Out of the three hypotheses which we took up for discussion in constituting the Naavi’s Theory of Data, we have so far discussed the “Definition hypothesis” and “Reversible life cycle hypothesis”. We shall now take up the third hypothesis through which we shall discuss the issue of how we can interpret the “Ownership of Data”.
In all the regulatory discussions on “Data Protection”, there is a concept of the “Data Subject” (or the “Data Principal” )providing “Consent” to another person as an expression of the data subject’s choice of how his personal data can be used by the recipient. In certain laws, it is specified that there are some basic data protection principles to be followed, there are certain basic rights of the data subject recognized and certain obligations of the data recipient in terms of security, disclosure etc.
The “Consent” is almost always recognized as a “Contract”.
Certain regulations are clear in defining that “Personal Data” is a “Property” of the data subject and the “Consent Contract” is transferring some part of or all of the property to the recipient.
It is interesting to note that even in regulations which consider that personal data is a personal property which can be “Sold” for a consideration, there is no mention of whether the sale is “Exclusive” or “Non Exclusive”. We know that unlike the physical property, “Data Property” can be transferred to another person even while a copy of the same remains with the transferor. In fact, if there is a legal challenge, the copy with the transferor may be considered as “Original” and the copy with the recipient as a “Secondary copy”.
Though not specifically mentioned, some laws imply that “Personal Data” or “Elements of Personal Data” are “Transferable” as a “Right to Use”. So what happens in the transfer of personal data information from the data subject to the data recipient is that there is a disclosure with a transfer of right to use, process, share or otherwise dispose off the transferred elements of data either together or independently.
But even the best Consent form drafted by the best GDPR lawyer in the world has never properly indicated that the
“Personal Data now being disclosed consists of several data elements and this consent is deemed as an offer/acceptance to transfer the rights of individual data elements contained here in like the name, email address, etc., to the limited extent of it being used for the purpose for which this consent is being provided as understood by me, namely ………. and that the right is collective/applicable to each data element individually”
If the transfer of right is for “Collective” data elements, then use of the data for aggregation even after de-identification or anonymization becomes a violation of the terms of the contract.
Thus the ownership of data as is presently understood as a “Property” has a problem in not being able to identify if it extends to the whole set given at a particular point of time, whether it can be considered as multiple consents for each of the data elements.
Then the question of what is the legal instrument by which such transfer can be effected also is difficult to recognize since “Data” as a property cannot be classified either as movable or immovable or actionable right or as an Intellectual Property Right such as Copyright, Trade mark or Patent for which separate laws and definitions exist.
Even if the instrument of transfer is a “Contract”, there is a need to define what is the “Property” being transferred. If there is ambiguity on the same, then the Contract may fail due to lack of “Meeting of the Minds” between the contracting parties.
In India we also have an issue that “Click Wrap” contracts only have the status of an implied contract and the onerous clauses that may be included there in may become voidable like in a standard form contract/dotted line contract.
The Theory of Data should therefore provide such explanations as necessary to ensure that this transfer is properly explained.
The Processing Value
One of the other areas where the existing explanations on the ownership of personal data fail miserably is when the processor takes in the personal data as provided by the data subject and through his own contributions, creates a new product out of it such as a “Profile” or “Community Data” or “Aggregated Anonymized Data” etc.,
Under the current regulations like GDPR, it is interpreted that all this value added versions that emanate from the original set of personal data belongs to the personal data owner and when he withdraws his consent or wants to exercise his right to forget, all the derivatives have to be destroyed (Except perhaps the anonymized data elements). If the data subjects want the data to be ported back to him or another processor, then the entire derivative set including the profile created by one processor has to be perhaps transferred to another processor who may actually be a business competitor of the first processor.
This interpretation will seriously conflict with the law of intellectual property rights where it is already an established view that a value added data base creation is an intellectual property of the creator and is different from the value of the raw data.
