The title of this article may give the impression that the author incurred in a tautology. “If it is my personal data, it’s obvious that I am its owner!” That’s what you may be thinking. However, that’s not the case here.
The meaning of owner (“dono” in portuguese) is commonly tied to the idea of a proprietor, or someone who has possession over something, so that the description above refers to an important legal question: Is there property rights over personal information? If so, who holds them? The natural person to whom the data is related to or the company or entity that processed it?
The problem is not new, it must be said, as US legal scholars discuss the subject since the 1960s, when the Alan Westin’s “Privacy and Freedom” influential work was published. Nevertheless, the debate still deserves attention, given that in addition to the exponential growth of the relevance of personal data for business models – it has been said that (personal) data is a raw material more valuable than oil -, the defense and pursuit for market solutions for data protection and information privacy echoes until today. In this case, financial institutions, startups, and Silicon Valley’s technology companies wish to do the processing of large amounts of information with big data techniques and the constant improvement of artificial intelligence and robotics in a legal environment of scarce regulation.
An issue of control
Answering the above questions, it seems without prestige the possibility of businesses and governments to hold property rights over of personal information of their consumers/citizens, although in the US the governmental authorization for internet service providers to sell data about their customer’s browsing habits points out to the opposite direction.
To support the first assertion, one can argue the advent of the formulation and implementation of personal data protection bills all around the world, as well as the UN Human Rights Council endorsement on the right to privacy as a human right of international scope, according to its resolution on “The right to privacy in the digital age”. Indeed, it is the person herself who should have control over her personal information.
On the question about the existence of property rights on data, a big reason to think about the protection of personal information in proprietary terms would be precisely the necessity to ensure the holder’s control over the flow and transmission of information about himself.
In this sense, a proposal which gathered the attention of many is authored by professor Lawrence Lessig, whose ideas consist of introducing in the privacy legal framework the property rights discourse, in order to give individuals stronger protection over their personal data. Once recognized the proprietary statute, according to the author, there would be established a mutual convergence of law, designing of privacy-enhancing technologies and economic incentives, which would raise, at last, the level of protection and individual control of personal data.
The implementation of this guidance in Civil Law legal systems, such as Brazil’s, generates a proprietary protection model with regard to the processing of personal information. Its foundations are laid on the structure of the absolute subjective rights, and, according to Adolfo Di Majo, is defined “attraverso i momenti della inalienabilità del diritto senza il consenso del titolare e quello della cessazione dell’abuso in chiave di tutela inibitoria […] e/o oltre che nell’attivazione di misure ripristinatorie.” It means that this model is characterized by the holder’s indispensable consent to the processing and transfer of personal data – like the purchase and sale agreement legal scheme – and the granting of legal action to curb the violation of the right or to restore the status quo ante.
The inadequacy of the proprietary legal framework and market solution
All things considered, the idea of employing property rights in this area is due to mainly two reasons: (i) the notion is basic to the modern legal paradigm and gives way to the current market triumphalism, which expansive force seems to reach many “goods” in order to appropriate them and make them objects of sale; and (ii) the “semantic pervasiveness of the concept of property” which, influenced by political and philosophical liberal approach, confounds property with the notion of freedom – as argued by the legal philosopher Luigi Ferrajoli.
This guidance, however, does not deserve to thrive for at least three reasons: (i) the incompatibility of proprietary logic with the interests safeguarded under the broad notion of privacy; (ii) the collective dimension of the protection of personal data; and (iii) the inability of market forces alone raise the level of personal data protection policies and the fostering of privacy enhancing technologies.
The application of a proprietary regime in the field of personal information processing (proprietary protection model), centered on the economic exploitation logic of a good through a subjective right (to use, enjoy and dispose) outlined by the social function principle, not harmonizes with the personality interests that data protection law aims to promote – e. g., respect to one’s image, name, equality and personal identity. An example of this is the outright incompatibility of the consent for the sale of an asset and the contractual dynamics, with the consent for the processing of biometric data and health data (sensitive data). Sustaining otherwise clearly violates civil liberties.
Privacy legal protection is not consistent with a purely individual perspective. In spite of the informational asymmetry between the government and business entities (with their “digital dossiers”) and the citizens/consumers already indicates to a collective dimension, recent advances in the field of machine learning, profiling techniques improvement and the dissemination of software and applications embedded with automated decision-making algorithms that affect the lives of countless people and groups – e. g., discriminatory effects of opaque profiling systems, geospatial tracking for advertising purposes – gives rise to the concept of group privacy.
The practical reality has disproved the belief that the users demand for privacy friendly services would result in effective self-regulation, in which the market itself would boost the designing of technologies intended to promote privacy, and the provision of services with policies effectively focused on users personal data protection. There are important online platforms and services – almost essential, perhaps – that their “terms and conditions” are written with vagueness, obscuring the purpose(s) of the processing of personal data, preventing, in fact, the user’s informed consent, and the default settings are arranged to unduly exploit personal information as well (see recent case of Facebook’s condemnation by a german court of justice ruling).
Solution in the light of fundamental rights and duties
With this in mind, putting aside market solutions and the proprietary protection model of informational privacy is a more consistent output considering the importance of the protection of the right to privacy for the realization of individual and collective interests, and for the free development of human personality and to the democratic rule of law. As a result, it’s imperative to build a legal framework to protect the right to privacy from a broad institutional perspective, as contended by Stefano Rodotà.
Your personal data does not consist of a thing that is the object of your domain, but you own it since that it’s an extension of your personality, so that you should be granted the control power of your personal information. The legal statute should not follow the the property rights logic, but the fundamental rights and obligations approach in accordance with the constitutional protection of one’s privacy, and also should be mandatory to governmental entities and market actors, especially technology companies and internet service providers.