Data Rights
The third Part of the Principles deals with legally protected interests that arise from the very nature of data as information recorded in any form or medium or as it is being transmitted.
- Principles 16 and 17 include general provisions for data rights.
- Principles 18 to 23 deal with data rights with regard to co-generated data.
- Principles 24 to 27 refer to data rights for the public interest.
Chapter A – Rules and Principles governing data rights
The Principles recommend the recognition of new data-specific rights of a party against a controller of data that arise from the nature of the data and the way it is generated (e.g. data is a non-rivalrous good, see characteristics of data), or from the law for reasons of public interest.
Such data rights may include, in particular, the right to:
- be provided access to data by means that may, in appropriate circumstances, include porting the data;
- require the controller to desist from data activities;
- require the controller to correct (incorrect or incomplete) data;
- receive an economic share in profits derived from the use of data.
There may be other (related) data rights not explicitly mentioned in Principle 16, such as the right to receive information about data held by a particular controller.
Chapter B – Data rights with regard to co-generated data
In particular, data rights can be based on the idea that the person exercising the right had a share in generating the data ('co-generated data'). Factors to be taken into account in determining whether, and to what extent, data is to be treated as co-generated by the party, include (in the following order of priority) the extent to which:
- a party is the subject of the information coded in the data or is the owner or operator of an asset that is the subject of that information;
- the data was produced by an activity of that party, or by use of a product or service owned or operated by that party;
- the data was collected or assembled by that party in a way that creates something of a new quality; and
- the data was generated by use of a computer program or other relevant element of a product or service, which that party has produced or developed.
Such data rights are based on notions of fairness. The Principles do not propose a uniform concept of data rights, but rather leave it up to the applicable law to determine what is considered fair in the case at hand.
The Principles identify five factors to be considered in determining whether to afford a party a data right:
- the share of that party in the generation of the relevant data,
- the weight of grounds a party can put forward for being afforded the data right,
- the weight of any legitimate interests the controller or a third party may have in denying the data right,
- imbalance of bargaining power between parties involved, and
- public interest considerations (e.g. to ensure fair and effective competition).
These factors are not ordered by their relative weight, but should be balanced against one another in a flexible manner. Such a flexible system allows for the implementation of the Principles in various legal systems.
Chapter C – Data Rights for the Public Interest
In this Chapter, the Principles refer to data rights that are not based on the share a party had in the generation of data, but rather on public interest considerations. For example, legislators may afford data sharing rights to promote innovation and growth (e.g. in the field of medical research). However, Principle 24 makes clear that the public interest needs to be carefully weighed against the interests and rights of the controller as well as legitimate third party interests (e.g. interests of data subjects regarding their personal data) – the affording of data rights requires a justification (proportionality test).
The Principles do not take any position regarding the question when data rights for the public interest may be afforded. Rather, the Principles provide general guidance on some core aspects of affording data rights for the public interest.
In cases where the law affords data such data rights, Principles 25 and 26 deal with duties of the controller and data use by the recipient. For example, the law should provide that the controller must provide access under conditions that are fair, reasonable and non-discriminatory (FRAND) within the class of parties that have been afforded the right (e.g. car manufacturers who have to disclose technical information to repair service providers may charge fees for access that are reasonable and proportionate).
Principle 27 is based on reciprocity: where the law affords a data access right on the grounds of public interest, that law ordinarily should reciprocally provide the original controller with access to comparable data of the party to whom access is provided in the first place, except when this would be inconsistent with the purpose of the provision of access.