Skip to main content

Is Privacy and Personal Data Set to Become the New Intellectual Property?

Abstract

A pressing concern today is whether the rationale underlying the protection of personal data is itself a meaningful foundation for according intellectual property (IP) rights in personal data to data subjects. In particular, are there particular technological attributes about the collection, use and processing of personal data on the Internet, and global access to that data, that provide a strong justification to extend IP rights to data subjects? A central issue in so determining is whether data subjects need the protection of such rights in a technological revolution in which they are increasingly exposed to the use and abuse of their personal data. A further question is how IP law can provide them with the requisite protection of their private space, or whether other means of protecting personal data, such as through general contract rights, render IP protections redundant, or at least, less necessary. This paper maintains that lawmakers often fail to distinguish between general property and IP protection of personal data; that IP protection encompasses important attributes of both property and contract law; and that laws that implement IP protection in light of its sui generis attributes are more fitting means of protecting personal data than the alternatives. The paper demonstrates that one of the benefits of providing IP rights in personal data goes some way to strengthening data subjects’ control and protection over their personal data and strengthening data protection law more generally. It also argues for greater harmonization of IP law across jurisdictions to ensure that the protection of personal data becomes more coherent and internationally sustainable.

This is a preview of subscription content, access via your institution.

Notes

  1. 1.

    Berners-Lee (2019).

  2. 2.

    Zittrain (2000), p. 1203. Zittrain discusses how the music industry moved from being vulnerable to developing technological systems that could protect the IP of those that make music.

  3. 3.

    Lemley (2004), pp. 1–2.

  4. 4.

    Ibid.

  5. 5.

    The Universal Declaration of Human Rights, adopted by the General Assembly of the United Nations on 10 December 1948 (General Assembly resolution 217 A) was the first collective response by member states on the fundamental and inalienable nature of human rights.

  6. 6.

    Ibid.

  7. 7.

    Adopted and opened for signature, ratification and accession by General Assembly Resolution 2200A (XXI) of 16 December 1966, entry into force 23 March 1976.

  8. 8.

    Organization for Economic Cooperation and Development Guidelines governing the protection of privacy and trans-border flows of personal data (as amended on 11 July 2013), http://www.oecd.org/sti/ieconomy/privacy.htm.

  9. 9.

    Ibid.

  10. 10.

    Warren and Brandeis (1890).

  11. 11.

    Ibid.

  12. 12.

    Convention for the Protection of Human Rights and Fundamental Freedoms, 1950. Rome, 4.XI.1950, European Treaty Series – No. 5.

  13. 13.

    Ibid, Art. 6.

  14. 14.

    Articles 7 and 8, Charter of Fundamental Rights of the European Union, Official Journal of the European Union, 2000/C 364/01.

  15. 15.

    Ibid, Art. 8.

  16. 16.

    Case 4/73J Nold Kohlen- und Baustoffgroßhandlung v. Commission of the European Communities.

  17. 17.

    Ibid.

  18. 18.

    Official Journal of the European Communities C 364/1, Art. 17, “Right to property – 1. Everyone has the right to own, use, dispose of and bequeath his or her lawfully acquired possessions. No one may be deprived of his or her possessions, except in the public interest and in the cases and under the conditions provided for by law, subject to fair compensation being paid in good time for their loss. The use of property may be regulated by law in so far as is necessary for the general interest. 2. Intellectual property shall be protected.”

  19. 19.

    Case 275/06, Productores de Música de España (Promusicae) v. Telefónica de España SAU [GC], 29 January 2008.

  20. 20.

    Ibid. paras. 62–68. The Spanish court referred the issue to the Court of Justice of the European Union (CJEU), asking whether such personal data must be communicated, under community law, in the context of civil proceedings, to ensure the effective protection of copyright. It referred to Directives 2000/31, 2001/29 and 2004/48, read also in light of Arts. 17 and 47 of the Charter. The CJEU concluded that these three directives, as well as the e-Privacy Directive (Directive 2002/58), did not preclude Member States from imposing an obligation to disclose personal data in the context of civil proceedings to ensure effective copyright protection. The court concluded that “the Member States must, when transposing the directives mentioned above, take care to rely on an interpretation of those directives which allows a fair balance to be struck between the various fundamental rights … or with the other general principles of Community law, such as the principle of proportionality”.

