When a company, a social network or a public organization says: “we protect your personal data”, what does the word “your” really mean?
Is my personal data mine in the sense that I own it like any other object, or does it belong to me as an inseparable element of my personality?
This contemporary debate, born out of the extremely flourishing economic model based on personal data of the digital giants known as Big Tech or sometimes as GAFAM (Google, Apple, Facebook, Amazon and Microsoft), confronts two approaches: the proprietary and the non-proprietary. We distinguish here between having and being: data seen as an asset and data seen as an attribute of the personality. Here are a few arguments for each side, far from summarizing the entire debate on the proprietization of personal data.
The first position that can be adopted is that of considering personal data as an appropriable asset, i.e., one to which a right of ownership can be attached. Theoretical and practical arguments support this approach, as well as others that contradict it.
The genesis of the proprietary approach to personal data is to be found in practice and in particular in the economic model of the digital era based on the valuation and monetization of personal data. This approach consists in saying that if, in fact, our data are collected, processed and resold in a massive way, the only way for the person concerned by this data to regain control over them and, by the same token, to be able to take part in the chain of value that they generate, is to establish a right of ownership over the said data.
It is true that ownership seems to be the main way in which one imagines a monopoly on a thing and can be able to control its slightest uses. It has been defined since 1804 with the creation of the French Civil Code as “the right to enjoy and dispose of things in the most absolute manner, provided that one does not make a use of them that is prohibited by laws or by regulations” (Art. 544).
The owner is recognized as having three prerogatives: usus, fructus and abusus. Usus allows the use or non-use of the thing in any way. Fructus confers the right to enjoy the thing, that is to say, to reap the fruits it produces or the income it generates. Abusus, on the other hand, provides authorization to proceed to all acts of disposition on the thing: to transform it, to sell it, to consume it, etc., until it is destroyed. Thus, recognizing a right of ownership to the person concerned over their personal data would give their control over what they wants to do with it and, above all, the possibility of recovering part of the value created by its use. The personal data of individuals is currently monetized for the sole benefit of platforms, advertisers, data brokers and other actors involved in the value chain, with the exception of the person about whom it relates and from whom it originates.
The advocates of the proprietary thesis support their argument by explaining that contractualization could allow the use of personal data by individuals in a way that is controlled by them, since they would agree with the platforms on the authorized uses and the remuneration that would be due to them in return for providing their personal data. Alternatively, data subjects could choose to pay a fee to enjoy the services offered by the platforms without the collection and resale of their data.
They also argue that the tools to achieve such a proprietary model already exist. First of all, blockchain technology would ensure the security of transactions and would allow the management of smart contracts, adapted to the automation of these transactions and payments, which would take place in the form of micro-payments thanks to cryptocurrencies, given the small sums that would generate the return of value to the individual in each transaction. From a legal perspective, they also analyze the right to data portability provided by Article 20 of the General Data Protection Regulation (GDPR) as a favorable tool. It allows the data subject to retrieve the personal data they have provided to one controller and transfer it to a new one, or to have this transfer made directly between the two controllers when technically possible. It would therefore be a real right, which relates directly to a thing, and not a personal one, which would give the illusion of ownership as the person can take back and transmit his data.
Of course, every thesis has arguments for and against.
The first argument against the idea of recognizing a right of ownership over personal data is the exact opposite of what we have seen above, since it consists in asserting that the three prerogatives of the owner are inapplicable to personal data. Indeed, if usus, the right to use the thing, would translate for the individual to the free use of their data (first name, first name, email address, postal address, etc.) to subscribe to a newsletter or to create an account on a website for example, how to imagine that this prerogative can be transmitted to another person in case of transfer of property without constituting a usurpation of identity?
As far as fructus is concerned, that is to say the right to reap the fruits produced by the property one owns, the economic model of the platforms relies on the targeting of the user’s characteristics (age, sex etc.) and preferences based on the collection and processing of their personal data in order to resell this information to advertisers so that they can personalize the pop-ups accordingly, according to our last searches on Google for example. Judging by the sales figures of the giants of the sector, the personal data market seemed to be a profitable one for the individual. However, it is the multitude, the very high number of collected data that makes the value, so if each person recovered the value represented by his own personal data, it would constitute a derisory sum, of the order of a few cents of euro per transaction.
