The Yale Law Journal

Volume 123, 2013-2014, Number 2, November 2013, 266-529

Comment

The EU General Data Protection Regulation: Toward a Property Regime for Protecting Data Privacy

Jacob M. Victor

The European Union recently released draft legislation that has the potential to transform EU data privacy law. The draft General Data Protection Regulation (“draft Regulation”) proposes a range of new individual rights designed to protect consumers whose personal information is collected, processed, and stored by corporations and other entities.1 Most notably, the draft Regulation would establish a consumer’s “right to be forgotten,”2 mandating that entities that collect or process data—which, for ease, I will call “data users”3—must delete any data relating to an individual “data subject”4 upon his request. Furthermore, any third parties with whom this information has been shared would also generally be required to respect the data subject’s request for deletion.5

The draft Regulation, which was approved by the European Commission in January 2012, is unlikely to be finalized and enter into force for at least another several months.6 But the legislation has already proven highly controversial for its potential applicability to any corporation that processes the personal data of EU citizens (including U.S. corporations),7 for its potential effects on free speech rights8 and criminal investigations,9 for its alleged technological infeasibility,10 and for the possibility that it may impede bilateral policymaking efforts between the United States and the European Union.11

A yet unexplored dimension of the draft Regulation, however, is its relationship to broader questions about what rights-and-remedies scheme is most appropriate for protecting consumer privacy in data collection. Though the Regulation is framed in the fundamental-human-rights terms typical of European privacy law, this Comment argues that it can also be conceived of in property-rights terms. The Regulation takes the unprecedented step of, in effect, creating a property regime in personal data, under which the property entitlement belongs to the data subject and is partially alienable. More specifically, the data protection plan takes for granted that personal data has become akin to a commodity capable of changing hands; working off of this reality, it allows for the highly regulated exchange of data while also adapting rights and remedies commonly associated with property in service of the goal of protecting consumer privacy. The Regulation’s use of property-derived rights is particularly unusual and significant since a human-rights-based approach to privacy—which the EU generally embraces—is often thought of as incompatible with a property-rights-based approach.12

The EU’s proposal includes three elements in particular that lend themselves to a property-based conception: consumers are granted clear entitlements to their own data; the data, even after it is transferred, carries a burden that “runs with” it and binds third parties; and consumers are protected through remedies grounded in “property rules.” In these respects, the proposed scheme is remarkably similar to existing, heretofore purely theoretical, proposals for property regimes for protecting personal data, especially the model proposed by Paul Schwartz in 2004.13 But the draft Regulation seems to be one of the first legislative proposals that would actually implement this kind of propertized personal data regime.

This Comment proceeds in two Parts. Part I outlines some theoretical proposals for propertized personal information designed to remedy the shortcomings of contemporary data protection law, exploring the features of “property” that scholars have seized on in presenting these proposals. Part II argues that these property-oriented safeguards are present in the draft Regulation, even though the Regulation is not at all framed in property terms. The Conclusion briefly explores the implications of this analysis for the broader question of whether propertizing personal data can be reconciled with treating privacy as a human right, pointing out that the draft Regulation seems to transcend this debate by adapting the rights and remedies commonly associated with property in service of a human-rights-driven approach to privacy.

I. Data Privacy and Property

Both the United States and the European Union provide some privacy protections for consumers during data collection, but neither has established a property scheme to this effect. Neither U.S. law nor EU law considers data subjects to have proprietary interests in their own personal information.14 Both instead provide consumers with some limited options to sue for damages when their privacy is compromised in the course of data processing. These “liability rule”15 protections are based in the common law of tort or contract (in the United States),16 subject-specific statutes (also in the United States),17 or omnibus privacy legislation (in Europe).18

But despite the fact that data privacy is still protected through liability rules, the corporations that process personal data increasingly treat it as a commodity. Corporations collect this information from consumers (often as a quid pro quo during the sale of goods or services), compile it, and often sell these collections to other corporations.19 Even U.S. courts have occasionally recognized data as a kind of property, but only after it has been collected by a corporation.20

