3_4_SCRIPT-ed_270 When personal data, behavior and virtual identities become a commodity: Would a property rights approach matter? (C Prins) (2006) 3:4 SCRIPT-ed 270 (2006)


BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

United Kingdom Journals


You are here: BAILII >> Databases >> United Kingdom Journals >> When personal data, behavior and virtual identities become a commodity: Would a property rights approach matter? (C Prins) (2006) 3:4 SCRIPT-ed 270 (2006)
URL: http://www.bailii.org/uk/other/journals/Script-ed/2006/3_4_SCRIPT-ed_270.html
Cite as: When personal data, behavior and virtual identities become a commodity: Would a property rights approach matter? (C Prins)

[New search] [Printable PDF version] [Help]


When personal data, behavior and virtual identities become a commodity: Would a property rights approach matter?+

Corien Prins*

 

Table of Contents:

Cite as: C Prins, "When personal data, behavior and virtual identities become a commodity: Would a property rights approach matter?", (2006) 3:4 SCRIPT-ed 270 @: <http://www.law.ed.ac.uk/ahrc/script-ed/vol3-4/prins.asp>
 

Download  options

DOI: 10.2966/scrip.030406.270
© Corien Prins 2006. This work is licensed through SCRIPT-ed Open Licence (SOL). Please click on the link to read the terms and conditions.
 


1. Introduction

Early in 2001, a judge in Massachusetts, US, approved a proposal by an Internet retailer specialized in the sale of toys, Toysmart, to destroy a list with names and other details of the retailer’s 250,000 customers (names, addresses, transaction details, and e-mail addresses). The customer list had become the subject of a dispute between the company and the US Federal Trade Commission when the Internet company, having gone bankrupt, advertised the sale of its customer list and database in The Wall Street Journal to the highest bidder. The customer data turned out to be the only hope for the many creditors, because it was the sole asset that still had any value. The troublesome issue, however, was that in its privacy policy, Toysmart had promised not to disclose the customers’ personal data to third parties. At first instance the FTC reached an agreement with the on-line retailer that would allow the company to sell the customer list to a similar company that was prepared to honor the privacy commitment. However, consumers and privacy activists became concerned about where the data would eventually end up, and a bankruptcy court had to decide whether the data could be sold. To end the negative publicity, a subsidiary of Walt Disney Co. (which owned 60% of Toysmart) offered $50,000 to ‘buy and destroy’ the list. Finally, the judge ordered that the payment should be made but that the list should not be transferred to Disney, and should instead be destroyed by Toysmart.1

The Toysmart example is far from unique. In the past decade, large amounts of personal data changed hands or ‘ownership’, as part of merger-acquisitions, reorganizations and other strategic company movements. With the growing economic importance of services based on the processing of personal data, it is clear that ownership rights in personal data become the key instrument in realizing returns on the investment. But who then owns our personal data? Courts have recognized celebrities’ claims to a property interest in their name and fame to seek compensation whenever such an image is used for a commercial purpose. Why not extend such a property interest to the personal data of ordinary individuals?2 For, with the advent of digital technologies, hasn’t personal data of us all become an asset that is worth real money? Moreover, it has been argued that market-oriented mechanisms based on individual ownership of personal data could enhance personal data protection. If ‘personal data markets’ were allowed to function more effectively, there would be less privacy invasion.3

This contribution aims to analyse the appeal, benefits and limitations of the commercial appropriation of privacy, or more specifically personal data, from a European perspective. It will discuss and analyse a highly market-oriented argument suggested to resolve the current problems in respect of personal data protection in our digital world: vesting a property right in personal data. Does our present society - in which personal data are considered a commercially valuable asset - indeed imply that we must consider protection instruments that are based on a market-oriented rationale?

Many of the arguments that have been advanced in favor of a proprietary perspective on protection mechanisms derive from American sources. There has been relatively little discussion outside the United States of whether such a perspective and approach could resolve the pressing problems of personal data protection – a fact that is not entirely surprising, given the European human rights-oriented approach to privacy protection. This contribution aims to add European perspectives to the debate. It will show that although it is all too often argued that the creation of a property right is not in conformity with the human rights-based approach to privacy, the European system appears to offer considerable leeway for a property rights model. There are certainly openings under European law for a utilitarian perspective on personal data protection and it could even be argued that the European data protection system is more receptive towards a property approach than the American system. The analysis will also show that although vesting a property right in personal data may have some appeal, albeit for rhetorical purposes, doubts rise about whether such an approach will offer the claimed prospects of achieving a higher level of personal data protection. Specifically, the final intent of this contribution is to show that the property argument fails to recognize the data protection challenges that arise with present-day developments in the area of context-aware computing. I will argue that in a society in which our behavior and identities (i.e. not individual data as such), become the object of commodification, the debate on data protection mechanisms must be structured along lines of control and visibility, rather than ownership. This then will require a debate on the role of the public domain in providing the necessary instruments that will allow us to know and to control how our behavior, interests and social and cultural identities are ‘created’.

The next section will first briefly sketch how increasing attention has been given to utilitarian considerations in the debate about privacy and more specifically personal data protection (section 2). Subsequently, section 3 will show that although our present-day legal system doesn’t expressly recognize a property right in personal data, this is in no way mirrored in the practice of the on-line world. Section 4 then turns to the claimed benefits of vesting a property right in personal data, followed in section 5 by an analysis of the often-heard argument that vesting property rights sits uneasily with a human-rights approach towards privacy protection. This section also locates the discussion in the broader framework of property and human rights, i.e. by discussing the issue of property and privacy in both commercial aspects of personality and the human body. We will see that, as regards these, new commercial practices challenge legal doctrine as well as the courts to think about the ways in which private property and human rights can be balanced. Section 5 also addresses the question of the extent to which individuals are allowed to waive the protection of their fundamental rights by means of a contract. For creating property rights assumes that private ordering and commercial arrangements determine the position of the respective parties. Section 6 subsequently addresses the position of a property perspective under the European Directive on personal data protection. It will show that this regime has given individuals certain instruments of control and power over their personal data. At least in a commercial setting, a property approach thus does not appear to be such a strange phenomenon under the European data protection regime after all. While vesting a property right in personal data may indeed have some appeal, albeit for rhetorical purposes, the obvious question is what the consequences of this approach would be. Section 7 analyses whether such an approach would indeed offer the claimed prospects of achieving a higher level of personal data protection, followed by a discussion in section 8 of the costs that may arise if property rights were to be vested in individuals. Section 9 then turns to possible concerns about the commodification of personal data in relation to the public domain: to what extent, and how would establishing a property right in personal data affect the interests of the public domain? Moreover, this section argues that developments in the area of ‘pervasive’ computing and the subsequent trend toward a commodification of our identities and behavior necessitate a debate on the role of the public domain in providing the necessary instruments to know and to control the ways in which our identities are created and shaped.

2. Background

A look at our contemporary, data-based society reveals that information about people is essential for a variety of economically and socially useful and crucial purposes: education, taxation, social benefits, health care, crime detection and terrorism prevention, commerce and marketing, to name but a few. The incentives for companies and organizations to process personal data are high: information means money as well as power. Moreover, advances in technology have provided almost everyone with low-threshold facilities to collect and use information: the technical infrastructure of the Internet combined with profiling techniques and other advanced processing applications make it easy and cheap to collect, combine and use enormous amounts of data. Whether it is for commercial, economic, political or technological reasons, the present-day dealings with personal data turn our society more and more into a privacy-unfriendly environment.4

In contrast to other legal domains – such as that of intellectual property rights and consumer protection – individuals have been given very few instruments to address the problems and challenges brought on by new information technologies. Only a handful of specific legislative measures have provided individuals with means to combat the invasion of their privacy rights brought on by new information technologies. Moreover, a glance at both the common law and civil law system shows that despite constitutional recognition, and numerous interpretative cases, as well as detailed laws covering the processing of personal data, day-to-day practice shows that privacy appears not at all protected under our legal system. Whereas various international and national legislative measures have made copyright evolve towards a strong property-based instrument, privacy right has remained no more than the set of rules governing fair information practices as developed during the 1970s by e.g. the OECD and laid down in regimes such as Convention 108 of the Council of Europe. A crucial difference, of course, is that stakeholders in the domain of intellectual property rights appear to have a rather direct economic and financial interest by which to measure and justify the scope of legal protection to insist upon, whereas economic interests and financial damages are difficult arguments to employ when it comes to discussing the rationale and actual amount of privacy protection.5

Nevertheless, some – mostly American – commentators have argued that it is exactly in the area of utilitarian considerations that the arguments and instruments to enhance the level of personal data protection must be sought: “Property talk would give privacy rhetoric added support within American culture. If you could get people (in America, at this point in history) to see certain resource as property, then you are 90 percent to your protective goal.”6 Given that data about individuals have become a key commercial asset for businesses and other organizations, individuals must be given an instrument that would enable them to negotiate and bargain over the use of their data. If, as Ann Bartow observed, “the rigid commodification of information is indeed inevitable, perhaps it is time for individuals to appropriate the intellectual property framework so eagerly constructed by corporate interests, and to seek control of the data we generate and a share of the proceeds of this information produces. We must assert proprietary interests in ourselves and hoist consumer data merchants by their own cyber-petards. We must definitively establish that consumer information is intellectual property that belongs to the consumers themselves.”7 And: “Perhaps we should have the same property rights in our names and personal information that corporations have in their names and data.”8 Organizations (among them the American Civil Liberties Union and the Electronic Frontier Federation9) have argued along the same line and claimed that individuals should receive fair compensation for the use of their personal data: “There should be no free lunch when it comes to invading privacy.”10 They feel that, given protection of personal data is expensive and in short supply, whereas the collection and use of personal data is wasteful and inefficient, we should consider market-oriented mechanisms based on individual ownership of personal data.11

In brief: the proponents of a proprietary approach towards personal data protection argue that the commercial appropriation of personal data implies and requires the law to grant individuals a property right in their personal data. Moreover, creating stronger property rights is often thought to be a plausible way of securing interests in our modern era of cyberspace. The intellectual property rights domain is a perfect example of an area where the appeal of stronger rights has gained considerable ground: legislatures have increasingly been creating new forms of private property rights. Also, our present-day society evolves more and more towards an environment in which protection mechanisms based on private instruments gain priority.12

At first sight, privacy and property seem mutually exclusive concepts. For privacy relates to much more than just protecting personal interests: it is also about broader interests such as human dignity and fundamental freedoms.13 Some, however, argue that privacy protection on the one hand and personal data protection on the other, have evolved into two highly distinct concepts, whereby personal data protection nowadays has nothing to do with fundamental freedoms. Instead, it is all about controlling information power.14 Recently, the supporters of this position have been given an additional argument with the separate listing of both rights in the European Charter on Fundamental Rights (articles 7 and 8). Moreover, when turning our attention to the practice of the on-line world, a conceptualization of privacy as a fundamental right that cannot be alienated appears a very far-fetched scenario. Individuals make deals for the disclosure, collection, use and reuse of their personal data, in certain situations receive some form of compensation (which may vary according to the type of data as well as use), and thus ‘exploit’ and ‘sell’ their habits, use-profile and individual data.

