The EU general data protection regulation: Toward a property regime for protecting data privacy

Yale Law Journal

Volumn 123, Issue 2, 2013, Pages 513-528

  Victor, Jacob M ^a  

^a NONE

Author keywords

[No Author keywords available]

Indexed keywords

EID: 84887754464     PISSN: 00440094     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Note

References (95)

1. Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, COM (2012) 11 final (Jan. 25, 2012), http://www.europarl.europa.eu/registre/docs_autres_institutions/commission_europeenne/com/2012/0011/COM_COM%282012%290011_EN.pdf [hereinafter Draft Data Protection Regulation]. The draft Regulation seems to be primarily designed to regulate data processing by private entities. While some agencies of EU member-states may also be bound by the Regulation, the majority would fall outside its purview. See id. art. 2(2) (listing, inter alia, "Union institutions, bodies, offices and agencies" and authorities devoted to the "prevention, investigation, detection or prosecution of criminal offences" as entities that are not bound by the Regulation).
2. Id. art. 17.
3. The draft Regulation distinguishes between data "controllers," which own and maintain databases, and data "processors," which process data on behalf of data controllers. Id. art. 4(5)-(6). Because most of the Regulation's principles apply to both types of entities, I have adopted the neutral term "data user."
4. The draft Regulation defines a data subject as an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
5. Id. art. 4(1).
6. Id. art. 17; see also id. art 6(a) (explaining the role of the data subject's consent in determining the legality of processing).
7. Since January 2012, several European Union institutions have proposed amendments to the draft Regulation. For example, the Council of the European Union, a legislative body of ministers of EU member-states, proposed its own version in May 2013. A special committee is also examining various amended versions of the draft Regulation and preparing a text for consideration by the European Parliament. Once this version is approved, the European Parliament and Council of the European Union will enter into negotiations over the compromise version and likely vote on a final version in the next few months.
8. Hunton& Williams LLP, Council of the European Union Releases Draft Compromise Text on the Proposed EU Data Protection Regulation, PRIVACY & INFO. SECURITY L. BLOG (June 4, 2013), http://www.huntonprivacyblog.com/2013/06/articles/council-of-the-european-union-releases-draft-compromise-text-on-the-proposed-eu-data-protection-regulation. While some of the newly proposed versions of the draft Regulation significantly amend the original draft, the provisions of greatest significance to this Comment appear to be mostly unaffected.
9. Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation)-Key Issues of Chapters I-IV, COUNCIL EUR. UNION (May 31, 2013), http://register.consilium.europa.eu/pdf/en/13/st10/st10227-ad01.en13.pdf (the Council of the European Union's amended version). Because the final version of the Regulation remains in flux, this Comment focuses only on the text of the original 2012 European Commission draft.
10. Draft Data Protection Regulation, supra note 1. However, it is important to note that the final version of the Regulation may temper some of the 2012 draft's more controversial proposals.
11. Draft Data Protection Regulation, supra note 1, art. 3(2).
12. Jeffrey Rosen, The Right to Be Forgotten, 64 STAN. L. REV. ONLINE 88 (2012) (arguing that the "right to be forgotten," as conceived of in the draft Regulation, may restrict speech protected by the First Amendment).
13. Remarks by U.S. Ambassador to the EU, William E. Kennard, at Forum Europe's 3rd Annual European Data Protection and Privacy Conference, U.S. MISSION TO EUR. UNION (Dec. 4, 2012), http://useu.usmission.gov/kennard_120412.html (arguing that the draft Regulation could hinder law enforcement cooperation).
14. Peter Druschel et al., The Right to Be Forgotten-Between Expectations and Practice, EUR. NETWORK & INFO. SECURITY AGENCY (Nov. 20, 2012), http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten/at_download/fullReport (highlighting challenges to implementing the draft Regulation under the existing technical structure of the Internet).
15. Paul M. Schwartz, The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures, 126 HARV. L. REV. 1966+1968-2001 (2013) (outlining the development of the EU-U.S. status quo on data privacy policy). Schwartz argues that "[t]he Proposed Regulation carries a potential for destabilization of the current status quo."
16. Id. at 1994.
17. Paul M. Schwartz, Property, Privacy, and Personal Data, 117 HARV. L. REV. 2055 (2004).
18. Vera Bergelson, It's Personal but Is It Mine? Toward Property Rights in Personal Information, 37 U.C. DAVIS L. REV. 379+403-04 (2003) (describing how U.S. law does not grant individuals property rights in their personal information)
