Who owns data? | In Principle

Go to content
Subscribe to newsletter
In principle newsletter subscription form

Who owns data?

A core issue for the data economy is how to define the legal status of data. Can data be the subject of ownership? If not, what rights can be exercised with respect to data? Future models for management of data will depend on the answers to these questions.

Not so fast!

In commerce we increasingly encounter notions like “my data,” “ownership of data,” and “acquisition of data.” Concepts alluding to notions of ownership are also used in formal statements by public administrative authorities to refer to data. For example, the Communication from the Office of the Polish Financial Supervision Authority (UKNF) on processing by supervised entities in public or hybrid cloud computing states that one of the mandatory elements in contracts with cloud computing providers is to specify “ownership of the processed information during the term of the contract and after its completion or termination.” The European Banking Authority Guidelines on outsourcing arrangements also require that provisions be included in certain outsourcing agreements ensuring access to data “owned” by a financial institution.

It turns out that references to ownership in the case of data are a great oversimplification, and sometimes can generate major misunderstandings. First and foremost, under Polish law, data, in the sense of intangible content, are assumed to be incapable of being the subject of ownership. Only “things,” defined by the Civil Code as “material objects,” can be owned in this sense. Thus a physical medium on which data are recorded can be the subject of ownership, but not the data themselves, which do not have a material form.

This situation gives rise to a number of crucial consequences. The first challenge is to determine the content of rights to data. If it is not the right of ownership, what entitlements with respect to data are enjoyed at all by an entity that asserts “ownership” of the data? What sorts of legal protections are available to that entity when its rights are infringed? And what is the legal status of data in the event of the death of an individual, or liquidation of a legal entity, that has asserted rights to data?

Fundamental distinctions

Essentially, the existing provisions of Polish civil law do not directly provide for a right to data. The provisions on protection of personal data, primarily the EU’s General Data Protection Regulation, function as something of an exception. The GDPR is undoubtedly the most systematised set of provisions concerning data. However, it applies only to personal data. Moreover, the civil-law status of personal data is not the main subject of these provisions (an issue that will be the subject of a separate article in this series).

The basic scheme for systematising subjective rights assumes that rights are divided into property rights and non-property rights. It seems that data, depending on the type, can be regarded as the subject of property rights, and in some instances also as the subject of non-property rights. The criterion for this distinction is the degree to which a given right is conditioned on an economic interest on the part of the rightholder.

Property rights are traditionally divided into several types, in particular tangible rights, claims, and rights of an economic nature to intangible goods. Given their intangible nature, data cannot be the subject of many tangible property rights. They could be the subject of claims, however, as well as certain rights of an economic nature to intangible goods.

Non-property rights, in turn, including moral rights held by a natural or legal person for the purpose of protecting the holder’s personal interests. It appears that personal data could be assigned to this category of rights.

From the practical perspective, there is also an important distinction between absolute and relative rights. The criterion for this distinction is the scope of protection afforded to the holders of these rights. It is recognised that absolute rights are effective against the whole world (erga omnes); in other words, basically anyone, even if not connected with the holder of the rights by any contract, must respect these rights. Relative rights, in turn, are effective only between the parties to a specific legal relationship. It is also accepted that the legal system recognises a fixed catalogue of absolute rights; such rights must arise expressly out of the regulations and cannot be freely created by the parties to legal relationships.

Some data will be the subject of rights of an absolute nature. This will be the case for example with data that could constitute the subject of copyright or the subject of protection based on regulations concerning databases. The scope of rights with respect to such data will be established by the regulations governing the specific category of absolute property rights. We will provide more remarks on this category of data in articles discussing the specific types of property rights for which such data can qualify.

But the properties of a large portion of data do not allow the data to fall within any of the recognised categories of absolute property rights. For the purposes of this article, we refer to such data as “uncategorised data.” Such data present the most legal doubts. They also constitute a significant portion of all data that now are or can be generated. The rest of this article addresses this category of data. For the purposes of this discussion, personal data have been excluded from this category (although in practice personal data may also fall into this category).