Finally, abusus, the right to dispose of the thing, is very quickly limited because the legal disposition of the property, notably its sale, is technically feasible, but it would entail a divestiture of the individual from their data which could then be sold and resold to multiple subsequent owners, entering into a profound contradiction with the primary objective of giving back control of the data to the data subject.
In addition, the idea that contractualizing the use of personal data between platforms and data subjects could give the latter control over the fate of their data seems purely utopian. Indeed, in practice, the contract is the very model that can seal the individual in their position as a weak party. The contract between an individual and a company, and especially Big Tech, multinationals among the most powerful and richest in the world, can, in the vast majority of cases, only be a contract of adhesion, pre-drafted by the strong party and to which the weak party has only to acquiesce, or in any case, a contract in which the relationship between the parties during the negotiation phase will have been unbalanced. The immediate consequence is an imbalance of the contract itself with clauses in favor of the company to the detriment of the individual. As for the solution of paying a price to take advantage of the services currently offered for free by these platforms in exchange for a total absence of collection and resale of users’ personal data, we must ask ourselves a pragmatic question: are we ready to pay to access social networks? Is the total absence of data monetization desirable?
Finally, to counter the argument about the tools that could enable a proprietary model to be achieved in a technical way, it must be emphasized that these technologies: the blockchain, smart contracts and micro-payments have not been mastered by the general public. Building a management model for one’s personal data on them will therefore inevitably be a vector of inequalities between individuals who are experienced in the use of new technologies and those who are not, those who usually manage the growth of their assets and those who do not. The control of one’s personal data will be reserved for an elite, excluding the others from any evolution of the situation. As for the legal tool that is the right to data portability, it is more reasonable to see it as a way for the individual to choose which data controller will be able to exploit their data, all the more so as when one studies the conditions of its implementation, this right is determined in its exercise and the prerogatives it grants, which puts it in contradiction with the right to property, which, by definition, is only limited by compliance with laws and regulations.
Faced with the attitude of wanting to bring into play proprietary rights, and first and foremost the right of ownership, in order to allow the person concerned to take part in the value chain of the proprietization of his data, the non-proprietary vision stands up. The latter aims at framing this phenomenon by recognizing a right of personality in order to give priority to the protection of personal data as attributes of personality.
The second conception behind which to fall back is that of seeing personal data, this time not as property, but as an attribute of the personality. The personal dimension of data is not intended to ignore the proprietization of data that is taking place, but it calls for its supervision with the aim of preserving the fundamental interests of the person concerned. It is here that the proposed demonstration ceases to be purely impartial insofar as this conception seems to be the best adapted at the present time, as shown by the numerous arguments that come to its support.
The basis of the non-proprietary or personalist approach is the idea that personal data cannot be the subject of a property right because it is an element reflecting the personality of the individual to whom it relates. Personal data according to this conception cannot be considered as ordinary things. Indeed, it can be of interest to the person concerned in terms of their identity, their behavior, their private life (especially when it is a matter of sensitive data such as sexual orientation, political opinions, religious beliefs, etc.). This is why, it seems more judicious to the supporters of the personal conception to recognize a non-proprietary right on the data and more precisely to make the personal data enter the batch of the attributes of the personality protected by personality rights beside the name, the image, the voice, the moral right of the author..
Moreover, the legal regime attached to personality rights has already shown its adaptability to a context of proprietization while respecting the eminently personal dimension of the objects to which these rights relate. As non-proprietary rights, they are unavailable, intangible, non-transferable and imprescriptible, unlike proprietary rights such as property rights. Therefore, this right cannot be rented or sold, nor can it be renounced, even for a reward, nor can it be made tangible, nor can it be transmitted to heirs after the death of the holder, nor can it be lost because of non-use. Everyone may realize that these rights can nevertheless be contracted for exploitation and generate income in the field of music, advertising, press, cinema, theater, etc. This is due to the fact that these attributes of the personality have been externalized from the individual to be fixed on objects, material or immaterial, which can therefore be communicated and even sold. Court decisions on personality rights have been able to adapt and accommodate these patrimonial elements without calling into question the non-proprietary nature of personality rights.
