Legal systems work on the basis of categories and classifications (‘goods’/‘moveable’ and ‘immoveable’, ‘tangible’ and ‘intangible’, ‘contracts’…). ‘Data’ is not an existing category in our civil code and it is difficult to qualify data under one of the existing legal categories. This creates a situation of legal uncertainty.
GDPR framework does not create any ownership rights
The GDPR has clarified certain legal aspects pertaining to the specific category of personal data. For example, the GDPR stipulates various obligations for controllers and processors of personal data and it grants explicit rights for data subjects such as the right to rectification, the right to be forgotten, the right to data portability etc. Moreover, the GDPR sets up a regime of oversight and sanctioning to monitor compliance with these rights and obligations. However, the GDPR framework does not create any ownership rights (rights in rem) of data subjects vis-à-vis the personal data. Rather, it establishes rights vis-à-vis certain other parties (controllers and processors, i.e. rights in personam).
Hence, the GDPR only partially deals with the issue of legal rights to personal data. Moreover, non-personal data are not covered by the GDPR. A limited number of aspects concerning non-personal data are covered in Regulation 2018/1807 on the free flow of non-personal data, which comes into force in May 2019. This new Regulation focuses on localization requirements, control by regulators and the right to portability of commercial data.
What are the rights of the creators of data?
As a result, a large number of legal aspects relating to both personal and non-personal data remain unclear today. For example, what are the rights of the creators of data? Can they control the re-use of the data created or claim a remuneration in case of derivative use? Are data recipients required to share data received with third parties? Is there any compulsory data licensing that data holders need to anticipate?
And to what extent can contracts help to fill the regulatory gap? What rights and obligations can you stipulate in a contract for a data-rich innovation partnership? How can you prevent a party from re-using sensitive data that you have provided? Or how can you make sure you obtain exclusive rights to the data generated by a platform on your behalf?