Beyond ownership: we need better control and rights over data

Thu Aug 2, 2018

Jeni Tennison’s short discussion paper on intellectual property and data ownership for the new UK Centre for Data Ethics and Innovation

The new UK Centre for Data Ethics and Innovation is starting to take shape. It recently appointed a chair, Roger Taylor, and published a consultation to help determine its role, activities and operating model. The consultation is open until 5 September 2018. We’ll be submitting our thoughts and would encourage other people to do the same.

The centre also asked our CEO, Jeni Tennison, to write a short discussion paper about intellectual property and data ownership. This is what she wrote for them.

A paper for the UK Centre for Data Ethics and Innovation

Data is a new form of intangible infrastructure that underpins every sector of our society and economy. It increasingly supports the fundamental services and systems that enable our economies to function, allow us to communicate, and improve our lives. Like other infrastructure, we have to design our data infrastructure to meet our societal and economic needs. That includes designing the laws and institutions that govern who can own — or more broadly control — our data infrastructure, and what limits are placed on them.

There are five types of overlapping rights over data in legislation:

  • IP (intellectual property) rights
  • data protection rights
  • data access rights for people and businesses
  • government’s right to data to carry out its democratic responsibilities
  • citizen’s rights to data about their governments

These rights have different motivations, implementations and challenges.

Intellectual property rights (IPR) grant controls to data creators and maintainers. They were invented to encourage people to innovate by ensuring they can benefit financially from the intangible assets they create. While copyright over creative works is recognised globally, only the European Union and a few other countries grant database rights to those who invest in creating and maintaining databases. More traditional IPR tends to expire after a period of time, during which it is expected that the creator has received adequate reward for this investment; database rights are designed to reward ongoing maintenance and curation of the intangible asset. Creators get these rights automatically, by law; except for some special circumstances, others must get permission from the rights holder (through a licence) to use that intellectual property.

There are several challenges in applying existing intellectual property regimes to data. The cost of investment in creating some forms of data is minimal but at the same time, data is most valuable when it is combined with other data. If accessible, data will frequently validate, augment or be brought together with other datasets in ways that are unanticipated and that unlock value that would never otherwise be realised. The resulting data may itself be valuable as input for another process. But a lack of clarity in legislation, and case law to provide precedents, makes it hard to know whether particular uses of data are lawful or not, and the degree to which the holder of rights in one set of data can assert rights in data derived from it. Equally, new technology models, such as the Internet of Things and Artificial Intelligence combine ownership of physical things, data IPR and software IPR in ways that may not benefit consumers and that make it difficult to determine how to fairly reward multiple creators and maintainers. It is unclear whether the existing IPR framework around data are really stimulating innovation, and whether they are rewarding value creation or value extraction.

Data protection rights give controls to individuals to allow or prevent the collection and use of data. They are designed to enforce human rights, primarily the right of privacy, and have been strengthened as use and capability of technology has advanced. Their aim is to protect citizens and consumers, and reduce bad use of data and bias. The most recent iteration of data protection rights in the EU and UK are the General Data Protection Regulation (GDPR) and the 2018 Data Protection Act (DPA). Following the recent Facebook/Cambridge Analytica scandal there have been calls for these rights to be strengthened further to give individuals ownership of data about them in a model akin to property rights. This would be a significant departure from Europe’s current rights framework and create new difficulties. Proposed data ownership models, current data protection legislation and most online services take a hyper-individualistic approach. They give control to single individuals while most data is about multiple people, whether friends and families in social media data or the groups of people that can be identified and targeted by data analytics techniques.

Data access rights aim to encourage competition and innovation by giving individuals and organisations the right to access data within a defined framework. The GDPR and DPA both contain rights of data access and portability for individuals. These data rights enable people to use data themselves or provide it to trusted third parties who can perform analysis or build services using it. There are also data access rights within specific sectors such as banking, in which payments providers must provide access to data under the EU Payment Services DIrective 2 (PSD2). The UK open banking initiative complements PSD2 in the retail banking sector and the UK Government is exploring building a similar initiative in the energy sector. There is still work to do to understand the risks of data access rights, their impact on the market, and government’s role in making them work.

Governments have rights to data to allow them to perform their democratic responsibilities to their citizens. For example, health services can access data to reduce the chance and impact of outbreaks of infectious diseases; national statistics bodies can access data from businesses to produce statistics; police forces can access data to investigate crimes; and the intelligence services can access data to reduce the chance of terrorism. In line with democratic norms, government’s rights to data must be subject to democratic scrutiny both before they are put in place and during their operation and use.

Citizens have rights to data held by governments to allow them to perform their democratic responsibilities by scrutinising government and holding them to account. These rights also provide access to data infrastructure controlled by the public sector. These rights are embodied in legislation such as the Freedom of Information Act (FOI) and Reuse of Public Sector Information (PSI) Regulations. They help to create a public data infrastructure that is as open as possible, support open democracy and encourage citizen engagement with government. These rights are challenged by government’s desire to control the flow of information about policy, and by the legacy business models of public data infrastructure stewards who have historically been encouraged to make revenues by selling the data they hold.

Recommendation

Each of these types of data rights have different motivations – such as protecting people, encouraging innovation, and supporting the democratic process – and challenges. Some of them lack clarity in themselves while others overlap or conflict.

A major challenge for the future, and one that the Centre for Data Ethics and Innovation should help the UK take a lead on, is how to grow them into a coherent data rights framework, with a corresponding monitoring, resolution and enforcement regime, that supports ethical innovation and greater use of data to make better decisions while managing any harmful impacts.

What’s next

These are important issues and ones that many countries around the world are grappling with. If you’d like to discuss them then do drop us a mail to [email protected]