Who Owns our Data

c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 5 e7 9 Available online at www.sciencedirect.com ScienceDirect www.compseconline.com/publications/prodclaw.htm Comment Who owns our data? Christopher Rees* Taylor Wessing LLP, London, UK abstract Keywords: The layman’s answer to the question posted in the title to this paper lies in the question Big data itself. The common understanding of people when they talk about information about Cloud computing themselves is that it is indeed “theirs”. Until relatively recently, the law has been content to Obligation of confidence remain agnostic on the subject. The Common Law in general and English Courts in Information as property particular have traditionally avoided philosophical debates about the nature of things, In rem rights preferring to develop concepts and principles from the results of cases decided on specific In personam rights facts and circumstances. This approach has been acceptable while we have been winding our way gently up the foothills of the Information Age, but now that we see the towering peak of Big Data standing before us, covered by the ubiquitous Cloud, it is necessary to make a critical examination of some of the basic assumptions which we have hitherto carried with us about the way in which the law should treat rights over personal information. This paper will argue that the correct approach which the law should adopt is a proprietary one. That is to say that the protection of the economic value inherent in personal information should be grounded in property rights acknowledged by the law. ª 2014 Christopher Rees. Published by Elsevier Ltd. All rights reserved. 1. Why is there a need for a change of approach? The World Economic Forum report of 2011 described information as the “new oil”. By this it meant to demonstrate how the vital raw material for the digital economy is information itself. Consider how revolutionary this notion really is, and you will see why it requires an equally revolutionary adaptation by the law to cope with it. When the principal asset class of value was land, the law developed many and various ways of increasing complexity and subtlety to allow the economic exploitation of this asset class. The law of real estate, the law of trusts and rules of equity all bear witness to these developments. With the arrival of the industrial age, land itself became less the means of wealth creation and the focus turned to the moveable property and manufactured goods which were produced by the process of industrialisation. This gave rise to the law of personal property, of banking and finance and to the ancillary disciplines of shipping law which dealt with the movement of these goods, and of intellectual property law which covered the industrial application of ideas. By common agreement, we are now in an entirely new economic phase, which we call the Information Age, and it is information itself which is powering the engines of this particular outpouring of human creativity. The law must therefore wrestle with the problems which are thrown up by the new economic order and seek to find the right way of providing checks and balances and economic redress for wrongs for participants in this new economy. The law has until now focused on the protection that should be afforded to one particular class of information, so * Taylor Wessing LLP, 5 New Street Square, London EC4 3TW, UK. E-mail address: [email protected]. 0267-3649/$ e see front matter ª 2014 Christopher Rees. Published by Elsevier Ltd. All rights reserved. https://dx.doi.org/10.1016/j.clsr.2013.12.004 76 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 5 e7 9 called “confidential” information. A significant body of case law has been developed by the Courts over the years, from which we know that if information is: (a) possessed of the necessary quality of confidence; (b) imparted in circumstances imparting an obligation of confidence; (c) used in an unauthorised way to the detriment of the confider, then the Court will grant remedies ranging from injunctions to damages to prevent misuse of the information concerned. (See Coco v A.N. Clark [1969] RPC 41, and many subsequent cases where this formulation has been accepted and further developed.) Lawyers have debated for many years whether it was appropriate to classify “confidential information” as a species of property without reaching a firm conclusion one way or the other. The most recent ruling by an English court on the subject was given by Lord Neuberger, the Master of the Rolls, and is typical of the reluctance of the judges to give a definitive view on the subject: “while the prevailing current view is that confidential information is not strictly property, it is not inappropriate to include it as an aspect of intellectual property”. (Coogan v News Group Newspapers [2012] EWCA Civ48.) As the observant reader will note, the hedges in that sentence seem to be designed so as to allow the rider of a sufficiently spirited horse to be able to surmount them in a future case. Be that as it may, the information that applies to each of us as individual citizens and economic actors will not ordinarily satisfy the three criteria set out above so a consideration of how the law treats confidential information should not be determinative in deciding how the law should treat the much wider class of information into which our “personal information” falls. In this connection it is helpful to draw a distinction between what we may call a mere fact and “information” properly so called. That my name is Christopher Rees is a mere fact. A specific address is a mere fact. If my name is connected with a specific address the sum of the two mere facts becomes information. The reason for this distinction is that addressability is a valuable