3. Privacy and property: ‘ownership’ models on the Internet

We started this contribution with the 2001 Toysmart bankruptcy case. This example is far from unique. In recent years, with a downturn in the e-business, many companies decided to sell their customer data as a means of generating cash flow and silencing creditors. In many other situations, customer lists and databases appeared a highly valuable asset as well. Personal data change hands or ‘ownership’, as part of merger-acquisitions, reorganizations and other strategic company movements. 15 The 2001 takeover by the American company eBay of the French auction sales operator iBazar is but one example of what is at stake when it comes to the acquisition of subscriber, user and customer lists.16 At best, users of digital services are informed that the company using and collecting their personal data is involved in a merger. Google’s privacy policy e.g. stipulates: “If Google becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, we will provide notice before personal information is transferred and becomes subject to a different privacy policy.”17

And there is more to come. With the growing importance of various so-called personalization services, it is clear that ownership rights in personal data and individual user profiles become the key instrument in realizing returns on the investment.18 Who owns and controls the profiles, patterns and the data that are behind these patterns? Who owns your personal Yahoo-profile or Google-profile? An October 2003 Jupiter Research study found that to develop and deploy a personalized website can reach four or more times the cost of operating a comparable dynamic website19. A healthy business model for personalized services would thus appear to require that the key asset, i.e. the personalized information, ‘belongs’ to the organization that has configured its system to allow users to perform personalization.20

If the answer to the ownership dilemma is up to the businesses that provide personalized services, then it is their data. Companies may even believe that they have ownership rights in the personal data compilations because the law itself offers several indications that this is indeed the case. In addition to the protection granted by means of the trade secrets regime, businesses that have invested in the collection and compilation of personal data are granted exclusive rights under the European Directive on database protection. Another illustrative indication may be found in section 55 of the UK Data Protection Act, which provides for a criminal sanction for stealing personal data from the data controller (i.e. not the data subject).

Hence, while the academic world may comment that the relevant legal regimes do not imply that personal data can be cast as a property right, present-day practice in the on-line world has evolved completely differently. Here information (including personal data) is seen as a commodity that can be traded against a discount in the virtual supermarket or some other benefit, such as access to a certain on-line service. Information generated by means of consumer behavior and transactions on the Internet is tracked, recorded and correlated with other sources. Data marketers and other commercial organizations invest heavily in data processing techniques, because it is worth the money and risk. Anyone with access to information, anyone who has collected personal data, can use it freely and, what is more, subsequently sell it to third parties for lucrative amounts of money.

Consumers react to this practice in different ways (some find it chilling; others do not care at all).21 And although some try to protect their privacy by applying techniques to ‘hide’ their data, actual and effective transparency and control seems unattainable. For individual consumers it is no longer possible to really find out what happens to their personal data, let alone that they are in the position to effectively control the dealings with these data. As a result, many individuals understandably try to gain as many benefits as possible from what is left of their privacy. To them, the only workable solution appears to be to ‘sell’ their personal data. One example of such a benefit is offered by the aforementioned Google Gmail initiative: it offers greater storage space in return for having Google monitor email and use the information for advertising. Thus, while the academic world argues that privacy is an inalienable right, the real world suggests a completely different picture. This has, as mentioned above, stimulated some commentators to propose a completely different approach: establishing property rights in personal data. But what, then, might be the arguments in favor of such an approach?

4. Establishing a property right in personal data

“Economically, privacy can be understood as a problem of social cost, where the actions of one agent (e.g., a mailing list broker) impart a negative externality on another agent (e.g., an end consumer). Problems in social cost can be understood by modelling the liabilities, transaction costs and property rights assigned to various economic agents within the system, and can be resolved by reallocating property rights and liability to different agents as needed to achieve economic equilibrium.”22

Social cost is often described as what happens “when a business does something that has a negative impact on someone else”.23 A popular example used to illustrate the concept is environmental pollution.24 Commentators have argued that, “much like unregulated, polluting factories, businesses collecting large amounts of personal data are able to internalize the gains from using and selling personal data, while externalizing most of the negative impact that results from their practices”.25 These businesses can often get away with using personal data in ways that consumers would not have freely bargained for.26 The market has not only failed to discipline businesses that misuse personal data, but has created a systematic incentive for over-disclosure of such data.27 In other words, the information asymmetry and the resulting high monitoring costs that consumers face leads to over-disclosure of personal data by the businesses that collect these data.28

In looking at privacy as a problem of social cost, commentators have argued that the prospects for effective personal data protection may be enhanced by recognizing a property right of such data. They feel that the present conception of privacy is an ineffectual paradigm and that, if we want strong privacy protection, we must replace it with the more powerful instrument of a property right.29 Such a market-based solution would, as mentioned above, also be in line with today’s apparently widely accepted practice, the regulation of online behavior by means of private ordering.30 It is noted that giving individual citizens control in the form of property rights will go a long way towards stimulating competition in the present situation of information asymmetry and market failure. In other words, a key argument of the proponents of a property approach is that present-day developments towards a commodification of personal data require that we vest individuals with some form of property right in data and information about themselves.

The suggestion that privacy should encompass an enforceable ownership right, which in fact was advocated as early as 1967 by Alan Westin31 and further analyzed on the basis of law and economics insights by Richard Epstein and Richard Posner32, has sparked the debate about the opportunities and risks of a ‘propertization’ of personal data.33 Proponents of strengthening privacy protection by means of a property right argue that personal data ‘belong’ to data subjects as ‘their’ property. Individuals generally have a legal right to be left alone and thus to refrain others from access to their personal data. The concept of privacy protects personal data from unauthorized disclosure and use. As a result, the law that implements this concept must not only provide individuals with ‘the sense’ that they have some sort of exclusive right34, but also actually provide them with an effective tool, i.e. an exclusive right to their personal data.35

Some commentators favor granting individuals property rights in their personal data because individuals have clear interests of their own in controlling their personal data and must therefore be given the benefits of the property concept. Vesting a property right would allow individuals to make individualized deals for trading the right to use their personal data against preferential services, money, or other benefits.36 Another suggested benefit for data subjects is that by vesting a property right in individuals, businesses would be forced to internalize the costs associated with the collection and processing of personal data. At present, businesses gain the full benefit of using personal information, but, as noted above, do not bear the societal costs: personal data can usually be collected for free, and with the advent of new technologies, it has become much easier and cheaper to gather and use data of individuals. Once companies had to internalize the societal costs associated with using personal data, they would perhaps be less inclined to gather and compile personal data than they currently do. This, in turn, would enhance levels of privacy.37 Moreover, “placing some cost burden on processors and users of personal data promotes greater respect for individual dignity than requiring individuals to purchase their privacy against a default rule of no-privacy”.38 Thus, the costs are no longer only borne by those individuals who both desire privacy and can afford it, but instead by society as a whole.39 Further, it is noted that by vesting an ownership right in personal data it would become expressly clear that such data are owned by the data subject, not by the business that collected them.40

Another claim made by the proponents of the property approach is that new advances in technology now make it considerably easier to create and sustain the conditions for individual and personalized choices of data use (such as restrictions on use and third party reuse). As is shown in the area of copyright, technology offers highly attractive means to uphold property rights that were too expensive and burdensome to provide in the past. Several years ago Phil Agre had already described ‘technologies of identity’ which made it possible to prevent personal data from being collected at all.41 Several commentators have argued that there is a profound relationship between those who wish to protect intellectual property and those who wish to protect privacy.42 Their common desire is to protect and control the distribution and use of information. Hence, the efforts of the sound recording and film industry at regaining control by means of technology (e.g. by applying digital rights management systems) offer inspiration, as well as lessons, to those who seek to strengthen and enhance the protection of personal data. Just as the titleholder of a copyrighted work may wish to let users listen, view or read his work a limited number of times, as well as restrict them in sharing the work with others, individuals can monitor the use of their personal data and e.g. limit secondary and broader use of their data.43 In line with this argument, Cohen contended that “the same technologies that enable distributed rights-management functionality might enable the creation of privacy protection that travels with data – obviating the need for continual negotiation of terms, but at the same time redistributing “costs” away from individuals who are data subjects”.44 Also, academics in the domain of economics have focused on the economic incentives that can justify the development and adoption of privacy enhancing technologies.45

5. Property rights and human rights

The proponents of vesting a property right in personal data suggest that we do ‘own’ our privacy in some sense, that personal data rights are tightly connected with ownership and control and, as such, these rights are alienable: they can be waived or ‘sold’. Of course there are those who do not favour property rights in personal data, as will be shown at a later stage of this contribution. But aside from the commentators that have specific points of criticism, there are those who claim at a more fundamental level that such an approach doesn’t have a future in those legal systems that value privacy as a human right.46 It is argued that securing privacy by means of property rights is indicative of a typical U.S. approach to the matter.47 Those who are convinced that the concept and rationale of personal data protection should be shaped along the line of property rights, are clearly influenced by the enormous power of property thinking that is so typical of the American legal tradition.48 In contrast, the European debate on privacy protection would take a human rights perspective on the issue: the concept of (commercial) property may not be vested in privacy because privacy is attached to individuals by virtue of their personhood, and, as such, this right cannot be waived or transferred to others (either for commercial or for other reasons). Also, human rights are conceived as closely linked to constituting and maintaining a person’s personal integrity. They are therefore seen as non-commodifiable rights. “Human rights are rooted in a non-commodified understanding of personhood and the attributes and context necessary to constitute and maintain personhood.”49 Typical of the human-rights perspective is the idea that privacy is negative in nature: it is viewed as a right of non-interference, not as a right of positive entitlement. The negative, autonomy-based conception merely provides individuals with a right as long as their personal information remains in the private sphere. However, once personal data enter the public sphere, individuals remain largely powerless in determining what further use is made of these data. In brief, the problem with creating property rights in personal data under the European legal system would be that it does not fit the human rights perspective as adopted in, e.g., article 8(1) of the Rome Convention for the Protection of Human Rights and Fundamental Freedoms, which provides that: “Everyone has the right to respect for his private and family life, his home and his correspondence.” Also, the human rights dimension was expressly used by the European Parliament as an argument in the debates on the Safe Harbor Principles.50

At first glance, it indeed seems a little awkward to bring the property argument into the human rights debate. This, then, may also be the reason why very few European theorists have reflected on the idea of a property right vested in personal data. In the 1980s, Catalat and Poullet elaborated on the matter as part of their search for an explanation of individuals’ rights regarding data pertaining to them. In drawing a parallel between personal data protection, an ‘ius in rem’, and intellectual property rights protection, Catalat defended the thesis that the right of property could be seen as the explanation of the notion of personal data rights51, whereas Poullet refused to accept this position, arguing that an explanation in terms of the notion of freedom was more appropriate to enlighten the ratio of data protection.52 More recently, Bygrave briefly touched upon the property rights theme in his 2002 study on the rationale of data protection law.53 Although he does not expressly decline the property rights option, Bygrave takes a very skeptical position. Interestingly, his hesitations relate to practical problems and not so much to fundamental human-rights related objections.54 Thus, although some have been critical55, we may conclude that during the past decades the majority of the theorists stressed that the human rights perspective forms the very essence of the European personality-based ratio of privacy and personal data protection.56 In this perspective there appears to be little room for a property approach.