  21. 21.

    See Doe v. Yahoo!7 Pty Ltd [2013] QDC 181.

  22. 22.

    Chesterman (2018).

  23. 23.

    Chesterman (2012). Comparing these jurisdictions inter se poses another layer complexity because of the potential clash between the common law system of Australia and Singapore, and other Asian states whose legal systems are based on European civil law.

  24. 24.

    On such abuse of the Internet, see e.g. Dhanjani (2015); Kozyris (2007).

  25. 25.

    See further Sect. 2.1.4.

  26. 26.

    Merges et al. (1997), pp. 11–20.

  27. 27.

    Ibid.

  28. 28.

    Ibid.

  29. 29.

    Ibid.

  30. 30.

    Cohen (2000), pp. 1423–28.

  31. 31.

    Lemley (2000). This view diverges from Lemley’s earlier work, referred to in his article ibid in this note.

  32. 32.

    Tene and Polonetsky (2013), p. 239.

  33. 33.

    Malgieri (2018), pp. 118–140.

  34. 34.

    Ibid.

  35. 35.

    Ibid, user-provided data are the only piece of information that is explicitly recognized as “commodifiable” as a kind of digital good of individuals. Indeed, it is the only set of personal data that can be “ported” from one platform to another. However, it is the only kind of (personal) data that the (proposed) law would consider a legitimate counter-performance other than money for the provision of digital content.

  36. 36.

    Schwartz (2004), p. 7.

  37. 37.

    Ibid.

  38. 38.

    Ibid.

  39. 39.

    Ibid.

  40. 40.

    Ibid.

  41. 41.

    Ibid.

  42. 42.

    Karanasiou and Douilhet (2016).

  43. 43.

    Glancy (2010). The article recounts a thought experiment into what recognition of personal information as IP might look like.

  44. 44.

    Ibid.

  45. 45.

    Ibid.

  46. 46.

    Lessig (1999).

  47. 47.

    Ibid.

  48. 48.

    Litman (2000), p. 1295.

  49. 49.

    Ibid, p. 1283.

  50. 50.

    Schwartz, supra note 36 p. 2097. Susan Rose-Ackerman’s definition, an “inalienability” is “any restriction on the transferability, ownership, or use of an entitlement. Rose-Ackerman (1985), p. 268.

  51. 51.

    Ibid.

  52. 52.

    Calabrese and Melamed (1972).

  53. 53.

    Ibid.

  54. 54.

    Lessig (1998). Lessig argues that the code simply means the software and hardware that constitutes cyberspace as it is – the set of protocols, the set of rules, implemented, or codified, in the software of cyberspace itself, that determine how people interact, or exist, in this space … For the rest of us, life in cyberspace is subject to the code, just as life in real space is subject to the architectures of real space.

  55. 55.

    Ibid.

  56. 56.

    Ibid.

  57. 57.

    Ibid.

  58. 58.

    Agre and Rotenberg (1997).

  59. 59.

    Solve (2001), pp. 1440–1446.

  60. 60.

    Ciani (2018), pp. 285–291.

  61. 61.

    Van Erp (2017), pp. 235–236.

  62. 62.

    Sonnekus (2014), pp. 130, 136.

  63. 63.

    Ibid.

  64. 64.

    For arguments to the contrary, see Ciani, supra note 60, p. 288.

  65. 65.

    See van Erp, supra note 61, p. 288.

  66. 66.

    See the EU, General Data Protection Regulation 2016/679.

  67. 67.

    See e.g. Lemley (2004), pp. 1–2.

  68. 68.

    Van Erp supra note 61, p. 240 “A person’s estate is comprised of all physical things and all patrimonial rights. However, a patrimonial right (e.g., a right arising from a contract) cannot be ‘owned.’ A person can only be ‘entitled’ to it, although ‘entitlement’ in economic terms comes very close to ownership.”.