Another example of personality rights whose legal regime results in a proprietization framed by limits of an non-proprietary nature is that of the moral rights of the author of a work of the mind. Indeed, the copyright is double, it is composed of proprietary rights framing its exploitation, in particular commercial, and of moral rights taking into account the link between the work and its author and allowing them to preserve their non-proprietary interests because this work is the reflection of their personality. Among these moral rights, the author has the right of disclosure which allows them to determine the moment and the means according to which their work will be made public, the right to see their name or pseudonym associated with the work, which is what their right of paternity allows them. Finally, the author can use their right to observe the integrity of the work and their right of withdrawal and repentance to, respectively, oppose modifications of the initial work that do not suit them and recover their work by compensating the one who exploited it at any time and without having to give any justification. This is the proof that it is possible to have a reinforcement of the individual’s control over elements by granting rights, but non-proprietary rights, to take into account the essential link existing between the individual and these elements.
To go further in the search for a solution to provide the individual with means of controlling the use of their personal data, it seems desirable to recognize for the benefit of the person concerned a specific personality right, which is the right to informational self-determination, enshrined in Germany since 1983. This right emphasizes the individual’s power of decision as to the communication of their personal information, which is shown just by the use of the term “self-determination”, and its autonomous consecration makes it possible to raise it to the level of a “framework” right for the exercise of the rights of access, rectification, opposition, etc. held by the data subject.
The various scandals that have been made public and massively reported by the media, such as the Cambridge Analytica affair and the takeover of WhatsApp by Facebook, to name but a few, have shown the limits of the ownership of personal data. They have, in fact, revealed uses subsequent to those to which the data subjects had initially consented with the first Data Controller, deregulated and hidden, which can undermine the protection of our personal data, but also the exercise of our fundamental freedoms.
There are many reasons to support an extra-privacy concept of personal data, which would involve the recognition of a right to informational self-determination in French law as the first step in a new dynamic of strengthening the tools available to the persons concerned. They are, moreover, corroborated by a few final remarks which conclude that this solution appears to be the most desirable at the present time, when the supervision of the massive exploitation of personal data is the goal, not an abolition of monetization, which is purely utopian and would not necessarily be beneficial, nor an encouragement of the latter by the switch of data protection to a patrimonial legal regime.
This way of understanding the legal relationship between the data subject and their data through the prism of the personalist approach is reflected in the current regulations on personal data protection. This protection is based on the granting of rights to the individual that they can exercise against the controller(s). Moreover, even if GDPR which was adopted on April 27, 2016 and entered into force in May 2018 also relates, as its entire title indicates, to the free flow of data, the underlying logic is that data subjects may exploit their personal data only on the condition of allowing the latter to intervene by using the rights granted to them and of respecting certain obligations for the data controllers, starting, in the first place, with a duty to inform. The spirit of the text tends rather to reinforce the supervision of data processing according to an non-proprietary conception.
The rights that the data subject has over their personal data in GDPR and the amended Data Protection Act: the right of access, the right of rectification, the right to deletion, the right to object or the right to restrict processing are all part of this philosophy of accentuating the data subject’s control over their data, using tools of an extra-personal nature in order to grasp the essential relationship between the individual’s personality and his or her personal data.
This personalist or non-proprietary model, implemented through the recognition of a right to informational self-determination, appears to be the most suitable to ensure the individual’s control over the use made of their personal data. However, the concerns about the effectiveness of this model lie in the general public’s lack of knowledge of their rights regarding the protection of their personal data, which in turn stems from a lack of awareness of GDPR in its entirety. The CNIL has already started to educate the public, but more needs to be done.
– Alizée VAAST