19. NADEZHDA PURTOVA, PROPERTY RIGHTS IN PERSONAL DATA: A EUROPEAN PERSPECTIVE 153-220 (2012) (surveying European data protection law and contrasting it with a hypothetical property-based regime).
20. Under the famous framework developed by Guido Calabresi and Douglas Melamed, an entitlement is protected by a "liability rule" when a defendant may violate it in exchange for paying damages. Guido Calabresi & A. Douglas Melamed, Property Rules, Liability Rules, and Inalienability: One View of the Cathedral, 85 HARV. L. REV. 1089+1092 (1972). For a discussion of the differences between property rules and liability rules in the context of data protection
21. In practice, courts have generally been unwilling to award damages to consumers for breach of contract when a corporation has violated its data privacy policy. See, e.g., In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 326-27 (E.D.N.Y. 2005) (holding, interalia, that plaintiffs in a class action against JetBlue for breach of its privacy policy were ineligible to recover damages because "the only damage that can be read into the present complaint is a loss of privacy," which is "not a damage available in a breach of contract action"). Courts have similarly been unwilling to apply the "privacy torts," RESTATEMENT (SECOND) OF TORTS §§ 652B-652E (1977), to violations of privacy in data collection and processing. For a survey of such cases,
22. PURTOVA, supra note 14, at 99-106.
23. Video Privacy Protection Act of 1988, Pub. L. No. 100-618, 102 Stat. 3195 (codified at 18 U.S.C. § 2710 (2012)) (establishing a private cause of action against video rental companies that disclose consumer information). For a survey of these statutes, see DANIEL J. SOLOVE & PAUL M. SCHWARTZ, INFORMATION PRIVACY LAW 839-79 (4th ed. 2011)
24. Edward J. Janger, Privacy Property, Information Costs, and the Anticommons, 54 HASTINGS L.J. 899+904-08 (2003).
25. Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31 (mandating that corporations provide certain protections to data subjects during data collection and processing). Data subjects may seek damages from corporations that violate the Directive.
26. Id. art. 22+23(1).
27. Jessica Litman, Information Privacy/Information Property, 52 STAN. L. REV. 283+1284 (2000) ("Non-cash purchases are memorialized and toted up. Large cash purchases are memorialized and turned in. Cash withdrawals and deposits are recorded and saved. Visits to the doctor, diagnoses, prescriptions, and referrals are coded and passed along. Everything we look at on the Internet is noted and retained. All of this information is collected, aggregated, and stored on computers. Anyone with reason to do so can correlate the information stored on one computer with the information stored on another, and another, and another. The resulting dossier may be used, sold, published, or correlated with other sources of data. In the United States, that's completely legal." (footnotes omitted))
28. Schwartz, supra note 13, at 2069-72 (describing how personal information is "commodified and traded" in various contexts).
29. In re Nw. Airlines Privacy Litig., No. Civ. 04-126, 2004 WL 1278459, at *4 (D. Minn. June 6, 2004) (stating that when passengers voluntarily gave Northwest Airlines their personal information and Northwest Airlines compiled that information into a data record, the record "itself became Northwest's property"); U.S. News & World Report, Inc. v. Avrahami, No. 95-1318, 1996 WL 1065557, at *6 (Va. Cir. Ct. June 13, 1996) (holding that the sale of a magazine mailing list did not constitute conversion because the plaintiff did not maintain a proprietary interest in his name, whereas U.S. News & World Report did maintain a proprietary interest in its collection of names).
30. LAWRENCE LESSIG, CODE AND OTHER LAWS OF CYBERSPACE 122-35+159-63 (1999)
31. Lawrence Lessig, The Architecture of Privacy, 1 VAND. J. ENT. L. & PRAC. 56+63-64 (1999) ("If the law gave individuals the rights to control their data, or more precisely, if those who wanted to use that data had first to secure the right to use it, then a negotiation would occur over whether, and how much, data should be used. The market could negotiate these rights, if a market in these rights could be constructed.")
32. Lawrence Lessig, Privacy as Property, 69 SOC. RES. 247+261 (2002).
33. Neil Weinstock Netanel, Cyberspace Self-Governance: A Skeptical View from Liberal Democratic Theory, 88 CALIF. L. REV. 395+476 (2000) ("[M]ost users are not even aware that the websites they visit collect user information, and even if they are cognizant of that possibility, they have little conception of how personal data might be processed.").
34. Timothy D. Sparapani, Putting Consumers at the Heart of the Social Media Revolution: Toward a Personal Property Interest to Protect Privacy, 90 N.C. L. REV. 1309+1313 (2012).
35. Schwartz, supra note 13, at 2094
36. Janger, supra note 17, at 901+916-20 (describing a system structured by "muddy" property rules that can be "shaped by social policy concerns").
37. Janger, supra note 17, at 913-18
38. Schwartz, supra note 13, at 2095-2116.
