Law permits trade in data, so it seems that data are alienable objects (res in commercio).Footnote 1 In this Article, we argue that commerce in some data is, and should be, prohibited by the law because some data embody values and interests that would be detrimentally affected by trade. We survey the legal limits on trading data in the digital economy and ask whether, and to what extent, a set of principles can rationalize (1) when data qualify as extra commercium and (2) who is to be held responsible for the illicit trade in the data extra commercium. By answering these two questions, we fill an important gap in the existing legal scholarship.
The problem is that, unlike in the case of traditional goods (res), inalienability of data cannot be ascertained ex ante because the question of whether or not a particular dataset represents values and interests that can be compromised by commerce is not a question about a static property of the dataset. We argue that alienability of data, unlike alienability of traditional goods, is limited by dynamic changes that have direct implications for data alienability. According to our research, these changes take place at the level of informational properties of data, such as when data are processed in a new context by a new analytic algorithm, and at the level of legal bases for trading data, such as when a data subject withdraws her consent in relation to processing of personal data.Footnote 2 This means, among other things, that alienability of data can be limited even ex post. Along these lines, by analyzing the legal framework around personal and sensitive data protection, we develop a “dynamically limited alienability rule” that concisely describes the principles of inalienability of personal and sensitive data under the GDPR.
This Article is structured as follows: Section B introduces the Roman law doctrine of res extra commercium and shows why it is inspiring in relation to trade in data. While the doctrine cannot account for the fluid nature of data nor the technology-driven virtual environment in which data are processed and traded, the infosphere,Footnote 3 the rationales for excluding some data from trade do not change and have legal implications very similar to the rationales behind res extra commercium. Accordingly, responsibility for trade in data extra commercium can be attributed almost fully in line with the principles behind the Roman law doctrine. Section C surveys positive law. We observe that no legal provision expressly addresses the question of (in)alienability of data, although data protection laws clearly seem to protect human flourishing. One thus cannot easily ascertain whether and when trade in data is illicit due to those data being qualified as extra commercium. We fill this gap by identifying and compiling legal rules that limit alienability of data, namely personal and sensitive data. To help advance EU law and transnational data trade while ensuring protection of the fundamental values that the law excludes from trade, we formulate what we call a “dynamically limited alienability rule”. In Section D, we seek to help legal practitioners, judges, and lawmakers to consider who, if anyone, shall be held responsible and eventually also liable for this mischief. Building on Roman law and modern contract law principles, we thus propose a general two-stage test that satisfies our goal. In Section E, we discuss how the two-stage test and the limited alienability rule may help link the EU data protection law with contract law rules and principles, and help enforce legal principles of data extra commercium in fully automated and autonomous data trading systems which are becoming increasingly significant for our daily lives.
Overall, our main original claims are that data are subject to a dynamically limited alienability rule and that responsibility for the consequences of inalienability of data can be determined using the two-stage test that we propose. We argue that data extra commercium is a useful dynamic concept that helps protect certain values and interests in the infosphere and can be employed in traditional European contract law.
For reasons set out below, we focus primarily on trade regarding personal data and other sensitive data. For reasons also set out below, we restrict this Article to questions of when and how we should protect these data. In contrast, we do not look at how we should protect parties if their contract is negatively affected by data protection tools. That is, we do not look at what remedies should be available to them. In addition, when we discuss attribution of responsibility, we do not mean to say that the law imposes a duty on a party to observe certain rules with respect to data or that the law imposes liability on a party for failing to respect certain rules. These issues would need to be resolved at the level of national legal systems, which is beyond the scope of this Article. What we mean instead is that national legal solutions should adhere to the principles we describe.
B. From Res Extra Commercium to Data Extra Commercium
The Roman law protected multiple types of thing (res) by excluding them from commerce (extra commercium). The commercial inalienability of these things was entrenched in the values and interests that res extra commercium embodied. Accordingly, Roman law prohibited trade in free humans (liberi homines),Footnote 4 things of divine interest (res divini iuris),Footnote 5 and things of secular public interest (res publicae).Footnote 6 Although we no longer use the Roman law doctrine of res extra commercium, these categories evoke some strong parallels with the recent prohibitions regarding human trafficking,Footnote 7 trade in human organs,Footnote 8 trade in some religious and cultural artifacts,Footnote 9 unlicensed commerce in publicly dangerous or invaluable things,Footnote 10 and traffic in publicly important things which are either considered common to everyone or that belong to no one.Footnote 11
A purported sale of any of these three categories of thing was first deemed void as legally impossible,Footnote 12 except where the purchaser, without fault on his part, was unaware of their real nature.Footnote 13 The tendency to protect the buyer is understandable as “it can be difficult to distinguish a free man from a slave”.Footnote 14 It is also understandable to have regard to the buyer’s fault, because “even the greenest provincial on his first visit to the mother city could [not] honestly believe that he could take effective possession […] of, say, the Temple of Venus or the Porta Capena or, turning to res publicae, of the Theatre of Pompey or the Via Sacra”.Footnote 15
Eventually, the various rules have been compiled into a specific provision of Justinian’s Institutes (Inst.III.23.5), according to which a person who, in full awareness of the facts, bought a thing in which trade is forbidden, bought in vain and his contract was void. Yet if the purchase was based on the seller’s fraud, deception, or misrepresentation,Footnote 16 the law granted the buyer a remedy in damages for mischiefs such as eviction, confiscation, and misapprehension induced by the seller. To the extent that these remedies were conditioned on a breach of contract, the jurists felt that they should not to deem the contract void because otherwise there would be no legal basis for the remedy. This required an exception to be made to the general rule that fraud renders a contract void ab initio.Footnote 17
Recent EU laws and other legal rules also protect certain types of valuable assets by excluding them from commerce. We focus on data. The laws regarding data and digital content seem to exclude some data types from commerce, although somewhat ambiguously, as we will show in Section C. Thus, it effectively looks as if some types of data—due to characteristics of the information they embody—cannot be the subject of a sale contract (extra commercium), similarly to how Roman law prohibited trade in certain types of thing. Yet as we have seen in the introduction, trade in data, unlike trade in material objects, poses some very challenging questions. In particular, it seems that we need to think dynamically about the values and interests that the data represent, and it is unclear what implications this may have for the validity of contracts and the availability of contractual remedies in relation to data extra commercium. Let us investigate these issues in relation to personal data.
