PRIVATE AND COMMON PROPERTY RIGHTS IN PERSONAL DATA

• Author: HU Ying1 LLB (The University of Hong Kong), LLM (University of Cambridge & Yale Law School); Lecturer, National University of Singapore.
• Publication year: 2021
• Citation: (2021) 33 SAcLJ 10173
• Published date: 01 December 2021
• Date: 01 December 2021

I. Introduction

1 We find ourselves in a rather odd situation: companies collect and use data about our online and offline activities to make huge profits. However, there is no prima facie right for us to share any portion of that profit. Despite common belief that our personal data belongs to us,2 we do not legally own that data, which is not even considered “property” in the first place. Unless otherwise specified, the term, personal data, is used broadly in this article to refer to information about an individual's characteristics, knowledge and behaviour — ranging from his gender and age, to his political affiliation and the time he goes to sleep at night.

2 Academics have long debated whether individuals should be given property rights over their personal data.3 In recent years, the idea of

propertising personal data has gained greater public attention as various politicians proposed legislation seeking to grant individuals property rights over their data.4 At the same time, a greater number of digital platforms have emerged to facilitate commodification of personal data.5

3 This article suggests that there may be advantages to treating personal data as property. Part II outlines both the benefits and harms that might result from the collection and use of personal data. Part III explains what it means to examine personal data from a property law perspective and the value of such an approach. Parts IV and V set out the arguments in favour of granting both private and common property law rights in personal data.

II. Personal data: A story with two sides

4 We live in the era of “big data”. An increasing number of our interactions with the world are being tracked: the goods we purchase, the photos we post, and the places we visit are stored electronically by service providers such as Amazon, Google and Facebook. These tech giants are not alone in the quest for more data. Many websites track visitor Internet Protocol addresses, browsing histories, mouse movements and sometimes even battery states.6 Entrepreneurs peddle “free” applications (“Apps”) ranging from games to fitness trackers to record a greater variety of user data. This part highlights both the dark and the bright sides of ubiquitous collection and use of personal data.

A. The dark side

(1) Loss of privacy

5 The rise of big data is likely to pose a significant threat to people's right to privacy. Scott McNealy, the chairman of Sun Microsystems, famously said, “you already have zero privacy — get over it”.7 While privacy is a notoriously difficult concept to define, this article focuses on what has come to be known as information privacy, which is often understood as a person's “control of information concerning his or her person”.8

6 Big data undermines our control over our personal data in a number of ways. First, we are more likely to experience difficulty determining when our data is being collected. Technologies such as cookies and web beacons allow websites to track their visitors unobtrusively. When we walk on a street, we often know when we are being followed. However, it is much more difficult to detect a follower online: for example, many people did not know that the mere presence of a Facebook “like” button meant their online activities were being reported back to Facebook.9

7 We are also more likely to be mistaken about who has access to our data. What appears to be a one-on-one interaction can sometimes involve hidden third parties. When buying a prescription drug from an online pharmacy, we tend to assume that we are dealing only with that pharmacy. However, the pharmacy might allow third parties to store cookies on its website, alerting them to our visit. It might even sell information about our purchase records: Pharmacy2U, the UK's largest NHS-approved online pharmacy, was fined for selling customer data (at the price of £130 per 1,000 customers) without their consent.10

8 Moreover, we often do not know when we disclose more information than we intend to. If we upload a photo taken with our smartphone, we might not know it is embedded with a geotag that can reveal our location.11 Businesses also increasingly use algorithms to

analyse our data to find correlations and patterns of behaviour. A famous example is Target's prediction of a girl's pregnancy, from her shopping history, before her family was aware of it.12 Sometimes, additional personal information may be deduced from seemingly unrelated data. In one study, researchers demonstrated that Facebook “likes” could be used to predict a wide range of personal attributes.13 Interestingly, among the content “liked” by Facebook users, the best predictors of high intelligence include words such as “thunderstorms” and “curly fries”.14 Consequently, it is difficult for us to know what insights businesses can generate from the information we have disclosed, the accuracy of those insights, or how they might be used against our interest.