  69. 69.

    Ibid.

  70. 70.

    Litman (2000), supra note 48, pp. 1295–1296.

  71. 71.

    Scholz (2016), pp. 113.

  72. 72.

    Ibid.

  73. 73.

    Ibid.

  74. 74.

    Ibid.

  75. 75.

    Samuelson (2000), p. 1125.

  76. 76.

    Ibid.

  77. 77.

    Ibid.

  78. 78.

    Ibid.

  79. 79.

    Karki (2005), pp. 59–62.

  80. 80.

    Ibid.

  81. 81.

    Glancy, supra note 43.

  82. 82.

    Ibid.

  83. 83.

    Ibid.

  84. 84.

    Ibid.

  85. 85.

    Ibid.

  86. 86.

    Goldberg (2018).

  87. 87.

    Huberman et al. (2018).

  88. 88.

    Ibid.

  89. 89.

    The EU has taken the use of privacy enhancing technologies to protect the personal identities of users a step further than the other jurisdictions identified below. Article 25 of the GDPR adopted by the EU includes the principle of data protection by design. This requires that data controllers and processors adopt and embed privacy measures, including privacy enhancing technologies, directly into the design of technologies and systems. Cambridge Analytica harvested data from more than 87 million Facebook users, a whistleblower says, http://www.abc.net.au/news/2018-04-18/cambridge-analytica-employee-testifies-before-uk-committee/9670192, (accessed 2 August 2018). Notwithstanding Art. 25 of the GDPR, regulation of the Internet market has already failed to provide adequate technological mechanisms for coordinating individual wishes for information privacy. This inadequacy stems, in part, from evidence of a high number of privacy breaches on the Internet that are detected only after the fact, and then reported to national governments. For instance, the 2016 Facebook and Cambridge Analytica privacy breaches have all received worldwide attention from government regulators.

  90. 90.

    Department for Business and Innovation Skills (2011).

  91. 91.

    Mydex (2018).

  92. 92.

    Janeček (2018).

  93. 93.

    Ibid.

  94. 94.

    Interestingly, an important source of information identifying a person includes the current and last employer. As an illustration, once a person in Australia begins working or undertaking business, regardless of age, he/she is required to have a Tax File Number, even though a Tax File does not capture that person’s identity to the same extent as an identification card that is required in Singapore.

  95. 95.

    Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, European Commission (20 June 2007), available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf.

  96. 96.

    Ibid.

  97. 97.

    See Wang (2017), pp. 3286–3305.

  98. 98.

    Privacy Act 1988, Sec. 6.

  99. 99.

    Ibid.

  100. 100.

    Personal Data Protection Act 2012.

  101. 101.

    General Data Protection Regulation, Official Journal of the European Union 2016/679.

  102. 102.

    Article 9, General Data Protection Regulation, Official Journal of the European Union, 2016/679.

  103. 103.

    Janeček, supra note 92.

  104. 104.

    Id, at 92, citing Aycaguer v. France App No. 8806/12 (ECtHR, 22 June 2017), (2017) EHRLR 519; see also S v. United Kingdom (2009) 48 EHRR 50 (ECtHR).

  105. 105.

    Supra note 92.

  106. 106.

    Ibid.

  107. 107.

    Ibid. Janeček argued further that “[t]he original question featuring in said debates was ‘When information (not data) can be protected by the law?’ and the answer was that while semantic information (i.e. information per se) can never be protected by the law because it would violate free access to information, syntactic information can be given legal protection. From the information-centred viewpoint this answer was satisfactory. Saying that syntactic information or more precisely the formal expression of information, for example in form of a digital sequence of data, can be legally protected addressed the relevant information-centred problem. The data-centred discourse, however, cannot make efficient use of this conceptual scheme, because its original questions are ‘How can we protect data?’ and ‘What information can be extracted from data?’, not ‘How can we express some information in form of (eg digital) data?'”.

  108. 108.

    Ibid.

