We Lawyers Were Mistaken: Online Privacy is a Property Matter

By Doug DePeppe

In June, the US Supreme Court ruled in TransUnion v. Ramirez, 594 U.S. (2021), that plaintiffs suffering identity loss must show “concrete harm” to have standing to sue, at least in federal court. The case was a class action suit involving a class of individuals that had been improperly listed on a terrorist watch list by a credit reporting agency. The Court disallowed claimants’ standing-to-sue who had merely been listed but whose faulty designation had not actually been shared with a third party. Commentators are suggesting that, after Ramirez, a privacy violation alone may be insufficient to enable a lawsuit, and that defenses to data breach litigation, especially in class action litigation, will possess better armaments against challengers demanding redress for a loss of privacy. Apparently, the lines are being redrawn — to the detriment of individual privacy.

Many commentators have already unpacked Ramirez and offered opinions about the state of data breach remedies in the US. Rather than debating the impact of Ramirez, perhaps it is time to question the foundational logic behind data breach litigation. Instead of focusing on data breaches as injuries to privacy or violations of contractual provisions, they may be more appropriately viewed (and protected) as transgressions, infringements or harm to property interests. That view would also reflect the increasing reality of data commodification.

In a 2020 prescient law review article, Professor Chao, from the University of Denver Sturm College of Law, questioned the practice of asserting privacy violations in data breach litigation. He published Privacy Losses as Wrongful Gains, 106 Iowa Law Review 555 (2021), and suggested unjust enrichment theory as a preferred legal framework for redressing privacy violations. First, his law review catalogued the many shortcomings of current litigation theory and practice concerning data breaches. Professor Chao noted the challenge of proving harm, as well as deficiencies in contract-based claims. But at its root, Professor Chao rightfully noted the inherent challenge of protecting privacy itself:

But undoubtedly the thorniest obstacle is that privacy harms are often not considered cognizable injuries under many common legal theories. Tort, contract, and constitutional standing doctrine all demand some form of concrete injury, but privacy injuries are often too intangible or risk-based to qualify. (Id. at 556.)

This writing takes Professor Chao’s thesis a step further. He rightfully takes issue with the practice of law in the data breach area; and, implicit in his thesis is the recognition that the function of the institution of law is to attempt to balance the often-competing virtues between rights and duties (in the data realm). This writing questions whether framing the virtual world’s rights and duties redress system in a traditional privacy ontology was error at the inception of the data loss era.

The Property Premise

Why has data loss been equated to a privacy invasion or harm? The Internet remains a relatively new global innovation, so it is not surprising that we are starting to see a pivot concerning individual rights regarding data.[1] Rather than decrying the loss of privacy, a common trend today is to focus on data rights and data sovereignty. Viewing data through the lens of privacy brings inherent limitations as determining the reaches and limits of privacy has been an ongoing societal debate for hundreds of years. As Professor Chao wrote, privacy is “intangible”. By contrast, data is definable. Data is a thing — albeit a less tangible thing than a touchable item[2], it is no less real. It is something that is bought and sold every day all across the world. Like other items of value, billions of dollars a year are spent to protect it from theft. If data has a value, in and unto itself, it should logically follow that its loss through carelessness or recklessness should be enough to justify compensation.

Why is it important to characterize data as a “thing”? Because analyzing data loss under a privacy theory focuses on the impact that the loss of data may eventually have. Considering data as property puts it in the realm of things that can be owned, and if something can be owed, the damages from its loss are not determined just by what future harm may result from the loss, but mostly it is determined by the value of the property at the time of loss. Accordingly, why doesn’t the law consider a loss of one’s data as a loss of one’s property?!

Questioning why data loss is not deemed a property loss is not an abstract or alien notion. With the destabilizing nature of the Internet today, ownership of the data generated or collected through it is a key concept, and the question of whether “we should all own our data” becomes paramount. Given our creation of it, shouldn’t we always have owned our data? Data is king today, with Big Tech built upon the concept of control of data. The current controversy around whether Big Tech companies should be broken up derives from the massive power they have generated from the control of data. However, when data is considered a thing (i.e., property), data associated with a person (“created” by that person) should rightfully be that person’s personal property. As property, an owner is empowered with dictating all authorized and unauthorized uses of personal data — Full Stop! Indeed, personal data should have been viewed through the lens of property rights, rather than under a privacy regime, from its genesis.

A property-based legal construct — framed here as Digital Identity Sovereignty™ — will be introduced later. But first, it is helpful to recognize that commodification of data is already ongoing.

Data Provenance as a Trend

Before the decision in Ramirez, there was already a change in the ontological approach around online privacy. For example, a pivotal privacy construct, the European Union’s General Data Protection Regulation (GDPR), is built upon a data model designed to categorize lifecycle uses and constraints concerning personal data. That is, the GDPR contains operational features that prescribe data controls rather than articulate objectives addressing aspirational notions about privacy itself. Though conceptualized as a privacy protection, aspects more resemble a property ownership model, such as: a data subject has prescriptive protections as if privacy data were indeed personal property.