Nevertheless, there are signs of a greater readiness in several areas of the European legal system to acknowledge the importance of elements of property thinking in the human rights, human dignity and autonomy arena. Illustrative is Article 1 “Protection of Property” of Protocol No. 11 to the Convention for the Protection of Human Rights and Fundamental Freedoms.57 Although the second and third parts of this article are directed to Treaty members and not individuals, the first part is expressly directed to every natural and legal person: “Every natural or legal person is entitled to the peaceful enjoyment of his possessions. No one shall be deprived of his possessions except in the public interest and subject to the conditions provided for by law and by the general principles of international law”. The question arises whether personal data constitute ‘possessions’ for the purpose of this article.58 Although the European Court has thus far never expressly addressed the status of personal data under this article, several rulings provide clear indications that the concept of property is certainly not restricted to physical goods. In the Gasus ruling, the Court stipulated that: “… the notion “possessions” (in French: biens) in Article 1 of Protocol No. 1 (P1-1) has an autonomous meaning which is certainly not limited to ownership of physical goods: certain other rights and interests constituting assets can also be regarded as “property rights”, and thus as “possessions”, for the purposes of this provision (P1-1).”59 A glance at several other rulings on the notion of ‘possessions’ makes clear that it covers a wide range of non-physical goods, among others intellectual property rights.60

But there are other developments that testify more explicitly to the growing influence of property thinking in the human rights domain. First, as will be discussed in more detail underneath, the property dimension is becoming an important phenomenon in the area of publicity rights. Many court rulings, with as an illustrative recent example the May 2004 UK ruling in the Naomi Campbell case61, testify to the hybrid character of commercial personality rights. Here, commercial interests combined with the property argument, appear to play a key role in the debate on the proper scope of protecting personality characteristics, such as a person’s name, appearance, voice, signature or likeness. Another area where market-oriented arguments enter the domain of human rights is that of biotechnology.

5.1. Property, privacy and personality

Several years ago, the magazine Hello! published without permission photographs of the wedding of celebrities Michael Douglas and Catharine Zeta-Jones. The newly-weds were clearly not amused. Their anger was, however, fueled not so much by the fact that they felt their privacy had been violated. Rather, the couple had entered into an exclusive publication contract with another magazine, OK!, and had made the ‘private’ matter of their wedding into a commercial transaction. By publishing the pictures, Hello! had deprived them of their ‘right’ to exploit their celebrity status for profit.62

The Douglas case as well as many other examples – among them rulings on the claims of a football-player, TV presenter, actors63 and afore-mentioned Naomi Campbell64 – all show that there is a clear demand for exclusive rights in personal characteristics such as a person’s name, appearance, voice, signature or likeness. The question then is what arguments necessitate a legally recognized entitlement in one’s own individual features. Some commentators have contended that the key argument in favor of establishing personality rights for the rich and famous relates to market-oriented arguments: the economic interests of the person (actor, singer, supermodel or other celebrity) who has invested considerable time, labor and effort in his or her appearance, image, fame or reputation, deserves protection. A publicity right provides economic incentives (it stimulates the creation of a ‘personality’) and safeguards a fair distribution of a person’s market value.65 Moreover, publicity rights stimulate economic growth: companies may obtain an exclusive license to commercially exploit a person’s celebrity status in order to run an exclusive news-item (the Douglas/Zeta-Jones example) or marketing campaign. Another line of argument holds that allowing personality rights results in more efficient use of a celebrity’s persona.66 Finally, while analyzing the property-related justifications for publicity rights some commentators rely on the parallel with intellectual property rights and more specific copyright.67 The arguments in favor of both copyright and publicity rights originate in economic incentives, fair distribution and safeguarding market value.68 As will be shown underneath, there appear to be, however, clear differences in the property regimes surrounding copyright and possible property regimes surrounding privacy rights.

Opponents of a property-based rationale have argued that economic interests alone cannot justify the existence of a personality right in personal characteristics. It is simply not plausible that a singer, actor or celebrity, who earns his money by making music and films, or performing, and has sold himself to the highest bidder, has waived all dignitary aspects of his personality. Or as Weber noted, free commercial appropriation of a persona by others is unsatisfactory with regard to human dignity, because the decision to be associated with a certain commercial product is not entirely a commercial issue, but part of the inner core of a person’s personality.69 The second argument of relevance in the debate on personality rights is therefore related to dignity-based considerations. Dignity survives a commercial transfer of a certain personality characteristic. Private autonomy (self-determination), identity and privacy are seen as major aspects of dignity: the individual’s dignity, his autonomous status concerning the indicia of his identity, does not allow appropriation by others without good reason.70

Huw Beverly-Smith, in analyzing common-law and civil-law court rulings, nevertheless concludes that it is the very “mixture of property-based arguments and arguments based on protecting personal dignity (that) inevitably reflects the hybrid nature of the problem of appropriation of personality and both its economic and dignitary aspects”.71 Although there is no international consensus on the specific rules relating to the commercial appropriation of personal characteristics, such as those resolving the conflict between publicity rights and other important interests (such as freedom of the press and arts)72, it is clear that when examining the interests of publicity rights involved, the courts are protecting not only interests relating to human dignity and personality, but also interests in economic and propriety nature.73 To summarize, the combination of economic arguments and dignity-based arguments appear to advocate for an individual’s entitlement in his or her personal characteristics and thus in favor of establishing publicity rights.74 Here, human rights and property rights seem to get along rather well.

5.2. Property, human dignity and the human body

More than ten years ago, the California Supreme Court ruled in the famous case Moore v. Regents of the University of California75 that an individual whose cells were derived from his spleen did not have a property interest in this ‘naturally occurring raw material’, whereas by contrast, the doctors who created a cell line from this material were granted a patent. In other words, Mr. Moore could not claim property rights in his cells because this would slow the further development of research. The researchers, however, were given a commercially highly valuable property right.

Contrary to what the outcome of the ruling may imply, legal acts in the area of biotechnology and intellectual property rights in particular show that information related to individual human beings is not normally regarded as something that can be owned or sold for profit. Art. 4 of the UNESCO Declaration on the Human Genome and Human Rights specifically refers to the argument of ‘dignity and identity of all human beings’ when stipulating that “The human genome in its natural state shall not give rise to financial gains.”76 A similar provision is included in art. 21 of the Council of Europe’s Convention on Human Rights and Biomedicine.77 Both provisions seem to suggest that commodification of information on individual human beings is not accepted by the law. Nevertheless, as the Moore v Regents ruling clearly shows, intellectual property rights are indeed granted in respect of human material. Other developments in the United States also show that legislative initiatives may allow for the commodification of human body parts.78

Inspired by the Moore v Regents case as well as by technological progress in biomedicine, various theorists have discussed the controversy on privacy, property and the human body, suggesting that the debate over ownership and the limits of rights of property and control over objects and information related to the human body has only just begun.79 Is it permissible for us to transfer the rights over our bodies, body parts or unique information about our bodies to others? Do we have commercial property in them or would this violate human dignity? A glance at the publications shows there is little consensus about whether there should be private property rights (patents) over stem cells and gene sequences. Proponents answer in the affirmative, arguing that only by granting such rights will we guarantee the required investment to produce medicines and treatment therapies. Others regard the commodification of our bodies as a dreadful scenario, declining that the rule of economics determines ownership of something (our body) that belongs in principle to ourselves or everyone (considering it part of our common human heritage).80 Reflecting on the issue of ownership of human body parts, various theorists have attempted to draw a line between what is commodifiable and what is not.81 In doing so, commentators have shown that setting the limits of monopolies in genes and body parts appears difficult and tricky.82

In the meantime, the European legislature has adopted, pursuant to its competence under art. 152 (4) (a) of the EC Treaty, two Directives that indirectly deal with the commercialisation of human body parts. Directive 2002/98/EC (Blood Directive) and Directive 2004/23/EC (Tissues/Cell Directive) aim to set a certain level of quality and safety in relation to blood derivatives and substances of human origin. During the course of the negotiations on the text of both Directives, the debate focused on the question whether blood or human tissue donation should be viewed as a gift or a commodity. Should EU citizens be allowed to sell their blood, tissues or cells as part of a donation? In the final texts of both Directives, the EU included statements that exclude the use of the body for commercial gain. The Tissues/Cell Directive is most explicit in stipulating that Member States shall endeavour to ensure that tissues/cells are sourced from voluntary, unpaid donation. It further states that procurement takes place on a non-profit basis and that any remuneration for tissues/cells be limited to the reimbursement of necessary expenses made for the donation.83 Although the EU regulatory measures say nothing about whether people have ownership over the substances of their body, the adoption of both regimes illustrates the complexity of questions surrounding systems of property.

Several of the arguments mentioned in the debates on the appropriation of human body parts, as well as an individual’s personality, will be encountered further on in this contribution, in the analysis of establishing a property right in a person’s data. For now, we can summarize this brief sketch by concluding that the commercial exploitation of attributes of an individual’s personality or body apparently has important potential for our modern economy. New commercial practices challenge legal doctrine, as well as the courts, to think about the ways in which private property rights and human rights can be balanced. At least one line of argument holds that commercial and economic imperatives demand that adequate protection for human rights can only be secured if we expand the scope of property rights to include intangible objects related to individual persons.

5.3. Contractual freedom and human rights

The basic assumption under a property approach, whether applied to name and fame, human body parts or personal data, is that individuals are able to exercise their free will with respect to these rights through the conclusion of contractual arrangements. Creating property rights assumes that private ordering and commercial arrangements determine the position of the respective parties. However, to what extent are individuals allowed to waive the protection of their fundamental rights by means of a contract?84 Can constitutional rights be sold to the highest bidder?

As was mentioned above, opponents of the notion that privacy is a commodifiable asset base their arguments on the claim that privacy is a human right and, as such, cannot be alienated. But the human rights argument may, of course, also work the other way around: in a pure sense, the idea of human rights is all about empowerment. It could be argued that to deny individuals a property right in privacy for the reason that such an approach sits uneasily with human rights, would violate these very same rights: why should we prevent free individuals from using what means they have to strengthen their position, even if this does involve being exploited by others?85 Denying individuals a property right would leave them less able to bargain for their interests, and thus less-empowered. The question then arises, what takes preference, individual autonomy or the human rights laid down in our constitution?

The principle of individual autonomy assumes that parties enter into contracts voluntarily, guaranteeing them a considerable degree of freedom to enter into contractual obligations. This principle is also recognized in relation to constitutional law, meaning that freedom of contract even prevails when the contract sees to fundamental human rights that are accorded protection under the constitution. Thus, under continental European law, individuals are allowed to waive the protection of their fundamental rights, albeit that the European Court of Human Rights requires that the individual who consents to waiving his fundamental rights does so in an explicit manner.86 When applied to personal data, the constitutional recognition of privacy thus does not prevent individuals exploiting their privacy rights by using the instrument of freedom of contract. Individuals are free to negotiate the content of agreements to best suit their needs, and to ensure the most efficient exploitation of the economic value of their personal data.