In reaction to this trend, scholars, especially in the early 2000s, began exploring alternative data privacy protection schemes derived from property law and theory. Lawrence Lessig is one of the best-known proponents of creating a free market in personal data. Under Lessig’s proposal, consumers would hold the original property entitlements to their own personal information and would be able to bargain with data users to determine when it would be advantageous to forfeit their privacy by selling their data.21 Critics of this proposal highlight the dangers of allowing consumers to freely sell their private information, pointing especially to the potential information disparities in a personal data market. Under an unregulated market system, consumers could be convinced to sell their information without completely understanding the full scope of how corporations might use it, or the degree to which their privacy would be compromised by the transaction.22

In response to these concerns, scholars including Paul Schwartz, Edward Janger, and Vera Bergelson have proposed highly regulated property regimes that would carry some property-oriented rights and remedies but not others. Schwartz’s proposal is the best known—indeed, it was recently endorsed by Timothy D. Sparapani, the former Public Policy Director of Facebook23—and will be the primary focus of this Comment.

“Property” is a notoriously nebulous concept, and Schwartz (as well as other theorists of data property) has declined to adopt a cohesive definition, understanding “property as a bundle of interests rather than despotic dominion over a thing.”24 Proponents of a regulated data property regime all focus on the ways that personal information is already treated as a commodity by corporations and argue that protecting such data with a legally cognizable property entitlement, vested in data subjects and regulated in various ways, provides necessary protections that are absent in the status quo.25 Rather than arguing that the free market can do all the work of protecting privacy, as Lessig does, they instead seize on some of the other rights and remedies commonly associated with property regimes and explore how conceiving of data as property for certain purposes might in fact offer the best option for protecting consumer privacy while still enabling individuals to share their data with data users under certain circumstances. For example, Schwartz especially seizes on one of the features commonly associated with property regimes: under some property schemes, “the burden of a property right ‘runs with the asset’” in question.26 This feature allows for property rights to create burdens that bind third parties—third parties with whom I have no explicit legal relationship nonetheless have a duty to respect my property rights in an asset—in contrast to contract rights, which bind only the specific parties in privity.27 This is particularly important in the context of data privacy, because it allows a data subject to retain some rights in her data, even in transactions between data users to which the subject is not a party.

Schwartz uses this definition to argue that crafting a regime in which consumers have legally enforceable property interests in their data would “enable[] certain interests to be ‘built in’” to personal data.28 Such a regime would “allow[] individuals to share, as well as to place limitations on, the future use of their personal information” and is property-like in that data subjects’ interests “follow the personal information through downstream transfers and thus limit the potential third-party interest in it.”29 Schwartz’s model, in this respect, is predicated on the assumption that free alienability is not “an inexorable aspect of information-property.”30 Indeed, Schwartz argues that a propertized data scheme, even while treating data as a commodity for certain purposes, should place limits on a consumer’s right to fully sell her personal information on an open market.31

In practicable terms, Schwartz advocates for several requirements in a hypothetical propertized personal data scheme, two of which are most clearly tied to the unique benefits of propertization.32 First, such a scheme would clearly vest the original entitlement to personal information with the data subject. Schwartz frames this requirement as a default rule requiring consumers to “opt in” to any use of their information.33 Even after opting in, consumers would always maintain a “right of exit” from existing agreements to data processing, to “prevent[] initial bad bargains from having long-term consequences.”34 In this respect, an individual would only ever partially (and temporarily) forfeit her right to exclude others from the data, similar to a licensing scheme.35 Second, such a scheme would also give consumers rights enforceable against third parties and the burden of these rights would run with their data. Further transfers of the data would be subject to “use-transfer” restrictions: consumers could agree to initial use of their data by a private entity, but “block further transfer or use” by other entities who might gain access to the data through downstream transactions.36

Other advocates of propertizing data, including Janger and Bergelson, devote significant attention to a third feature common to property regimes: remedy. As discussed above, under current law, data privacy is generally only protected by liability rules. A defendant may be ordered to pay damages, but remedies commonly used to protect property interests, such as injunctions or punitive damages,37 are generally not available. As Janger notes, under a data property regime, a data subject’s rights would be protected by property rules, rather than liability rules. A data user may not simply “choose to violate” a data subject’s interest in her own personal information and pay appropriate damages; rather, “[p]ropertization changes the order of this interaction. Either through criminal sanction, affirmative judicial order, or prohibitively high (and/or punitive) fines, a property rule makes a non-consensual taking infeasible.”38

The next Part demonstrates that even though the draft Regulation is not presented as explicitly establishing property-like protections for personal data, these three features—default entitlements, burdens that run with the data, and property-rule-based remedies—are all present in the Regulation’s rights-and-remedies scheme. The Conclusion then explains the significance of this finding for broader debates about whether a human-rights-driven approach to privacy can be reconciled with treating personal data as property.

