Privacy and property: do you really own your personal data?

Privacy and property: do you really own your personal data?

Two weeks ago Spotify launched their new privacy policy, which instantly led to an uproar. The question Spotify’s policy has raised is what the value of personal data is.

Spotify plans on gathering more data on users (location, music taste, Facebook activities) and put them to commercial use. Spotify is hardly unique in this. Most free services are creating ever richer user profiles in order to better target advertisements. The deal is as follows: users get to use an online service for free and in exchange they accept that their behaviour is observed so the service can target them with ads effectively. A user thus ‘pays’ for a service with his interests, location, pictures and in some cases, his friends.

The debate about online privacy is increasingly framed in terms of this transaction. Prominent scholars such as Tufekci and Wu have recently written opinions on the price of selling our personal data. But the question is whether the concept of privacy as a commodity that you can sell is accurate. In this blog I will explore whether personal data is actually ‘owned’ by the individual (the data subject) and whether it can be ‘bought’ by a third party (the data controller).

The idea of paying with your data is part of a broader notion in society that you ‘own’ your personal data. This idea probably stems from the fact that the right to privacy has its origins in that of private property. John Locke for instance argued through his theory of private property, that every person has a property in his own person, and that therefore we all have inalienable, fundamental human rights. As such, a right to privacy can be derived from the right to personal property. But while the right to privacy definitely has a strong link to private property it is at the same time more and less than property.

Warren and Brandeis, who were the first to conceptualise privacy as a legal right in their seminal 1890 Harvard Law Review article, convincingly argue that the privacy principle which protects us, is not the principle of private property, but rather that of an ‘inviolate personality’. Reducing privacy and personal data protection to something that you can ‘sell’ diminishes the protection provided by the right to privacy. It also raises the spectre that those who cannot afford privacy, are not entitled to it.

So, privacy is more than personal property.

But at the same time it is also less.

Personal data is created in the relationship between the data subject and the data controller. Unlike intellectual property, personal data is generally not created by the data subject. More often than not, personal data is created by a data controller. This alone makes the argument that the data subject owns his personal data shaky. But the argument goes beyond merely the question who created the data. Reducing privacy and personal data protection to an issue of ownership undervalues the fact that in a personal data transaction there are always two parties: the data controller and the data subject. The data controller also has legitimate interests in keeping and using the data he created or helped create. In a sense, personal data is the opinion a data controller holds about a person.

The fact that both parties have legitimate interests in personal data often leads to friction. A good example of this is the discussion about the right to be forgotten: data subjects have a right to be forgotten, but society at large has a right to form and record an opinion about a person. If personal data is treated as private property, the right to be forgotten always wins out. What this example shows is that the legitimacy of personal data processing is not so much dependent on who owns the data, but rather about what is fair and reasonable in the interaction between two (or more parties) interacting with each other.

Reducing the discussion about privacy and personal data to a discussion about ownership oversimplifies the discussion about privacy in the information society and may lead to sub-optimal results when it comes to regulating the use of personal data.


Lori Ramsey

We need to put the control of human and corporate data back into the “subjects’” hands, as their own personal property. Redefine the created data as personal property like created art in your example, or with a new definition of property, so if the subjects choose to share their data, then they receive the profits from it. Even change it from being called online data to something like “private information” protected like mail. But it should be privatized and not open for sale like a data stock market! I believe it is too powerful of a commodity for social media companies, not only because the money they are making from it, but the power it gives them in using it against the subjects themselves. ie Cambridge Analytica for example. Cambridge worked on many elections around the globe and were able to put people into categories. They identified those people whose opinions they found they could sway to their candidate’s side and then would target and bombard them with ads and other tools of online manipulation. Would giving control of the data back to the subjects stop this?

Now that Trump is putting together an executive order which will cause monitoring of the internet, we need to do this sooner than later.

Jose Rodriguez

It would seem that the data controllers by their own terms and condition agreements have established that data is currency i.e. "if you want free Facebook give us your data". They have established a direct monetary connection that would provide the bases that data is a tangible product. The argument that personal data is created by the data controller would be akin to saying that the painting the artist created belongs to the paint manufacturer. The proof is that data can be created with or without the data controller but data cannot be created without the data provider. As long as companies are will to trade something of value for data you will be hard press to say my data did not belong to me.

Add a comment