But other legal regimes may nevertheless prevent an individual from alienating his rights in personal data. As known, the European Union has laid down specific provisions as regards the use of personal data in its Directive 95/46/EC.87 An issue that thus remains to be dealt with relates to the intersection between European data protection legislation and the freedom of contracts: can – and if yes, to what extent – contracting parties depart from the legal framework set under the European data protection Directive? May individuals freely decide whether they want to benefit from the level of protection established by the European legislature, and does the principle of contractual freedom thus overrule the legislative balance in protecting personal data as established at the European level? Or does the European Directive limit the parties’ freedom of contract because it dictates that they should adhere to a certain minimum standard of privacy protection?88

6. Contractual freedom, control rights and the EU Personal Data Directive

To answer the above question we need to explore whether the specific provisions of the European Directive on personal data protection stipulate anything on their mandatory character. In the past, the European legislature has intervened several times in contractual relationships. It has found it appropriate to intervene in contractual relationships in the area of consumer protection and intellectual property rights and thus has put in place mandatory provisions to limit the parties’ freedom of contract. Art. 9(1) of the European computer program protection Directive, e.g. stipulates that ‘any contractual provisions contrary to Article 6 or to the exceptions provided for in Article 5(2) and (3) shall be null and void.’89 Other examples can be found in art. 15 of the European database protection Directive90, art. 12 of Directive 85/374 dealing with products liability,91 art. 12 of Directive 97/7 on the protection of consumers in respect of distance contracts 92 as well as Directive 99/4493 and Directive 00/31.94

A glance at the European Directive on personal data protection reveals that it does not contain provisions or indications as to the imperative character of the provisions.95 In contrast with the legal frameworks mentioned above, the Directive is almost completely silent on the mandatory character of its provisions. Nor does it indicate that the established level of personal data protection is of a mandatory character. Given that in practice, individuals are often ‘weaker parties’ – due to the fact that they rarely possess the sufficient information, as well as resources, to control the use of their personal data and thus their control as a bargaining tool in exchange for certain privileges -- it is somewhat surprising to note that the European lawmakers did not intervene in contractual relationships on the processing of personal data. Nevertheless, given that the Directive is silent on the mandatory character of the Directive’s level of protection, the logical conclusion must be that individuals are free to regulate by contract the collection, use, distribution and further processing of their personal data.96 Hence, contrary to what might be expected, the European Directive allows parties to commercially exploit their personal data without any interference from the European data protection regime.

The conclusion that freedom of contract prevails in the area of personal data protection does not, of course, mean that the contracting parties may freely determine their relationship. Clearly, the principle of freedom of contract does not allow parties to reach a result that is most unfavorable to a weaker party. When parties contract on the processing of personal data, their relationship is affected by general principles of law (e.g. to protect weaker parties to a contract) on the basis of which a number of measures have been established to redesign the balance of power between contracting parties. Most systems of continental European law contain a vast array of legal rules that limit the stronger party’s freedom of contract. These measures range from the imposition of substantive provisions that strengthen the position of the weaker party, to the prohibition of certain contractual clauses that are deemed unfair or excessive, and the legal obligations to fulfill certain formalities at the time of the conclusion of the contract (among them, the form of the contract and the information to be provided to the weaker party). It is clear that also in the sphere of personal data, these and other measures allow the courts to interpret, supplement, or correct the inequalities of bargaining power between contracting parties.

The conclusion that the EU Directive clearly facilitates a contractual approach to protecting personal data may even be taken one step further. For it could be argued that utilitarian considerations weigh heavily under the European system. As known, the Directive has two aims: 1) achieve a harmonized minimum level of personal data protection in the European Union and 2) abolish existing barriers to the flow of personal data between EU member states by allowing the free flow of personal data within the European Union. When subsequently considering the constituting principles of the Directive, one notes that in essence, the regime has nothing to do with the traditional human rights-based perspective of control and respect for the private sphere. Instead, the Directive works with a set of principles of fair personal data processing which have very little to do with fundamental interests essential to individual autonomy, dignity and freedom. The starting point of the European legal regime is that processing of personal data is in principle allowed, provided that it is done in accordance with the stipulated principles of fairness, finality, transparency, proportionality confidentiality and control.

Although the EU Directive favors utilitarian considerations in protecting personal data as well allowing for private arrangements regarding the level of protection, this does not imply that the framework acknowledges property interest in personal data. The EU regime doesn’t even expressly recognize as a starting principle the legal right of an individual to control the use, disclosure or further distribution of his data. One could even argue that it is not the data subject who determines what happens to his personal data and may pursue his particular interests with respect to these data. Instead, it is the processor of the personal data who, provided he acts in accordance with these above principles, may freely collect, use, control and further process personal data, unless one of the enumerated exceptions applies. Hence, the property perspective is definitely not the starting-point taken under the EU Directive: it does not forbid the processing of personal data without the permission of the individual, it merely guarantees a fair use of personal data.

Nevertheless, when viewed from the perspective of control rights, the European system does offer some indications that individuals have been accorded with certain instruments. Firstly, art. 14(b) of the Directive stipulates that an individual may object to the use of his personal data for direct marketing purposes (absolute right to opt-out). Although this provision does not restrict in advance the processing of personal data for direct marketing purposes, an individual may apply this provision to control the use of his data. Secondly, art. 7 of the Directive mentions permissible grounds for processing personal data. In a commercial setting, four of these appear particularly relevant. From these four, three provide the data subject with at least some power to influence the processing of his data. First of all, art. 7(a) allows processing when the data subject has unambiguously given his consent. Secondly, art. 7(b) makes it permissible to process personal data if this is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. Finally, art. 7(f) allows the processing in case this “is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1).”97 Although in everyday practice these grounds offer data subjects very little power to determine the actual use of their personal data, the grounds do vest some form of legal control in individuals. Finally, art. 8 is worth discussing here. This provision grants special protection to ‘sensitive data revealing ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life’. Such data may only be processed under certain clearly-defined circumstances, one of which being that the data subject has given his explicit consent. Since all other circumstances listed are rarely present in a commercial setting, the processing of sensitive data for commercial purposes will almost always require the explicit consent of an individual.98 The requirement of explicit consent implies that the individual must have clearly indicated his assent to the processing. Since non-sensitive data can sometimes be linked to sensitive data (e.g. navigational data on an individual’s visits to websites that can be linked to health-related data), the implications of the consent requirement may go beyond the scope of pure sensitive data.

The above discussion shows that the European Directive is clearly not shaped from the basic perspective of an individual’s autonomy and choice regarding his personal data. Nevertheless, some instruments of control and power are included in the regime and some may thus claim that, at least in a commercial setting, a property approach may not, in the end, be such a very strange phenomenon under the European regime after all. One could even argue that the European legal system on data protection appears more receptive towards a property approach than the American system. But would vesting a property right in personal data offer individuals a better instrument with which to protect their interests, thus solving present-day problems of data protection? While vesting a property right in personal data may indeed have some appeal, albeit for rhetorical purposes, the obvious question is what the consequences of such an approach would be. Is such an approach viable, and would it really offer the claimed prospects of achieving a higher level of personal data protection?

7. Reflections on property in personal data

As mentioned earlier, not all commentators applaud the idea of an explicit legal recognition of the propertization of personal data. Some even argue that a discussion over a property approach versus a dignity approach does not seem especially helpful because such a discussion unduly privileges form over substance.99

One reason why it is argued that a property rights approach cannot play an adequate role in protecting privacy relates to the concept of property itself. Property isn’t simply a natural or innate quality of objects, since the definition of the concept is itself a social construct.100 Property is based on “socioeconomic facts and on that which a society considers legitimate.”101 Moreover, as is argued by Etzioni, different societies define different objects and interests as appropriate or inappropriate subjects of private property in their attempt to balance individual interests with the broader interests of society. Hence, the property concept cannot provide a strong and privileged ground for protection: “…relying on private property rights to serve as a basis for privacy hardly gives this right the privileged standing that individuals claim for it.”102

In reaction to the specific suggestions made by Lessig to assign individuals a property interest in his or her personal data, Schwartz has drawn the attention to several other structural difficulties with such a propertization approach. He mentions among others the lack of collective action (“individual privacy wishes need to be felt collectively in the market”103) and the phenomenon of bounded rationality (“default rules and form terms can have great psychological force and are likely to reward those who otherwise have great power (…) Specifically, in the current market, this move will benefit the parties who process and share our information and not those who help us place limits on this processing. As a result of this current power dynamic, individuals faced with standardized terms and expected to fend for themselves with privacy-property and available technology, are likely to accept whatever data processors offer them.”104 In line with this argument other commentators have contended also that the benefits of according a property right are unclear, as it would be a Pyrrhic victory: online commerce is increasingly governed by (standardized) contracts between providers and users, and less by a priori (default) entitlement structures.105 In the day-to-day practice of the online world, businesses and other users of personal data apply ‘take it or leave it’ terms under the threat of exclusion or denial of access to digital services. Individuals thus appear to ‘gladly’ consent to certain uses of their personal data. Even when they do not wish to consent or are reluctant to do so, they are nevertheless forced to consent because without use-rights, companies are willing to provide the services wanted. In other words, vesting a property right would not make any difference because bargaining would appear impossible, or consumers would have no effective choice in the matter.106 A suggested solution would be the development of global minimal background standards of due process and public policy limits on private agreements. Such an approach is seen as a necessary ingredient for self-ordering in an on-line world.107 Others argue along this line, claiming that to do any good, the property right might have to be inalienable and waivable only in certain limited circumstances (comparable to the moral rights under intellectual property law).

Another remark that has been made is that a propertization of personal data would merely address the problems of personal data protection in relation to private sector use: “Consumers may have some bargaining power with a direct marketing firm that wants to trade lists of named individuals; citizens, however, have no bargaining power when faced with a warrant or any other potentially privacy-invasive technique backed up by the sanctions of the state.”108 And, as the authors remind us, wasn’t it the power of government agencies that were considered to pose the most significant challenges?

Creating a property right in personal data may also be objectionable because actually licensing all the necessary data would be costly, inconvenient, and time-consuming. If we vested a property right in personal data, it would mean that companies and organizations have to obtain permission from each of the hundreds of millions of individuals whose personal data they wanted to process. “At the most trivial level, we will all be filling out a lot more forms. While this may be an annoyance for the individuals involved, those who are compiling large amounts of data may find the aggregate effort and cost daunting.”109 Proponents of ownership rights have reacted by arguing that by applying technological means, the cost of expressing permissions alongside customer information may reduce so dramatically that it is now easier and cheaper for consumers to manage the property rights over their personal information than it is for the companies collecting it.110 Zittrain, describing the use of personal data in the medical arena, made the claim that ‘trusted’ architectures, i.e. hardware and software that take note of various entitlements to personal data they store and that automatically enforce those entitlements, could help negotiate the allocation of use rights to personal data. Thinking in terms of privication architectures could balance the legitimate interests of parties who wish to use data and the interests of individuals who ‘produce’ these data.111

But this does not solve the problem entirely. There are many legitimate uses of individuals’ personal data, meaning that an extensive list of exceptions to the property right would have to be drawn up, and we may question whether the specifics of these exceptions may always be translated into technical code. Also, we might conclude that certain uses are not acceptable and consent could never be given, which again would necessitate a list of ‘unacceptable’ uses (e.g. in the area of sensitive data).112 In other words, establishing a property right would at the very least imply the introduction of some sort of statutory delineation of permissible and impermissible uses of personal data. But in the end, would such a system not be very similar to the present framework established under the EU Directive on personal data protection?