economic asset. Once you can be addressed, whether by phone, by mail or online you are of value to the market. Without more, this information would not usually be of much moment or commercial value. (Although if my name were William Gates III then the information would already be more valuable.) If a further “mere fact” were to be added to this information, for example that my household insurance policy was about to expire then it can easily be seen how the personal information concerned would be of great interest to insurance companies anxious to expand their business. So at a certain point, usually by the third step in this accumulation of “mere facts” a commercially valuable nugget of “personal information” has been assembled. The question is why should the law not protect this nugget of information in the same way that it protects a nugget of gold? The answer is that the law does indeed offer protection, but up to now it has sought to provide that protection and redress by treating personal information as an aspect of human dignity and autonomy. It has been protected in this way in various codes around the world, most notably in the data protection laws in Europe which are based on Article 8 of the European Convention on Human Rights. This Article grants to citizens the right to protection of their private life, their home and correspondence. From that premise, the Data Protection Directive has established a formidable set of rights and obligations which surround the processing of personal information. This paper does not seek to belittle the considerable achievements of this body of law and practice over the past 30 years. It has served well to raise the awareness of the importance of respect for personal information amongst both individuals themselves and the industry which carries out much of the processing of it. Nonetheless, it is an observable fact that the data protection approach is fatally flawed. It is flawed because by focussing on the “human rights” aspect of the issue it has ignored entirely the economic value in personal information. As a corpus of law Data Protection or Data Privacy as it is variously known is hopelessly wordy, prescriptive and out of touch with reality. It is also, as Hamlet put it, more honoured in the breach than the observance. It is estimated for example that if each of us were to take the trouble to read the Privacy Policies on the websites which we use in the course of each year, then we would need to allocate five working weeks to do so. One survey in America by McDonald & Cramor in 2008 put the annual costs of perusing the privacy policies of US internet sites at the sum of $781bn. That they settled on the figure of 781 rather than 780 billion is presumably intended to show a degree of scientific exactitude to their number, but even if a large dose of salts is allowed in the assessment of the value of such estimates, the basic proposition that the law is being inefficient in its attempt to regulate the use of personal information is unarguable. 2. Can personal information be treated as property? To answer this question, we first have to understand what the law means by property. The English jurist Austen defined property as the right to use something and the power to exclude others from its use. If you consider personal information about yourself, you will see that it fits within that definition. As torturers through the ages have learnt to their cost, if you want to keep a matter about yourself secret, no power on earth can make you yield it up. In economic terms, property can be said to be the sum of things which have money value. In law, things can be either tangible, that is to say they have objective form, or intangible, that is a mere right enforceable by action in a court of law. So where is the intangible right in personal information? Under English law, it is found in Section 13 of the Data Protection Act 1998. This states that “an individual who suffers damage by reason of any contravention of any of the requirements of this Act [the Act regulates the use of personal information] is entitled to compensation from a Data Controller [the person who is using the information] for that damage.” Thus, the law already acknowledges a property right in personal information. It may be objected that the courts have decided that the categories of property are restricted and therefore it will not be open to them to admit a new category of personal information to the class of things which are recognised as property. c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 5 e7 9 This is the so called “numerus clausus” doctrine (that the number of property rights is closed). However, a correct understanding of the numerus clausus doctrine shows that the courts are open to the introduction of new categories of property. The categories of property might more correctly be said to be restricted but not closed. Lord Wilberforce in his leading judgment in National Provincial Bank v Ainsworth [1965] AC 1248 put the matter thus: before a right or an interest can be admitted into the category of property, it must be (i) definable, (ii) identifiable by third parties and (iii) have some degree of permanence or stability. Personal information consisting of my name and address satisfies all of these three requirements, so we can conclude that personal information is indeed already treated as Property under English law. 3. What sort of property is personal information? Here we must recognise that we are limited in our understanding of the nature of what we are seeking to define by the fact that we are at such an early stage in the development of the law of information. What follows is therefore somewhat tendentious and is intended more to provoke thought and debate than to be prescriptive of the true nature that this new property right might over time come to bear. In the first place, I would propose two distinct “flavours” for this property. I choose this term by analogy with the way in which nuclear physicists talk about the different flavours of sub-atomic particles. Depending on their state, those particles may exhibit one or other of their inherent flavours. The two flavours of the property right in personal information that I suggest are in rem and in personam. I choose these terms deliberately for their resonance with Roman law so that this analysis may appeal as much to Civilian Lawyers as Common Lawyers. The intention is to draw a distinction between the rights which are exercisable in personal information against the whole world (the in rem flavour) and the more limited rights which will exist in the in personam flavour. 