39. Henry Hansmann & Reinier Kraakman, Property, Contract, and Verification: The Numerus Clausus Problem and the Divisibility of Rights, 31 J. LEGAL STUD. S373+S378-79 (2002)
40. Schwartz, supra note 13, at 2097.
41. Hansmann & Kraakman, supra note 26, at S378 ("[T]he attribute that distinguishes a property right from a contract right is that a property right is enforceable, not just against the original grantor of the right, but also against other persons to whom possession of the asset, or other rights in the asset, are subsequently transferred."). Similar, though not identical, to this idea is the notion that "[p]roperty rights... are in rem-they bind 'the rest of the world.'"
42. Thomas W. Merrill & Henry E. Smith, The Property/Contract Interface, 101 COLUM. L. REV. 773+777 (2001).
43. Schwartz, supra note 13, at 2098.
44. Id. at 2094+2097.
45. Id. at 2093
46. Bergelson, supra note 14, at 444-45 (arguing that, under a hypothetical data property regime, some rights to personal data could be declared inalienable even while others are freely marketable)
47. Janger, supra note 17, at 903 (recognizing that a "mandatory crystalline inalienability rule" could be included in a property regime).
48. Hansmann & Kraakman, supra note 26, at S411-12 (providing a general critique of the notion that property rights are synonymous with alienability)
49. Thomas W. Merrill, The Property Strategy, 160 U. PA. L. REV. 2061+2079 (2012) (arguing that alienation is not "essential to the property strategy").
50. Schwartz, supra note 13, at 2094 (explaining that under Schwartz's proposed "hybrid alienability" model, consumers would be able to "share, as well as to place limitations on, the future use of their personal information").
51. Schwartz in fact outlines five features in a hypothetical data property regime: "inalienabilities, defaults, a right of exit, damages, and institutions," Schwartz, supra note 13, at 2094, but also recognizes that "[a] key element of this model is the employment of use-transferability restrictions in conjunction with an opt-in default," id. (emphasis omitted), which are the two features most tied to the unique nature of property-based protection. For that reason, I focus mainly on these property-based protections, rather than on the other features of the proposed regime.
52. Id. at 2060+2100-06.
53. Id. at 2106-07.
54. Bergelson, supra note 14, at 446. A license is defined as a property owner's "temporary and revocable" waiver of his right to exclude.
55. THOMAS W. MERRILL & HENRY E. SMITH, PROPERTY: PRINCIPLES AND POLICIES 449 (2d ed. 2012).
56. Schwartz, supra note 13, at 2095-2100.
57. MERRILL & SMITH, supra note 35, at 962.
58. Janger, supra note 17, at 914
59. Bergelson, supra note 14, at 417 ("On a more abstract level, the choice between the tort regime and the property regime for the protection of personal information means the choice between property rules and liability rules as defined in the seminal article authored by Calabresi and Melamed."). It is interesting to note that Schwartz self-consciously chooses to use compensatory damages as the main remedy in his model, in lieu of property-rule-based protections.
60. Schwartz, supra note 13, at 2109 ("A state determination of damages through privacy legislation is preferable to the Calabresi-Melamed approach of enforcing the subjective valuations of private parties with injunctions."). However, in keeping with this Comment's goal of exploring the unique features that a property regime can bring to data protection, I choose to focus on Janger's and Bergelson's use of property-rule-based protections.
61. The new legislation is a "Regulation," meaning it would be binding on all EU memberstates as law and enforceable in any member-state court. In contrast, the EU's current data protection Directive, supra note 18, must be implemented by member-states through domestic legislation.
62. Jane Finlayson-Brown, How to Prepare for Proposed EU Data Protection Regulation, COMPUTER WKLY., Mar. 2012, http://www.computerweekly.com/opinion/Proposed-EU-Data-Protection-Regulation-what-should-companies-be-thinking-about.
63. For example, it would impose more rigorous consent and notice requirements and costly administrative sanctions for failure to comply. Draft Data Protection Regulation, supra note 1, arts. 7, 14, 35-37, 79.
64. Id. art. 17.
65. Q. and A. with Viviane Reding, N.Y. TIMES, Feb. 2, 2013, http://www.nytimes.com/2013/02/03/business/q-and-a-with-viviane-reding.html.
66. Joel R. Reidenberg, Ecommerce and Trans-Atlantic Privacy, 38 HOUS. L. REV. 717+730-32 (2001) (describing how the EU has generally "treat[ed] privacy as a political imperative anchored in fundamental human rights").
67. Draft Data Protection Regulation, supra note 1, art. 6(1)(a).
68. Id. art. 6(1)(b).
69. Id. art. 14(1)(b), (d).
70. Id. art. 17(1)(b).
71. Id. art. 6(1)(3).
72. Id. art. 19.
73. Id. art. 19(1)
74. id. art. 17(1)(c).