The parallels between res extra commercium and our proposed concept of data extra commercium look particularly strong in the case of free humans and personal data. Illicit trade in free humans, unlike trade in things of divine or public interest, was allegedly an increasingly common source of practical trouble in Roman times.Footnote 18 An analogy may be drawn with recent illicit handling of personal data by tech giants such as Facebook.Footnote 19 Also, in Roman times, free individuals were not “things” in a legal sense, just as data are not considered to be “things” in many modern jurisdictions.Footnote 20 Finally, the distinction between a slave and a free individual is epistemically obscure, just as there is no clear line between non-personal and personal data.Footnote 21 Both a slave and a free individual are humans, although they embodied different values in Roman law. Both non-personal and personal data are data, although they encapsulate different types of valuable information.
Given that the distinction between a free individual and a slave is no longer legally significant, we could instead seek to draw an analogy with trade in human organs. Although organs are different from data—and, generally, from intangible goods—legal protection of human organs has been widely compared with legal protection of personal data.Footnote 22 This is perhaps due to the central role of personal data in constructing personal identity and to the inherently personal nature of both organs and data as components of the moral and physical integrity of human beings.Footnote 23 Accordingly, if the human body and its components are capable of being considered res extra commercium, one might be tempted to conclude that personal data—that is data that already relate to an identifiable human, just like organs pertain to an individual—are likewise inalienable in the European digital market.
Indeed, the rationales for excluding trade in human organs can partly translate to commerce in personal data—as we will see in the next two sections of this Article—but arguments about tradability of data must take a very different form. This is so because non-personal data can become personal, and vice versa. The difficulty with all data, not just personal data, is that one must always first compute the information that data embody in order to find out the legal status of such data. Data as objects of digital transactions can therefore never be excluded from commerce ex ante, because they can be ex post linked with values and interests that would be compromised by sale.
The dynamic nature of data is unparalleled in the physical world. The closest we could perhaps get is the example of 3D-printed organs.Footnote 24 Unlike organs extracted from a human, organs printed on a 3D printer are a tradable commodity. In the physical world, it is relatively easy to understand why the law prohibits trade in human organs but not trade in 3D-printed organs. The rationale for this protection seems to be based on moral and ethical considerations, grounded on human dignity in terms of moral and physical integrity.Footnote 25 For the same reasons, one could argue that it would be illicit to trade 3D-printed organs that have already been successfully implanted in a human body. While this looks like a dynamic change in the nature of those 3D-printed organs, however, it is important to highlight that this is a one-off change. In contrast, the nature of data may change repeatedly.
A further complication is that a data subject—that is a human to whom the personal data relate—may ex post withdraw her consent with processing of personal data for a specific purpose. Again, in the physical world, it would be hard to imagine that a producer of 3D-printed organs would terminate a contract and withdraw their organs from the human body. In the infosphere, however, a data subject can demand her data back, which causes some headaches for the contracts involving those data and attendant remedies.Footnote 26 We will get to these issues in Sections C, D and E.
For now, it suffices to highlight that these dynamic ex post changes in the nature of data are a new phenomenon that might lead to exclusion of data from trade. This issue seems to have slipped the attention of lawmakers as well as many scholars, although it presents a distinct problem for the data economy. As, for instance, Basedow argues, “[i]t should be clarified to what extent personal data are res extra commercium and what this means for contracts covering such data”.Footnote 27 The uncertainty over when the law excludes data from commerce is further magnified by the fact that there are no clearly defined rationales for treating certain data as res extra commercium such as is the Roman law triad of reasons—an interest in liberty of free humans; a divine interest; and a public interest. Further, in cases of hidden data commodification and when data are provided instead of a monetary price for the provision of digital content, there is always an implicit danger that contracts involving such data would be invalidated ex post.
Thus, it seems worth attempting to map the concept of data extra commercium onto the moral and public policy reasons found in Roman law or a similar set of reasons, so as to clarify the constraints on trading data which are implicitly baked in our laws and provide a higher degree of certainty for the data economy. Due to the number of parallels and the reasons given, we will use personal data as a vehicle for our argument, although we aspire to make more general claims about limits on trade in data.