3.1. The in personam flavour The in personam flavour has the appeal and advantage of being inherently democratic. Everybody has an in personam right in their own personal information. Depending on how active you are as an economic and social citizen, the more or less in personam rights you will have in personal information. It also has the peculiar quality of being inexhaustible. In personam rights to your own personal information can be reused without limit. You can take the same information from one bank to another, from one supplier to another as you wish throughout life. Furthermore, the value of your in personam right increases in direct relation to your net worth. The more other assets you collect through life, the more valuable the information about you becomes to a potential third party supplier of goods and services to you. 77 We then come to two aspects of the in personam right which might be objected to militate against treatment as property in the conventional sense. The first is that the right ends on death. The simple explanation for this is that personal information under the Data Protection Act is defined to cover living individuals. Furthermore, by its nature, personal information in its in personam flavour cannot be acquired. However, there are other existing property rights, such as a joint tenancy in land, which also expire on death and there are rights analogous to property rights, such as the moral right in copyright, which cannot be acquired by anyone other than the original author of the copyright work. Personal information can, like all other property rights, be partitioned and segmented as the owner sees fit. It will, importantly, also be subject to government and regulatory derogation. There are requirements which apply to all citizens to volunteer some of their personal information to the State for the purposes of voting in elections, paying taxes receiving medical care and so on. There is also an overriding need in a functioning democracy subject to the rule of law to allow a free press to use personal information about individuals for the purposes of reporting on daily events. All of these issues will have to be taken into account in prescribing the ambit of the property right in personal information, but it is submitted that none of them represents an impossible objection to the subsistence of the right itself. 3.2. The in rem flavour This flavour of the property right in personal information is intended to show how those who invest in the collection and aggregation of personal information of others should be protected in their activities and how a property regime can assist the achievement of this objective. The in rem flavour can be used by such a processor of information subject to the limits imposed by the in personam rightholder. This means that the relationship between a user of personal information and the individual about whom that information relates becomes much more like that of a trustee and a beneficiary. The trustee can only do that which is in the interests of the beneficiary (the in personam rightholder) and must make an account to the beneficiary of the profit earned by the use of the information. I realise that this appears to turn the economics of the current internet on its head. At the moment services are generally said to be provided “free of charge” in return for the unbridled use of the participants’ personal information. However, that model is exploitation of the many by the very few, and over time such models cannot endure. It will therefore be a matter of enlightened self interest for the great Internet companies to embrace the property model as being a fairer and more sustainable one for the long term. For present purposes, it is not necessary to move into detail as to what the correct allocation in monetary terms of the profit derived from use of the personal information as between the trustee and the beneficiary in this case should be. That, is something which will be worked out by market forces over the coming years. Whereas in classic trust law, the trustee is not entitled to benefit in any way from his trust, it is easy to see that there will be an economic rationale for the in rem right holder as the processor of information to be charged by the in personam rightholder only a small amount of the profit from the 78 c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 5 e7 9 information use. This may come to resemble the dividend or loyalty bonus scheme of the type which a number of farsighted suppliers already use. The difference would be that the dividend would be earned as of right rather than condescension, and that will fundamentally redraw the economics of the transaction. That the in personam property owner is entitled to some recompense for the use of his property is the basis of the argument in this paper. The in rem flavour cannot be transferred or assigned without the consent of the in personam rightholder. This follows