II. The Draft Regulation as a Property Regime

The EU draft Regulation,39 if adopted, would modify current European data protection law significantly.40 Most importantly, the legislation would establish new individual data privacy rights including a “[r]ight to be forgotten.”41 These provisions are self-consciously framed as stemming from the human right to privacy enshrined in documents like the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union.42 Viviane Reding, the Vice President of the European Commission, has explained that “[p]ersonal data protection is a fundamental right for all Europeans” and that the draft Regulation was crafted with this human-rights-oriented approach in mind.43

But despite the fact that the draft Regulation is grounded in human rights rhetoric and employs no property terminology, its protections nonetheless function remarkably like the regulated property schemes described in the last Part. While the right to be forgotten and the Regulation’s other consumer-protection rights are not themselves “property rights” enforceable against third parties, they stand for a set of interests in, and burdens placed on, consumer data that can be best understood in property terms. The remainder of this Part demonstrates how the draft Regulation creates a scheme that adopts three of the principal features of propertized personal information described by Schwartz and others: (1) default data subject entitlements that are only partially alienable; (2) burdens that run with the asset and bind third parties; and (3) property-rule-based remedies.

A. Data Subjects Maintain Default Entitlements to Their Own Personal Information that Are Only Partially Alienable

The various requirements imposed on data users by the draft Regulation are all predicated on the notion that the data subject maintains the default entitlement to her personal information. Article 6 outlines a limited set of circumstances in which the collection and processing of data is lawful, the clearest of which is explicit “consent” by the data subject. Under this framework, a data subject must explicitly opt in to granting a data user access to her information in order for future processing to be lawful.44

Article 6 also lists specific (though seemingly rare) circumstances where no explicit consent has been proffered but the data user has some obligation that necessitates the data processing. For example, if “processing is necessary for the performance of a contract to which the data subject is party,” it is lawful even without the explicit consent of the data subject.45 However, even in these special situations where the data subject has not explicitly consented to processing, she must still be explicitly informed that her data has been collected and that she maintains the prerogative to end any data processing by requesting that her data be erased from the databases in which it is currently being held.46

The data subject may exercise a right of exit—namely, her “right to erasure” (or “right to be forgotten”)—at any time, with restrictions based on the original grounds under which the data was collected. For example, if the data processing was originally lawful only because the data subject had expressly consented—the most likely scenario—the data subject may withdraw that consent and demand erasure at any time.47 But if the processing was based on one of the circumstances in which explicit consent is not necessary (for example, the “processing is necessary for the performance of a task carried out in the public interest”48), the data subject may still object to the processing.49 Unless the data user can demonstrate “compelling legitimate grounds for the processing,” the data user must also erase this data.50

In this respect, the draft Regulation is predicated on the assumption that although data is a kind of commodity capable of changing hands, the data subject always retains the ultimate entitlement to this property. A data user may essentially receive a “license” to use the subject’s data,51 since the data subject has temporarily waived her right to exclude it from using her information. But the data subject maintains the discretion to terminate this license and force the data user to cease storing or using her information.

The draft Regulation arguably goes a step beyond most real and intellectual property schemes in that it establishes that individuals always maintain the ultimate entitlement to their own personal data and may not forfeit their rights through contract. Like in Schwartz’s proposed model, individuals may never completely sell or forfeit their right to block use of their personal information.52 In this respect, the draft Regulation’s scheme is similar to a more unusual area of intellectual property: the moral rights of artists, which grant an artist a proprietary interest in his own work, even after it has been sold, that prevents others from altering or destroying the work.53 In France, an artist may never contract away this right.54

B. Data Subjects’ Rights Create Burdens that “Run with” the Data

The draft Regulation establishes that the data subject’s proprietary interest in her own data—her original entitlement to that information and right to reclaim it from the control of others—creates a burden that runs with the data and binds third parties. In other words, the data subject maintains a right to demand that her data be erased, not only by the original data user with whom she dealt, but also from the databases of any other entities that may have gained access to the data. The draft Regulation states that any data user must “take all reasonable steps . . . to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data.”55 These third-party data users would be bound to respect the data subject’s exercise of her right to be forgotten or risk incurring sanctions under the Regulation.