In this regard, Margaret Radin’s work in which she challenges the idea of “paternalism” as a basis for market inalienability is particularly relevant.Footnote 28 By criticizing Calabresi and Melamed’s famous view on inalienability,Footnote 29 Radin argues that the real justification of trade limitations should not be based on traditional liberalism or economics but on a conception of personhood and human flourishing. According to Radin, the reason why we do not trade children or human bodies is thus our interest in human flourishing. Human flourishing, a key concept in virtue ethics,Footnote 30 means the development and fulfilment of one’s own personality, based on positive freedom (life, health, thought), negative freedom, and autonomy. Allowing individuals to trade their body parts or entire bodies, for instance, would impair the foundation of individuals’ freedom, because it would be detrimental to personhood itself. Accordingly, inalienability should not be justified through paternalism but, on the contrary, through human freedom.
Radin was one of the first to discuss personal information in the context of the inalienability of human beings.Footnote 31 Indeed, she affirms that personal information—“attributes” and “characteristics”—is what makes personhood unique and, thus, it cannot be separated from persons themselves.Footnote 32 Following this line of argument, we can infer that if humans are inalienable, their personal data should likewise be inalienable, because only objects separate from the self are suitable for alienation. For example, the French national advisory Committee for Ethics, when interpreting Article 16-10 of the French Civil Code, considered the technology of genetic fingerprints (empreintes génétiques) as res extra commercium Footnote 33 because fingerprints are inseparably liked to an individual.
In other words, we think Radin’s work identifies a strong rationale for what we call data extra commercium: Inalienability of personal information justified through arguments concerned with human flourishing. Interestingly, privacy scholars have recently affirmed that the right to human flourishing might be the general justification, or even the raison d’être, for the right to privacy as protected under Article 8 of the European Convention on Human Rights.Footnote 34 Overall, it seems that inalienability of personal data could be justified on a moral basis, just like Roman law advanced moral reasons when prohibiting trade in free humans, because the morally-laden values and information that personal data embody would be compromised by sale. So, while the nature of data dynamically changes, the rationales for excluding some data from trade can remain unaltered. What dynamically changes is whether data encapsulate values and interests that would be detrimentally affected by trade, not whether we want to protect those values and interests. Building on the existing literature, we submit that human flourishing is regarded as one such fundamental value that can justify inalienability of personal data.
C. When the Law Limits Trade in Data?
The law is, however, not bound to follow such abstract moral arguments. It may build on them to provide a principled legal ground for excluding data from commerce, but it could just as easily disregard those rationales. Accordingly, the aim of this section is to explore whether, and under what conditions, there are already some forms of data extra commercium in EU law or in national legislation.
Before we begin, we stress that several leading commentators consider data to be intra commercium by default.Footnote 35 Indeed, Article 2(11) of the Directive on Consumer Rights seems to protect the commercial use of data in sales law by explicitly addressing production and supply of digital content.Footnote 36 The Regulation on a Framework for the Free Flow of Non-Personal DataFootnote 37 and the Digital Content and Digital Services DirectiveFootnote 38 support the same conclusion, as they consider data tradable goods. The Regulation, for instance, explicitly declares the objective of “removing obstacles to trade”.Footnote 39 The Digital Content and Digital Services Directive, then, defines “digital content” as “data which are produced and supplied in digital forms”Footnote 40 and allows for data—even personal data—as an alternative payment for the supply of digital content and services.Footnote 41 Although the proposal for this directive has been severely criticized from the perspective of personal data protection,Footnote 42 the debate about data (in)alienability is still underdeveloped.Footnote 43 Below, we advance this debate.
I. Are Personal Data Inalienable?
The Digital Content and Digital Services Directive goes as far as to assert that “the protection of personal data is a fundamental right and that therefore personal data cannot be considered as a commodity”.Footnote 44 Although this may indicate a clear political aspiration of EU leaders to exclude personal data from commerce, we think that black letter law is not as clear. Consider, for example, how the EU Charter of Fundamental Rights (the Charter) addresses personal integrity and personal data protection. While Article 3(2) affirms that body parts cannot be “a source of financial gain”, and thus sends a clear message regarding trade in human organs, Article 8 merely declares that everyone has the right to the protection of personal data concerning her. It does not prohibit financial gain from one’s own personal data, which suggests that the Charter does not take any position in relation to (in)alienability of personal data.
As regards personal data in general and their being in the nature of inalienable goods, we should take into account EU secondary law (in particular the GDPR) and national data protection legislation. We also need to acknowledge that among personal data, there are some special categories of personal data (hereinafter sensitive data, that is data revealing racial or ethnic origin, political, religious or philosophical beliefs, trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning sex life or sexual orientation of the data subject) whose processing is limited to even more restricted cases (Article 9 GDPR, see more below).
The GDPR does not explicitly address inalienability of personal data or their nature as res extra commercium. Nor does it use the terms “trade” or “sale” when referring to personal data. However, the centrality of the data subject as a holder of inalienable data protection rights—the right to access, the right to object to processing, the right to withdraw the consent, the right to erasure, the right to portability—seems to be the first relevant element to be considered. It is true that personal data can be processed on the basis, among others, of consent and contract and that these are two elements that could also justify tradability of personal data. Nevertheless, consent should be free and revocable (Article 7 GDPR).
Revocability of consent is thus an apparent index of the not-fully-tradable nature of personal data.Footnote 45 In addition, Article 7(4) states that, “[w]hen assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. In other words, when consent to data processing is given merely as a counter-performance in exchange for the provision of a service, one may doubt the freedom with which consent is given.