We have also in the past given the following two examples that establish that the theory that all super structures built on the personal data become the property of the personal data subject as if it is a land on lease on which buildings are constructed and which has to be returned back to the land owner after the expiry of the lease contract.
Example 1:
A person gives a piece of lemon to the processor. He crushes it adds water and sugar and creates “lemon Juice”. Then the lemon owner withdraws his consent on the use of lemon and wants the lemon or juice back. Obviously the processor cannot give back the lemon. But will he be required to return the lemon juice which is more valuable than the original lemon since additional cost inputs have gone in?
Example 2:
A person gives a piece of Coal to the processor. The Processor uses a compression technology to compress the coal and convert it into its allotropic form of a “Diamond”.
(P.S: Allotropy is the property by virtue of which an element exist in more than one form and each form has different physical properties but identical chemical properties. These different forms are called allotropes. The two common allotropic forms of carbon are diamond and graphite)
Now if the owner of “Coal” wants the “Diamond” back, how fair is the demand?
In the Indian draft legislation of “DISHA”, an attempt has been made to define that the medical diagnostic reports of a patient developed by a diagnostic center or the hospital is the property of the patient. Unless the law clarifies that the medical report has a value and the patient is entitled to get a copy of the report only if he pays the value in terms of the fees charged for the diagnosis, there may be a legal conflict when the patient demands that the information should be returned whether or not he has paid the fees.
We can therefore conclude that there is a shortcoming in the present theories of data ownership either as a “Property” or as a “Right”. We need a better explanation of the “Data Property Ownership”.
Under this new Theory of Data being propounded, I therefore propose a hypothesis as follows:
“The ownership of Data is applicable to individual data elements and belongs to the person/entity who creates the said element of data that enhances the value of the associated set of data elements”.
What this means is that as the “Data” is born and then grows as explained in the life cycle hypothesis, the value of the data set undergoes a change. Different persons are responsible for the change. The data subject is of course one party who may be involved in most of these value changes but there are others who contribute to the value addition. The ownership of the data has to be recognized with a segregation of the data in current form into different value units and ownership has to be recognized to the persons who are responsible for the value addition.
For example, let us say Company C floats a service and Mr P opts to become a member. P provides some set of personal data of which he is the owner. Company C creates a “Profile”. The “Profile” data if attached to the original raw data provided by the data subject is more valuable and marketable. Company C can realize say Rs 100 for this profile data where as Mr P had zero value for his name, address etc which he might have shared in the first place with Company A. Let us say that Company C has been fair to Mr P and paid Rs 10 for the collection of the raw personal data and had also agreed that 10% of any further value realization that may be attributed to the personal data would be paid to him like a “Royalty”, then there is a fair distribution of the “Value Addition”.
In such a concept, B will be an owner to the extent of 10% of the value in the hands of C and C will be the owner to the extent of Rs 90.
This “Additive Ownership” concept co-exists with “Additive Value Realization” of the data as it matures in its life cycle. The Value realization can be “Notional” in the sense that C may not sell the data to a third party but transfer it to another division of its own in which case the “opportunity benefit” has to be recognized as a “Transfer Price”.
If there is therefore collection of personal data for processing, the processor may after defining the purpose may also indicate the notional value of the processed personal data and the price he is willing to recognize as payable to P either immediately or after a certain event or time.
This “Additive Value Ownership” will have a cascading effect and there could be multiple owners of the Data for each recognizable value addition. The composite data set at any point of time will therefore be considered as having made up of multiple sub sets each of which is attributable to one processor and the ownership of that value addition remains with the entity that contributes that value.
This also means that each such part owner of the value has a right to transfer his property to another person unless his contract of value creation prohibits the same. Law should however prohibit restrictions that restrict such transfers as an “Unfair Contract” and therefore enable the free flow of value addition for any given data set so that the society at large benefits.
This discussion will continue…
Naavi
Regarding ‘ Obviously the processor cannot give back the lemon” in data case of course lemon (data) will be intact as a copy no issue. Not sure this correct comparison