Beyond Data Ownership

Abstract

Data ownership proposals are widely misunderstood, aim at the wrong goal, and would be self-defeating if implemented. This Article, first, shows that data ownership proposals do not argue for the bundle of ownership rights that exists over property at common law. Instead, these proposals focus on transferring rights over personal information solely through consent. Second, this Article shows the flaws of a property approach to personal information. Such an approach magnifies well-known problems of consent in privacy law: asymmetric information, asymmetric bargaining power, and leaving out inferred data. It also creates a fatal problem: a moral hazard problem where corporations lack incentives to reduce privacy harm. That moral hazard problem makes data ownership self-defeating. Recognizing these deficiencies entails abandoning the idea that property over personal data can achieve meaningful protection. This Article, third, develops proposals for privacy law reform amidst a national discussion on how to formulate federal and state privacy statutes. These involve implementing a combination of what the Calabresi-Melamed framework calls property and liability rules. This mixed rule system is essential because property rules alone fail to protect data subjects from the risks of future uses and abuses of their personal information. The Article implements this reform proposal with two recommendations. First, it proposes bolstering private rights of action for privacy harm irrespective of whether such harm was coupled with a statutory breach. Second, it proposes reinforcing ongoing use restrictions over personal data by strengthening the purpose limitation principle, a key and underutilized ongoing use restriction in American law.