75. The data could be said to be partially protected by what Calabresi and Melamed call an "inalienability rule." Calabresi & Melamed, supra note 15, at 1092-93 ("An entitlement is inalienable to the extent that its transfer is not permitted between a willing buyer and a willing seller. The state intervenes not only to determine who is initially entitled and to determine the compensation that must be paid if the entitlement is taken or destroyed, but also to forbid its sale under some or all circumstances.").
76. Henry Hansmann & Marina Santilli, Authors' and Artists' Moral Rights: A Comparative Legal and Economic Analysis, 26 J. LEGAL STUD. 95 (1997) (describing the right of integrity, one of the moral rights of artists).
77. Hansmann & Kraakman, supra note 26, at S386-87.
78. Draft Data Protection Regulation, supra note 1, art. 17(2).
79. Schwartz, supra note 13, at 2098.
80. The comparison with moral rights is also instructive here: to the extent an artist maintains a right that future purchasers not destroy or alter her work and "the artist can. enforce that right against subsequent third-party transferees of the painting," she maintains "a property right in the painting." Hansmann & Kraakman, supra note 26, at S379. We might understand the burden placed on future holders of the artwork as "a type of negative covenant held in gross (that is, personally)... that would let the artist prevent any subsequent owner of a work of art from altering it." Id. at S377. So too here, a data subject's right to demand erasure by any third parties that gain access to her personal information, irrespective of whether that party is in privity with the data subject, creates a kind of negative covenant on the data that binds third parties.
81. Schwartz, supra note 13, at 2098.
82. Janger defines a property rule by distinguishing it from a liability rule: Where an entitlement is protected by a liability rule, the defendant may choose to violate the right and pay damages. In other words, a non-consensual taking may precede negotiation over price. Propertization changes the order of this interaction. Either through criminal sanction, affirmative judicial order, or prohibitively high (and/or punitive) fines, a property rule makes a nonconsensual taking infeasible.
83. Janger, supra note 17, at 914.
84. eBay Inc. v. MercExchange, L.L.C., 547 U.S. 388, 395 (2006) (Roberts, C.J., concurring) ("From at least the early 19th century, courts have granted injunctive relief upon a finding of infringement in the vast majority of patent cases. This 'long tradition of equity practice' is not surprising, given the difficulty of protecting a right to exclude through monetary remedies that allow an infringer to use an invention against the patentee's wishes....").
85. For example, in a now-famous case, the Wisconsin Supreme Court affirmed an award of $100,000 in punitive damages to a victim of trespass, even though the actual damages were minimal, because "the individual and society have significant interests in deterring intentional trespass to land, regardless of the lack of measurable harm that results." Jacque v. Steenberg Homes, Inc., 563 N.W.2d 154, 159 (Wis. 1997).
86. Draft Data Protection Regulation, supra note 1, arts. 46, 73(1).
87. Id. art. 53(1)(f).
88. Id. arts. 75(1), 76(5).
89. Id. art. 79(5).
90. Margaret Jane Radin, Incomplete Commodification in the Computerized World, in THE COMMODIFICATION OF INFORMATION 3, 17 (Niva Elkin-Koren & Neil Weinstock Netanel eds., 2002) ("It makes a big difference whether privacy is thought of as a human right, attaching to persons by virtue of their personhood, or as a property right, something that can be owned and controlled by persons. Human rights are presumptively marketinalienable, whereas property rights are presumptively market-alienable.").
91. Marc Rotenberg, Fair Information Practices and the Architecture of Privacy (What Larry Doesn't Get), 2001 STAN. TECH. L. REV. 1, ¶ 93 (arguing that a "market-based model [of the right to privacy], which seeks to facilitate the transfer of control over privacy interests, is clearly at odds with th[e] tradition" of treating privacy as a personhood interest).
92. Notably, Radin's skepticism of protecting privacy using a property regime is grounded in the assumption that under a propertized personal data regime "online commerce will be governed more and more by contracts between providers and users, and less by a priori (default) entitlement structures." Radin, supra note 67, at 18 (footnote omitted). In contrast, default entitlement structures (and curtailed free marketability) are essential to the regime presented in the draft Regulation, which explains its greater compatibility with a humanrights approach.
93. Hansmann & Kraakman, supra note 26, at S386 (noting that while Europeans often think of the artist's moral right of integrity as a "right[] of personality," not a property right, it can nonetheless be conceived of as a human right that is protected through property-based rights and remedies).
94. Schwartz, supra note 13, at 2095 (quoting Hanoch Dagan, The Craft of Property, 91 CALIF. L. REV. 1518, 1532, (2003)).
95. PURTOVA, supra note 14, at 2 (claiming that the "American debate on the propertisation of personal data has since passed its peak").