  109. 109.

    Ibid.

  110. 110.

    Ibid.

  111. 111.

    Ibid.

  112. 112.

    Ibid, at 7.

  113. 113.

    Ibid.

  114. 114.

    General Data Protection Regulation 2016/679, Art. 6 recognizes the legitimate interests by public authorities in the performance of their tasks.

  115. 115.

    Personal Data Protection Commission (2018).

  116. 116.

    Office of Australian Information Commissioner (2018).

  117. 117.

    Coogan v. News Group Newspapers Ltd [2012] EWCA Civ 48, [2012] 2 WLR 84, [2012] EMLR 14, [2012] 2 All ER 74.

  118. 118.

    Ibid.

  119. 119.

    Ibid.

  120. 120.

    Ibid.

  121. 121.

    Price v. Hal Roach Studios, Inc., 400 F. Supp. 836 (S.D.N.Y. 1975).

  122. 122.

    Ibid [para 1-01].

  123. 123.

    Ibid.

  124. 124.

    Ibid.

  125. 125.

    Ibid.

  126. 126.

    Gordley (2006), p. 49.

  127. 127.

    Akkermans (2008).

  128. 128.

    Janeček, supra note 92.

  129. 129.

    Ibid.

References

  1. Agre P, Rotenberg M (1997) Technology and privacy: the new landscape. MIT Press, Cambridge

    Book  Google Scholar 

  2. Akkermans B (2008) The principle of numerus clausus in European property law. Intersentia, Antwerp

    Google Scholar 

  3. Berners-Lee T (2019) Interview on the need to seek complete control of data. https://www.channelnewsasia.com/news/world/web-inventor-urges-users-to-seek--complete-control--of-data-11334546. Accessed 12 March 2019

  4. Calabrese G, Melamed AD (1972) Property rules, liability rules, and inalienability: one view of the cathedral. Harv Law Rev 85:1089–1128

    Article  Google Scholar 

  5. Chesterman S (2012) After privacy: the rise of Facebook, the fall of Wikileaks, and Singapore’s personal data protection act 2012. Singap J Leg Stud 391–415

  6. Chesterman S (2018) Data protection law in Singapore, privacy and sovereignty in an interconnected world. Academic Publishing, Singapore

    Google Scholar 

  7. Ciani J (2018) Governing data trade in intelligent environments: taxonomy of possible regulatory regimes between property and access rights. Intell Environ 23:285–291

    Google Scholar 

  8. Cohen J (2000) Examined lives: informational privacy and the subject as object. Stanf Law Rev 52(1373):1423–1428

    Google Scholar 

  9. Department for Business and Innovation Skills (2011) The midata vision of consumer empowerment. https://www.gov.uk/government/news/the-midata-visionofconsumerempowerment. Accessed 28 April 2018

  10. Dhanjani N (2015) Abusing the internet of things: blackouts, freakouts, and stakeouts. O’Reilly Media, Sebastopol

    Google Scholar 

  11. Glancy D (2010) Santa Clara personal information as intellectual property. https://www.law.berkeley.edu/files/bclt_IPSC2010_Glancy2.pdf. Accessed 20 May 2019

  12. Goldberg I (2018) Privacy enhancing technologies for the internet III: ten years later. Cheriton School of Computer Science University of Waterloo. https://www.cypherpunks.ca/~iang/pubs/pet3.pdf. Accessed 26 April 2018

  13. Gordley J (2006) Foundations of private law: property, tort, contract, unjust enrichment. OUP, Oxford, p 49

    Google Scholar 

  14. Huberman B, Franklin M, Hogg T (2018) Enhancing privacy and trust in electronic communities. Xerox Palo Alto Research Center, Palo Alto. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.89.395&rep=rep1&type=pdf. Accessed 26 April 2018

  15. Janeček V (2018) Ownership of personal data in the Internet of Things. Comput Law Secur Rev 34:1039–1052

    Article  Google Scholar 

  16. Karanasiou A, Douilhet E (2016) Never mind the data: the legal quest over control of information and the networked self. http://eprints.bournemouth.ac.uk/23392/1/PID4084429%20%285%29.pdf. Accessed 20 May 2019

