection Act 2012.
General Data Protection Regulation, Official Journal of the European Union 2016/679.
Article 9, General Data Protection Regulation, Official Journal of the European Union, 2016/679.
Janeček, supra note 92.
Id, at 92, citing Aycaguer v. France App No. 8806/12 (ECtHR, 22 June 2017), (2017) EHRLR 519; see also S v. United Kingdom (2009) 48 EHRR 50 (ECtHR).
Supra note 92.
Ibid. Janeček argued further that “[t]he original question featuring in said debates was ‘When information (not data) can be protected by the law?’ and the answer was that while semantic information (i.e. information per se) can never be protected by the law because it would violate free access to information, syntactic information can be given legal protection. From the information-centred viewpoint this answer was satisfactory. Saying that syntactic information or more precisely the formal expression of information, for example in form of a digital sequence of data, can be legally protected addressed the relevant information-centred problem. The data-centred discourse, however, cannot make efficient use of this conceptual scheme, because its original questions are ‘How can we protect data?’ and ‘What information can be extracted from data?’, not ‘How can we express some information in form of (eg digital) data?'”.
Ibid, at 7.
General Data Protection Regulation 2016/679, Art. 6 recognizes the legitimate interests by public authorities in the performance of their tasks.
Personal Data Protection Commission (2018).
Office of Australian Information Commissioner (2018).
Coogan v. News Group Newspapers Ltd  EWCA Civ 48,  2 WLR 84,  EMLR 14,  2 All ER 74.
Price v. Hal Roach Studios, Inc., 400 F. Supp. 836 (S.D.N.Y. 1975).
Ibid [para 1-01].
Gordley (2006), p. 49.
Janeček, supra note 92.
Agre P, Rotenberg M (1997) Technology and privacy: the new landscape. MIT Press, Cambridge
Akkermans B (2008) The principle of numerus clausus in European property law. Intersentia, Antwerp
Berners-Lee T (2019) Interview on the need to seek complete control of data. https://www.channelnewsasia.com/news/world/web-inventor-urges-users-to-seek--complete-control--of-data-11334546. Accessed 12 March 2019
Calabrese G, Melamed AD (1972) Property rules, liability rules, and inalienability: one view of the cathedral. Harv Law Rev 85:1089–1128
Chesterman S (2012) After privacy: the rise of Facebook, the fall of Wikileaks, and Singapore’s personal data protection act 2012. Singap J Leg Stud 391–415
Chesterman S (2018) Data protection law in Singapore, privacy and sovereignty in an interconnected world. Academic Publishing, Singapore
Ciani J (2018) Governing data trade in intelligent environments: taxonomy of possible regulatory regimes between property and access rights. Intell Environ 23:285–291
Cohen J (2000) Examined lives: informational privacy and the subject as object. Stanf Law Rev 52(1373):1423–1428
Department for Business and Innovation Skills (2011) The midata vision of consumer empowerment. https://www.gov.uk/government/news/the-midata-visionofconsumerempowerment. Accessed 28 April 2018
Dhanjani N (2015) Abusing the internet of things: blackouts, freakouts, and stakeouts. O’Reilly Media, Sebastopol
Glancy D (2010) Santa Clara personal information as intellectual property. https://www.law.berkeley.edu/files/bclt_IPSC2010_Glancy2.pdf. Accessed 20 May 2019
Goldberg I (2018) Privacy enhancing technologies for the internet III: ten years later. Cheriton School of Computer Science University of Waterloo. https://www.cypherpunks.ca/~iang/pubs/pet3.pdf. Accessed 26 April 2018
Gordley J (2006) Foundations of private law: property, tort, contract, unjust enrichment. OUP, Oxford, p 49
Huberman B, Franklin M, Hogg T (2018) Enhancing privacy and trust in electronic communities. Xerox Palo Alto Research Center, Palo Alto. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.89.395&rep=rep1&type=pdf. Accessed 26 April 2018
Janeček V (2018) Ownership of personal data in the Internet of Things. Comput Law Secur Rev 34:1039–1052
Karanasiou A, Douilhet E (2016) Never mind the data: the legal quest over control of information and the networked self. http://eprints.bournemouth.ac.uk/23392/1/PID4084429%20%285%29.pdf. Accessed 20 May 2019
Karki M (2005) Personal data privacy and intellectual property. J Intellect Prop Rights 10:59–62
Kozyris PJ (2007) Regulating internet abuses: invasion of privacy: invasion of privacy. Wolters Kluger, Alphen aan den Rijn
Lemley M (2000) Private property: a comment on professor Samuelson’s contribution. Stanf Law Rev 52:1551–1554
Lemley M (2004) Property, intellectual property, and free riding. Stanford Law School, Working Paper No. 291 August 2004, pp 1–2
Lessig L (1998) The laws of cyberspace. https://cyber.harvard.edu/works/lessig/laws_cyberspace.pdf. Accessed 2 Jan 2018
Lessig L (1999) Code and other laws of cyberspace. Basic Books, New York
Litman J (2000) Information privacy/information property. Stanf Law Rev 52:1295
Malgieri G (2018) User-provided personal content in the EU: digital currency between data protection and intellectual property. Int Rev Law Comput Technol 32(1):118–140
Merges P, Menell P, Lemley M, Jorde T (1997) Intellectual property in the new technological age. Aspen Law & Business, New York, pp 11–20
Mydex (2018) https://pds.mydex.org/. Accessed 28 April 2018
Office of Australian Information Commissioner (2018) https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-b-key-concepts. Accessed 26 Oct 2018
Personal Data Protection Commission (2018) https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Legislation-and-Guidelines/PDPC-Response-to-Feedback-for-Public-Consultation-on-Approaches-to-Managing-Personal-Data-in-the-Dig.pdf. Accessed 26 Oct 2018
Rose-Ackerman S (1985) Inalienability. In: The new Palgrave dictionary of economics and the law. Yale Law School Faculty Scholarship, vol 1–3, p 268
Samuelson P (2000) Privacy as intellectual property? Stanf Law Rev 52:1125
Scholz L (2016) Privacy as quasi-property. Iowa Law Rev 101:113
Schwartz P (2004) Property, privacy, and personal data. Harv Law Rev 117:7
Solve D (2001) Privacy and power: computer databases and metaphors for information privacy. Stanf Law Rev 53:1440–1446
Sonnekus J (2014) The fundamental differences in the principles governing property law and succession from a South African law perspective. Eur Prop Law J 3(130):136
Tene O, Polonetsky J (2013) Big data for all: privacy and user control in the age of analytics. Nw J Tech Intell Prop 11:239
Van Erp S (2017) Ownership of data: the numerus clausus of legal objects. In: Brigham-Kanner property rights conference journal, vol 6, pp 235–236
Wang M (2017) The defining approaches and practical paradox of sensitive data: an investigation of data protection laws in 92 countries and regions and 200 data breaches in the world. Int J Commun 14:3286–3305
Warren S, Brandeis L (1890) The right to privacy. Harv Law Rev 4:193–220
Zittrain J (2000) What the publisher can teach the patient: intellectual property and privacy in an era of trusted privication. Stanf Law Rev 52:1203
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
About this article
Cite this article
Trakman, L., Walters, R. & Zeller, B. Is Privacy and Personal Data Set to Become the New Intellectual Property?. IIC 50, 937–970 (2019). https://doi.org/10.1007/s40319-019-00859-0
- Data protection
- Intellectual property
- Personal data