The wording of Article 7(4) GDPR has triggered a vivid debate about its proper interpretation. On the one hand, commentators largely recognize the nature of data as a de facto price, consideration, or counter-performance in the digital market.Footnote 46 On the other hand, Article 29 Data Protection Working Party (Art 29 WP)—which was an independent European working party that dealt with issues relating to the protection of privacy and personal data before the entry into application of the GDPR—has explicitly affirmed that personal data can never be “counter-performance”, thus strengthening the argument that personal data should not always be considered alienable.Footnote 47 However, Art 29 WP seems to accept that personal data may be monetized if specific conditions are respected. In particular, data can be monetized if the controller offers to the data subject a genuine choice:
between a service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by the same controller that does not involve consenting to data use for additional purposes on the other hand.Footnote 48
Further, Art 29 WP remarks that “both services need to be genuinely equivalent”.Footnote 49 One might wonder whether a premium service upon payment and a free service upon accepting additional purposes of data processing could ever be “genuinely equivalent” alternatives. Still, if there is—at least in principle—the possibility of accepting a service delivered by the controller without consenting to the additional data use in question, then the consent could be considered genuinely free.
These considerations seem to suggest that, in principle, the data subject should not be asked to disclose her personal data in exchange for money or as an alternative to money. But if her will is genuinely free, that is if the expressed consent is not conditional (Article 7(4) GDPR), it is possible that personal data are monetized. Of course, the consent can be always withdrawn (Article 7(3) GDPR).
Accordingly, we submit that the flow of personal data is based on a limited alienability rule: Personal data can be traded in exchange for a monetized service only if specific conditions are met.Footnote 50
Interestingly, at least two European Member States’ legislation implementing the GDPR—that of the UK and of Denmark—mention the wording “sale of personal data”. The UK Data Protection Act 2018, similarly to the UK Data Protection Act 1998, prohibits the “sale of data” as part of the crime of “unlawful obtaining of personal data”.Footnote 51 In particular, it is prohibited to sell data or offer to sell data that have been obtained without the consent of the data controller. However, these provisions criminalize only business-to-business—or more accurately, controller-to-controller—data trading. What is protected here is the consent of the data controller to commercialize personal data that were lawfully obtained and processed.
The UK Data Protection Act 2018 would seem to imply that any sale of personal data is permitted and lawful, provided that the first data controller consents. But that would be a misunderstanding of what the law demands. According to the GDPR, the exchange of personal data from one data controller to another data controller must respect the data protection principles. Namely, the transaction must have a legal basis according to Article 6 GDPR, such as the data subject’s consent or necessity of processing, discussed further in Section C.II.2, and the data subject should be informed about any recipient of the personal data (Articles 13(1)(e) and 14(1)(e) GDPR). If and only if all the GDPR safeguards are respected, then the exchange of personal data between two data controllers is permitted, even if that exchange is monetized. In other words, we think we can already affirm at this point that personal data are based on a limited alienability rule.
The same argument must apply to other national legal systems in the EU, including Danish law. The Danish Data Protection Act states that:
[D]ata controllers who sell lists of groups of persons for direct marketing purposes or who print addresses or distributes messages to such groups on behalf of a third party may only process: (1) [D]ata concerning name, address, position, occupation, e-mail address, telephone and fax number; (2) data contained in trade registers which according to law or provisions laid down by law are intended for public information; and (3) other data if the data subject has given explicit consent.Footnote 52
This confirms the possibility of trading personal data, but, again, only where the data protection principles set out above are met.
In order to understand tradability of personal data, it is instructive to look outside the EU, for instance to California’s Silicon Valley. Presumably, European businesses would want to trade data with innovative entities incorporated there. California law seems to recognize personal data as res intra commercium. In the California Consumer Privacy Act 2018 (CCPA), for instance, the concept of “sale of personal data” is largely accepted as the basic rule in the relationships between different data controllers.Footnote 53 In addition, such sale of data is recognized as the basic rule, while individuals have only the right to be notified that their data will be sold and the right to opt out from any sale of data relating to them.Footnote 54 The rights of notification and opt-out seem similar to the requirements of information disclosure and legal bases in the GDPR (Articles 14 and 6) as described above. Thus, alienability of personal data is arguably also limited in California.
Interestingly, the CCPA even seems to declare an absolute inalienability rule. Section 2 of the CCPA acknowledges that “the right to privacy is among the ‘inalienable’ rights of all people”. The same section further clarifies the content of such inalienable right: “Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information”. In other words, the inalienable right to privacy includes the right of individuals to limit the trade of data related to them. Overall, we thus submit that one can identify a limited alienability rule for personal data even in the US.Footnote 55
A similar declaration of inalienability can be found in the Quebec Civil Code, in which Article 3 affirms that: “[E]very person is the holder of personality rights, such as the right to […] privacy. These rights are inalienable”.Footnote 56 Even in this case, inalienability does not refer to market inalienability of personal data as res extra commercium, but to the right to privacy as a right that cannot be removed from individuals.
In sum, the analysis of personal data as res extra commercium is complicated; their nature as an (in)alienable commodity might appear ambiguous in many legal frameworks. Regardless of definitions and pronouncements in legal documents, however, if we focus just on the possibility of processing personal data on a monetization basis—either the data controller asks the data subject for personal data in exchange for money or for a valuable service, or the data controller exchanges personal data with a third recipient, such as a business, in exchange for money—we conclude that there is a limited alienability rule. In the following sections we will summarize the limits for trading personal data under EU law.