from the ownership right of the in personam party. It makes otiose the argument about whether the consent necessary for personal information to be passed on to third parties should be based on an opt-in or an opt-out system. If the matter is put in terms of property law, it goes without saying that no-one can pass on your property to a third party without your express consent beforehand to do so. It also follows from the comments made above about the lifetime nature of the in personam right that the restrictions on the in rem right will fall away upon the death of the in personam rightholder. Whether this position continues in the future will be one of the moot points of this area of jurisprudence as it further develops. There are already lawsuits on foot in the US which seek to allow the transfer of what are known as “digital archives” from one generation to another. It is possible to see how this might be extended to personal information rights so we should not exclude this development in due course. For data aggregators and industrial users of personal information in the new economy the good news under this proposed scheme of property ownership would be that once personal information is effectively annonymised (the emphasis being on effectively), the resulting data may be used as the in rem rightholder chooses. In other words, once the information cannot be traced back to the original individual who has contributed it, then it loses its quality of personal information and becomes an unencumbered asset of the processor. 4. How do the two flavours of personal information property right inter-relate? Some inter-relations seem to flow from the above analysis. The in personam right will always, during the lifetime of the in personam rightholder, trump the in rem right. The in rem rightholder holds the personal information as a fiduciary on trust for the in personam owner. He will therefore be accountable for any breach of that trust. An in rem right can be acquired by an aggregator or user of personal information who expends money and effort to acquire and process the personal information about individuals. Third party acquirers of personal information from the in rem rightholder will take subject to the trust under which the in rem rightholder holds the information and will also be accountable to the in personam rightholder during his lifetime. It is possible to see how the use of symbols attached to personal information might helpfully allow third parties to discriminate between the two flavours of the property. By analogy with copyright, a small symbol attached to personal information could denote the assertion of the in rem right in respect of it. In the hands of the search engine or social media site the same information, once volunteered to it, could bear an symbol. Metadata could be used to link the two pieces of information within the in rem rightholder’s systems so as to allow an account to be made to the in personam owner in due course. Objections from the internet industry to the expense and technical impracticability of such an approach are to be expected, but should be met with scepticism. The industrialists who constructed the first factories could not, in general, see why they should spend their profits in protecting the safety of the people who willingly came to work in them. In the same way, the safety and fairness of the ground rules of the use of personal information will have to be developed in our time, often in the face of opposition from those who started in the business when it was much less regulated. 5. How would recent Court decisions have benefitted from the above approach? That this controversy over how to treat information is “of the moment” can be gauged by the number of recent court cases in which has arisen. Let us consider how the above analysis might have proved helpful in allowing Mr Justice EdwardsStuart to reach a more satisfactory verdict in the recent English case of Fairstar v Adkins [2012] EWHC 2952. (The judge himself admitted that he did not view the result he arrived at “with any enthusiasm”. The Court of Appeal showed even less enthusiasm: they unanimously overturned it.) The case concerned the ownership of emails, and whether there could be said to a property right in the content of them. In the course of his review of the authorities the learned Judge chose not to rely on the dicta of the majority of both the Court of Appeal and the House of Lords in Boardman v Phipps [1967] 2AC 46 on the basis that none of those dicta formed part of the ratio of that decision. That, it is respectfully submitted, was a pity as Lord Hodson put it well when he said in Boardman: “each case must depend on its own facts and I dissent from the view that information is of its nature something which is not properly to be described as property” [emphasis added]. Even so, in his judgment Edwards-Stuart J listed a number of possible options which might apply in relation to the ownership of the content of any particular email. Of the 5 options he listed, two are of particular interest in the context of this paper: (1) that title to the content remains throughout with the creator (or his principal);. (3) as for (1) but that the recipient of the email has a licence to use the content for any legitimate purpose consistent with the circumstances in which it was sent;.. It will be seen that option (1) above is the in personam right and (3) above is the in rem right. The judge considered that if the information were not confidential then there would be few circumstances in which a person would need or want to restrain another’s use of it. Per contra, a little thought about personal information relating to ourselves would show that there are many circumstances where we would wish to restrain another’s use of it. Or