Solving the conflicts between data owners and data exploiters through a spectrum of quasi-property models

The European Union keeps moving forward with its plans for a regulatory framework to guide the data economy development and foster data-driven innovations for further economic and societal growth.[1] The use of and access to data plays a key role in this context, and different actors can have different priorities. In particular, individuals and companies both have an interesting in enjoying a degree of control over the information used to fuel these data-driven innovations: individuals because the use of data related to them might affect them, and companies – and other controllers – because they might wish to generate economic and societal development by processing data.


This reopens and further develops a question to which no single uniform answer has been found yet: what exactly is data, whom it belongs to, and what legal relationship is there between the subject and the data? The answers to these questions are extremely relevant, in particular where the data economy has moved as far as using personal data as consideration for digital services.[2] Seeking answers from a legal perspective can be troublesome as there are different regulations, even in the European context, that provide different and, in some cases, contradictory solutions.


The question is particularly timely as a proposal for a Data Act should be published soon by the European Commission. While the exact content of the Data Act is still unknown as the proposal from the European Commission hasn’t been published, this piece of legislation is intended to address a considerable number of issues surrounding the data economy and the possibility of data ownership.


Currently, from a legal point of view, there are different notions of what data means exactly. Often, we tend to defer to the General Data Protection Regulation (GDPR- and the realm of data protection regulations to answer this where data is associated with an individual and known as ‘personal data’.[3] We can also find ‘non-personal’ data where it is not related to a natural person, as in the case of the Free Flow Regulation.[4]However, this doesn’t stop here but in upcoming legislation, such as the Data Governance Act, we can also find general wider notions for data.[5] As such, in different situations, we might be confronted by a particular regulatory framework that deals with a set of situations. Consequently, a comprehensive and systematic view is necessary to tackle this first question in a holistic manner.


On the questions of whom it belongs to – if it belongs as such to anybody – and what legal bond is there between them and the data, the literature has discussed different approaches, has tried for quite some time to find a balance between the interests of the involved stakeholders. When it comes to companies, the database sui generis right, trade secrets, or copyright were seen as the potential solutions for it.[6] On the other hand, the legal literature dealing with ‘ownership’ of data by individuals, while a tempting solution, [7] is besieged by the fact that personal data is also safeguarded as a fundamental right.[8] In this sense, it was pointed out that people would not own personal data but rather control access to it via the notice and consent scheme and/or the general data protection framework, including the exercise of associated data rights, even on a collective basis.[9]


This latter scenario, a more active data rights exercise approach, is finding an echo in recent technological developments, such as decentralized identity management systems.[10] Until now, companies acted as data controllers and oversaw every single activity related to the data processing, from the collection of the personal data until its destruction going through its usage and possible sharing. Decentralized identity management systems, such as self-sovereign identities or personal data stores, allow for further control by data subjects themselves rather than having to file a request before a data controller and wait for an answer.[11] In this sense, data controllers do not select which data are they going to collect but rather have to accommodate the data that individuals create and make available for use.


This difference in the existing approaches for answering our initial question shows that there might be tensions between the involved stakeholders as their rights on the same object are different and, in some cases, expressing contradictory concerns. it is unclear how rights transfer between the involved parties should operate. To achieve a balance between different positions, it has been suggested the adoption of a quasi-property model, with a different grounding on a particular right depending on the scholar analyzed.[12]Through it, it would be possible to adopt a practical and hands-on solution to the issue of data ownership and, consequently, bridge the different positions mentioned above. Exploring whether or not this approach is compatible with the GDPR or not shall be one of the main challenges for the LeADS project.


As mentioned, the European regulatory framework is currently in flux and attempting to tackle the new future economic developments sustainably in the long run. There are currently different proposals undergoing discussion at a different level that deals with the uneasy question of what exactly is (personal) data from a legal point of view in a unified manner and try to find an answer to the question of ‘what is data ownership?’, which forms one of the main research crossroads for the LeADS project, as well as with other research questions that form up its core.


Authors: Prof. dr. Paul de Hert, Prof. dr. Gloria González Fuster, Andrés Chomczyk Penedo


[1] ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data’ (European Commission 2020) COM(2020) 66 final.

[2] Carrie Gates and Peter Matthews, ‘Data Is the New Currency’, Proceedings of the 2014 New Security Paradigms Workshop(Association for Computing Machinery 2014) <> accessed 1 April 2021.

[3] Art. 4(1) GDPR: ‘(…) any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (…)’.

[4] Art. 3(1) Free Flow Regulation: ‘(…) means data other than personal data as defined in point (1) of Article 4 of Regulation (EU) 2016/679; (…)’.

[5] Art. 2(1) DGA: ‘(…) means any digital representation of acts, facts or information and any

compilation of such acts, facts or information, including in the form of sound, visual

or audiovisual recording; (…)’.

[6] Gianclaudio Malgieri, ‘“Ownership” of Customer (Big) Data in the European Union: Quasi-Property as Comparative Solution?’ (Social Science Research Network 2016) SSRN Scholarly Paper ID 2916079 <> accessed 15 July 2021.

[7] Ignacio Cofone, ‘Beyond Data Ownership’ (Social Science Research Network 2020) SSRN Scholarly Paper ID 3564480 <> accessed 1 April 2021; Václav Janeček, ‘Ownership of Personal Data in the Internet of Things’ (2018) 34 Computer Law & Security Review 1039; Patrik Hummel, Matthias Braun and Peter Dabrock, ‘Own Data? Ethical Reflections on Data Ownership’ [2020] Philosophy & Technology <> accessed 1 April 2021.

[8] Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer Science & Business 2014).