Uncategorised data

Examples of uncategorised data include machine data generated from various types of sensors, which often are not the subject of copyright protection or protection of databases. However, such data can be the subject of civil-law dealings. The holder of such data may, for example, conclude a contract with other entities providing for transfer of such data, including for a fee. Such contracts may also provide for certain limitations in disposing of the data.

But the rules for administering uncategorised data will generally arise exclusively out of contractual relations and will be binding on, and enforceable by, only the parties to those relations. In other words, an entity wishing to limit the use of uncategorised data can impose such restrictions and enforce them only as against entities with which they are bound by a valid legal relationship (particularly a contract).

The practical consequences of this state of affairs are huge. First and foremost, the protection of entities holding relative rights is greatly restricted compared to the protection enjoyed by holders of absolute rights. An entity coming into possession of uncategorised data and not also a party to a contract limiting the use of the data generally has great freedom in disposing of the data. This leads to a clear fracture in the economic interest, which increasingly ties the economic value of data to the legal status of the data. In the case of uncategorised data, the economic interest with respect to the data is not protected in a degree comparable to other types of assets.

This leads us to ask more and more often whether uncategorised data should nonetheless be the subject of some new absolute subjective right that would reflect the growing importance and value of such data in the economy. This would require creation of new regulations as well as a deeper reflection on the scope and content of such potential rights. The economic interests of the generators of such data would have to be weighed against the general societal interest, which assumes that easy access to data can result in creation of great added value in the economy.

Until such time as a new absolute subjective right to data is created, we will have to deal with the challenges posed by the absence of such a right in the legal system. In subsequent articles in the data economy series, we will discuss several of the most serious consequences of the absence of such a right (for example involving establishment of security interests in data and inheritance of data).

The technological context

The technological dimension of administering data is also relevant for these issues. In discussions about the possible need to create a new absolute property right to data, the argument has often been raised that there is no technical possibility to administer such an absolute right. It has been pointed out, among other things, that there are huge quantities of such data, they are generated under various technological standards, and the possibilities of duplicating such data are boundless. All of these properties of data mean that deliberations over an absolute right to data, comparable to a right of ownership, may remain purely abstract, because even if such a right existed there would be no way to effectively enforce it.

Many of these arguments seem valid. However, we must also factor in the dynamically evolving technological context. Some tech solutions could potentially lead to a state where the model for trading in data approaches familiar models for trading in material objects. For example, thanks to “tokenisation” of data using blockchain technology, we are potentially capable of turning specific data or bundles of data into an identifiable subject of commercial relations and effectively controlling the trade in data in this sense. Consequently, from a technological perspective, it is possible to imagine introduction of models for trading in data and conceptions similar to models for trading in material objects based on a conception of ownership.

It cannot be ruled out that the availability of solutions enabling the “tokenisation” of data will force the creation of regulations governing the legal status of data. Appropriate technological solutions may also prove essential for a potential new property right to be applied to data. Administration of huge data sets derived from various entities may simply prove too burdensome without automation of this process. Thus a potential new property right to data may prove to be one of the first examples of a right whose very existence requires technological support.

The socio-economic context

When considering the legal status of data, their socio-economic dimension also cannot be ignored. Along with the growth in automation of manufacturing and services, we are beginning to seek ideas for guaranteeing sources of income to people who lose their jobs as a result of automation or are condemned to very low-wage occupations. Among other things, we are considering more and more seriously a system of guaranteed income.

In this context, the idea arises of using data as a source of passive income. Such notions are also growing bolder as technological solutions appear potentially creating the possibility of efficient management of such data. You will find further commentary on this dimension of the debate in subsequent articles in this series.

An effect of realisation of these ideas may be the creation of special types of rights to data. This may prove essential to properly secure the economic interest tied to data by these concepts.


The current legal system does not yet offer clear answers to many fundamental questions about data, particularly the status of data under the civil law. Thus basic legal rules for administering data have yet to be determined. Thanks to this, we can still exercise a high degree of flexibility in developing models for administering data. But over the longer term, the lack of clarity on the legal status of data may pose a barrier to the growth of the new economy. Moreover, technological progress and the socio-economic dilemmas facing us may spark the creation of new types of rights to data. Consequently, huge changes may occur in the near future in the legal status of data.

Krzysztof Wojdyło, adwokat, Intellectual Property practice, Wardyński & Partners