In the first part of this blog series, we answered the question to what extent there is a property right in data. The short answer is that in a property law sense, there can be no property right in data. However, this does not mean that the consequences of a property right, such as an action for release or destruction, are completely absent.
The previous blog discussed what contractual possibilities there are to exercise a 'semi-proprietary right' over data. In this blog, we discuss the possibilities offered by the European General Data Protection Regulation (AVG) for acts related to ownership.
First of all, it is important to note that data can of course consist of all kinds of different types of data (in digital form). The regulation of the AVG is limited to data, consisting of personal data. Briefly, data is considered personal data if it is information about an 'identified or identifiable natural person'. Think of a name, location data or a combination of personal characteristics.
Thus, the rights similar to property rights under the AVG only apply to personal data.
The AVG offers the possibility to ask the organisation processing one's personal data to delete, limit, modify, give access or a copy and transfer that data.
Reserved to natural person
Thus, based on the AVG, you can exercise some control over your personal data and how it is used. Incidentally, these rights are reserved to the person whose data is involved. In other words; companies and public institutions cannot, in principle, invoke these rights under the AVG.
However, it is possible for companies or organisations to bring a claim under the AVG on behalf of (a group of) natural persons. For example, consider a collective data deletion request.
Controller - processor
Be aware that this is a different situation from the circumstance where a company or organisation, as a data controller, requests (for example) destruction of personal data from the processor. It follows from the legal relationship between the controller and the processor that the processor only processes personal data 'on behalf of' the controller. For this reason, the processor is bound by the controller's instructions (which are also often contractually defined). The controller can then request the processor to destroy or transfer, for example. Incidentally, this right of the controller may well be limited by legal retention obligations in other regulations. Think, for example, of tax retention obligations.
With the AVG giving individuals a form of control over their data, one might wonder whether personal data should not 'just' fall under the private law ownership regime. The 'expert meeting Control, ownership and personal data' considered this question in 2021. The conclusions drawn were shared by the state secretary with the House of Representatives in 2022. In summary, the conclusions of this expert group boil down to the following:
The legal concept of property is not suitable to apply to personal data. One example is that a property right and resulting power of disposal can be transferred. The expert group states that:
"It [is]inconceivable and undesirable that a data subject could transfer control of his or her personal data to another person and would therefore then have no say over his or her data."
As a second reason, the expert group indicates that certain data - depending on the context and meaning - may be personal data in some cases, but not in others. This may - according to the expert group - depend on changes in technology or processing purposes. "Personal data as an object of rights are not stable enough to be an object of property rights."
The expert group does not provide a concrete example of such 'fluctuating (personal) data', but one might think here of a license plate number or customer number. These are data that lead to an 'identified or identifiable natural person' if additional data are available (also called an 'indirect personal data'). However, these data will not count as (direct) personal data for everyone.
The AVG provides a number of rights for natural persons whose data is concerned that are substantively covered by property law. These rights cannot be exercised by companies or organisations unless they bring a claim on behalf of the natural person.
Legally, however, personal data (as well as other digital data) are not property rights. As a controller of certain personal data, you do have options against the processor of that personal data, for example, to claim it or to destroy it (or have it destroyed). However, these rights arise from the legal relationship between parties, not from property law.
Our specialists at Team Commercial Contracting will of course be happy to help you with issues relating to personal data and privacy regulations.