Vesting a property right in personal data also would confront us with the difficult question, in what sorts of ‘personal data’ property rights should be vested? Exactly what data should and will fall within the ambit of the property right? As noted by Lemley, the more broadly we define the right, the more we will interfere with everyday commerce. In illustrating this point he mentions the example of stock market data that are aggregated from billions of individual bits of information, each representing an identifiable financial transaction by an individual or a corporation. “Do I “own” knowledge of the price at which I bought stock in Microsoft? If not, how can we distinguish that information from other aspects of my financial life that I would very much like to keep private? And if so, will we prevent the Wall Street Journal from reporting stock prices?”113

If we were to follow the definition laid down in the EU Directive, the scope of personal data would be rather broad.114 An illustration that other opinions may exist, however, is the debated UK Durant Case. 115 In this decision, handed down by a Court of Appeal on 8 December 2003, a highly strict interpretation of what amounts to ‘personal data’ was given: whenever the focus of certain information is something other than an individual person (but does include information ‘about’ an individual), such information will not ‘relate to’ the individual and, therefore, does not qualify as personal data. 116 In other words, when details of a website visitor (IP-address, name) are collected and those details are in principle not to be used to profile an individuals’ spending preferences, but instead are collected for fraud-detection (and thus may possibly have at a later stage implications for individual persons), such information will not be considered personal data.117 Whereas different opinions on the scope of the criterion ‘personal data’ may of have certain problematic consequences, they are not as far-reaching in situations in which personal data are worth money for the very reason that they are an individual’s property. Hence, a key problem will be that vesting a property right in personal data implies that ‘someone’ defines precisely what is worth a property right. But who then will make the paternalistic choice between data that are and are not within the ambit of an individual’s personal property? The legislatures, the courts, or individuals themselves?118 Given that the decision will not merely be influenced by economic factors but also by moral and societal considerations, which again may be highly dependent on the specifics of the context in which the data may be ‘sold’ and ‘used’, the property approach would face severe difficulties.119

In the context of defining the proper scope of the term ‘personal data’, one additional issue needs to be considered. In certain situations, personal data may not be related to merely one unique individual. One such situation would be where other individuals (e.g. family members or in the case of genetic data, members of the same biological group) could also have rights to certain personal data because the personal data are ‘shared’ data. These other individuals could also be considered as ‘data subjects’ with all the rights that follow from this. Establishing a property right in such data would, at the very least, imply shared exclusive rights. Given the nature of certain personal data (when sensitive or financial data are involved) it may not be very unlikely that conflicts arise between the different titleholders, either to sell the rights or to keep the data confidential. Individuals who ‘share’ a property right in certain personal data may have different opinions as regards the question whether their privacy should be addressed in market terms. Some may favor the selling of their data, whereas other may forcefully reject such a proposition because it would compromise their right to self-determination, dignity and autonomy. Given the present-day developments towards group profiling and multiple identities, more and more there will no longer be such a simple scenario of individual data belonging to individual people.

A final remark relates to the comparison that has been made with intellectual property rights. As mentioned earlier, various commentators have made an analogy with intellectual property rights. However, when analyzed more closely, property rights in personal data appear to be of a different nature than property rights in intellectual works, putting the usefulness of such an analogy in doubt. Firstly, as noted by Lemley, intellectual property exists only where there is a public goods problem and people need incentives to invest, i.e. to spend time and money in the creating of new works.120 With personal data, by contrast, there is no such need. The central aim is quiet the opposite: the suppression of their collection, use and further distribution. Secondly, personal data are usually generated through natural existence: doing certain things or acting according to certain preferences. Contrary to e.g. a copyrighted work, personal data are not the fruits of our intentional efforts to create these data. Thus, the differences in the property regimes surrounding copyright and a possible property regime surrounding personal data rights is that in the former case, there is an explicit theory of the relations between private property, intellectual products, and social benefit. The U.S. Constitution e.g. explicitly stipulates that property rights are granted in order to "promote the progress of science and useful arts." Creative works and inventions are good for society. No one would invent and create works if they didn't get paid for it. So U.S. Congress may assign property rights to inventors. There is no such articulation of a theory relating property rights in personal information to a broad social goal. And until there is, until it is clear what ‘social’ benefits accrue from those private property rights, one should be hesitant to endorse them. Finally, we would not want to be fully deprived of control over our personal data, our behavioral preferences or buying habits. Transfer of property rights in personal data about ourselves, thus alienating our privacy for commercial and economic benefit, would seem an uncomfortable scenario. A non-exclusive license would do, making it distinct from intellectual property rights.121 This distinction relates to the argument that the concept of intellectual property rights is based on the idea of exchange for value, whereas privacy, on the other hand, is ill-suited to being defined in terms of exchange.122

8. The costs of a property rights approach

For various reasons, commentators and interest groups have argued that vesting property rights in personal data would also be detrimental to various interests and that therefore, the costs of such an approach would be too high. A first objection to creating a property right in personal data is that this would risk enabling more, not less, commodification and thus producing less, not more, privacy.123 Paradoxically, a protection of personal data by according data subjects a property right would increase the value of information and thus the incentive for businesses to obtain (by whatever means) these data.124 Framing the privacy debate in terms of proprietary rights and trade in data neglects the fact that what data subjects really seek is “to guarantee individuals control over their personal data”.125 We lack, as Julie Cohen argued, “a word for describing control over things without legal or beneficial ownership of them”.126 What is more, treating personal data solely as a matter of individual negotiation and party autonomy in contracting arrangements neglects the more fundamental underlying values of privacy, as well as the collective societal interests in dignity and autonomy of individuals. Opponents of the strengthening of data protection by means of property claims therefore conclude that invoking “platonic ideals of ownership (…) just avoids tackling the hard policy questions (…)”.127

Another cost-related argument against establishing a property right in personal data sees to a point of criticism heard in the debates on publicity rights. Here it is argued that a commodification of publicity rights would lead to unacceptable costs in the form of lost uses, because individuals may not always adequately capture the value of their benefits.128 This argument is based on Landes and Posner’s theory that returns that lie in the distant future are usually deeply discounted by individuals and have little effect on their present decisions. 129 This would mean that individuals could forego the granting of a license for the use of their personal data if an adequate remuneration could not reasonably be anticipated.130 This argument relates to the larger problem of the information asymmetry that exists between companies and consumers. It seems very difficult for individuals to understand what is actually going on when online businesses collect and distribute their personal data, be sufficiently attentive to the implications of such use for their proprietary rights, let alone that they can verify what is really going on. Hence, in general, it appears very difficult for individuals to fully understand the possibilities, benefits as well as dangers of licensing their personal data. Taken one step further this argument relates to the position that individuals need to be protected and that rights in personal data protection should therefore be inalienable, so as to prevent unsophisticated people from being lured or pressured into giving up their proprietary rights without understanding the implications.131

A final objection to vesting a property right in personal data - raised in particular by the direct marketing industry - is that such an approach would inevitably restrict the free flow of personal data throughout the economy.132 If individuals could prevent the collection, dissemination, or use of data about themselves, a significant portion of modern commerce would no longer be possible or economically valuable.133 In other words, if we were to add controls to regulate the flow of personal data, we would take away the value that the market adds. Personal data have to be available to all because this is necessary for sustaining innovation and market incentives. But, as has recently been contended by Chander and Sunder, it may first be questionable whether the freely available data may indeed be equally used and exploited by all. For, in practice, “differing circumstances – including knowledge, wealth, power, access, and ability – render some better able than others to exploit a commons.”134 These distributional circumstances and limitations may also hamper the free availability and usability of personal data.

Moreover, commentators have claimed that the free flow of information argument is flawed, arguing that restricting information flows almost always creates value: “The trick is to get the constraints that govern the information flow just right. Overly restrictive controls do reduce economic value, but on the other hand completely open and free trade of information (as is true of personal information exchange in today's economy) is usually very inefficient as well. A happy medium that balances the rights of the information producers with the needs of the information consumers is required.”135 Another argument has been made by Cohen, indicating that “The belief that more personal information always reveals more truth is ideology, not fact, and must be recognized as such for informational privacy to have a chance.”136 According to Cohen, the unhesitating acceptance of the ‘more is better’ argument is deeply bound up with liberal political philosophy, and this represents one of the key obstacles to effectuating meaningful protection of personal data. Finally, with respect to the free flow of information argument, the difficult question arises of balancing property interests with another interest at stake, that of preserving the public domain. In the debates on publicity rights, several authors have argued that a commodification of name and fame and thus the creation of a publicity right would represent a serious threat to the public domain.137 Moreover, they point out that the limiting principles that are said to play an important role in protecting the public domain have lost their force as our present-day legal culture comes to rely more and more on the privatization model. As mentioned earlier, the public domain argument is an often-used argument against the propertization of various types of data, creative works, human body parts (human genome), personal name and fame, etc. Lately, the topic of the public domain has received considerable attention and in the meantime many questions in relation to the history, theory and future of the public domain have been posed and discussed.138 Our final issue for this contribution’s analyses is therefore the relationship between the public domain and vesting a property right in personal data.

9. Commodification of identities

A likely effect of the privacy-as-property solution, as noted earlier by Litman, would of course be that by recognizing property rights in personal data, we further endorse the idea that facts may be privately owned and that the owner of a fact is entitled to restrict the uses to which that fact may be put.139 In this way, vesting a property right in personal data would have a detrimental effect on the equilibrium between the public domain and private property, because it would further broaden the scope of exclusive rights. Such a broadening of the scope of exclusive rights would clearly present a dangerous signal in the present trend towards protectionism.

However, would a move towards establishing a property right in personal data make a difference in day-to-day practice? Would it indeed be detrimental of the public domain? Given that, to a large extent, individuals depend on the use of their data and that personal data are the motor of our information society, a move towards a legally recognized property right in personal data will in effect not change the free public availability and exchange of these data. It could be argued that at present personal data are almost by definition part of the public domain. They are so widely available, obtainable and usable that, for practical as well as legal140 purposes, they seem to inside the public domain. Would this change if property rights were vested in personal data? In theory: yes. But in reality, personal data will continue to be widely available to organizations, companies and the public. Even if personal data were to be protected by technologies such as P3P or other technical negotiating protocols, individuals would nevertheless be willing, required or forced to make their data available for use by third parties. While titleholders to copyrighted works may to a large extent oversee the limited consequences of this decision (effects on royalties obtained and ‘fame’), the same is not true for individuals who decide not to sell their personal data. The axis of variation here is not that straightforward. For, in contrast to copyrighted works, decisions on access to and use of personal data may have far-reaching and sometimes unknown effects on a person’s position and abilities in everyday life.141 In contrast to copyrighted works, the issue of control of personal data is not so much as to whether personal data are used. Instead, it is about the specifics of the context in which the data are processed as well as the actual uses to which personal data are put. To capture the essence of this protection need, Helen Nissenbaum recently proposed the introduction of the concept called ‘contextual integrity’. This alternative concept would tie adequate protection for privacy to norms of specific contexts, “demanding that information gathering and dissemination be appropriate to that context and obey the governing norms of distribution within it.”142

Another way to consider the relationship between the public domain and the commodification of personal data is by focusing not so much on the individual data, but on the effects of the present-day technologies, in particular the almost limitless surveillance capacities of new technologies, such as location-based systems, radio frequency identifiers (RFIDs) and on-line personalization instruments. In a sense, these surveillance techniques require that we shift our attention from individual sets of personal data toward the statistical models, profiles and the algorithms with which individuals are assigned to a certain group or ‘identity’. For these models and algorithms are privately owned, and thus unavailable for public contestation. But the interests of personal data protection seem to require that they are made known to the public and thus are part of the public domain. Let me discuss this point in some more detail.