Additionally, the term “data subject” is used rather than “person”. That, by itself, is either Freudian or notable, as if the authors’ use of a depersonalized term about private data signaled a property focus. Finally, the data subject has a right to direct uses of data (i.e., GDPR Article 18 Right to Restriction of Processing). Though not as extensive as full property control, the GDPR’s treatment of data resembles property ownership. That is, a right to control third-party use of data resembles a property stake in that data. Indeed, under an intellectual property lens, both creation and derivative use constraints are property principles that imbue ownership.

The GDPR model also resembles property ownership, and appears dissimilar to traditional dimensions of privacy, in the externalities of GDPR application. Whereas privacy tends to look inward, the GDPR prescribes the uses of data extending outward from its point of origination. In the real world, individuals effectuate personal privacy by things they do inward-facing. A person may stay in the home and not go out in public. A person may elect not to communicate certain details, such as about sensitive matters, feelings, likes and dislikes, and so on. Importantly, one’s personal privacy is largely within one’s own control and tends to be inward focused about intangible or abstract notions. Conversely, the GDPR construct prescribes ways and means by which personal data is handled by third parties. It is outward-focused. In this externality aspect, one’s data more resembles a thing than the attribute of privacy.

Dissecting other privacy statutes and regulations reveals a similar data control-centric (or creator-owner) ontology. To protect privacy in the Digital Era, the standard structural approach has been to institute data controls. It therefore is incongruous to apply a traditional privacy regime to redress privacy wrongs. Data is a thing, things are property, and redressing harms should be pursued under a new property-based construct.

Disruptive Change

Colleagues who have reviewed and critiqued this writing have understandably and fairly questioned whether the proper balance for the rights and duties challenge within the law should pivot entirely to a property-oriented construct, or whether a dual “privacy and property” theory should reign? To support a critique of a “property only theory”, some have raised the issue of whether data can ever be truly and fully owned — and further, how an absolute data ownership theory would work against competing bodies of law associated with public figures, rights of publicity, creative works by third parties concerning a subject’s name, image or likeness, and similar areas of friction?

A property-based redress system for data transgressions would certainly be a transformational paradigm. However, the law is never absolute because there are always competing rights and duties. One cannot kill another, except in self-defense; a trespass upon property is disallowed, except for the self-help doctrine. That there may be exceptions to a new construct does not render it any less transformational. What is likely to transpire with this transformation is the emergence of new transactional arrangements. That is, new ways of licensing and obtaining the explicit consent of the data owner will emerge; and, in many cases, the data owner will provide the data use approval in exchange for compensation or something of value.

Introducing Digital Identity Sovereignty™

In pursuing a new property-based legal redress construct[3] — Digital Identity Sovereignty™ — it is helpful to draw upon other emerging movements that similarly view the issue through an asset or property lens. Data Trusts[4] have emerged as mechanisms and institutions to better protect data rights. Within the blockchain space, an initiative has emerged known as Self-Sovereign Identity[5]. These distinct initiatives should be separately explored to glean asset-based approaches to data. They are mentioned here to support the contention that a societal trend is afoot, and becoming widely accepted, where data is treated as an asset — a “thing.” This begs the question posed earlier: why are we using a privacy model to redress infringements if data is an asset (i.e., property)?

Moreover, the notion of data as an asset views personal data more expansively, raising the concept of a digital identity. Just as identity is broader than privacy, Digital Identity Sovereignty™ extends data ownership around privacy data to the entirety of one’s online presence. Grasping the full reach of digital identity illustrates the transformative potential of a property-based model. The Internet has caused an explosion of digital remnants of one’s online activity. Additionally, people have imprinted facets of their identity throughout the Internet. People have social media accounts, website profiles, and communicate and transact leaving digital marks of their identity. Across many online platforms, separate aspects of one’s digital identity reveal highly sensitive information, such as one’s DNA profile and other health information, biometric details, personality makeup and quirks, financial profile, friends and family, social security and credit card information, etc. The US Supreme Court has addressed how data contained on the ordinary mobile phone can reconstruct one’s identity:

The storage capacity of cell phones has several interrelated consequences for privacy. First, a cell phone collects in one place many distinct types of information — an address, a note, a prescription, a bank statement, a video — that reveal much more in combination than any isolated record. Second, a cell phone’s capacity allows even just one type of information to convey far more than previously possible. The sum of an individual’s private life can be reconstructed through a thousand photographs labeled with dates, locations, and descriptions; the same cannot be said of a photograph or two of loved ones tucked into a wallet. Third, the data on a phone can date back to the purchase of the phone, or even earlier. A person might carry in his pocket a slip of paper reminding him to call Mr. Jones; he would not carry a record of all his communications with Mr. Jones for the past several months, as would routinely be kept on a phone. [6]

Accordingly, owning one’s personal data must necessarily encompass all of one’s online and digital traces. Digital Identity Sovereignty™ asserts one’s rights across the entire spectrum of one’s digital footprint.[7]

The empowerment of the individual afforded from a property construct includes improved enforcement of rights. Notably, efficiency of redress is a substantial benefit of a property-based construct. As Professor Chao explained, proving harm from a loss of privacy is both conceptually challenging and evidentiary intensive. Those two elements also translate into it being an expensive legal endeavor. Under Data Trust theory, data-as-an-asset could be categorized and valued according to an asset class. Even more exciting, certain personal digital assets could conceivably come under copyright or trademark right protection. Anyone with a website or a social media profile, might establish, for instance, that a hack, misuse of personal data, or social media abuse, damages one’s brand.

