By Theresa Henne, University of Vienna (UNIVIE), Clara Saillant University of Vienna (UNIVIE) &
Varvara Kalokyri, Foundation for Research and Technology (FORTH)
Data is increasingly regarded as a valuable resource, in particular for the development of Big Data and AI-driven technology. Hence, a debate emerged concerning the question of how the value of data can be better protected by legal means, especially in the domain of health data. One of the most dominant streams of argumentation in this debate revolved around the concept of “data ownership”, suggesting that data should be owned by individuals or groups similar to other goods and assets. Under the existing EU law, however, no legal framework exists that attributes “data ownership” rights to any entity. The General Data Protection Regulation (GDPR), for example, provides a number of means for individuals, referred to as data subjects, to oversee and control the processing of their personal data. According to Chapter III of the GDPR data subjects are granted the rights of access, of rectification, of restriction of processing and of erasure (also called the right “to be forgotten”). Yet, data subject’s rights are not absolute and can be restricted. For example, the right to erasure under Article 17 can be limited, if the controller can demonstrate that the deletion of the data would seriously impair the achievement of a scientific research project. The GDPR does not assign ‘data ownership’ to the data subjects nor to the data controller, which is the entity responsible for the processing. The term “ownership” itself is not even used in the GDPR regarding personal data.
Intellectual property (IP) law grants property rights to certain non-rival resources, such as original literary, scientific and artistic work. IP law aims at protecting the innovation itself and rewarding the effort put into its creation. This means that, even though someone’s art piece or scientific publication can be copied and accessed an infinite amount of times – hence being a non-rival resource – the author still has rights attached to its work limiting the ways it can be used by others. However, the EU’s IP framework does not protect data itself since the collection of information and facts is not considered an act of creation. So far no common understanding of the concept of “data ownership” could be established. Various, sometimes conflicting responsibilities and rights are discussed under the generic term of ‘data ownership’ (Hummel et al., 2020). Oftentimes, ‘data ownership’ is envisioned as a bundle of rights, such as the right to use the data, the right to share data or limit access, the right to sell data or the right to inherit any income generated by the data. Also, different opinions exist concerning the question, who is entitled to be the owner of the data. On the one hand, Fezer (2019) envisions “data ownership” as a citizen’s rights enabling the individual to have more control over their personal data and to counter the power asymmetries within the data economy.
On the other hand, Montgomery (2017) argues that the entity, which invests resources in the data collection, curation and analysis, creates the actual value and therefore should own the data. Ballantyne (2018) is in favor of a broader, relational account of “ownership”. She argues that rather than data belonging to the patient, data is about the patient. Since clinical data is co-created by multiple actors, including the patient and health care professionals, the attempt to confer an exclusive ownership right to only the patient must fail.
According to Ballantyne, rather than conceptualizing data as private property, the solution is “to reconnect patients with their data and engage them in debates and decision-making about secondary uses” (p.290). Similar to Ballantyne, also Prainsack and Forgó propose that “[i]nstead of endorsing individual-level property rights to data, we should consider health data as collective property” (p. 1990). Thus, local communities, states or international organizations could collectively own data and define for which purposes the data should be used. In any case, when we are discussing how to modify the existing legal framework governing the use of health data for research, we should clarify that the overall aim must be to facilitate and promote data generation, curation and sharing that enables health research that is beneficial to the people of the EU and protect the fundamental rights of the data subjects (see Evans 2011). The legal framework shall provide incentives to research that is sustainable and beneficial to past, current and future patients as well as contribute to building the knowledge bases.
In order to move forward in the debate regarding the value of data in health research the following questions need to be answered:
- In what regard is the current legal framework hindering the achievement of this objective? More specifically: Why and in which contexts are the existing legal or technical securities, e.g. ways to control data access and usage, insufficient? What kind of legal or technical securities are necessary?
- What kind of incentive or reward needs to be provided to whom? Shall the reward be monetary, an acknowledgment of intellectual contribution or contribution of another kind, or provide rights in technology that is developed based on the data?
– Fezer, K.-H. (2019). Digitales Dateneigentum – ein grundrechtsdemo- kratisches Bürgerrecht in der Zivilgesellschaf. In: Stiftung Datenschutz (Ed.). Dateneigentum und Datenhandel. Erich Schmidt Verlag.
– Hummel, P., Braun, M., & Dabrock, P. (2021). Own Data? Ethical Reflections on Data Ownership. Philosophy & Technology, 34(3), 545–572. https://doi.org/10.1007/s13347-020-00404-9
– Montgomery, J. (2017). Data Sharing and the Idea of Ownership. The New Bioethics, 23(1), 81–86. https://-doi.org/10.1080/20502877.2017.1314893