  17. Karki M (2005) Personal data privacy and intellectual property. J Intellect Prop Rights 10:59–62

    Google Scholar 

  18. Kozyris PJ (2007) Regulating internet abuses: invasion of privacy: invasion of privacy. Wolters Kluger, Alphen aan den Rijn

    Google Scholar 

  19. Lemley M (2000) Private property: a comment on professor Samuelson’s contribution. Stanf Law Rev 52:1551–1554

    Article  Google Scholar 

  20. Lemley M (2004) Property, intellectual property, and free riding. Stanford Law School, Working Paper No. 291 August 2004, pp 1–2

  21. Lessig L (1998) The laws of cyberspace. https://cyber.harvard.edu/works/lessig/laws_cyberspace.pdf. Accessed 2 Jan 2018

  22. Lessig L (1999) Code and other laws of cyberspace. Basic Books, New York

    Google Scholar 

  23. Litman J (2000) Information privacy/information property. Stanf Law Rev 52:1295

    Article  Google Scholar 

  24. Malgieri G (2018) User-provided personal content in the EU: digital currency between data protection and intellectual property. Int Rev Law Comput Technol 32(1):118–140

    Article  Google Scholar 

  25. Merges P, Menell P, Lemley M, Jorde T (1997) Intellectual property in the new technological age. Aspen Law & Business, New York, pp 11–20

    Google Scholar 

  26. Mydex (2018) https://pds.mydex.org/. Accessed 28 April 2018

  27. Office of Australian Information Commissioner (2018) https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-b-key-concepts. Accessed 26 Oct 2018

  28. Personal Data Protection Commission (2018) https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Legislation-and-Guidelines/PDPC-Response-to-Feedback-for-Public-Consultation-on-Approaches-to-Managing-Personal-Data-in-the-Dig.pdf. Accessed 26 Oct 2018

  29. Rose-Ackerman S (1985) Inalienability. In: The new Palgrave dictionary of economics and the law. Yale Law School Faculty Scholarship, vol 1–3, p 268

  30. Samuelson P (2000) Privacy as intellectual property? Stanf Law Rev 52:1125

    Article  Google Scholar 

  31. Scholz L (2016) Privacy as quasi-property. Iowa Law Rev 101:113

    Google Scholar 

  32. Schwartz P (2004) Property, privacy, and personal data. Harv Law Rev 117:7

    Article  Google Scholar 

  33. Solve D (2001) Privacy and power: computer databases and metaphors for information privacy. Stanf Law Rev 53:1440–1446

    Google Scholar 

  34. Sonnekus J (2014) The fundamental differences in the principles governing property law and succession from a South African law perspective. Eur Prop Law J 3(130):136

    Google Scholar 

  35. Tene O, Polonetsky J (2013) Big data for all: privacy and user control in the age of analytics. Nw J Tech Intell Prop 11:239

    Google Scholar 

  36. Van Erp S (2017) Ownership of data: the numerus clausus of legal objects. In: Brigham-Kanner property rights conference journal, vol 6, pp 235–236

  37. Wang M (2017) The defining approaches and practical paradox of sensitive data: an investigation of data protection laws in 92 countries and regions and 200 data breaches in the world. Int J Commun 14:3286–3305

    Google Scholar 

  38. Warren S, Brandeis L (1890) The right to privacy. Harv Law Rev 4:193–220

    Article  Google Scholar 

  39. Zittrain J (2000) What the publisher can teach the patient: intellectual property and privacy in an era of trusted privication. Stanf Law Rev 52:1203

    Google Scholar 

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to Leon Trakman.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Trakman, L., Walters, R. & Zeller, B. Is Privacy and Personal Data Set to Become the New Intellectual Property?. IIC 50, 937–970 (2019). https://doi.org/10.1007/s40319-019-00859-0

Download citation

Keywords

  • Data protection
  • Intellectual property
  • Personal data
  • Privacy