The question of who owns the data treasure we have created, who is allowed to process it and why that is so, has not been answered to date. Some people think that it’s even better that way: that data ownership is Pandora’s box, the beginning of the end. Here are a few approaches to a fundamental question of the information age.
Shopping. Crossing a street. Calling your mother. Planning a trip. Even if we read an old book in our armchair at home – we generate data. Or let’s rather say: information. About our electricity consumption, our account balance, about our thoughts. From this information, as we know, large models can be compiled – for all citizens, all road users, all consumers, but also for you and me as individuals. The data we collect describe us more accurately than we ourselves could. They are literally a part of ourselves.
Therefore, the sentence “My data belong to me” meets a natural sense of justice. Who else should they belong to? Who presumes to steal them from me? But it’s not that simple. In our gbs position paper “How should IT work?” we write about it:
In order to receive benefits, comfort, bonus points or attention, we give away control over our data on a daily basis. Not everyone who has an interest in this means well with us. The following must apply: Even if we share information about ourselves, i.e. grant others rights of use for the time being, it is essentially inalienable. Laws, business conditions and technical solutions must do justice to this.
The term “rights of use” is borrowed from copyright. My copyright in a text or graphic is inalienable; I can only grant others a (possibly exclusive) right of use. Advertisers or architects are familiar with this: if the user utilizes my creation in an inappropriate way (e.g. concerning distribution or execution), I can withdraw the right of use or make additional demands if necessary. In Germany, for example, the lawsuit of the architect Gerkan against Deutsche Bahn manager Mehdorn became famous, after Mehdorn ordered disfiguring changes to his building plans.
Therefore a right of use can never be a total “buy out”; this is even excluded by copyright law.
But information is not a “work of art”?
Now, the right concerning a piece of information is not to be equated with copyright. If you conduct a traffic census on a street using a tally sheet, the anonymous road users have little right to the information collected. But when you record their number plates, that is something else. The focus on me as the subject of the information gives rise to my right to be informed and to have a say in my data – even if the author is someone else. The same applies, for example, to photos that someone takes of me.
The question also arises: do data have the necessary level of originality to establish intellectual property? This terrain has not been satisfactorily developed by law. And the tech companies, of course, promptly interpret this fact in their favour. It is also true that if I walk along a path with my mobile phone, it’s not an intellectual creation. But it is sensitively linked to my person. And that’s enough to make a recording subject to my authorization. This is where the analogy to intellectual property ends.
A link (e.g. Facebook “friends”) is also a clear case: both parties have a right to this information, similar to a photographer and his model. A use requires the authorization of both. In most cases people will automatically agree, but there are exceptions. If one is the British Queen, for example, a licence is needed to write “By Appointment To Her Majesty …”.
Data ownership – Pandora’s box?
In the German Wikipedia there is only one paragraph concerning the keyword data ownership:
According to applicable law, ownership of the data itself (unlike, for example, the data carrier on which they are stored) is not possible, since ownership in the civil-law sense (§ 903 BGB) can only exist in principle for objects, i.e. physical objects (§ 90 BGB). In many cases, however, the concept of property (including, but not limited to, digital data) is equated with the right of access and disposal.
Note: The latter would not be property or ownership, but possession.
The European Charter of Fundamental Rights contradicts this when it simply says in Art. 17 (2): “Intellectual property shall be protected”. Whoever recognises patents and copyrights as inheritable property would logically also have to recognise data as intangible property.
In the English Wikipedia, quite significantly, the term “data ownership” includes the retention of title of the “creator”:
Data ownership refers to the rights of the creator of data as opposed to the subject of the data.
And it is this quasi-expropriating view that makes the term data ownership seem so dangerous to many. “We built the device / control the interface, so we own the data.” Now, whoever built James Joyce’s typewriter does not have the copyright to Ulysses. But that’s exactly what car manufacturers demand when they secure their access and rights to mobility data. In Germany, they do so even with the backing of the Ministry of Transport.
In defence of such a de facto surprise, the Federation of German Consumer Organisations, for example, has proclaimed that there is simply no need to clarify the issue of data ownership beyond the question of data protection. But this also means recognising the power of the factual and legitimising whoever has his hands on the data as their owner. GDPR applied or not – a part of my digital self would be a freely tradable commodity – except for me.