(2) Data-related harm

9 The personal data we have disclosed, either intentionally or unintentionally, can be used to our disadvantage in various ways. For example, information about an individual's location might enable criminals to stalk or injure him. A few years ago, an App called “girls around me” used information from Facebook and Foursquare to display images of nearby users.15 One can easily imagine the physical danger this App posed to the girls whose images and locations were captured by the App. Not surprisingly, there was a backlash against it.16 Our personal data might also enable retailers to charge us a higher price than they would charge someone living in a different neighbourhood: for example, in the US, the prices for The Princeton Review's online SAT tutoring packages varied significantly depending on the location of its customers; moreover, customers in Asian-majority neighbourhoods were almost twice as likely to be offered higher prices.17

10 Further, the personal data that companies have collected about an individual as well as inferences made based on such data might be inaccurate or outright false, causing that individual to suffer reputational damage, emotional distress or financial loss. Even where the relevant information or inferences about an individual is accurate, it may

nevertheless be used to discriminate against that individual, to exploit his vulnerabilities, or to manipulate his behaviour (eg, his voting decision).18

B. The bright side

(1) Personal data fuels the economy

11 On the other hand, personal data has been the backbone of many technology companies. Facebook alone made a profit of US$1.6m in the last quarter of 2015, the majority of which was derived from advertising programmes.19 The wealth of data controlled by Facebook enables advertisers to target specific groups of people based on their location, demographics, interests and behaviour (eg, female lawyers aged 20 to 30, living in San Francisco, who eat organic food and have purchased gym memberships in the past year).20

12 Companies also increasingly devote resources to analysing personal data in order to generate more profits. Such analyses sometimes enable them to better anticipate the needs of their customers: in the case of Target, after concluding that a girl was pregnant from her shopping history, it sent her coupons for baby clothes and cribs.21 Other times, insights from personal data help companies reduce operation costs: thanks to the petabytes of customer data in its warehouse, eBay manages to automate 90% of the 60 million disputes it receives every year, thereby saving hundreds of thousands of dollars in labour costs.22

(2) Personal data is essential to technological development

13 Personal data has played and will continue to play an essential role in developing new products and services through machine learning. Machine learning models are often trained with large datasets, a significant part of which is personal data. Our medical data, for example, may be used to help diagnose genetic diseases earlier and with

greater precision. Face2Gene, a facial recognition App, took advantage of the fact that people with genetic conditions (such as down syndrome) would sometimes exhibit a distinctive set of facial features.23 The App developers trained their algorithms using a large database of photos of people with known diagnoses to find facial features that are associated with particular genetic conditions. Its findings can potentially be more reliable than even the most skilled human dysmorphologist, who can only see a limited number of patients in his lifetime. Similar techniques may be used to identify other diseases. For instance, researchers have used machine learning to help with early detection of autism in infants as well as Alzheimer's disease.24

14 Our voice data, on the other hand, may be used to train digital assistants, such as Amazon's Alexa and Apple's Siri,25 to recognise and respond to our verbal requests to carry out a wide variety of tasks ranging from checking weather to ordering products online. It may even be used to train digital assistants to perform tasks that could previously only be performed by humans. Many people would probably remember a prerecorded demo released by Google in 2018: Google's robot assistant, which sounded “eerily lifelike”, called real people and successfully made appointments for a haircut and for lunch.26

III. Private, common and public property rights in personal data

A. Beyond data protection law

15 This article seeks to demonstrate that, in addition to data protection law, it is also helpful to examine personal data from a property law perspective. The reasons are multifold. First of all, as the bright side of the personal data story has shown, data has increasingly become a valuable resource. Since property law is essentially concerned with the allocation of valuable resources, it is well suited to address issues such as who should have access to and control over...