As a reminder, Part I of the book was dedicated to the understanding of the data commodification phenomenon. I designed a data commodification spectrum ranging from data complete commodification to data complete noncommodification, on the basis of four ‘data-specific commodification indicia‘. Thus designed, the data commodification spectrum serves as a unique yardstick to compare and cluster how respective schools of thoughts engage with the tradability of data.

In Part II, I analyzed EU data legislation – namely the Data Act and the DGA – systematically against the background of data commodification. I clustered them on the data commodification spectrum on the basis of the data-specific commodification indicia. I found that both the Data Act and the DGA can be placed in between the ‘efficient‘ and the ‘fair‘ data market paradigms. They both lay down sui generis rules for data, with the steady objective of commodifying them despite their specificities. From the perspective of data commodification, the Data Act and the DGA display a rather high level of consistency with one another, especially at the conceptual level. The Data Act and the DGA are generally embedded into market values and a market rhetoric, which can be traced back to the efficient data market paradigm.

The conceptualization of data control as the right for data subjects to control data processing-incurred risks to the autonomous exercise of their fundamental rights and freedoms, heavily relies on the notion of ‘purpose‘ as a means to understand and circumvent such risks. Consensually described in the legal literature as a (or even the ) cornerstone of data protection, this notion had been little addressed head on by the Court until recently. In its recent case law, the Court has addressed both the constitutive criteria of purpose and the functions of purpose as per the GDPR. At this point, it is therefore necessary to evaluate how this case law impacts on the conceptualization of data control and especially whether it calls for a re-examination of the above findings. I conduct this analysis against the background of data commodification.

First, I recapitulate how ‘purpose‘ plays out in the GDPR namely, by general opinion, as a (if not squarely the) cornerstone of it, before I turn to the recent case law of the Court, which deals with ‘purpose‘ in two distinct ways. A first line of inquiry is the new strand of the case law of the Court that, first arising in the context of controllership, amounts to a shift in focus from purpose to data processing operations. The second line of inquiry is the case law on the constitutive criteria for the notion of purpose, to determine such purposes that the GDPR deems acceptable.

DATA PROTECTION, DATA CONTROL AND DATA COMMODIFICATION: A RATHER OLD CONUNDRUM

Adopted in 2016, the General Data Protection Regulation (GDPR) recast the Data Protection Directive of 1995. This famous Regulation applies, in principle, to any processing of personal data across the EU, namely any processing of data that allows for the identification of (an) individual(s). Any personal data processing shall comply with a list of principles, namely lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation and integrity and confidentiality. Lawfulness implies that data processing be based on at least one of the listed legal bases, of which the consent of data subjects for one or more specific purposes is the most referred to when it comes to data transactions. Specific – i.e. more stringent – conditions are applicable in case of ‘sensitive data‘ such as health data.

The GDPR provides data subjects with rights (data subjects ‘ rights) the list of which has been broadened compared to the Data Protection Directive: Rights to transparency, information and data access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, right not to be subject to automated processing.

Compared to the Data Protection Directive, the GDPR also reinforces security obligations and creates a new obligation to conduct a ‘data protection impact assessment‘ prior to any personal data processing that is likely to result in a high risk to the fundamental rights of individuals.

SEEING BEYOND THE LEX SPECIALIS PROVISIONS OF THE DGA

As it clearly appears from the Data Strategy, the Data Act and the DGA, the Commission and the EU legislature see both such legislative frameworks as connected one to the other. They together form the horizontal framework for data, which I identified as the decentralized private law ordering for data, to be further complemented with sector- or domain-specific ‘public law‘ initiatives. As discussed in the previous chapter, the Data Act follows mainly the property law objective to provide a primary allocation of data (use and value). Then, the expectation of the EU legislature is that the actors, namely, in the context of the regulation of connected product data, mainly users and selected third parties, can then make further use of data and especially share them in various ways through the support of data governance institutions as regulated under the DGA. While the Data Act requires mandatory data access or making available as a means to re-allocate and distribute data, the DGA lays down a range of mechanisms that support voluntary data sharing.

The DGA consists of three main chapters, pertaining allegedly to three different types of scenarios in which data are voluntarily shared. Chapter II applies to data held by public sector bodies on which third parties have rights (thus deemed outside of the scope of the Open Data Directive).

ABSTRACT

Human mood enhancement technology offers promising benefits for their users ‘ health and well-being while raising critical legal issues that must be addressed. This chapter, therefore, analyses the applicable human rights legal frameworks at the UN, CoE and EU levels concerning this type of technology.

Chapter 3 focuses on the principles and rights applicable to mood HETs stemming from the International Covenant on Civil and Political Rights (hereinaft er: ICCPR), the International Covenant on Economic, Social and Cultural Rights (hereinaft er: ICESC), the Universal Declaration of Bioethics and Human Rights (hereinaft er: UDBHR), the Convention on Human Rights and Biomedicine (hereinaft er: the Oviedo Convention), the Framework Convention on artificial intelligence, human rights, democracy and the rule of law (hereinaft er: the AI Convention), the European Convention on Human Rights (hereinaft er: ECHR), the Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (hereinaft er: the Convention 108 + ), the European Social Charter (hereinaft er: ESC), the Charter of Fundamental Rights of the European Union (hereinaft er: CFREU), including the secondary EU legislation whose applicability is established on the example of a case study technology outlined in the Introduction. This analysis also includes the examination of the jurisprudence of the European Court of Human Rights (hereinaft er: ECtHR) and the Court of Justice of the European Union (hereinaft er: CJEU).