New technologies such as mobile location-based services, Radio Frequency Identification (RFID), smartcards and biometrics support a greater capturing of customer and user information and allow for tailored services to the individual’s needs and desires. The future of this type of applications is aptly illustrated with the following quote taken from a mini movie-clip written and produced by Robin Sloan and Matt Thompson of the Museum of Media History.143 The movie-clip begins to tell: “On Sunday, March 9, 2014, Googlezon unleashes EPIC.” In this scenario, EPIC does not refer to the well-known public interest research centre in Washington, D.C. that was established in 1994 to protect privacy and constitutional values. Instead, in 2014, EPIC stands for the ‘Evolving Personalized Information Construct’. In a fascinating story, Sloan and Thompson describe a future in which unparalleled search technology, detailed knowledge of individuals allow for total customization of data and information. In less than ten years time, EPIC will stand for a “single source of content that contains everything that anyone could possibly ever want to know about.”144 The EPIC-scenario is just a mere illustration of a world in which our behavior is increasingly monitored, captured, stored, used and analyzed to become privately-owned knowledge about people, their habits and social identity. With the new technologies it will become easier for individuals to find people, organizations, and/or communities with similar tastes and interests through different online channels. At present, particularly Internet-based personalization applications (such as collaborative filtering and recommendation systems) are being used for an increasing number of personalized service activities around the world.145 But also mobile location based services through cell-phones are gaining popularity. With these services, people can trace other individuals with similar preferences that are present within the same geographical space of about 30 metres. Illustrative is the Buddy Alert services of the German-based company Mobiloco, that offers a personalized friend finding, dating and smart shopping services by making use of located based services (combining internet and mobile technology).146 In short, personalization seems to be an important, if not inevitable strategy to deploy all kinds of individual-centric activities and services. The creation of EPIC as described by Sloan and Thompson, is indeed on its way.

Indeed, the term commodification of personal data may loose its significance once we acknowledge the afore-mentioned trend toward a commodification of identities and behavior. It is this trend that is lacking in the present debate on privacy and property. Personal data are not used and processed anew and in isolation each time a company acquires a set of personal data. In contemporary society, ‘useful’ information and knowledge goes beyond the individual exchange of a set of personal data. In ‘giving’ his or her personal data to a certain organization, the individual does not provide these data for use in an ‘objective’ context. Today, the use and thus ‘value’ of personal data cannot be seen apart from the specifics of the context within which these data are used. Processing of personal data occurs within, and is often structured by, social, economic and institutional settings, as is e.g. shown by Phillips in his analysis of the implications ubiquitous computing developments.147

Thus, the question is not so much whether personal data are processed. They always are and will be, whether for legitimate or unlawful purposes. It is an illusion to think that vesting a property right in personal data will limit the use of personal data. Rather, the problem is how personal data are processed, in what context, and towards what end. Therefore, the focus of the discussion should move away from entitlements of single data. What we need are instruments to enhance the visibility of and our knowledge about how personal data are used and combined, on the basis of what data individuals are typified, by whom and for what purposes. In accordance with Nissenbaum’s theory of contextual integrity, “it is crucial to know the context—who is gathering the information, who is analyzing it, who is disseminating it and to whom, the nature of the information, the relationships among the various parties, and even larger institutional and social circumstances.”148 This is a much more fundamental issue which cannot be tackled by vesting a property right in individual data. To illustrate this argument, I would like to point towards the development of ubiquitous computing environments. Ubiquitous computing will create a context-aware environment in which, by means of the coordinated use of databases, sensors, micro-devices and software agents, numerous systems scans our environment for data and serve us with particular information, based on certain notions about what is appropriate for us as unique individual persons given the particulars of daily life and context. Some thus argue that ubiquitous systems will to a large extent structure and determine our daily life, mediating our identity, social relations and social power.149 Not only will our homes and working offices become public places, but our social identities as well.

Given these and other developments in the area of ‘pervasive’ computing, the discussion about protecting personal data must become a discussion about how individuals are typified (upon what social ontology, with what goal?) and who has the instruments and power to do so.150 In this sense, personal data protection is not about something (i.e. personal data) that can be owned. It has everything to do with position, social ordering, roles, individual status and freedom. Therefore, protection personal data in our present-day society assumes the capability to know and to control about typifying people.151 It requires the availability of instruments to enable awareness of the context in which personal data are used and to monitor the data-impression that individuals are exhibiting to others.152 In other words, the discussion on the relationship between the public domain and the commodification of personal data must be a discussion on whether, and to what extent, the statistical models, profiles and algorithms that are used to generate knowledge about our individual behavior, social and economic position, as well as personal interests, belong in the public domain.153 The commodification of our identities and behavior does not need a property rights debate with respect to individual and isolated personal data. It requires a debate on the role of the public domain in providing the necessary instruments to know and to control the way in which our identities are made.154

10. Conclusion

In conclusion let me repeat what I think this contribution has offered. Firstly, I have suggested that although it is all too often argued that the creation of a property right is not in line with the continental human rights-based approach to privacy, the European system certainly offers leeway for a property rights model. There are clear openings under European law for a utilitarian perspective on personal data protection, and it could even be argued that the European data protection system is more receptive towards a property approach than the American system.

Secondly, in reflecting on vesting some form of property right in personal data, I have touched upon several consequences of the property rights approach that do seem to have a certain appeal. Further analysis reveals, however, that doubts rise about whether such an approach would indeed offer the claimed prospects of achieving a higher level of personal data protection. Also, vesting a property right in personal data would differ to a considerable extent from well-known property rights, such as copyrights. One of my key arguments was that the use of personal data cannot be viewed in the isolated perspective of one single piece of information to be used by one organization for a very specific purpose. Given developments such as ubiquitous computing, the use of personal data will increasingly occur within, and be structured by, social, economic and institutionalized settings. I have suggested that data protection mechanisms must therefore be structured along lines of control and visibility in relation to identities, instead of ownership of individual data. For in order for individuals to effectively protect their data, they should be given the instruments to know and understand how their social and economic identities are constructed, influenced and used.155 This requires a debate on the role of the public domain in providing the necessary instruments for use to know and to control how our ‘lives’ are ‘created’.



+ This article is a revised version of a chapter to appear in: The future of the public domain (Guibault, Hugenholtz, (eds.), The Hague: Kluwer Law International (forthcoming 2006).

* Professor of Law and Informatization and Director of the Tilburg Institute for Law, Technology, and Society (TILT) <http://www.uvt.nl/tilt> Tilburg University, The Netherlands.

1 For details on this story see: L. Enos, “Deal afoot to destroy Toysmart database”, E-Commerce Times, 10 January 2001. Available at <http://www.ecommercetimes.com/perl/story/6607.html>.

2 K C Laudon, “Markets and privacy”, Communications of the ACM, vol. 39, no. 9, 1996, 103; See also: A Bartow, “Our data, ourselves: Privacy, propertization, and gender”, University of San Francisco law review, Vol. 34, p. 633, Summer 2000, 695.

3 Laudon (1996), 103.

4 Or, as simply put by Dianne Leenheer Zimmerman, “My life is your data”. D L Zimmerman, “Fitting publicity rights into intellectual property law and free speech theory: Sam, you made the pants too long!” 49 DePaul art & entertainment law journal 2000. Available at <http://papers.ssrn.com/paper.taf?abstract_id=211789>

5 See on this in more detail: J Zittrain, “What the publisher can teach the patient: Intellectual property and privacy in an era of trusted privication”, 52 Stanford law review (2000), 1201.

6 L Lessig, “Privacy as property”, Social research, vol. 69, no. 1 (Spring 2002), 255.

7 Bartow, (2000), 685.

8 Bartow, (2000), 634.

9 On the campaigns of both organizations, see: J Litman, “Information privacy/information property”, 52 Stanford law review (2000), 1290.

10 K C Laudon, “Markets and privacy”, Communications of the ACM, vol. 39, no. 9 1996, 103.

11 Laudon, (1996), 93.

12 See: M J Radin, R. Polk Wagner, “The myth of private ordering: Rediscovering legal realism in cyberspace”, Chicago-Kent law review 1295 (1998); L M C R Guibault, Copyright limitations and contracts. An analysis of the contractual overridability of limitations on copyright, The Hague: Kluwer Law International (2002); B M J van Klink, J E J Prins, Law and regulation: Scenarios for the information age, Amsterdam: IOS Press (2002); Mark A. Lemley, “Comments. Private property”, 52 Stanford law review 1545.

13 “By translating the different aspects of privacy in subjective (personality) rights, individual freedom is forcibly encroached upon.” S Gutwirth, Privacy and the information age, Lanham: Rowman & Littlefield, (2002), 40.

14 P. Blok, Het recht op privacy (The right to privacy), The Hague: Boom Juridische Uitgevers (2002), 326.

15 See: S Gauthronet, “The future of personal data in the framework of company reorganisations”, 23rd International Conference of Data Protection Commissioners, Paris, September 2001.

16 Gauthronet, (2001).

17 <http://www.google.com/privacypolicy.html>

18 Illustrative are the so-called recommender systems that enable personalization by presenting to the user a list of items (content, services, products, etc.) in which he or she might be interested, based on what the system knows about the user. The system automatically makes the appropriate choices for the customer based on input about his tastes and interests. In addition, the system predicts, by means of scores for items, which product or service the user might find most interesting. Thus, a recommender might notice a pattern of searching and purchasing behavior across health-related sites that suggests that the user has a certain disease. So-called third party recommenders aggregate customer data across many websites by tracking activity across many websites and drawing conclusions (purchase patterns and profiles) about the customers that no individual website could draw. See in more detail on recommender systems and how they work: B Miller, J Konstan, J Riedl, “PocketLens: Toward a personal recommender system”, ACM Transactions on Information Systems, Issue 3, July 2004, at 437-476.

19 Beyond the personalisation myth: Cost-effective alternatives to influence intent, Jupiter Research Corporation, 30 Sept 2003, 26.

20 For more detail on developments in the area of personalization, see: A M B Lips, S van der Hof, J E J Prins, A A P Schudelaro, Issues of online personalisation in public and commercial service delivery, Tilburg: Wolff Legal Publishers, (2005).

21 Lundblad argues that we live in a ‘noise society’, characterized by a high collective expectation of privacy, but a low individual expectation of privacy. N Lundblad, “Privacy in a noise society”, 2004. Available at <http://www.sics.se/privacy/wholes2004/papers/lundblad.pdf>

22 P Sholtz, “Transaction costs and the social costs of online privacy”, First Monday, volume 6, number 4, May 2001, Available at <http://firstmonday.org/issues/issue6_5/sholtz/index.html>

23 Sholtz, (2001). In describing the concept of social cost, Sholtz uses the work of Ronald Coase, The firm, the market and the law: The nature of the firm. Chicago: University of Chicago Press, (1988), 33-56.

24 See on this e.g. P Samuelson, “Privacy as intellectual property”, 52 Stanford law review May 2000, 1125; Sholtz, (2001).

25 Sholtz, (2001)

26 Sholtz, (2001); P Swire, “Markets, self-Regulation, and government enforcement in the protection of personal information”, in: Privacy and self-regulation in the information age by the U.S. Department of Commerce, 1997, available at <http://ssrn.com/abstract=11472>.

27 Swire, (1997).

28 Sholtz, (2001).

29 P Sholtz, “The economics of personal information exchange”, First Monday, volume 5, number 9 (September 2000). Available at <http://firstmonday.org/issues/issue5_9/sholtz/>.

30 Lemley, (2000), 1546.

31 A F Westin, Privacy and freedom, New York: Atheneum Press, (1967), 324-325.

32 R A Epstein, “Privacy, property rights, and misrepresentations”, Georgia law review, vol. 12 (Spring 1978), at 463-465; R A Posner, “The Right of Privacy”, Georgia law review, vol. 12 (Spring 1978), 422.

33 Some early contributions to the debate on property, contract rules and privacy are: Laudon, (1996); M Cloud, “The fourth amendment during the lochner era: Privacy, property, and liberty in constitutional theory”, Stanford law review, 48 (1995-1996), 555-631; P M Schwartz, “Privacy and the economics of personal health care information”, Texas law review, vol. 76, issue 1, November 1997, 1-76; P P Swire, “Cyber banking and privacy: The contracts model”, San Francisco, Computers, Freedom & Privacy Conference, March 1997 at <http://www.peterswire.net/cyber.htm>; P P Swire, R E Litan, None of your business. World data flows, electronic commerce, and the European privacy directive, Washington D.C.: Brookings Institution Press (1998), at 86-87.

