Rechte an Daten (Rights in Data)
Edited by
Tereza Pertot
with the collaboration of
Martin Schmidt-Kessel and Fabio Padovini
Mohr Siebeck
Tereza Pertot, born 1987; postdoctoral fellow under the scholarship programme „Exzellente Wissenschaftlerinnen für die Universität Bayreuth“ at the Chair of German and European Consumer Law and Private Law and Comparative Law at the University of Bayreuth.
orcid.org/0000-0002-3427-6270
Martin Schmidt-Kessel, born 1967; holder of the Chair of German and European Consumer Law and Private Law and Comparative Law and Director of the Research Centre for Consumer Law (Forschungsstelle für Verbraucherrecht) at the University of Bayreuth; Secretary General of the Gesellschaft für Rechtsvergleichung.
orcid.org/0000-0002-4980-6967
Fabio Padovini, born 1956; holder of the Chair of Civil Law at the Faculty of Law (currently “Dipartimento di Scienze Giuridiche, del Linguaggio, dell’Interpretazione e della Traduzione”) of the University of Trieste.
orcid.org/0000-0002-7965-9275
ISBN 978-3-16-159146-4 / eISBN 978-3-16-159147-1
DOI 10.1628/978-3-16-159147-1
The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliographie; detailed bibliographic data are available at http://dnb.dnb.de.
© 2020 Mohr Siebeck Tübingen. www.mohrsiebeck.com
This work, including all of its parts, is protected by copyright. Any use outside the narrow limits of copyright law without the publisher's consent is impermissible and punishable by law. This applies in particular to distribution, reproduction, translation, and storage and processing in electronic systems.
The book was typeset in Minion by Computersatz Staiger in Rottenburg/N., printed on non-aging paper by Gulde Druck in Tübingen, and bound by Buchbinderei Nädele in Nehren.
Printed in Germany.
Preface
Data represent assets. They have therefore long since ceased to be a focus of legal analysis only from a data protection perspective and are now also considered as an object of rights. Which rights exist in personal and non-personal data, and how these may circulate on the market, remains largely unresolved, however. In part, a comparison with goods of the analogue world suggests itself. Treating data as assets and transferring existing legal concepts to them appears tempting in that respect and is widely discussed.
This volume presents the papers and discussion reports of an international workshop that took place at the University of Bayreuth in February 2019 and was organised by Tereza Pertot together with the Forschungsstelle für Verbraucherrecht (FfV), with the support of the Equal Opportunities Department (Stabsabteilung Chancengleichheit) of the University of Bayreuth. The workshop, which brought together legal scholars from various European countries, pursued the question raised above of whether transferring the traditional concepts of property law, the law of obligations and traditional intellectual property law to personal and non-personal data appears suitable from a legal policy and a legal-technical point of view. The aim was to create, through a differentiated examination of the question, a broad and systematic overview of the topic “Rights in Data” in all its facets. For the presentations by Alberto Gambino and Markus Artz, which are not included in this volume, we refer to the conference report by Alisa Rank-Haedler in issue 20 of the Juristenzeitung 2019 (pp. 989–991).
We sincerely thank the speakers, participants, discussants and authors for their contribution to the conference and to this conference volume. Great thanks are also due to the Bayreuth chair team for their valuable support in organising the conference and in producing this volume.
Bayreuth, July 2019
Tereza Pertot
Martin Schmidt-Kessel
Fabio Padovini
Holding Data between possessio and detentio
Dianora Poletti
I. Introduction
This paper analyses a complex matter that has so far received little attention in academic literature. The purpose of this contribution is to highlight the open questions, bearing in mind that solutions to such problems are still to be identified. In this way, I will investigate the issue without preconceptions.
The topic is clearly a follow-up to the renewed interest in the ownership approach to data protection. Since the late nineties, Italian scholars have devoted studies to the transfer1 and the ownership of personal data2; however, no consideration has ever been paid to the subject of possessio of personal information. The adoption of Directive 95/46/CE, which belongs to the prehistory of the Internet, contributed to moving away from the proprietary understanding of information and pushing towards a “fundamental rights oriented” approach, which was later confirmed by the Charter of Fundamental Rights of the European Union. In addition, the original data protection framework has been replaced by a sort of controlled regime, aimed at enhancing data subjects’ fundamental rights, as demonstrated by the impossibility of losing control over data or by the data subject’s right to withdraw consent.
1 D. Messinetti, Circolazione dei dati personali e dispositivi di regolazione dei poteri individuali, in Riv. crit. dir. priv., 1998, 359; F. Cafaggi, Qualche appunto su circolazione, appartenenza e riappropriazione nella disciplina dei dati personali, in Danno e resp., 1998, 613; C.