What does that mean in concrete terms?
So I buy a car and the included software wants to call home all the time. According to our theory, the car company must not use the data without further permission. Of course they have to sign a contract with me. They will probably get my consent if they can convince me that they will take care of anonymizing my data. My trust increases their market value.
In practice, therefore, credibility is also at stake. Companies rightly fear that trust in their data protection will become a powerful factor in the customer relationship beyond the purchase. The Cluetrain Manifesto predicted it in 1999: “Markets are conversations”. Whether I really have a fair choice depends on the market position of the provider, in interaction with consumer expectations. The former has to be examined by the antitrust authorities, the latter we have to develop ourselves.
This brings us to the right of withdrawal: must Toyota, BMW, Facebook or Google delete the information collected about me if I change my mind and withdraw my right of use? Of course – as long as the information can be attributed to me, they must give me the opportunity to do so. This is exactly what the GDPR regulates (consent, transparency, right to be forgotten). A generally valid standard for which arbitrary uses of data must be regarded as immoral does not yet exist. In case of doubt, courts must clarify this.
If it’s mine, I can sell it?
Having accepted the concept of “information about me is an inalienable part of my person”, the question of monetization still arises. If data is the new oil, isn’t it the obvious idea to get paid for it as the source of the data? Let’s say not as an unconditional, but as a data-related basic income. (More about a data tax some other time.)
For all the charm of this idea, I personally don’t believe that such payment for data is suitable for a real participation of society in the added value of the tech companies. If the power is distributed accordingly … who knows. But the added value of the apps on offer already seems enough to motivate us. Rather than oil, data is comparable to water, which we drink and excrete and which passes into our blood, precious and available at the same time, and inseparably linked to us. I rather think that those who use data cleverly will continue to make a good living from it in the future – not those who want/have to disclose it, or who cause it en passant.
But we can expect fair consideration, transparency, accountability and privacy by design, can’t we?
Unfortunately not at the moment. Because many companies that claim to share these values show little interest in keeping their promises. At least as long as they are not forced to do so with thumbscrews and glowing irons. Why should they? Car manufacturers today are saving on urgently needed cryptochips worth one euro. Health apps are so ridiculously easy to hack that you should keep your hands off them, however useful they may be.
Fairness would also mean that social media companies would have to give up their monopolies by opening up their interfaces. Only in this way could alternative providers establish themselves and one would really have a choice to say “no”. And they never do so voluntarily. This is where antitrust law and the judiciary are called upon to act: Do your damn job!
The moaning about the GDPR and the questions of implementation
Now I immediately hear the objections as to how all this could be practically accomplished: that the “exaggerated data protection” is an obstacle for the economy, that we cannot keep up internationally, etc. – You must be kidding me.
Honestly, there are massive interests involved. The acquisition of, let’s say: mobility data from cars is a huge business. If you want something from your customers, you just have to be familiar with the matter. And there are concepts. There is anonymization of Big Data. There are pseudonymous identities. There is data economy, blockchain and encryption.
And there is the interesting concept of not handing over data at all, but keeping it available on a personal server for (contractually regulated) processing. If I pull the plug, that was it. This sounds complicated. But such a physical self-security is exactly the user’s reaction we have to expect when credibility, transparency and self-determination are lost. Once this concept has matured, it could become the starting point for a complete parallel economy in the event of a crisis.
To describe a “European solo attempt” such as the GDPR as a competitive disadvantage is likely to go down in history as a particularly stupid mistake. The EU has thus set a standard for at least 500 million people, which is being respected worldwide and can no longer be ignored.
Lobbyist smokescreens like a misunderstood “data sovereignty” try to deceive us. As if we were always well informed and free to decide to whom we will sell our data, never to be seen again. Quite often the consumer won’t even know what his device is telling about him. No one could possibly read through all the terms and conditions that he accepts with a single click. He can demand both understandable clarification and the possibility of ending, at a single stroke, a haunting that has gone out of control.
Finally, allow me a brief forecast:
China will impress us with its rigid policy of incapacitation. But we will see a future worth living in Europe if we are consistent and committed to self-determination. The USA still has to decide. I do not see an interim solution that manages without full respect for our digital personas. And as a clear legal expression of informational self-determination, inalienable ownership of personal data could turn out to be very valuable.