The EU general data protection regulation: toward a property regime for protecting data privacy.

Author: Victor, Jacob M.

The European Union recently released draft legislation that has the potential to transform EU data privacy law. The draft General Data Protection Regulation ("draft Regulation") proposes a range of new individual rights designed to protect consumers whose personal information is collected, processed, and stored by corporations and other entities. (1) Most notably, the draft Regulation would establish a consumer's "right to be forgotten," (2) mandating that entities that collect or process data--which, for ease, I will call "data users" (3)--must delete any data relating to an individual "data subject" (4) upon his request. Furthermore, any third parties with whom this information has been shared would also generally be required to respect the data subject's request for deletion. (5)

The draft Regulation, which was approved by the European Commission in January 2012, is unlikely to be finalized and enter into force for at least another several months. (6) But the legislation has already proven highly controversial for its potential applicability to any corporation that processes the personal data of EU citizens (including U.S. corporations), (7) for its potential effects on free speech rights (8) and criminal investigations, (9) for its alleged technological infeasibility, (10) and for the possibility that it may impede bilateral policymaking efforts between the United States and the European Union. (11)

A yet unexplored dimension of the draft Regulation, however, is its relationship to broader questions about what rights-and-remedies scheme is most appropriate for protecting consumer privacy in data collection. Though the Regulation is framed in the fundamental-human-rights terms typical of European privacy law, this Comment argues that it can also be conceived of in property-rights terms. The Regulation takes the unprecedented step of, in effect, creating a property regime in personal data, under which the property entitlement belongs to the data subject and is partially alienable. More specifically, the data protection plan takes for granted that personal data has become akin to a commodity capable of changing hands; working off of this reality, it allows for the highly regulated exchange of data while also adapting rights and remedies commonly associated with property in service of the goal of protecting consumer privacy. The Regulation's use of property-derived rights is particularly unusual and significant since a human-rights-based approach to privacy--which the EU generally embraces--is often thought of as incompatible with a property-rights-based approach. (12)

The EU's proposal includes three elements in particular that lend themselves to a property-based conception: consumers are granted clear entitlements to their own data; the data, even after it is transferred, carries a burden that "runs with" it and binds third parties; and consumers are protected through remedies grounded in "property rules." In these respects, the proposed scheme is remarkably similar to existing, heretofore purely theoretical, proposals for property regimes for protecting personal data, especially the model proposed by Paul Schwartz in 2004. (13) But the draft Regulation seems to be one of the first legislative proposals that would actually implement this kind of propertized personal data regime.

This Comment proceeds in two Parts. Part I outlines some theoretical proposals for propertized personal information designed to remedy the shortcomings of contemporary data protection law, exploring the features of "property" that scholars have seized on in presenting these proposals. Part II argues that these property-oriented safeguards are present in the draft Regulation, even though the Regulation is not at all framed in property terms. The Conclusion briefly explores the implications of this analysis for the broader question of whether propertizing personal data can be reconciled with treating privacy as a human right, pointing out that the draft Regulation seems to transcend this debate by adapting the rights and remedies commonly associated with property in service of a human-rights-driven approach to privacy.

  I. DATA PRIVACY AND PROPERTY

    Both the United States and the European Union provide some privacy protections for consumers during data collection, but neither has established a property scheme to this effect. Neither U.S. law nor EU law considers data subjects to have proprietary interests in their own personal information. (14) Both instead provide consumers with some limited options to sue for damages when their privacy is compromised in the course of data processing. These "liability rule" (15) protections are based in the common law of tort or contract (in the United States), (16) subject-specific statutes (also in the United States), (17) or omnibus privacy legislation (in Europe). (18)

    But despite the fact that data privacy is still protected through liability rules, the corporations that process personal data increasingly treat it as a commodity. Corporations collect this information from consumers (often as a quid pro quo during the sale of goods or services), compile it, and often sell these collections to other corporations. (19) Even U.S. courts have occasionally recognized data as a kind of property, but only after it has been collected by a corporation. (20)

    In reaction to this trend, scholars, especially in the early 2000s, began exploring alternative data privacy protection schemes derived from property law and theory. Lawrence Lessig is one of the best-known proponents of creating a free market in personal data. Under Lessig's proposal, consumers would hold the original property entitlements to their own personal information and would be able to bargain with data users to determine when it would be advantageous to forfeit their privacy by selling their data. (21) Critics of this proposal highlight the dangers of allowing consumers to freely sell their private information, pointing especially to the potential information disparities in a personal data market. Under an unregulated market system, consumers could be convinced to sell their information without completely understanding the full scope of how corporations might use it, or the degree to which their privacy would be compromised by the transaction. (22)

    In response to these concerns, scholars including Paul Schwartz, Edward Janger, and Vera Bergelson have proposed highly regulated property regimes that would carry some property-oriented rights and remedies but not others. Schwartz's proposal is the best known--indeed, it was recently endorsed by Timothy D. Sparapani, the former Public Policy Director of Facebook (23)--and will be the primary focus of this Comment.

    "Property" is a notoriously nebulous concept, and Schwartz (as well as other theorists of data property) has declined to adopt a cohesive definition, understanding "property as a bundle of interests rather than despotic dominion over a thing." (24) Proponents of a regulated data property regime all focus on the ways that personal information is already treated as a commodity by corporations and argue that protecting such data with a legally cognizable property entitlement, vested in data subjects and regulated in various ways, provides necessary protections that are absent in the status quo. (25) Rather than arguing that the free market can do all the work of protecting privacy, as Lessig does, they instead seize on some of the other rights and remedies commonly associated with property regimes and explore how conceiving of data as property for certain purposes might in fact offer the best option for protecting consumer privacy while still enabling individuals to share their data with data users under certain circumstances. For example, Schwartz especially seizes on one of the features commonly associated with property regimes: under some property schemes, "the burden of a property right 'runs with the asset'" in question. (26) This feature allows for property rights to create burdens that bind third parties--third parties with whom I have no explicit legal relationship nonetheless have a duty to respect my property rights in an asset--in contrast to contract rights, which bind only the specific parties in privity. (27) This is particularly important in the context of data privacy, because it allows a data subject to retain some rights in her data, even in transactions between data users to which the subject is not a party.

    Schwartz uses this definition to argue that crafting a regime in which consumers have legally enforceable property interests in their data would "enable[] certain interests to be 'built in'" to personal data. (28) Such a regime would "allow[] individuals to share, as well as to place limitations on, the future use of their personal information" and is property-like in that data subjects' interests "follow the personal information through downstream transfers and thus limit the potential third-party interest in it." (29) Schwartz's model, in this respect, is predicated on the assumption that free alienability is not "an inexorable aspect of information-property." (30) Indeed, Schwartz argues that a propertized data scheme, even while treating data as a commodity for certain purposes, should place limits on a consumer's right to fully sell her personal information on an open market. (31)

    In practicable terms, Schwartz advocates for several requirements in a hypothetical propertized personal data scheme, two of which are most clearly tied to...