Athletes and celebrities would especially benefit from Digital Identity Sovereignty™. For most athletes and celebrities, their digital identity is their brand. Many generate more revenue from brand-related activities than from their performance contracts. Moreover, knockoffs and online advertising fraud are common attacks upon these personalities. For example, Sports-ISAO[8], an information sharing enterprise devoted to protecting sport from online threats, performed sample inspections of some international soccer stars, as well as major international events and prominent sporting organizations, and detected substantial knockoff activity. These entities stand to benefit from anti-piracy enforcement actions that turn to intellectual property law for redress for data theft or damage from brand disparagement, knockoffs and other infringements.

Take-Aways for Now

The purpose of this article is to propose a better way of protecting privacy, to extend protection of privacy onto the broader concept of digital identity, and to propose this construct as an improved method for redressing digital identity transgressions. In proposing a property-based construct, the method of Digital Identity Sovereignty™ [9] was briefly introduced to illustrate an enforcement practice that includes intellectual property-based remedies. In proposing this data-as-property construct, it is acknowledged that its implementation will entail new rights and duties balancing by law. However, acknowledging that uncertainties of application will emerge does not concede weakness in the model, it is inherent in our common law system. The privacy model itself, as revealed by the Supreme Court’s outcome and analysis in Ramirez, is irreconcilably weak and should be replaced by a property model.

Proposing a property-based model is an initial step toward retiring — or at least substantially modifying and improving — the current privacy-based system of redress for transgressions upon digital identity. A property-based model should be universally instantiated, not just in the U.S. (note the GDPR reference). More research, analysis, and thought leadership is needed to build out and implement a property model. Perhaps this article[10], and efforts in Data Trust and blockchain, will serve as a foundation and inspiration to spearhead more efforts to shape a future where individuals and data owners convert their interests and stakes in digital identity into meaningful claims of property ownership.

Acknowledgements: This article was greatly improved through the comments, suggestions, and edits of several respected colleagues: Dru Brenner-Beck, Randy Bagwell, Erik Dullea, Brian Meegan, and Tim Opsitnick, each of whom acted in their individual capacity. The opinions and viewpoints contained herein, however, are exclusively those of the author notwithstanding the substantial feedback from my colleagues. A well-deserved and sincere note of “THANKS!!” goes out to these friends and colleagues.

[1] Insofar as the Internet created a virtual domain for humans to interact, transact, entertain and engage in a wide range of human activities, it is not surprising that lines were initially drawn through the lens of privacy. The “virtual world” and the real world are not equivalent, however.
[2] Modern touchscreens now enable users to manipulate and interact with data via their computer screen. The ability to interact with data through touch certainly renders data, at least conceptually, more like tangible property.
[3] A “legal redress construct” is not a characterization or definition intending to suggest that property rights are applied merely in the rights balancing aspect. Digital Identity Sovereignty™ encompasses property ownership of data as well. Yet, it is within the rights and duties balancing scenario (i.e., legal redress) that the transformation from a privacy construct can be better illustrated.
[4] See, e.g., the Data Trust Initiative at Cambridge University; https://www.cst.cam.ac.uk/research/data-trusts.
[5] A website that has surveyed and curated this emerging field, and which provides references and history, can be viewed at https://decentralized-id.com/literature/self-sovereign-identity/#about-ssi
[6] In a unanimous ruling in Riley v. California, 573 U.S. 373 (2014), the Supreme Court catalogued the extensive data contained on the ordinary mobile phone, even characterizing how the mosaic of a person’s life, sensitive details of the person’s identity, can be reconstructed from its contents.
[7] That online platforms may require user’s to license away or waive certain ownership rights is a separate issue from the user owning all personal data in the first instance. Secondly, data ownership by the individual alters the nature of that relationship, which may result in a transactional change from the existing relationship.
[8] Sports-ISAO engages in online threat monitoring as an evidentiary production partner supporting Digital Identity Sovereignty™. Sports-ISAO, in partnership with eosedge Legal, engages in a method and assembly of technologies and practices that, from a digital property rights approach, detects misuse and affords strategies for redress that are far more efficient than pursuing privacy loss litigation.
[9] Digital Identity Sovereignty™ is a rights enforcement practice conceived by eosedge Legal and licensed to its partner network (e.g., Sports-ISAO, the CyberJurist Network and OnCall Cyber).
[10] Efforts arising from the practice of Digital Identity Sovereignty™, including publications and enforcement actions, will continue from eosedge Legal, Sports-ISAO, and the CyberJurist Network. Collaboration with others is sought.

Leave a Reply

Your email address will not be published.