Should there be a property right in personal data?
For the last 50 years, since the world’s first data protection law was adopted in Hesse, Germany, in 1970, Data Protection Authorities have based their regulatory powers on a data protection or privacy right regarded in many democratic countries as a basic right.
These rights have been codified in many national laws, the Council of Europe Convention, the European Community Data Protection Directive, the GDPR and the EU Charter of Fundamental Rights. These rights apply quite properly to the collection and use of personal data by the state to avoid surveillance being adopted as a norm in civilised societies. The GDPR’s influence can be seen in countries as far apart as Jamaica, which has adopted a new law, and South Africa.
There have always been exceptions for the purpose of fighting crime and terrorism, and this year there have been exceptions for the mass collection of data to track and mitigate the impact of the Covid-19 pandemic on society. Listen to PL&B Privacy Paths podcasts number 1, 2 and 3 at www.privacylaws.com/podcasts/
When I first heard the argument that personal data could in some circumstances be considered a property right (in a presentation at PL&B’s 26th Annual International Conference in 2013 and covered in PL&B UK Report July 2013 p.19), I was rather sceptical. However, since then, the mass collection of personal data by Facebook, Google and many other organisations, to use largely as they wish, has become the norm.
Although privacy policies are present on the websites and devices powered by the tech giants and app developers, they are often lengthy and complex, even for privacy professionals. Of course, there are tensions for some organisations when they are challenged or sanctioned by the Data Protection Authorities, for example, in Belgium.
Advantages in a corporate privacy stance
But some organisations are seeing advantages in a public pro-privacy posture, as can be seen by the public statements by Microsoft regarding adopting the California CCPA across the US and Apple’s decision to require opt-in consent for access to ad tracking.
Obviously, those of us who favour more effective protection of privacy cannot be content with incremental change in corporate sentiment. But privacy laws, when aligned with companies’ perception of their self-interests, have led to changes in adtech culture (PL&B UK Report July 2020 and podcast number 5).
Is it legal to sell your personal data?
Clearview’s scraping of billions of images from the Internet to supply its facial recognition software is seen to contravene privacy norms and laws in many countries. So it has been rightly challenged by many privacy regulators, as in Canada, has sparked an investigation by the UK and Australian DPAs, and has led to class actions in the US.
The evident value of personal data has encouraged the establishment of at least three companies, Muna.io in Belgium and Clture and Citizen.me in the US, which give individuals the opportunity to knowingly sell their personal data to companies for a known purpose and reward. Obviously, the method and clarity of individuals giving their consent and their ability to revoke it are crucial. Privacy advocates will certainly object to this kind of business. But just because a person objects to this kind of business, in principle, does not mean that it is actually illegal or contrary to the GDPR or similar national laws.
National laws have not stopped a host of companies taking people’s data without their conscious knowledge. Therefore, there is an argument that a company which acts as an intermediary to enable people to knowingly sell their personal data for a known purpose for their reward and/or for charity, should be legitimate. I welcome both supporting and opposing views. Contact me at email@example.com
By the time of our next PL&B International Report in October, we expect to announce our plans for events in the last quarter of the year. Let’s all do our best to keep in good health, despite the long tail of the pandemic.
Stewart Dresner, Publisher
International Report 166
EU-US Privacy Shield is invalidated
Although Standard Contractual Clauses remain valid, the decision creates uncertainty for companies which have been relying on the Shield for their EU-US transfers. By Laura Linkomies.
Jamaica adopts data privacy law
Graham Greenleaf asks whether Jamaica’s law is strong enough to mark the start of a different direction for data privacy in the Caribbean.