They say that data is the new oil — but who exactly owns it?


As part of Legal Cheek’s occasional series exploring buzzing legal research across the UK and internationally, today, on the day that new data protection rules come into force, we delve into the uncharted territory of the law on data ownership.

In the not too distant future, driverless cars will be the norm. We will be speeding around in autonomous vehicles, our journeys managed through a handheld device, our lives transformed — again.

Those cars will collect and store a huge amount of data: on our exact location, where we are going, and how fast we are travelling. Through connected devices — the ‘Internet of Things’ — data will be transferred and stored on who the passengers are, including biometric data for identification purposes and even something as personal as readings from heart-rate monitors, which will assess our health risks and how comfortable we are in our vehicle.

This vast reservoir of data (perhaps amounting to as much as 4,000 gigabytes every day), some of it highly personal, has untold value: as market intelligence, as consumer information, as well as value for less business-oriented reasons such as safety or public policy.

We are building rules around data that is personal to us in a bid to ensure such data is treated with respect and privacy (witness today’s ‘Hallelujahs’ over the new GDPR). But what about the much thornier question of who exactly owns this data? Whose data is it, and who should reap the benefits of this “new asset class”? This is the subject with which Václav Janeček, currently a research student at the Oxford Law Faculty, is grappling in his paper, Ownership of Personal Data in the Internet of Things.

We often find it surprising that we don’t automatically have ownership rights over our personal data, and we are taken aback that the likes of Facebook can legally do what they do: invite us to hand over our data, then package it up and sell it on to someone else. Facebook makes money out of our data without paying us for it — that is its business model.

The quandary of data ownership emerged as an issue at EU level when the European Commission consulted on it as part of its push to encourage the free flow of data across EU borders. The response to that consultation was, in a nutshell: “don’t go there”. So why is data ownership, legally speaking, so challenging?

Janeček is assisting in a joint project between the American Law Institute and the European Law Institute to explore the key legal principles in a data economy, and you can read his paper here or here. He argues that from the very outset the concept of ownership has been overshadowed by real problems of definition: if we want to own personal data (in the same way that we want to be able to keep personal data private) then how do we work out what is personal and what isn’t?


Apart from certain intrinsically personal types of data such as your name, your heart rate in the above example, or biometric data that is increasingly used for identification, personal data is “a moving target”. Raw data might be non-personal data in one aspect and in one configuration but could well become personal data in another. Take, for example, data regarding your journeys in that driverless vehicle of the future. If a company profiles all your journeys to work out how far you travel and how often, that might be personal data. But if a company profiles those journeys to assess fuel consumption and efficiency of that particular vehicle, is that still, usefully, personal data?

Even if we could work out what type of data we were talking about and even if we could accept that some sort of data ownership is essential for our economic growth, the next problem is how we go about introducing such a new type of legal right. Janeček suggests that we can either impose the legal right of ownership by creating it through legislation (what Janeček calls “the top-down approach”) or we could let ownership rights develop through various other means such as through technology or through piecemeal case decisions which give certain classes of data ownership potential (“the bottom-up approach”).

For example, in the driverless car scenario, our journey data could quite easily be stored in an app which we download and “own”; or imagine a legal challenge in which journey data is sold to a travel company and a judge decides that it is the car company, not the person taking the journey, that has ownership rights to that data. In such cases, ownership rights would stem from the bottom up.

Janeček is uncomfortable with the top-down approach because of the problem of working out what is and isn’t personal data, but also, more fundamentally, because ownership is regarded as something which comes from human nature, a fundamental right, therefore something that cannot be imposed from the top down. He turns to the philosopher John Locke, writing at the end of the 17th century, who stated in his Second Treatise of Government: “God has given the earth to the children of men; given it to mankind in common.” And so “in the state of nature, all particular things are unowned”. But what man does, Locke argues, is enter into society for “the preservation of their property” and it is at this point that ownership in things becomes possible.

In the (near) future then, when drones deliver our Amazon shopping, when driverless cars take us to work, when an estimated 163 zettabytes of digital data is out there, Janeček argues that there is unlikely to be a single comprehensive legal instrument which declares who owns this data (the limiting factors being not only the law but also the lack of technology).

Instead, there will be a patchwork of specific rights: rights to data access and erasure, property rights in storage mechanisms such as black boxes, and intellectual property rights in some databases (like Spotify’s). But the individual nuggets of data will hardly fit our traditional notions of ownership rights. The raw data, that vast reservoir of prima facie meaningless numbers and words, is, legally speaking, unowned.

This is the second in an occasional Legal Cheek Journal series, looking at new and interesting legal research. If you are working on a paper or research which you’d like to share with Legal Cheek, email us.



The law will inevitably continue to develop at a slower rate than technology. As developments are made, the law will have to be amended to facilitate and accommodate such changes.

Look at the Data Protection Act 1998, for example: it was created when Google was a new concept and just before social media became a key part of day-to-day life, yet it has taken until today for new legislation to bring the law back in line with how data is actually used.


The fact of the matter is that Facebook, Twitter and Instagram tell you, within their terms and conditions, that they use and sell your data to third parties.

This is also true of most applications you install, including within Facebook. The fact that such terms are buried in the depths of the T&Cs, and that no one reads terms and conditions before clicking “Accept”, reflects laziness, acquiescence, indifference and perhaps even the intellect of the people using such platforms and software.

What this really ought to give rise to is a discussion of the extent to which terms relating to your personal data, and the rights conferred to use, sell or otherwise dispose of that data, ought to be brought to users’ attention in the way that the law of contract expects of other terms that are “onerous or unusual”.


I love the ode to the “occasional series” in the preamble.


Personal data isn’t necessarily something that can be ‘owned’. It should be respected, and the GDPR is a good thing, of course, but data is factual. You cannot own a fact. You can limit what other people do with a fact through legal rights or contract, but you can’t stop a fact existing or stop someone being aware of it. One could simply remember someone else’s phone number, email address or other identifying feature, which amounts to processing personal data; you cannot force someone to forget a fact.


The biggest hypocrisy in all this is when tech companies refuse to co-operate with the police and security services because they supposedly respect their customers’ data…

Not Amused

Clearly tech companies cannot be trusted. So the options are top down by legislation or bottom up by case law.

The problem is that top-down requires a fully sovereign parliament, which we do not have. Bottom-up requires class-action-style case law, which, again, we do not have.

Judge hobpsexual

Fuck off, some of us need to make a living, instead of relying on benefits and inheritances like you lot.


New toxic waste, not oil.


Only data that a person creates personally, or data related to private property, needs protecting; everything else will be controversial and uncertain.