perhaps you are one of the c o m p u t e r l a w & s e c u r i t y r e v i e w 3 0 ( 2 0 1 4 ) 7 5 e7 9 happy few who receive cold calls and spam with equanimity? On the basis of his false premise the Judge concluded that there were “no compelling practical reasons that support the existence of a proprietary right”. As we have seen, the Judge admitted that the result was not one which he viewed with any enthusiasm: he felt that there was a gap that the law should have been able to fill, but did not feel able (in the light of the view he had taken about the authorities cited to him) or obliged (in view of his perception that the issue was not of practical significance) to fill that gap with a ground-breaking judgment. In the Court of Appeal judgment on Fairstar handed down in July this year ([2013] EWCA Civ886) Lord Justice Mummery and his colleagues decided that there were sufficient grounds based on the law of agency to reverse Mr Edwards-Stuart’s decision and grant Fairstar the access to the emails which it was seeking. He saw the “proprietary right” in information argument as a distraction as “no competing claims of third parties are involved”. With respect, the learned Lord Justice cannot know this to be the case: under Data Protection Law the individuals named in the emails have rights that they may wish to assert in relation to the use of those emails. This goes as much to criticise the breadth and nature of Data Protection Law as to underline the fact that what Fairstar was asserting (that its agent should hand over property held on Fairstar’s behalf) was both economically sensible and intrinsically fair. That is why Mummery LJ. made clear his determination to give Fairstar their remedy. However, in declining to use the Proprietary model advocated in this paper the Court of Appeal has left itself open to the possibility of a successful appeal, or at least subsequent questioning of its reasoning. The learned Lord Justice went on to state that “the claim to property in intangible information presents obvious definitional difficulties having regard to the criteria of certainty, exclusivity, control and assignability that normally characterise property rights and distinguish them from personal rights. In my judgment the court should decline to enter into a controversy of that kind when it is not necessary to do so in order to decide the case on its particular facts. It would be unwise, for example, for this court to endorse the proposition that there can never be property in information without knowing more about the nature of the information in dispute and the circumstances in which a property right was being asserted”. This brings us back to the point made earlier that the English courts through their inbuilt caution and pragmatism are content to sit on the fence of this debate for the time being, but do not rule out the possibility of change in the future. The contention of this paper is that, sooner or later, and possibly much sooner than might be thought likely, a judge in similar circumstances will take the opportunity to lay down 79 some ground rules for what might be loosely termed this new Law of Information. In the same way that Lord Atkin did, with such clarity and resonance in the landmark case for the law of negligence in Donoghue v Stevenson [1932] AC 563 it will then be seen that what has been creeping up, almost unnoticed, through the undergrowth has emerged into the bright and ever accommodating light of the Common Law is a fully articulated brand new branch of Property, called Personal Information. 6. The consequences of this new paradigm If the property model for Personal Information were to be adopted then far from becoming redundant, data protection laws will assume even greater relevance than hitherto. The reason for this is that search engines, data aggregators and social media sites who up to now have assumed that they own the data which they are harvesting will recognise that they have a vested interest in making sure that they following best practice in the way in which they acquire and use the information about individuals. What it will mean is that those data protection laws will not need to be so detailed and bureaucratic in their approach. Nor will one have vainly to try to rationalise the competing regimes for data protection which have grown up in the U.S, Europe and Asia. Property is a concept that all legal regimes recognise, so relying on the property right inherent in personal information will solve many of the current drafting problems for the legislators in this field. The property right approach will also save both industry and individuals’ money and energy. There will be no need for long winded privacy policies; there will just be a shared understanding of the trust based nature of the relationship between the in personam rightholder and the in rem collector of information. In this way, there will be created a healthier balance of risk and obligation as between owners of personal information and those whom they allow to process it on their behalf. The ownership paradigm will encourage the use of privacy enhancing technologies and state of the art security measures to protect data. Those who hold vast quantities of personal information will realise the risks inherent in losing the property of vast numbers of third parties and the risk of consequent class actions for damages for having done so. This will not eradicate the occurrence of security breaches, but it will encourage the use of better processes and systems for the protection of personal information, which was one of the fundamental aims of data protection law in the first place. And, the law of Information will have taken a significant step forward towards the sunlit uplands that await us in this ever fascinating Information Age.