II. Trading Personal Data under the GDPR: Conditions and Uncertainty
In order to understand the conditions under which the GDPR allows trade in personal data, we should first clarify what “trading data” means and then differentiate amongst relevant scenarios. We accept here that trading data means obtaining personal data in exchange for money or for other valuable assets such as digital services or valuable information. Two different scenarios should be addressed here: Primary data trade where the data controller obtains personal data from the data subject, and secondary data trade where the data controller exchanges personal data with a third recipient, such as a business that can thus become a second data controller.
In both primary and secondary data trade, the trader(s) need to consider two variables: (1) The nature of data—are they personal or non-personal data? If they are personal data, are they sensitive or non-sensitive data?; (2) The legal basis for trading data—what is the legal basis and when does it change? We will discuss these variables in the following two sections of this Article.
1. The First Variable for Limited Alienability of Data: The Dynamic and Uncertain Nature of Data
Regarding the nature of data, Article 4(1) GDPR clarifies that “personal data” means any information relating to an identified or identifiable natural person. Interestingly, recital 26 of the GDPR explains that when determining whether a natural person is identifiable, “account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly”. To ascertain whether some means are reasonably likely to be used to identify the natural person—the recital continues—“account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments”. If, considering reasonable efforts, it is not possible to link the information to a natural person, the information shall be considered anonymous.Footnote 57
As discussed in Section B, it appears clear that the nature of data is relative. Several variables, such as reasonable costs, time, or available technology, significantly affect our realistic capacity to single out individuals.Footnote 58 The CJEU in Breyer v. Germany recently clarified that data are anonymous not just if it is technically unfeasible to identify the natural person to whom they are related, but also if it is legally unfeasible.Footnote 59 In particular, if there are no legal channels for obtaining the “identifiers” that would turn those “anonymous” data into “personal” data, personal data shall be considered anonymous.Footnote 60 Owing to a broad interpretation of the CJEU’s statement, it is sometimes thought that pseudonymous data (personal data separated from identifiers)Footnote 61 could also be considered anonymous data for a third party that cannot technically or legally access the identifiers.Footnote 62
It is noteworthy that the nature of data also varies across time. For example, advancements in technology could make it easier to reidentify some originally anonymous data, or a party processing anonymous data could ex post obtain the identifiers in a lawful way. Thus, it should be accepted as a given that the nature of data is not only uncertain for traders at the moment of the trade, for example when it is not clear whether some data are really anonymous or relatable to an identifiable person, but also dynamically uncertain in the future, as anonymous data might become personal data.
Once it has been verified that traded data are personal data under the GDPR, another test should be performed to find out whether those data are of a sensitive nature. This extra categorization is necessary in the context of trading data because Article 9(1) provides for stricter rules for processing sensitive data. Accordingly, sensitive data are based on a more limited alienability rule than personal data generally.
For the reasons given above, the border between sensitive and non-sensitive data is uncertain, relative, and dynamic.Footnote 63 In particular, it has been affirmed that in the age of Big Data, machine learning, and data mining, it becomes increasingly easier to infer sensitive information from apparently non-sensitive data.Footnote 64 All personal data have a certain degree of intrinsic sensitiveness and an inversely proportional computational distance from sensitive information.Footnote 65 How this distance can be covered depends on advancements in technology, but also on the collection of further data. For example, our health conditions can be statistically predicted even from our daily location data. Accordingly, data traders should not only consider the uncertain and dynamic nature of data, but also the uncertainty and dynamism of the subcategory of sensitive data, which have implications for the legal bases for trading data.
2. The Second Variable: Legal Bases for Primary Data Trade
Insofar as data qualify as personal data or even sensitive data, data traders need a legal basis for the commercial exchange of such data. Legal bases for processing personal data are listed in Article 6 GDPR. For sensitive data there is an additional and more demanding list of conditions in Article 9 GDPR.Footnote 66
Let us consider personal data first. We will focus on consent, a contract, and a legitimate interest as the potential bases for trading data lawfully (Article 6(1)(a), (b), (f) GDPR).Footnote 67 As mentioned above, consent, can serve as a legal basis for collecting data for monetization purposes.Footnote 68 However, according to Article 7, this consent must be unambiguous, fully informed, including being informed of the commercial purpose of the data processing, and it must be revocable and free, meaning not conditional on the provision of services with no other genuinely equivalent alternatives. Accordingly, businesses who trade personal data must ascertain that consent has been provided unambiguously, that it was informed, free, and that it remains valid. The consent remains valid if it has not been withdrawn by the data subject.
Another legal basis for monetizing personal data could then theoretically be a contract, but commentators have dismissed this possibility.Footnote 69 Even Art 29 WP has clarified that the provision of Article 6(1)(b) GDPR, stating that processing is lawful if it is “necessary for the performance of a contract to which the data subject is party”, “must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller”.Footnote 70 Art 29 WP thus effectively excluded the use of contract as a legal basis for processing data for monetization purposes, including marketing purposes.Footnote 71 We agree with Art 29 WP’s view.
The last variant is a legitimate interest as a basis for lawful processing of personal data. Pursuant to Article 6(1)(f) GDPR, this could be where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. This legal basis thus requires us to take account of several tests, including the necessity test; the legitimacy test; and the balancing test, considering the counter-interests of the data subject.Footnote 72
The use of “legitimate interest” as a legal basis for monetization purposes is problematic,Footnote 73 especially with regard to the necessity test. Art 29 WP has indeed clarified that data controllers should “consider whether there are other less invasive means to reach the identified purpose of the processing and serve the legitimate interest of the data controller”.Footnote 74 In data trade, the identified purpose might be an economic profit from personal data, but such a purpose would probably be considered insufficiently specific to meet the necessity test.Footnote 75 In addition, one could always argue that the desired economic profit could be achieved through less invasive means, such as when the content providers would provide some premium services upon a payment.