34 Samuelson, (2000), 1129.

35 Laudon, (1996), 92.

36 Laudon, (1996), 104. See also the overview of the arguments presented by P Samuelson, “Privacy as intellectual property”, 52 Stanford law review (2000), 1125.

37 Laudon, (1996), 104.

38 J E Cohen, “Examined lives: Informational privacy and the subject as object”, 52 Stanford law review, May 2000, 1390.

39 Cohen, (2000), 1390.

40 See for an extensive overview of the literature on this: Litman, (2000), footnote 19; Lemley, (2000), 1545, footnote 5. An interesting overview of publications from both a legal as well as (micro-) economic perspective can also be found on the website “The economics of privacy” maintained by Alessandro Acquisti at <http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm>

41 P E Agre, “Beyond the mirror world: privacy and the representational practices of computing”, in: Technology and privacy: The new landscape (P E Agre, M Rotenberg, eds.), Cambridge: MIT Press 1997, 29.

42 See e.g. Zittrain, (2000).

43 Zittrain,(2000).

44 Cohen, (2000), 1391.

45 A Acquisti, “Protecting privacy with economics: Economic incentives for preventive technologies in ubiquitous computing environments”, Workshop on Socially-informed Design of Privacy-enhancing Solutions, 4th International Conference on Ubiquitous Computing (UBICOMP 02), Goteborg, Sweden, September 2002. At <http://guir.berkeley.edu/pubs/ubicomp2002/privacyworkshop/> See also various of the publications listed at <http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm>

46 See Samuelson, (2000), citing Radin (footnote 93).

47 M J Radin, “Incomplete commodification in the computerized world”, in N Elkin-Koren, N Weinstock Netanel, (eds.), The commodification of information, The Hague: Kluwer Law International 2002, at 17-18.

48 Cohen, (2000), 1379.

49 Radin, (2002), 17.

50 European Parliament, Committee on Citizens’ Freedoms and Rights, Justice and Home Affairs, Report on the Draft Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles, C5-0280/2000-2000/2144(COS)), 22 June 2000. Available at <http://europa.eu.int/comm/internal_market/privacy/adequacy/0117-02_en.pdf >

51 P Catalat, cited in: Y Poullet, “Data protection between property and liberties. A civil law approach”, in H W K Kaspersen, A Oskamp (eds.), Amongst friends in computers and law. A collection of essays in remembrance of Guy Vandenberghe, The Hague: Kluwer Law International, (1990), 161.

52 Poullet, (1990), 161-181.

53 L A Bygrave, Data protection law. Approaching its rationale, logic and limits, The Hague: Kluwer Law International, (2002), 120-122.

54 To Bygrave it is questionable that the adoption of property rights approaches will assist arguments for providing increased levels of data protection, because such rights - like most other rights – are seldom applied in an absolute manner. In addition, he argues that many of the challenges faced by data protection law and policy (among them the ability of data subjects to comprehend the logic of information systems) cannot be adequately addressed under the property rights rubric. Bygrave, (2002), 121.

55 See e.g. L Bergkamp, “The privacy fallacy: Adverse effects of Europe’s data protection policy in an information-driven economy”, Computer Law & Security Report 2002, p. 31.

56 See recently: Gutwirth, (2002), at 39-41, arguing that vesting a property right conflicts with the notion that privacy needs to be seen in the perspective of freedom. Moreover: “The attempts to create an unequivocal subjective right to privacy are implicitly based on the wrong assumption that the law has to and is allowed to impose “good values”. Gutwirth, (2002), 41; P de Hert, “Internet en privacy”, in K Byttebier, R Feltkamp, E Janssens (eds.), Internet en Recht. Internet et le Droit, Antwerpen: Maklu 2001, at 404-414 (rejecting a property approach and arguing that the Selbstbestimmungsrecht is the basis of data protection law, 405).

57 Protocol to the Convention for the Protection of Human Rights and Fundamental Freedoms as amended by Protocol 11 (ETS No. 155). The amendments came into force on 1 November 1998. See <http://conventions.coe.int/treaty/en/Treaties/Html/009.htm>.

58 Aside from the conceptualisation of ‘property’ and ‘possessions’ under this Protocol, the broader issue that of course needs discussion is whether the notion of ownership encompasses the sort of ownership that we seek to define when dealing with personal data rights. The understanding of ownership that applies to physical things, such as watches, books or cars, does not encompass all of the legally relevant interests that the term privacy denotes. This contribution however does not develop a definition of property or discusses the arguments that have been brought forward in the debate on the different conceptions of ownership. Nor does this contribution analyse the various functions of property. See on these issues in relation to human rights: G F Gaus, “Property, rights and freedom”, in: E F Paul, F D Miller Jr., J Paul (eds.), Property rights, Cambridge: Cambridge University Press, at 213-214; D Beyleveld, R Brownsword, Human dignity in bioethics and biolaw, Oxford: Oxford University Press (2001).

59 ECHR 24 January 1995 (Gasus Dosier-und Fördertechnik GmbH v. the Netherlands) Series A, vol. 306 B, §53. Available at: <http://hudoc.echr.coe.int>

60 More in detail on this argument: C M C K Cuijpers, Privacyrecht of privaatrecht? Een privaatrechtelijk alternatief voor de implementatie van de Europese privacyrichtlijn, Den Haag, Sdu 2004.

61 The supermodel Naomi Campbell wanted compensation for the publication by the Daily Mirror of articles and photographs that suggested drug-addiction. Campbell v Mirror Group Newspapers [2002] EWHC 499 (QB). Overturned on appeal: [2002] EWCA Civ 137.On 6 May 2004 the law lords overturned in a 3-2 majority the ruling of the Court of Appeal, acknowledging that individuals, including celebrities, have a right to privacy which is wider than the existing UK law of breach of confidence, or disclosure of private information. At <http://www.bailii.org/cgi-bin/markup.cgi?doc=/uk/cases/UKHL/2004/22.html>.

62 The couple went to court, arguing their case on an action for breach of commercial confidence and the UK Data Protection Act 1998. After addressing the role of the law of confidence and attaching considerable importance to the rights of freedom of expression as well as privacy, the court held Hello! liable to pay OK! £1,033,156 to cover the total cost of its lost sales, the loss of advertising revenue and wasted costs. Douglas and Zeta-Jones were awarded a sum of £50 each under the Data Protection Act 1998 and £7,000 for wasted costs. The case, as well as many other stories that deal with the balance to be struck between privacy and freedom of the press are discussed in detail in: J Rozenberg, Privacy and the press, Oxford: Oxford University Press, (2004), (chapter 2).

63 See the Ewan McGregor case, decided 11 Nov 2003, in which the actor won an action against a photo agency over photographs of his two children (McGregor v. Fraser, High Court of England and Wales, No. [2203] EWHC 2972, 11/11/03).

64 For a discussion of several cases, see: Rozenberg, (2004); R Wacks, “Privacy, property, and personality – Do we need them?” (Conference paper Edinburgh 2000). See also the personality database, established as part of “Privacy, property, personality”, a project of the AHRC Research Centre for Studies in Intellectual Property and Technology Law based in the School of Law at the University of Edinburgh: <http://www.law.ed.ac.uk/ahrb/personality/database.htm>

65 See on these arguments: O Weber, “Human dignity and the commercial appropriation of personality: Towards a cosmopolitan consensus in publicity rights?” Script-ed. Online Journal of Law and Technology, Issue 1, 2004. <http://www.law.ed.ac.uk/ahrb/script-ed/personality.html>.

66 M Madow, “Private ownership of public image: Popular culture and publicity rights”, 81 California law review, 1993, 223-224.

67 See: Weber, (2004).

68 Although noting that exclusive rights in the area of copyright are justified as stimulus for investment in culture and industrial inventions, whereas publicity rights serve no public interest or higher economic goal. Weber, (2004).

69 Weber, (2004).

70 Weber, citing D Lindsay (footnote 109).

71 H Beverly-Smith, The commercial appropriation of personality, Cambridge: Cambridge University Press, (2002), 287. The author offers a detailed account and analysis of the various perspectives on personality rights. See also: E Volokh, “Freedom of speech and information privacy: The troubling implications of a right to stop people from speaking about you” 52 Stanford law review 2000, 1049 (also available at <http://www.law.ucla.edu/faculty/volokh/privacy.htm>)

72 See on the multitude of different legal instruments between jurisdictions: Weber, 2004.

73 See on this in detail: H Beverly-Smith, (2002), chapter 11.

74 See for a discussion of the downside of vesting a property right in personality, see: D L Zimmerman, (2000).

75 793 P.2d 479 (Cal. 1990), cert. denied, 111S. Ct. 1388 (1991). For a detailed discussion and analysis of the case, as well as its broader implications for the distinction between public and private information, see: J Boyle, “A theory of law and information: Copyright, spleens, blackmail, and insider trading”, 80 California law review 1413 (1992).

76 Article 4 of the UNESCO Universal Declaration on the Human Genome and Human Rights, Paris 11 Nov 1997. Available at <http://www.unesco.org/shs/human_rights/hrbc.htm>.

77 Council of Europe, Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedice, Oviedo, 1997 <http://conventions.coe.int/Treaty/en/Treaties/Word/164.doc>.

78 D Beyleveld, R Brownsword, Human dignity in bioethics and biolaw, Oxford: Oxford University Press (2001), 171 (footnote 1).

79 Of interest here is the so-called PropEur project launched in February 2004. The University of Birmingham initiated this three year research project to compile and analyse new approaches in ethics and law to tangible and intangible property in the human genome, human tissue and other body parts. See the various documents available at <www.propeur.bham.ac.uk>

80 See on the different arguments e.g. A McCall Smith, “Property, dignity and the human body”, Privacy and property. Hume papers on public policy, vol. 2 no. 3 1994, at 35-38; Beyleveld, Brownsword, (2001), chapter 8; J A Bovenberg, Property rights in blood, genes and data, Leiden: Martinus Nijhoff Publishers, (2006) (To remedy to ensure a fairer distribution of the fruits of biological material, Bovenberg proposes the introduction of a new tax on human body parts).

81 See, e.g., Beyleveld, Brownsword, (2001) (in particular chapter 8); G Laurie, Genetic privacy. A challenge to medico-legal norms, Cambridge: Cambridge University Press (2002) (in particular chapter 6); J Boyle, (1992); C Barrad, M Valerio, “Genetic information and property theory”, Northwestern University law review, 87 (Spring 1992), at 52-70; M Everett, “The social life of genes: privacy, property and the new genetics”, Social science & medicine 56 (2003), at 53-65.

82 See e.g. M J Radin, Contested commodities, Cambridge: Harvard University Press, (1996).

83 See on the EU Directives: A Farrell, “Governing the body: EU regulatory developments in relation to substances of human origin”, Journal of social welfare and family law, 27: 3-4, at 419-429 (2005).

84 Of course, the contractual arrangement may also be used to protect privacy in that it imposes an obligation to respect privacy and not to disclose certain personal data.

