'No One Owns Data' by Lothar Determann in (2018) 70(1)
Hastings Law Journal 1-43
comments -
Businesses, policy makers, and scholars are calling for property rights in data. They currently focus on the vast amounts of data generated by connected cars, industrial machines, artificial intelligence, toys and other devices on the Internet of Things (IoT). This data is personal to numerous parties who are associated with the connected device, and there are many others are also interested in this data. Various parties are actively staking their claims to data, as they are mining the fuel of the digital economy.
Stakeholders in digital markets often frame claims, negotiations and controversies regarding data access as one of ownership. Businesses regularly assert and demand that they own data. Individual data subjects also assume that they own data about themselves. Policy makers and scholars focus on how to redistribute ownership rights to data. Yet, upon closer review, it is very questionable whether data is – or should be – subject to any property rights. This Article unambiguously answers the question in the negative, both with respect to existing law and future lawmaking in the United States and the European Union, jurisdictions with notably divergent attitudes to privacy, property and individual freedoms. Data as such, that is, the content of information, exists conceptually separate from works of authorship and databases (which can be subject to intellectual property rights), physical embodiments of information (data on a computer chip, which can be subject to personal property rights) and physical objects or intangible items to which information relates (a dangerous malfunctioning vehicle to which the warnings on road markings or a computer chip relate). Lawmakers have granted property rights to different persons regarding works of authorship, databases, land, and chattels to incentivize investments and improvements in such items. However, this purpose does not exist with respect to data. Individual persons, businesses, governments and the public at large have different interests in data and access restrictions. These interests are protected by an intricate net of existing laws, which deliberately refrain from granting property rights in data. Indeed, new property rights in data are not suited to promote better privacy or more innovation or technological advances, but would more likely suffocate free speech, information freedom, science and technological progress. The rationales for propertizing data are thus not compelling and are outweighed by the rationales for keeping the data ‘open’. No new property rights need to be created for data.
'Marketplace of Ideas, Privacy, and Digital Audiences' by Alexander Tsesis in (2019)
Notre Dame Law Review (Forthcoming)
comments
The availability of almost limitless sets of digital information has opened a vast marketplace of ideas. Information service providers like Facebook and Twitter provide users with an array of personal information about products, friends, acquaintances, and strangers. While this data enriches the lives of those who share content on the internet, it comes at the expense of privacy.
Social media companies disseminate news, advertisements, political messages, while also capitalizing on consumers’ private shopping, surfing, and travel habits. Companies like Cambridge Analytica, Amazon, and Apple rely on algorithmic programs to mash-up and scrape enormous amounts of online and otherwise available personal data to micro-target audiences. By collecting and then processing psychometric data sets, commercial and political advertisers rely on emotive advertisements to manipulate biases and vulnerabilities that impact audiences’ shopping and voting habits.
The Free Speech Clause is not an absolute bar to the regulation of commercial intermediaries who exploit private information obtained on the digital marketplace of ideas. The Commerce Clause authorizes passage of law to regulate internet companies that monetize intimate data and resell it to third parties. Rather than applying strict scrutiny to such proposed regulations as one would to pure speech, judges should rely on intermediate scrutiny to test statutes limiting the commercial marketing of data.
Legislative reforms are needed to address the substantial economic effects of massive, commercial agglomeration of data files containing histories, daily routines, medical conditions, personal habits, and the like. To address this logarithmically expanding cyber phenomenon, Congress should temporally restrict the retention and trade in private data. Internet intermediaries should not be immune from such a restriction on private data storage. For such a policy to be effective, safe harbor provisions shielding internet intermediaries should be modified to allow for civil litigation against internet companies that refuse a data subject’s request to remove personal information no longer needed to accomplish the transaction for which it was originally processed.
‘When Is Personal Data about or Relating to an Individual a Comparison of Australian, Canadian, and EU Data Protection and Privacy Laws’ by Normann Witzleb and Julian Wagner in (2018) 4
Canadian Journal of Comparative & Contemporary Law 293 comments
The definition of 'Personal information" or personal data" is foundational to the
application of data protection laws. One aspect ofthese defnitions is that the information
must be linked to an identifiable individual, which is incorporated in the requirement
that the information must be 'bout"or "relating to"an individual. his article examines
this requirement in light of recent judicial and legislative developments in Australia,
Canada and the European Union. In particular, it contrasts the decisions rendered
by the Federal Court of Australia in Privacy Commissioner v Telstra Corporation
Ltd and by the European Court offustice decisions in Scarlet Extended and Patrick
Breyer v Bundesrepublik Deutschland as well as the new General Data Protection
Regulation with Canadian law. This article also compares how the three jurisdictions
deal with the vexed issue of lP addresses as personal information where the connection
between the IP address and a particular individual often raises particular problems.
The authors argue
Data protection laws aim to protect personal privacy by regulating
the collection, processing and transfer of "personal information"
(Australia and Canada), "personal data" (European Union) or "personally
identifiable information" (United States). While the definitions of these
terms vary across jurisdictions, what they have in common is that they
are of fundamental significance. Data that does not contain information
about an identified or identifiable individual in the sense of the respective
definition falls outside the scope of data protection laws.
Differences in the definition of "personal information" have
relevance not only for the application of domestic data protection laws
but also affect data transfers between countries. Many domestic data
protection regimes impose restrictions on the export of personal data to
a third country, particularly if the data protection level in that country is
weaker than the law of the exporting state. This is intended to prevent
the bypassing of national data protection laws by the transfer of data
to a third country without an adequate level of protection. However,
even if the substantive data protection laws of a third country provide
a comparable level of protection overall, a closer look at the scope of
application of its data protection regime may also be necessary. If a third
country adopts a narrower understanding of the term "personal data",
that country's privacy laws will not apply to some data that would be
protected by the laws of the exporting country.
This article will analyse recent developments relating to these
definitions in Australia and the European Union and provide a comparison
with Canadian data privacy law. The article is prompted by an Australian
appellate decision on the definition of "personal information" under the
Privacy Act.' In its decision, Privacy Commissioner v Telstra Corporation
Ltd,2 the Full Court of the Federal Court of Australia also considered
relevant Canadian jurisprudence. In particular, it referred to the decision
of the Federal Court of Appeal in Canada (Information Commissioner) v
Canada (Transportation Accident Investigation and Safety Board). This
article will also consider recent developments in the European Union
and, in particular, the new General Data Protection Regulation (" GDPR")
and two recent decisions of the European Court of Justice. The practical
consequences of the differences between the terms will be explained using
the example of the classification of Internet Protocol ("IP") addresses as
personal information or as personal data, respectively.