The legitimacy test allows for more freedom and can be interpreted expansively.Footnote 76 Still, the interest must always be lawful, sufficiently clear, and represent a real and present interest.Footnote 77 Finally, the balancing testFootnote 78 should take into account the controller’s legitimate interest, impact on the data subjects such as intrusiveness of profiling, provisional balance, and additional safeguards applied by the controller to prevent any undue impact on the data subjects—transparency, ease of exercising the right to object, et cetera.Footnote 79
All these considerations make it extremely difficult to use the category of legitimate interest as a legal basis for trading personal data. It will be necessary to evaluate on a case-by-case basis whether a specific data transaction involves intrusive profiling, unclear information about purposes or commercial implications, alongside other legal requirements. And even though “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, as is confirmed in recital 47 of the GDPR, the data subject has the right to object at any time to such processing (Articles 21(2) and 21(3) GDPR). Accordingly, the legal basis for data transactions could be invalidated ex post, which seems to be very similar to the right to withdraw consent in case of processing based on consent.
In addition, if the traded data are not only personal, but also sensitive (Article 9(1) GDPR), they can never be processed merely for legitimate interest purposes, because under Article 9 GDPR there is no reference to legitimate interest as a legal basis for processing. In that case, just two legal bases might in principle be adequate for the processing of sensitive data for monetization purposes: (1) When the data subject has given “explicit consent for one or more specified purposes” (Article 9(2)(a) GDPR), given that the consent is free, informed and revocable (Article 7 GDPR); or (2) when processing relates to “[sensitive] data which are manifestly made public by the data subject” (Article 9(2)(e) GDPR). In this second case, however, we observe that if personal data are already made public, this might lower their commercial value for data traders because they would not need to buy these data, they just would need a technology to collect them. Still, even in this second case, it is worth remembering that for processing sensitive data, controllers need a legal basis under both Articles 9 and 6 GDPR, because sensitive data also count for personal data.Footnote 80 Therefore, in the case of processing sensitive data which were manifestly made public by the subject, the data controller should either seek the consent of the subject under Article 6(1)(a) or prove that there is necessity for a legitimate interest under Article 6(1)(f). The route of a legitimate interest then poses multiple hurdles, namely the legitimacy test, the necessity test, and especially the balancing test when trading sensitive data for merely commercial reasons.Footnote 81
Overall, we submit that this second variable is also uncertain and dynamic. In cases of consent, even when the data traders pass the freedom of consent test, consent could be withdrawn in the future.Footnote 82 In cases of legitimate interests, even when the data controllers pass the necessity, legitimacy and balancing tests, the data subject could easily object to data processing and thereby delegitimize it. With regard to the secondary data trade, that is a commercial exchange of data between two data controllers such as a service provider and an advertising company, the same conditions apply. In addition, it might be necessary to obtain a separate consent for exchanging data with a third party: Art 29 WP clarified that in order to respect the principle of “granularity”, the data controller that processes data for her own purposes must ask for a separate consent to communicate the data to a third party.Footnote 83
3. Dynamically Limited Alienability Rule for Personal Data under the GDPR
Given the evidence in the legal sources and literature set out above, we conclude that personal data are not based on an inalienability rule and are, therefore, not res extra commercium. Nonetheless, we also conclude that strict conditions apply to the commercial flow of personal data, and so we can talk about a dynamically limited alienability rule in relation to personal data.
Figure 1. (see below) visualizes how this complex rule might look. Accordingly, the GDPR arguably forbids trade in data when:
1. Data are personal data from the outset or become personal data subsequently AND there is:
a. No free consent of the data subject under Articles 6(1)(a) and 7 GDPR; or
b. No necessity for a legitimate interest under the conditions of Article 6(1)(f) GDPR for processing those data;
2. Personal data are also sensitive data according to Article 9(1) GDPR from the outset or become sensitive data subsequently, AND:
a. There is no free consent of the data subject under Article 9(2)(a) and Article 7 GDPR; or
b. Those data are not manifestly made public by the data subject or, even if made public, there is no necessity for a “legitimate interest” under the conditions of Article 6(1)(f) GDPR for processing those data;
3. The legal basis is subsequently lost, for example:
a. Consent is withdrawn or loses its required qualities (Article 7 GDPR); or
b. In case of legitimate interest basis, the data subject objects to the processing of personal data (Article 21 GDPR).
D. The Two-Stage Data Extra Commercium Test
While Roman law provided a clear and principled test that helped indicate when contracting parties should be held responsible for illicit transactions in res extra commercium, and consequently when the parties’ commercial interests are to be protected by legal remedies,Footnote 84 current law does not feature any similar test in relation to data. The Digital Content and Digital Services Directive provides consumers with some contractual remedies and deals with some aspects of onward data transfers to third parties,Footnote 85 but it is does not address these issues in a complex and principled way that would be useful also for business-to-business contracts. This section fills this gap and proposes a test that is specifically designed for transactions in data extra commercium. We suggest that this test be thought of as a reasonable proxy on the basis of which national contract laws can be interpreted in accord with EU law limits on trade in personal data.
