Regulatory conundrum: Whose data is it anyway?

By Karan Singh Chandhiok and Lagna Panda, Chandhiok & Mahajan

A crisis of trust seems to be brewing over the way data is collected, stored and used. Inadequate and unclear laws, conflicts of interest among stakeholders, and a general lack of understanding about the various aspects of the digital economy are having a debilitating effect on how technology, media and consumers interact.

There are many ongoing debates about regulating the collection and use of data. The debates often centre on the right to own one’s data, and whether laws must expressly provide for it.

Karan Singh Chandhiok
Chandhiok & Mahajan

The General Data Protection Regulation (GDPR), which came into effect last year, regulates the collection and use of personal data of “data subjects” in the EU. However, the GDPR does not expressly provide for the right to own data, but recognizes various other individual rights such as the right to be informed, the right to rectify, the right to restrict processing, the right of erasure, the right to object to processing, and the right to data portability.

In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, regulate the manner in which sensitive personal data is collected and processed by intermediaries, but the right to own personal data remains untouched.

The Personal Data Protection Bill, 2018, has provisions relating to individual rights, including the right to withdraw consent, but the issue of ownership of personal data remains unclear here as well.

Though the notion of data ownership has a universal appeal, it does not do much to address any of the issues raised. In fact, data ownership is likely to give rise to newer questions.

Lagna Panda Partner Chandhiok & Mahajan
Lagna Panda
Chandhiok & Mahajan

The most important question that data ownership raises is the nature of ownership. Data is a “non-rival good”. Data cannot be owned or used like tangible assets, and unlike tangible assets, use of data by one person does not prevent other persons from using it. The right to use an intangible property also allows the user to commercially exploit the associated asset.

On the other hand, access to personal data is generally not given for the purpose of commercial exploitation, but to gain access to goods or services. Given the difference in how data and other forms of property are accessed, equating data with property for the purpose of determining ownership would be unsuitable.

Secondly, there are types of data that are non-personal in nature and are by-products of economic activities, for example sales data of enterprises. Determination of ownership of such non-personal data would not be relevant, given its non-personal nature and the fact that control over such data would remain with the company that creates it.

Thirdly, there might be cases where personal data is “processed” to create datasets that an enterprise relies upon for its business decisions. In such cases, the issue of ownership of datasets is less clear, as the datasets are likely to be aggregated, anonymized or pseudonymized personal data and therefore are non-identifiable.

Lastly, the predictive value of data is not only extracted from the content, but also from the tenor and manner of its expression. For example, shared workspace company WeWork’s offices have sensors that track movements to gauge how office space is utilized.

Based on the data collected by these sensors, WeWork found that the morning queue for self-serve coffee was long, and decided to employ a barista in the office premises. When it comes to data of this nature, not only is it difficult to ascertain the ownership of such data, but the determination of ownership would also not add value to personal rights.

Therefore, the important challenge lies not in resolving the question of ownership of data, but in having a legal regime exercising regulatory oversight over the manner in which personal data is collected and processed. In the case of personal data, as long as there is a framework that strikes a balance between the privacy rights of persons and the collection and processing of personal data, autonomy of individuals would remain sufficiently protected in a digital economy.

A balanced legal framework would be one which provides for a mechanism whereby consent is obtained in a transparent and informed manner, and the data collected is utilized for the purpose for which it is obtained. In effect, control over one’s personal data must remain with individuals.

Karan Singh Chandhiok is a partner and Lagna Panda is a senior associate at Chandhiok & Mahajan.


Chandhiok & Mahajan
C-524, Defence Colony
New Delhi – 110 024

Mumbai | Bengaluru

Contact details
Tel: +91 11 4163 0033
Fax: +91 11 2433 9075