[9] Nestor Duch-Brown, Bertin Martens and Frank Mueller-Langer, ‘The Economics of Ownership, Access and Trade in Digital Data’ (European Commision, Joint Research Centre 2017) JRC Digital Economy Working Paper 2017–01 <> accessed 1 April 2021; Tommaso Fia, ‘An Alternative to Data Ownership: Managing Access to Non-Personal Data through the Commons’ [2020] Global Jurist <> accessed 1 April 2021.

[10] Christopher Allen, ‘The Path to Self-Sovereign Identity’ (Life With Alacrity, 25 April 2016) <> accessed 27 June 2019.

[11] Andrés Chomczyk Penedo, ‘Self-Sovereign Identity Systems and European Data Protection Regulations: An Analysis of Roles and Responsibilities’ (Gesellschaft für Informatik 2021) <>.

[12] Malgieri (n 6).

Technical and legal aspects of privacy-preserving services: the case of health data

Nowadays, the potential usefulness as well as the value of health data are broadly recognized. They may transform traditional medicine into clinical science intertwined with data research, driving innovation and producing value from the perspective of the key stakeholders of the health care ecosystem: not only patients but also health care providers and the life insurance sector.

Yet, the health data does not appear out of thin air, it is not a product that can be viewed in isolation. It is:

  • the personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (data concerning health),
  • the personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question (genetic data),
  • the personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (biometric data).

Thus, the individual cannot be deprived of the right to decide about their processing as the health issues are at the very centre of the privacy protection sphere.

It becomes clear that balancing the interests of the private individual whose privacy is protected, interests of other private and public actors, and general common interests is highly problematic. Naturally, processing of the health data cannot be unrestricted: optimally, the legal framework should facilitate unlocking the value of health data for European citizens and businesses and empower users in the management of their own health data without undermining the very essence of the right to privacy.

Currently, processing of health data falls under complex GDPR legal regime. This, however, poses a serious challenge for the data processors on the one hand and, on the other, gives rise to numerous legal questions. What are the grounds for processing such data in this highly differentiated context?  How should medical data be protected both on the regulatory and technological level? How can we harness newest technology to increase data safety? How can anonymization and/or privacy-preserving data management techniques using efficient cryptography (e.g. homomorphic, secure multi-party computations) contribute to reaching higher protection levels without becoming a hurdle or an impediment for legitimate data processing? Can the blockchain technologies be used for health information exchange? Should the creation of technological infrastructure be coupled with establishing proper key management schemes?

The task is twofold. First, on the regulatory level general policy guidelines for legislators, independent agencies, businesses on data sharing platforms are necessary, together with the analysis of the policy and market implications of providing privacy-preserving services. Second, the practical recommendations are needed: specific postulates should be formulated on how data protection techniques can be applied in the health domain, in order to contribute to achieving the abovementioned aims.

Author: dr. Katarzyna Południak-Gierz, Jagiellonian University

The beginning of the LeADS era

On January 1st 2021 LeADS (Legality Attentive Data Scientists) started its journey. A Consortium of 7 prominent European universities and research centres along with 6 important industrial partners and 2 Supervisory Authorities is exploring ways to create a new generation of LEgality Attentive Data Scientists while investigating the interplay between and across many sciences.

LeADS envisages a research and training programme that will blend ground-breaking applied research and pragmatic problem-solving from the involved industries, regulators, and policy makers. The skills produced by LeADS and tested by the ESR will be able to tackle the confusion created by the blurred borders between personal and commercial information and between personality and property rights typical of the big data environment. Both processes constitute a silent revolution—developed by new digital business models, industrial standards, and customs—that is already embedded in soft law instruments (such as stakeholders’ agreements) and emerging in case law and legislation (Regulation EU 2016/679 and the e-privacy directive to begin with), while data scientists are mostly unaware of them. They cut across the emergence of the Digital Transformation, and call for a more comprehensive and innovative regulatory framework. Against this background, LeADS is animated by the idea that in the digital economy data protection holds the keys for both protecting fundamental rights and fostering the kind of competition that will sustain the growth and “completion” of the “Digital Single Market” and the competitive ability of European businesses outside the EU. Under LeADS, the General Data Protection Regulation (GDPR) and other EU rules will dictate the transnational standard for the global data economy while training researchers able to drive the process and set an example

The data economy or better way the data society we increasingly live is our explorative target under many angles (from the technological to the legal and ethics one). This new generation is needed to better answer to the challenges of the data economy and the unfolding of the digital transformation scoping. Our Early Stage Researchers (ESRs) will come from many experiences and backgrounds (law, computer science, economics, statistics, management, engineering, policy studies, and mathematics,..).

ESRs will find an enthusiastic transnational, interdisciplinary team of teams tackling the relevant issues from their many angles. Their research will be supported by these research teams in setting the theoretical framework and the practical implementation template of a common language.

LeADS research plan, although already envisages 15 specific topics to be interdisciplinary investigated, remain open-ended.

It is natural in the fields we have selected for which we identified crossover concepts in need of a common understanding of concepts useful for future researchers, policy makers, software developers, lawyers and market actors.

LeADS research strives to create, share cross disciplinary languages and integrate the respective background domain knowledge of its participants in one shared idiolect that it wants to share with a wider audience.

It is LeADS understanding that regulatory issues in data science and AI development and deployment are often perceived (and sometimes are) hurdles to innovation, markets and above all research. Our unwritten goal is to contribute to turn regulatory and ethical constraints which are needed in opportunities for better developments.

LADS aims at nurturing a data science capable of maintaining its innovative solutions within the borders of law – by design and by default – and of helping expand the legal frontiers in line with innovation needs, preventing the enactments of legal rules technologically unattainable.

By Giovanni Comandé