We already know that the Roman law res extra commercium test struggles to identify data that cannot be traded. To this extent, we suggest replacing the test with the dynamically limited alienability rule. As far as the legal implications of there being data extra commercium, however, the Roman law doctrine can play an important role. We can make a connection between the doctrine of res extra commercium and data extra commercium by focusing on the principles that underpin the Roman law test for inalienability of things. It is safe to assume that the test was underpinned by the following set of abstract principles that are based on the authority of reason: (1) If a contracting party—for instance an innocent buyer—is not responsible for the forbidden trade, it would not be unjust to provide that party with a remedy for the spoiled commercial transaction; (2) if the other party—for instance a fraudulent seller—is responsible for the mischief, the law could grant the innocent party a remedy against the defaulter; (3) otherwise, the contract is void and the law protects only the noncorrelative interests vested in the object of trade. The parties are responsible for the void transaction if they knew, or should have known, that the object was extra commercium. Let us translate these principles into the context of data.
The dynamic nature of data implies that all contracting parties can, in full awareness of the factual circumstances of their transaction, foresee that the relevant data may eventually be excluded from commerce on the basis of the reasons outlined in Section B and as demonstrated for trade in personal data in Section C. It could thus be argued that all parties should have known this potential status of the data and, accordingly, would all be responsible for the void or ineffective contract and its consequences. This line of thought would result in legal protection of data extra commercium only. No party would be entitled to a remedy.
The difficulty is that such a strategy does not take into account the legitimate interests and reasonable expectations of the parties. For example, it seems unreasonable to expect that a data subject will be able successfully to claim her interests and withdraw her consent in relation to fully anonymized data or to personal data that are collected and processed in the public interest.Footnote 86 Similarly, it would be unreasonable to assume that data regarding levels of humidity around the globe would be eventually analyzed as personal data. In theory, it is possible, but seems as unlikely as the authors of this Article being tenured next year. You would hopefully struggle to say we are responsible for not being tenured next year. By the same token, it is unreasonable to assume that parties can have limitless responsibility for data extra commercium. Given the dynamic nature of data, it is also unreasonable to assume that the parties’ limited responsibility is fixed at the time of the conclusion of a contract or another key event in the digital trade. According to this line of thought, the parties’ limited responsibility should be dynamic, too.
In response to these issues, we propose to translate the corrective element of reasonablenessFootnote 87 into the following two-stage test. Stage 1: A party is responsible for trade in data extra commercium if and when, given the current state of knowledge and technology that is normally available to a person in a similar position, it is reasonably likely that the relevant data could reveal personal or other restricted information. Stage 2: If those conditions are met, the party cannot successfully escape responsibility for infringing on the values and interests in which trade is, or should be, legally prohibited. The party will be responsible for the mischief, unless that party demonstrates a special justifying reason, such as the data subject’s free consent with processing of personal data or a compelling legitimate interest of the controller, that serves as a defense to that party’s liability for consequences caused by transactions concerning data extra commercium.
Stage 1 of the test protects reasonable expectations and legitimate interests in that the basic rule is that data are in commerce and the validity and enforceability of the contract should remain untouched, provided that there is no reasonably likely interpretation which would reveal that the relevant data embody values and interests that would be compromised by sale (as explained in Section B of this Article). Of course, the parties cannot prove negative facts, which is why the Stage 1 test must take a positive form as set out in the preceding paragraph. This positive test helps indicate whether the parties knew, or should have known, that any data in question are excluded from commerce. The “current state of knowledge” requirement allows us to consider the so far speedy developments in the field of data science. The requirement of “technology that is normally available to a person in a similar position” is designed to objectively indicate whether and when the relevant party could have discovered that the data qualify as extra commercium, and therefore whether and when that party has responsibility for trade in that data. This requirement is also justified by recital 26 of the GDPR.Footnote 88
Stage 2 further limits the parties’ responsibility in that it provides the parties with relevant excuses from responsibility and, consequently, defenses to liability. A party that becomes responsible at Stage 1 should prove that they have a relevant excuse that allows them to trade data that would otherwise be extra commercium. This could be freely given consent by the data subject or a compelling legitimate interest of the data controller winning the three tests—the legitimacy, necessity, and balancing tests—under Article 6(1)(f) GDPR. In the case of sensitive data, this could additionally be either explicit consent or demonstration that data were made public by the subject, or any other exemption provided by the law at the time when the party faces Stage 2. In this sense, Stage 2 reasonably limits responsibility for data extra commercium but does not deny it.Footnote 89
If we now reconnect the two-stage test with its Roman law roots, we can see why the reasonable basic position of the law should be to protect only data extra commercium and the valuable information they embody. We can also see why it would often be the case that those who are in control of powerful analytic algorithms would be more likely to be responsible for data extra commercium than those to whom such tools are not available, typically consumers and data subjects. The question of specific legal sanctions and remedies is an important matter which we do not have space to open here. The key point is that the test could potentially be deployed in any type of data transaction and could be seen as a test that enforces requirements that are reasonable, principled, and in this sense non-arbitrary.
E. The Unique Benefits of the Data Extra Commercium Test
The two-stage test helps attribute responsibility for trade in data extra commercium, and thus also for the consequences of purporting such trade, in relation to both problematic scenarios set out in the introduction and Section B, that is in relation to ex post analytic exclusion of data from commerce and ex post withdrawal of consent. The same applies to the specific conditions of trade in personal data as discussed in Section C. These are undoubtedly unique and significant benefits that already justify why we should adopt the two-stage test in our thinking about data transactions in European contract law.
