03 September 2013

Forgetting

'The EU General Data Protection Regulation: Toward a Property Regime for Protecting Data Privacy' by Jacob M. Victor in Yale Law Journal (Forthcoming) considers the new EU draft regulation on data privacy - especially its controversial provision establishing a "right to be forgotten" - and argues that the regulation implicitly creates the kind of propertized data regime that scholars proposed and debated a decade ago.
The Comment identifies the key conceptual features of a data property regime, explains how the draft regulation implicitly embodies these features, and compares this property-centric framing to the human-rights framing that tends to dominate discussions of data privacy.
Victor comments that
The European Union recently released draft legislation that has the potential to transform EU data privacy law. The draft General Data Protection Regulation proposes a range of new individual rights designed to protect consumers whose personal information is collected, processed, and stored by corporations. Most notably, the draft Regulation would establish a consumer’s “right to be forgotten,” mandating that entities that collect or process data—which, for ease, I will call “data users”—must delete any data relating to an individual “data subject” upon his request. Furthermore, any third parties with whom this information has been shared would also be required to respect the data subject’s request for deletion. 
The draft Regulation, which was approved by the European Commission in January 2012, is unlikely to be finalized and enter into force for at least another several months. But the legislation has already proven highly controversial for its potential applicability to any corporation that processes the data of EU citizens (including U.S. corporations), for its potential effects on free speech rights and criminal investigations, for its alleged technological unfeasibility, and for the possibility that it may impede bilateral policymaking efforts between the U.S. and EU. 
A yet unexplored dimension of the draft Regulation, however, is its relationship to broader questions about what rights-and-remedies scheme is most appropriate for protecting consumer privacy in data collection. Though the Regulation is framed in the fundamental-human-rights terms typical of European privacy law, this Comment argues that it can also be conceived of in property-rights terms. The Regulation takes the unprecedented step of, in effect, creating a property regime in personal data, under which the property entitlement belongs to the data subject and is partially alienable. More specifically, the data protection plan takes for granted that personal data has become akin to a commodity capable of changing hands. Working off of this reality, it allows for some, highly regulated exchanges of data while also adapting rights and remedies commonly associated with property in service of the goal of protecting consumer privacy. The proposal includes three elements in particular that lend themselves to a property-based conception: consumers are granted clear entitlements to their own data; the data, even after it is transferred, carries a burden that “runs with” the data and binds third parties; and consumers are protected through remedies grounded in “property rules.” In these respects, the proposed scheme is remarkably similar to existing, heretofore purely theoretical, proposals for property regimes for protecting personal data, especially the model proposed by Paul Schwartz in 2004. But the draft Regulation seems to be one of the first legislative proposals that would actually implement this kind of propertized personal data regime.
This Comment proceeds in two parts. Part I outlines some of the theoretical proposals for propertized personal information designed to remedy the shortcomings of contemporary data protection law, exploring the features of property regimes that scholars have seized on in presenting these proposals. Part II argues that these property-oriented safeguards are present in the draft Regulation, even though the Regulation is not framed in property terms. The Conclusion briefly explores the implications of this analysis for the broader question of whether propertizing personal data can be reconciled with treating privacy as a human right, pointing out that the draft Regulation seems to transcend this debate by adapting the rights and remedies commonly associated with property in service of a human-rights-driven approach to privacy.