More than a decade and a half later, in my work with
Professor Laurie on the Administrative Data Research Centre Scotland project[4],
similar questions have arisen as to the efficacy of the consent model, but in
particular, the consent-or-anonymise paradigm at work in context with the use
of personal data for research purposes.[5] Other
work has considered the prospect of a property model in an effort to provide
individuals with more control over their personal data, attracting robust
arguments both for and against this idea.[6]
Even if the law in the UK currently eschews any idea of personal ownership, we
cannot ignore the thriving black market for personal data across the globe as a
result of the increasing sophistication of technologies and methodologies used
by cyber criminals, or indeed the billion dollar businesses which arose from
the intermix of code and ‘freely’ given personal data for various ‘services’.
What values do we hold in personal data that may make propertisation
objectionable? Do those values change once data are ‘anonymised’ or
‘de-identified’?
In the two decades since the enactment of the Data
Protection Directive 95/46/EC, personal data has become commoditised and is an
essential asset to public, private and third sector organisations. While data
has become infinitely more valuable, the protection of privacy and the
safeguarding of individual autonomy has concomitantly become more difficult to
attain. The meaningless of ticking a box to consent has at once become a cliché
of modern life but also represents the stark power imbalances between
individuals and those that continue to collect, hold and process our personal
data.
The forthcoming General Data Protection Regulation has been
lauded as a marked improvement in data protection law, offering individuals’ more ‘control’ over their personal data,
notably through the introduction of new or expanded data subject rights
including the right to data portability, the right to be forgotten and with the
heightened requirements for obtaining valid
consent. However, many of these new or expanded rights are limited and do not
address the fundamental power imbalance between a data subject and a data
controller. Data controllers are still in ‘control’ – they remain free to
determine the legal basis, purpose for, and manner in which, they will process
personal data. Enhanced legal requirements for obtaining valid consent does not
address this nor does it recognise sufficiently the economic value in an
individual’s personal data. If data controllers continue to reap such high
economic value from personal data, and moreover, in light of the risks posed by
the growing prominence of data breaches, why can’t individuals assert and exercise a form of ownership over
their data to compensate?
Data protection law effects a relationship with individuals
primarily based on ‘rights’, despite the fact that the provisions of current
and forthcoming legislation facilitate the transfer of personal data, often for
economic exploitation. This is a fact just as it is also true that personal
data holds an intrinsic value to personhood. A property model could provide
individuals with actual control over certain economic uses of their data in recognition of the value that it
represents in today’s economy. Yes, commercialisation of personal data could
lead to more exploitation, but as argued by Mason and Laurie in relation to
human tissues and organs: ‘… merely because we face that prospect is no reason
in se to refuse to recognise property rights as a matter of principle…Indeed,
the non-recognition of property rights arguably perpetuates exploitation; it
has, for example, done little, to date, to prevent a thriving global black
market in organs and tissues.’[7]
So to answer the question posed by the title of this blog, I
would suggest that there is no reason
in principle why a property model
working alongside data protection
(and privacy laws) could offer individuals further respect and control over
their personal data, data which reaps such value for data controllers (and even
criminals) across the globe. At a time of political, social and economic
uncertainty, the time is ripe to rethink the relationship between the law and
personal data.
[1] JK
Mason and GT Laurie, ‘Consent or Property?
Dealing with the Body and Its Parts in the Shadow of Bristol and Alder Hey’
(2001) 64 The Modern Law Review 710
<http://dx.doi.org/10.1111/1468-2230.00347>.
[2]
Human Tissue Act 2004, s 1.
[3] Mason and Laurie (n 1) 729.
[4] ‘Administrative
Data Research Centre Scotland’
<http://adrn.ac.uk/centres/scotland>.
[5] Graeme Laurie and Emily Postan, ‘Rhetoric
or Reality: What Is the Legal Status of the Consent Form in Health-Related
Research?’ [2012] Medical Law Review; Graeme
Laurie and Leslie Stevens, ‘Developing a Public Interest Mandate
for the Governance and Use of Administrative Data in the United Kingdom’
(2016) 43 Journal of Law and Society 360; Graeme Laurie, ‘Liminality
and the Limits of Law in Health Research Regulation: What Are We Missing in the
Spaces In-Between?’ [2016] Medical Law Review 1.
[6] Julie
E Cohen, ‘Examined
Lives: Informational Privacy and the Subject as Object’ (2000) 52 Stanford Law
Review 1373; L Lessig, Code (Basic Books 2006); Nadezhda Purtova, ‘Property in Personal Data: A
European Perspective on the Instrumentalist Theory of Propertisation’
<http://www.ejls.eu/6/84UK.htm>; Marc Rodwin, ‘Patient Data: Property,
Privacy & the Public Interest’ [2010] American Journal of Law and Medicine;
Jacob M Victor, ‘The EU General Data Protection Regulation:
Toward a Property Regime for Protecting Data Privacy’ (2013) 123 Yale Law Journal
513.
[7] Mason
and Laurie (n 1) 727.
No comments:
Post a Comment