Here we want to highlight two practical benefits of the two-stage test. The first benefit relates to enforcement of the limited alienability rule in technologically advanced data trading and data processing systems where human end users are virtually out of the loop. Think, for instance, of “smart” environments and the Internet of Things. In order to deliver their functions, smart devices and their data processing algorithms often automatedly, and sometimes even autonomously, connect to other devices in order to transfer or process data. This can happen without the end user having any knowledge about such activity or the character of the data traded. Still, legal obligations can arise even in such autonomous environments and, likewise, the reasons for excluding some data from commerce apply there too.Footnote 90
How then, if the human end users—who are traditionally considered the relevant contracting agents—are out of the loop, can we enforce the limited alienability rule? Consider, for instance, how difficult it would be to apply principles relating to defects of consent—mistake, fraud, threat, or undue influence—and misrepresentation in scenarios where the human user is out of the loop. Similarly, consider how difficult it would be to establish that the dynamic change of the nature of data amounts to an unforeseeable change of circumstances.Footnote 91 These issues demonstrate the obstacles relating to enforcement of the limited alienability rule when it comes to automated trading of data between autonomous agents. The existing European contract law tools are simply not designed for the infosphere where our traditional notions of time, space, and identity of objects start breaking down in relation to data and their informational properties.
This is where the two-stage test is likely to help. The law is well positioned to provide a legal, that is not technological tool to open black-boxed algorithmic trading systems, and thereby to protect the values and interests that certain types of data embody. The two-stage test could steer these challenges at the technological level by incentivizing development and implementation of suitable algorithms that would be designed to protect data extra commercium. Such protection by design could result in various auditing algorithmic protocols which would enforce the compliance with the law by computer codeFootnote 92 that would flag up potential issues in the black box. Stage 1 of the test explains why it would be reasonable for stakeholders to use such auditing technologies and responsibly to develop the necessary technical standards.Footnote 93
The second benefit relates to Stage 2 in that it demands development of adequate legal and technical standards for ex post authorization of processing of autonomously derived or inferred data. From a traditional European contract law perspective, trade in these derived or inferred data would be permitted if they were derived or inferred from data in commercio. The traditional contract law approach—we may call it a pre-Big Data or pre-infosphere paradigm—looks at data as a merely accidental form of goods, rather than as primary objects of transactions.Footnote 94 If the primary good is excluded from commerce, data are too; if not, data are in commercio. We already know, however, that the relationship between data and the information they embody is not this straightforward and that, once the human user is out of the loop, we could lose sight of trading data that should be excluded from commerce. In other words, even derived and inferred data might eventually infringe upon non-tradable values and interests as set out in Section B.
Again, this is where the two-stage test might help. The current European law addresses issues of ex post withdrawal of consent and, relatedly, the legal implications of this ex post exclusion of data from the relevant transactions, including some implications for onward transfers of such data extra commercium to third parties. By contrast, the two-stage test incentivizes development of reasonable legal and technical standards that would allow not only for exclusion of data from commerce but also for ex post authorization of such data and, accordingly, ex post inclusion of derived or inferred data in commerce. This second benefit is, again, characteristically significant for enforcement of the limited alienability rule in the era of Big Data and the infosphere and demands us to adopt some new contract law rules for attributing responsibility for data extra commercium. What shape these rules will take in national legal systems, or whether there will be pan-European standard terms or implied terms for business-to-business and business-to-consumer contracts, are questions ripe for further consideration that exceeds this Article.Footnote 95 Overall, the two-stage test could incentivize more efficient legal and technical standards for detecting and protecting data extra commercium even in fully automated and autonomous trading systems.
No matter how tempting the intellectual parallel may be, data are not res extra commercium and we should seek to avoid thinking about them in these terms. This does not mean, however, that data are res in commercio; that too would be a misunderstanding. The nature of data is more complicated than that and we cannot simply apply traditional concepts and contract law doctrines to them.
In this Article, we argued that transactions in data can be limited and that data are subject to what we call a dynamically limited alienability rule. In Section B we argued that the dynamically limited alienability rule can be explained on a principled basis and, therefore, applied more generally to trade in any data. In Section C, we demonstrated how this rule would apply in the context of the current laws regarding trade in personal data. We also visualized the rule in Figure 1, so that our readers might easily refer to it in their own work or legal practice. Further, Section D proposed and defended a general two-stage test that could help legal practitioners, judges, and lawmakers to determine when trade in data is illicit and who, if anyone, shall be held responsible for this mischief. Finally, we showed not only how the two-stage test and the limited alienability rule may help to link EU data protection laws with contract law rules and principles, but also how the test might help to enforce legal principles of data extra commercium in fully automated and autonomous data trading systems.
We thus proposed that data extra commercium be thought of as a dynamic concept for future European contract law or national laws implementing the Digital Content and Digital Services Directive. After all, in a world of speedy technological advancements and changes in business practices and models, it seems a more efficient and sustainable regulatory strategy to link contractual sanctions and remedies with the object that is traded—that is data—rather than with the specific types of contractual transaction. Besides, a standard requirement of commercial law is that the object of a transaction is lawful, and it would be difficult to conceive of the law permitting otherwise. For this reason, we coined the term data extra commercium and the two-stage test to help enforce the limited alienability rule pertaining to all data transactions. As such, data extra commercium may even serve as an elementary tool of data protection.Footnote 96