Anthony W. and Lulu C. Wang Professor in Chinese Law, Cornell University Law School
Professor, Faculty of Law, Chinese University of Hong Kong
Outstanding Fellow of the Faculty of Law
Data is a vital new resource. It is so powerful that some argue that whoever acquires, possesses, and masters data will win the Tianxia, the world. The field of data governance engages such questions, prompting us to consider who commandeers our vast quantities of data, how, and with what repercussions. Though many have discussed the commercial significance of data governance, largely focusing on its technological and organizational aspects, we are only beginning to skim the surface of its social, political, ethical, and legal implications.
Meridian180’s April forum endeavored to foster a clear understanding of some of the issues and concerns around data governance. Discussion participants identified several approaches to data protection, ranging from property and human rights to duty and enforcement.
Some participants contended that the only effective way to protect personal data is to regard it as a property right, or as part of an individual’s existence, like blood or skin. In this view, data governance is grounded in the attribution of data rights, and the content and form of data (namely, data information and data files) must be clearly determined to protect it. Yet, the challenge of considering data property is that, because data can be duplicated, it is hard to possess exclusively. Moreover, some participants see the property-rights argument as a dead end. As data cannot be correctly classified as ‘goods’ or ‘services’ and should not be treated as such. Instead, data privacy is a human right, like freedom of speech or religion.
In contrast to the “data as property” approach, other participants suggested qualifying governing personal data as a human right. The human rights-based approach advocates guiding principles for “good data,” which engage time-honored ethical, political, and legal values. Furthermore, some argued that we need to distinguish between our different relationships to information/data, for instance: data subject, possessor of physical media on which data is stored, data processor, entities who can access data, etc. Only then can we determine which rights, powers, duties and liabilities to attach to each. For example, in reference to the right to data portability under the Consumer Data Right in Australia and the GDPR, a discussion participant warned us that the “data as property” argument might turn profound questions about democratic structures into issues of transactional processes predicated on market forces.
Also present in our discussion was a duty-based approach, which argues for a shift from the paradigm of individual rights to the paradigm of the duties of the trustees (IT giants). In this approach, big data includes both personal information protected by the individual right to privacy and personal information as “property,” with potential value. Yet the property-rights argument and the privacy argument have their limitations, and the conventional tort-law framework should be transformed into a framework of trust. A skeptical view questions whether trustees can be properly constrained and underscores the need for proper governance from supervisory institutions.
Discussion participants also upheld a more pragmatic view that our general understandings of law and legal frameworks might not provide the best means of understanding issues around data governance. This vantage point urges us to investigate modes of implementation, while also guiding us to reconsider issues beyond the recognition of data as a property right, even encouraging us to rethink rights discourse and the concept of law itself.
Our far-ranging discussion also touched upon questions of what is to be governed, by whom, and how. We addressed the importance of data literacy and data proficiency. Through reflecting upon the concept of relational data and parsing the distinctions between my data and data about me, we further enriched our understanding of personal data and began to reevaluate our approaches to it. Discussion participants likewise assessed the problems of the misuse and/or abuse of personal data without the data subjects’ consent. They worried about the challenge of basing the use of personal data on data subjects’ informed consent, given that individuals may not be adequately informed to understand when and upon what they should consent.
This forum complemented our many previous online and off-line discussions on this or similar topics. It has outlined various possibilities for future engagement, either in theory or in practice. Future endeavors could focus on any or all of the approaches articulated in this forum; research projects might entail in-depth investigations on the pros and cons of these approaches for formulating relevant legislation and policy or establishing practical business models around data and its management.
The forum organizers feel deeply honored and fully content that this forum has drawn attention from such a group of brilliant scholars. Of course, we have more questions to ask and answer. We hope our discussion will continue in the future.