EU data legislation and the GDPR do respectively not engage in the same manner with data commodification, which notably manifests in different ways in which they respectively seek to empower individuals by granting them ‘data control‘. The misalignment is not a problem as such but evidences the fact that the enhancement of data control of individuals, by both EU data legislation and the GDPR, cannot constitute the bridge the two. In other words, the compatibility model of EU data legislation between data markets and data protection is based on what turns out to be a myth of congruence. Part IV of this book is dedicated to the analysis of the implications of the misalignment between EU data legislation and the GDPR concerning data commodification, for the compatibility model of EU data legislation between data markets and data protection. I focus on two sets of problems. In Chapter 7, I discussed the heightened likelihood that data subjects qualify as data controllers within the meaning of the GDPR, as a result of EU data legislation. I found that the decentralized data processing environment that EU data legislation establishes as well as the type of data control that EU data legislation puts forward and the tools and mechanisms for enhancing it, do indeed heighten the risk that data subjects act and qualify as data controllers.

ETHICS VERSUS LAW OR ETHICS AND LAW ?

INTRODUCTORY REMARKS

572. Chapter 2 mapped and analysed arguments oft en raised in the ethics debate concerning human (mood) enhancement technologies. As outlined there, some of them cannot be meaningfully used in the form in which they are commonly presented for the legislative debate concerning these technologies based on the principle of neutrality of law. These are mostly the arguments with strong religious and ideological inklings (such as unnaturalness, playing god, cheating and similar arguments), as well as arguments with the problem of rhetorical types, whereas the object of criticism they are trying to address is left ambiguous, vague, imprecise, or simply unclear (these are considered to be the meta-arguments or arguments with methodological issues).

BUILDING INSTRUCTIONS TOWARD A DATA COMMODIFICATION SPECTRUM

The present chapter conceptualizes data commodification as a spectrum, following the approach of Radin (as explained in the previous chapter) except where deviations are made necessary because of the local specificities of data. This chapter builds a spectrum, ranging from complete data commodification on the one hand to complete data non-commodification on the other hand. On the spectrum, I systematically identify and cluster the various schools of thoughts that engage with the data commodification phenomenon depending on the degree to which they aim for data commodification, why and how. Then, I will use this spectrum to situate and cluster how EU data legislation and the GDPR respectively engage with data commodification. To do that, and just like Radin, I need two main things. First, I need thematerials, namely, and just like Radin, the relevant literature that reports on the data commodification phenomenon. Second, I need commodification indicia that are well-suited for data commodification.

The relevant literature can be found with data governance, a rich literature that includes various disciplines including economics, philosophy, law, sociology and others, more or less structured around schools of thoughts. Data governance can be defined, broadly, as the system of rights and responsibilities that determine who can take what actions with respect to data, including how such rights and responsibilities interact one with the others.

FOCUS ON CONNECTED PRODUCT DATA

At the time of writing, the Data Act is not yet in force. Hotly debated during its legislative adoption, the Data Act seeks to walk a ridgeline. On the one hand, its goal is to unleash the potential of data held by private actors to fulfil their alleged potential in being used and reused for various purposes, thus requiring data sharing. On the other hand, the Data Act recognizes that data sharing may have to be qualified for a number of reasons including the preservation of incentives for private actors to keep investing – which takes the legal form of the utmost care for their trade secrets – and personal data protection. To walk this ridgeline, the Data Act proceeds with surgical touches. While the Open Data Directive is based on the principle that data held by public sector bodies should be made available to the general public for further reuse, the Data Act regulates more or less extensively a few – non-exhaustive – situations in which data sharing is required, accompanied with conditions.

In this chapter, I focus on one such situation: Connected product data, namely data generated by the use of products such as smart wearables, smart farming machinery, connected cars, etc. Connected product data constitute a prime example of the attempt of the EU legislature to lay down provisions that look and taste like property law for data while accounting for what are considered to be their specificities. Connected product data have long been a key concern of the EU data policy and especially the key focus on the ‘data producer‘ s right ‘ option once contemplated by the Commission (and then abandoned).

In Part I of the book, I designed a data commodification spectrum, based on dataspecific commodification indicia. In Parts II and III respectively, I used the spectrum to identify how the Data Act and the DGA (together, EU data legislation) and the GDPR engage with data commodification or, in other words, to what extent and how they commodify data. On the one hand, I found that both the Data Act and the DGA display a high level of consistency between them. I clustered them both (EU data legislation) between the efficient and the fair data market paradigms, and especially fair data distribution under the latter paradigm. In the parlance of Radin, EU data legislation pursues a ‘negative liberal approach‘ in the sense that data markets constitute the only principle. Limitations to data commodification are laid down but within market framework and values and without a positive approach, which, according to Radin, offers a slippery road to complete data commodification.

On the other hand, I clustered the GDPR on the data commodification spectrum, with a focus on data control, which EU data legislation features as a bridge between data markets and data protection or, in other words, for the compatibility model of EU data legislation.