This requirement is one of the most property-like features of the new regime in that it creates a burden that “runs with” the data subject’s information. Rather than conceiving of privacy protection as purely in personam, the draft Regulation instead grounds these rights in the data itself. Like in Schwartz’s model, then, the data subject’s interest is “built in” to the data,56 functioning like a kind of negative covenant.57 Any data users that gain access to the data subject’s information, irrespective of whether they are in privity with the data subject, must still respect what Schwartz might call the “use-transferability” restrictions58 built into the data that give the original data user the discretion to terminate processing.

C. Data Subjects Can Seek Property-Rule-Based Remedies

The remedy system established by the draft Regulation also mirrors the scheme often used to protect property interests. As discussed in Part I, an interest is protected by a “property rule” if it is protected from an unwanted taking by another party, under the assumption that property can only legitimately change hands based on the true consent of the original owner.59 Courts and legislatures often (though not always) protect such interests using remedies designed to restore the true owner’s entitlement (injunctions)60 or to deter parties from violating the entitlement to begin with (fines or punitive damages).61

The draft Regulation provides several avenues for a data subject to enjoin a data user to erase her data, in essence enforcing the data subject’s entitlement by “returning” the information to her exclusive ownership. Individuals may “lodge a complaint” against data users through their local “supervisory authority”—the regulatory bodies charged with enforcing compliance with the Regulation62—which have the power “to order the rectification, erasure or destruction” of data.63 Additionally, a data subject may bring a direct action against a data user in local courts, which are also empowered to enforce the provisions of the Regulation using injunctions.64 Finally, a data user that “intentionally or negligently” fails to respond to a data subject’s attempt to exercise her right to be forgotten may be subject to extremely high fines: “500,000 [euro], or in case of an enterprise up to 1% of its annual worldwide turnover.”65

Conclusion

Though the EU’s draft Regulation is framed as stemming from the human right to privacy enshrined in European public law,66 this Comment has argued that it also, implicitly, treats personal data as a commodity capable of changing hands. While the Regulation forbids free marketization of data, it nonetheless uses property-derived rights and remedies—similar to those identified by Paul Schwartz and other scholars—to protect personal privacy in the course of data processing. By creating default data subject entitlements to data, a quasi-licensing scheme for data users who seek to use this data, use-transfer restrictions that “run with” the data, and property-rule-based remedies, the draft Regulation would dramatically overhaul the current system of primarily liability-oriented protections.

The fact that a regime might utilize some property-derived rights and remedies in service of human-rights goals may seem incongruous, considering that we often treat propertization as anathema to human-rights interests.67 But the draft Regulation model demonstrates that a regulated property regime—in which some but not all of the property-rights “sticks” are granted to consumers—might, in fact, be able to accommodate the same normative impulse that drives some to conceive of data privacy as a fundamental human right: the notion that uninhibited exchanges of personal data corrode human dignity and personhood.68 The draft Regulation is predicated on the assumption that we live in a world in which personal data has been and will be treated like a commodity and simply banning exchanges of personal data is not a viable option; instead, regulating these exchanges and providing consumers with additional agency, using property-derived rights and remedies,69 offers the best hope of protecting the dignitary, human-rights-driven privacy interests at stake.70 This reflects the assumption that “property is an artifact, a human creation that can be, and has been, modified in accordance with human needs and values”71 that also underlies the propertized data model proposed by Schwartz.

In this respect, the European Commission’s apparent willingness to implicitly use property-derived rights and remedies in the service of data privacy protection demonstrates that, notwithstanding claims that this approach has “passed its peak,”72 the prospect of crafting a regulated property regime to protect data privacy still has the potential to inform other data privacy law reform efforts in years to come.

Jacob M. Victor*