Self-Own: The Many Shortcomings of a ‘Data Ownership’ Framework
Policymakers, companies, and consumer advocates are rightfully exploring new methods to vest consumers with greater control over the use of their personal data in the information economy. One idea that has long percolated on the fringes of policy debates is the concept of ‘data ownership’ – creating property rights in one’s personal information. Lately, advocates of this approach appear to have gained new traction. For example, in March the “Own Your Own Data Act” was introduced in the Senate, which would grant consumers “an exclusive property right in the data that individual generates on the internet.” The concept of ‘data ownership’ was also raised in the fourth Democratic Presidential debate by entrepreneur Andrew Yang, who argued that data is “our property and we [should] share in the gains.” Moreover, this week the Senate Banking committee will hold a hearing on “Data Ownership: Exploring Implications for Data Privacy Rights and Data Valuation.” While intriguing and well-intentioned as a concept, in practice the ‘data ownership’ model would be characterized by untenable obstacles to implementation, costs in operation, and policy failures.
A property right in data: theory and practice
With a cursory overview, the idea of treating personal data as property has undeniable appeal. In an era of increasing data breaches, many consumers feel like they have “lost control” over their data and desire additional choices about the use and protection of their personal information. The theory goes that equipped with a property right in your data, companies will have to come to you and negotiate for your permission to use personal information on your terms — some might even pay you for the privilege! However, on closer inspection, any introduction of a ‘data ownership’ framework would be completely impractical to implement, introduce serious costs, trigger far-reaching negative repercussions, and ultimately prove ineffective at protecting privacy, while also raising serious equity concerns.
Issues for Implementation
The common law foundations for assigning and exercising property rights are ill-suited for personal information in the digital environment. This is because despite pop-culture refrains to the contrary, data is not the new oil. Unlike natural resources and other tangible assets, digital information can be cheaply replicated, widely disseminated, and jointly possessed between multiple parties. Furthermore, holders of information can process that data for a variety of purposes repeatedly without depletion or diminished value. These are significant substantive differences that make governing the digital environment with a physical property-based framework a serious mismatch that would be both ineffective and create enormous costs and inefficiencies. For example, traditional sticks in the bundle of property rights such as the right of exclusion and the right of disposition do not make sense for a non-rivalrous, knowledge-based resource like personal information.
Assigning ownership rights over personal information would not be easy or intuitive. Policymakers would have to determine how to assign rights over various forms of information that can pertain to multiple parties, such as group messages, photos, and even genetic information. It is unclear whether each data subject would be able to use or sell jointly-held information as they see fit, or if the consensus of every implicated individual would be necessary to take any action. Difficult rights assignment questions would also arise for data jointly-created through transactions between consumers and online services such as e-commerce sites. While some types of information such as items viewed or purchase history may relate to the activity of an individual consumer, this data only exists due to the observation, collection, and analysis conducted by the service. To whom and under what equitable basis would a property right flow in these scenarios? Furthermore, significant volumes of personal information are produced through third-party observation which necessarily implicates free speech interests. As a result, a restrictive ‘data property’ framework that vests ownership rights primarily in the individual(s) to whom the information pertains would be immediately vulnerable on First Amendment grounds.
Problems in Practice
However the property rights under a ‘data ownership’ regime are assigned, significant transaction costs would result, creating serious market inefficiencies and restrictions on socially beneficial data uses. Most consumers recognize that certain data collection is necessary for the functioning of many online and offline services and are comfortable with most data processing pursuant to these purposes. For example, ordering a ride-share to bring you to the airport necessarily involves sharing your current location information. Creating a ‘data ownership’ regime that would require companies to individually bargain for or purchase the use of your data for routine activities would interrupt the smooth operation of digital services with a tsunami of disruptive new pop-up requests. Outside the context of providing services, these transaction costs would also severely restrict socially beneficial secondary uses of data, such as processing information to secure information systems, detect fraudulent activity, and conduct academic research.
A property right in personal information would also create complications outside the realms of privacy and consumer power. For example, the government routinely issues subpoenas and warrants for personal information for law enforcement purposes. A well-established body of law has developed to balance this need with protections for civil liberties. Setting up a property right in data from scratch would upend this system, potentially converting law enforcement data access requests to government takings subject to the Fifth Amendment requirement of just compensation. Tug on this string and proposals for a ‘data ownership’ system quickly unravel further. For example, cross-border data flows account for trillions of dollars in the global GDP. Under a property rights system, would Americans’ data be subject to taxation, levies, seizure, or nationalization by foreign governments? Back in the U.S., would one’s data be subject to a lien for non-payment of debts, or subject to forfeiture to satisfy a judgment? Will journalists need to obtain specific consent to reference an individual in a story? Long settled legal doctrines touching many sectors of society would be thrown into chaos in the courts upon the adoption of a ‘data ownership’ system.
Ineffective and Inequitable
The many practical costs and inefficiencies of a ‘data ownership’ regime would not be offset by any meaningful improvement to consumer privacy or choice. In fact, it is reasonable to conclude that a ‘data ownership’ model would have the opposite effect on these goals. This is because any one individual’s personal information just isn’t that valuable. While at scale, data can be analyzed to generate valuable insights (though at rapidly diminishing returns to volume), the cost of any individual user’s information would be negligible. Consumers would not have the time or bargaining power to negotiate profitable new contracts for the sale of their information. Instead, faced with a deluge of new ‘data sale’ notices, most consumers would likely opt-in to whatever default terms of sale would be offered by the myriad of services they wish to use. The ensuing ‘consent fatigue’ and irritation would also dramatically reduce the utility of existing pertinent privacy notices and controls, decreasing consumers’ practical ability to exercise choice over their privacy preferences.
Furthermore, most data privacy and protection laws ensure that consumers maintain certain rights and protections for their personal information no matter what entity possesses or processes it. However, in a data-as-property model, once an individual sells their data they would necessarily relinquish all claims and control. Personal information that has been sold could thus be used for any number of potentially harmful purposes without recourse. Worse still, these harms would likely fall most heavily on income-insecure individuals, who would face more pressures to sell their data to unscrupulous third parties. Rather than protecting privacy, ‘data ownership’ would have the impact of diminishing privacy rights by turning privacy into a luxury good.
A better path forward: comprehensive privacy legislation
While the ‘data ownership’ model is impractical, advocates of this concept have identified an important issue and have worthy intentions of better protecting individual privacy and empowering consumers with more control over their personal information. However, a far better way to achieve these goals would be for Congress to pass comprehensive and robust federal privacy legislation establishing rights and guarantees for the treatment of individuals’ personal information no matter where it is collected or how it is used. Such legislation can promote individuals’ privacy and control by creating enduring consumer rights that travel with their data, such as the right to access, correct, and delete personal information as well as a carefully scoped right of data portability to allow users to transfer their information between competing services. A new privacy framework built on these principles would promote a trustworthy data ecosystem while also driving innovation and U.S. competitiveness.