85 See also: Beyleveld, Brownsword, (2001), 171.

86 See the rulings Deweer/Belgium (ECHR 27 February 1980, A 35 §48-54); De Wilde, Ooms, Versyp/Belgium (ECHR 18 June 1971, A12 §65), available at: <http://www.dhdirhr.coe.fr>. See also on these and other relevant rulings: R A Lawson, H G Schermers, Leading cases of the European Court of human rights, Nijmegen: Ars Aequi Libri, (1997), at 637-638.

87 Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L281/31, 1995.

88 Compare Bergkamp who argues: “In other words, even if an individual wants to give up some or all of his privacy rights (e.g. to obtain a lower price for a product or service), EU law will not let him do so. The EU privacy rights cannot be waived in any matter. Consequently, any agreement pursuant to which a data subject waives some or all of his rights under the Data Protection Directive is void and unenforceable, even if the agreement otherwise meets al the validity requirements and is in the data subject’s interest.” L Bergkamp, European community law for the new economy, Antwerp: Intersentia, (2003), 123.

89 Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs, OJ 1991 L122/42.

90 Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, OJ 1996 L 077/20. Art. 15: Any contractual provision contrary to Articles 6 (1) and 8 shall be null and void.

91 Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, OJ 1985, L 210/29. Art. 12: The liability of the producer arising from this Directive may not, in relation to the injured person, be limited or excluded by a provision limiting his liability or exempting him from liability.

92 Directive 97/7/EC of the European Parliament and of the Council of 20 May 1997 on the protection of consumers in respect of distance contracts, OJ 1997 L 144/19. Art. 12: (1) The consumer may not waive the rights conferred on him by the transposition of this Directive into national law. (2) Member States shall take the measures needed to ensure that the consumer does not lose the protection granted by this Directive by virtue of the choice of the law of a non-member country as the law applicable to the contract if the latter has close connection with the territory of one or more Member States.

93 See art. 7. Directive 99/44/EC of the European Parliament and of the Council of 25 May 1999 on certain aspects of the sale of consumer goods and associated guarantees, OJ 1999 L 171/12.

94 See art. 10. Directive 00/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, OJ 2000 L 178/1.

95 Art. 8(2) (a) however provides that member states are allowed to prohibit the processing of sensitive data even when the data subject has consented to the use of these data.

96 See in detail on this: Cuijpers, (2004).

97 In the situations covered by art. 7(f) the individual may object to the use of his personal data. However, in contrast to the use for direct marketing purposes, the opt-out right is here not absolute.

98 See also: C Kuner, European data privacy law and online business, Oxford: Oxford University Press (2003), 70.

99 Compare the excellent article by J Kang and B Buchner, “Privacy in Atlantis”, 18 Harvard Journal of law & technology, Fall 2004.

100 A Etzioni, The limits of privacy, New York: Basic Books (1999), 201.

101 Etzioni, (1999), 200.

102 Etzioni, (1999), 201.

103 P M Schwartz, “Beyond Lessig’s Code for internet privacy: Cyberspace filters, privacy-control, and fair information practices”, Wisconsin law review, 2000:743, 767.

104 Schwartz, (2000), 768.

105 Radin, (1996), 18.

106 See also: De Hert, (2001), 409.

107 Radin, Polk Wagner, (1999).

108 C J Bennett, C D Raab, The governance of privacy. Policy instruments in global perspective, Aldershot: Ashgate Publishing, (2003), 17.

109 Lemley, (2000), 1552; Samuelson, (2000), 1137.

110 See recently Lessig, (2002), 263: “My assumptions about the value of a property system assume that the negotiations and preferences about privacy would be expressed and negotiated in the background automatically. This was the aspiration of the technology Platform for Privacy Preferences (P3P) in its first description.”

111 J Zittrain, “What the publisher can teach the patient: Intellectual property and privacy in an era of trusted privication”, 52 Stanford law review 1201 (2000).

112 Similar to art. 8(2)(a) of the EU Directive on data protection, providing that member states are allowed to prohibit the processing of sensitive data even when the data subject has consented to the use of these data.

113 Lemley, (2000), 1550.

114 Art. 2(a) defines personal data as to mean “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

115 In this case, Mr. Durant sought disclosure of information concerning his complaints in order to re-open his case against Barclays Bank and/or to secure an investigation of this bank’s conduct. As part of his activities, Durant asked the Financial Services Authority (FSA) to disclose information relating to his complaint, basing this request on section 7 of the UK Data Protection Act 1998. The FSA disclosed some of the information requested, but refused to provide other information as well as ‘redacted’ other pieces of information (in order to protection the rights of third persons who could be identified on the basis of that information). Durant disagreed with the approach taken by the FSA and took the matter to court. Michael John Durant v Financial Services Authority [2003] EWCA Civ 1746, Court of Appeal (Civil Devision), 8th Dec 2003. The full text of the judgement can be found via <http://www.courtservice.gov.uk> and < http://www.bailii.org/ew/cases/EWCA/Civ/2003/1746.html >

116 “Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater of lesser degree… In short, it is information that affects his privacy, whether his personal or family life, business or professional capacity…”

117 See the commentary by the UK Information Commissioner, “The ‘Durant’ Case and its impact on the interpretation of the Data Protection Act 1998’. Available at: <www.informationcommissioner.gov.uk>. See also: L Scott, “The Durant case: Is there something you should know?” 2004. Available at: < http://www.morton-fraser.com/knowledge/knowledge.php?k_id=122>.

118 See also: Gutwirth, (2002), at 39-41.

119 Let alone other difficult questions such as: how do we create remuneration payment schemes; realize commercial personal data transfer on behalf of children and mentally ill people; sort out actual owners of personal data from fake?

120 Lemley, (2000), 1550.

121 See however Sholtz: “…the consumer retains rights to the property even after it has been transferred to the commercial organization (under contract). An obvious analogy with another powerful form of information property rights, namely intellectual property rights, is appropriate. When I buy a CD from a major Hollywood label, the Hollywood label still retain property rights to the music even though the CD is now in my possession. I have not so much purchased property rights to the music as I have purchased a license to listen to the CD in my own home for non-commercial purposes.” P Sholtz, “Transaction costs and the social costs of online privacy”, First Monday, volume 6, number 5, May 2001. At <http://firstmonday.org/issues/issue6_5/sholtz/index.html>

122 J E Cohen, “Examined lives: Informational privacy and the subject as object”, 52 Stanford law review 1373 (2000).

123 Cohen, (2000), 1379; Litman, (2000), 1283.

124 Litman, (2000), 1303.

125 Cohen, (2000), 1379.

126 Cohen, (2000), 1379.

127 Cohen, (2000), 1436.

128 Leenheer Zimmerman, (2000).

129 On the economic arguments in favour of a right of publicity, see: W M Landes, R A Posner, “An economic analysis of copyright law”, Journal of legal studies, vol. 18, no. 2, June 1989, at 362-363.

130 Leenheer Zimmerman, (2000).

131 See on this position Bergkamp (2003), 123. Also J E Cohen, “DRM and privacy”, 18 Berkely technology law journal, 2003, para. III.B, arguing that the decision to promote the values of self-determination and human dignity “in the law of “privacy” while simultaneously enabling easy evasion of accountability via “contract” would be nothing short of perverse. Taking these intangible harms seriously requires a more consistent approach.”

132 See e.g. B B Read, “Searching farther for customer data”, PlanetIT, 12 Dec 2000, cited in: Sholtz, (2001), at: <http://firstmonday.org/issues/issue6_5/sholtz/index.html>. Available at: <http://www.callcentermagazine.com/shared/article/showArticle.jhtml?articleId=8701704&classroom=>

133 Lemley, 1550.

134 A Chander, M Sunder, “The romance of the public domain”, 92 California law review 2004, 1331.

135 Sholtz, (2001), at: <http://firstmonday.org/issues/issue6_5/sholtz/index.html>

136 J E Cohen, “Privacy, ideology, and technology: A response to Jeffrey Rosen”, 89 The Georgetown law journal, 2029 (2001), 2036. Available at: <http://www.law.georgetown.edu/faculty/jec/privacyideology.pdf>. See also: D Solove “The virtues of knowing less: Justifying privacy protections against disclosure”, 53 Duke law journal, 967 (2003) available at: <dsolove@law.gwu.edu>, arguing that more information does not necessarily lead to more accurate judgments.

137 Leenheer Zimmerman, (2000).

138 See e.g. the papers presented at the November 2001 Conference at Duke University School of Law. Available at: <http://www.law.duke.edu/journals/lcp/articles/lcp66dWinterSpring2003p1.htm>

139 Litman, (2000), 1294.

140 As was discussed earlier, the present data protection regimes are constructed along the lines of fair information processing. In principle, the use and processing is personal data is free. See also Simon G. Davies who argues that the European Directive on personal data protection does almost nothing to prevent or limit the collection of personal information. S G Davies, “Re-Engineering the right to privacy: How privacy has been transformed from a right to a commodity,” in P E Agre, M Rotenberg (eds.), Technology and privacy: The new landscape, Cambridge: MIT Press (1997), at 156-157.

141 See for illustrations of this, the contributions in: D Lyon (ed.), Surveillance as social sorting. Privacy, risk and digital discrimination, London/New York: Routledge, (2003).

142 H Nissenbaum, “Privacy as contextual integrity”, 79 Washington law review, 119 (2004).

143 <http://oak.psych.gatech.edu/~epic/>

144 For a transcript, see: <http://www.masternewmedia.org/news/2004/11/29/summary_of_the_world_googlezon.htm>

145 J B Schafer, J A Konstan, J Riedl, “Electronic commerce recommender applications”, Journal of data mining and knowledge discovery, (2000), vol. 5 nos. 1/2, at 115-152. One such application available for users on the Internet is ‘Movielens’, where individuals can get movie recommendations based on ratings by website visitors, but also rate or review any movie to be able to recommend to others, or share movie recommendations in discussion groups: <http://movielens.umn.edu/login>.

146 <http://www.mobiloco.de/html/index.jsp>.

147 See on this argument in further detail: D J Phillips, “From privacy to visibility: Context, identity, and power in ubiquitous computing environments”, Social text 23(2), 2005, at 95-108.

148 Nissenbaum, (2004).

149 See e.g. the different papers presented at the workshop on Socially-informed Design of Privacy-enhancing Solutions, 4th International Conference on Ubiquitous Computing (UBICOMP 02), Göteborg, Sweden, Sept 2002. Available at: <http://guir.berkeley.edu/pubs/ubicomp2002/privacyworkshop/>

150 See: Phillips, (2005).

151 See: J E J Prins, “The propertization of personal data and identities”, vol 8.3, Electronic journal of comparative law, (October 2004), <http://www.ejcl.org/83/art83-1.html>

152 See Phillips, (2005). Also: D H Nguyen, E D Mynatt, “Privacy mirrors: Understanding and shaping socio-technical ubiquitous computing systems”, Georgia institute of technology technical report (2002) Available at: <http://quixotic.cc.gt.atl.ga.us/~dnguyen/writings/PrivacyMirrors.pdf>

153 Moreover, individuals should be able to contest that certain determinations are made, to object to certain use, and to ask for alternative use.

154 Earlier, Vedder has suggested introducing the new concept of ‘categorical privacy’. This concept is largely based on the concept of individual privacy, but including privacy as regards information that is no longer identifiable to persons, because such information may still have possibly negative consequences for group members. A Vedder, “Medical data, new information technologies and the need for normative principles other than privacy rules”, in M Freeman and A Lewis (eds.), Law and medicine, Oxford: Oxford University Press, (2000), at 441-459.

155 Also Phillips, (2005).

 


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/uk/other/journals/Script-ed/2006/3_4_SCRIPT-ed_270.html