Camardi, Mercato delle informazioni e privacy. Riflessioni generali sulla legge n. 675/1996,
in Eur. Dir. priv., 1998, 1049.
2 P. Perlingieri, L’informazione come bene giuridico, in Rass. dir. civ., 1990, 33; V. Zeno
Zencovich, Sull’informazione come “bene”, in Riv. crit. dir. priv., 1999, 485.
Nowadays, the debate around data has re-emerged within Italian academic literature, but the perspective of data ownership is not considered
valid3 and, in fact, it has been described as “misleading”4.
In this scenario, the notion of data ownership appears blurred and the
concepts of possessio and detentio are basically replaced by the different
concept of “use”, which we could consider as a kind of practical translation
of the data processing.
II. The New Ownership Approach to Data Protection
Nowadays, we wonder whether the policy option that focuses on the self-determination of data subjects and their control over information is still realistic, when data processing is increasingly the result of automated processes and algorithmic decisions. In this context, the recent debate on the proprietary approach in data protection5 is not a mere return to the past6; rather, it is an attempt to ensure better protection of personal data, given the limitations often affecting the traditional remedies offered by data protection law. In this way, the discussion could reconcile the approach to data based on personality/privacy rights on the one hand and the approach based on property rules (and on data as a tradeable commodity) on the other hand7.
3 G. Alpa, La “proprietà” dei dati personali, in N. Zorzi Galgano (ed.), Persona e mercato
dei dati. Riflessioni sul GDPR, Milano, 2019, 11 et seq.
4 According to N. Zorzi Galgano, Le due anime del GDPR e la tutela del diritto alla privacy, in N. Zorzi Galgano (ed.), Persona e mercato dei dati. Riflessioni sul GDPR, Milano, 2019, 89 et seq., in personal data, the lack of exclusivity does not allow the Italian concept of “proprietà” to be applied.
5 See in particular A. Boerding – N. Culik – C. Doepke – T. Hoeren – T. Juelicher – C. Roettgen – M. von Schoenfeld, Data Ownership – A Property Right Approach from a European Perspective, in Journal of Civil Law Studies, 2018, 323 et seq. The discussions on this topic distinguish between data and information, considering the latter to be expressed in the binary code. According to E. Tjong Tjin Tai, Data Ownership and Consumer protection, in Tilburg Private Law Working Paper Series, No. 2017, available at http://www.ssrn.com/link/Tilburg-Private-Law.html, 2 et seq., ownership should only apply to data files, not to information.
6 S. Gutwirth – G. Gonzáles Fuster, L’éternel retour de la propriété des données: de
l’insistance d’un mot d’ordre, in C. Degrave – C. de Terwangue – S. Dussolier – R. Queck
(eds.), Law, Norms and Freedoms in Cyberspace – Liber Amicorum Yves Poullet, Bruxelles,
2018, 1, speak of “déjà-vu” about the debate on the ownership of data, rekindled after the
enactment of the Regulation 2016/679.
7 J. Drexl, Legal Challenges of the Changing Role of Personal and Non-Personal Data in the Data Economy, in A. De Franceschi and Reiner Schulze (eds.), Digital Revolution – New Challenges for Law, Munich – Baden-Baden, 2019, 19 et seq.
This is why the topic deserves careful consideration and why we must investigate whether it is possible to apply the legal categories typical for the relation with material objects and, more specifically, the concepts of “de facto relationships” 8 to personal data. The revival of the debate is particularly topical, because reality has shown that personal data are important assets9; moreover, today the same data subject is interested in participating actively in the data flow. While the digital economy has replaced intermediaries in many sectors, the data market is creating new actors, namely the so-called infomediaries or data-brokers.
At a regulatory level, the debate on data ownership is encouraged by the European Commission10, and in particular by the Digital Content and the Digital Service Directive (Directive 2019/770/EU). Although this Directive does not prejudice the application of the EU General Data Protection Regulation, the fact that personal data may be transferred in exchange for digital services, as provided for by Art. 3, gives rise to new legal scenarios, which are changing the way data protection is addressed.
This paper will not specifically analyse personal data as an object of contractual obligations11; rather, it will examine the factual circumstances connected to personal data, although there is still a link between these two profiles12.
The chosen perspective moves us away from the European harmonised notions adopted in the field of data protection. The adoption of an eclectic term (property) referring, in the European language, to both the individual right and the legal subject, be it corporeal or incorporeal, allows a more or less uniform approach to the topic to be kept. Instead, the use of a different theoretical and technical framework of in rem rights, and in particular of the related de facto situations, raises important issues in terms of different national approaches.
8 The expression used in the text does not intend to overlook the legally protected nature of the possessio: in Italian legal doctrine see, for all, L. Bigliazzi Geri et al., Diritto civile – 2, Diritti reali, Torino, 1988, 347 et seq. Moreover, possessio is not always considered as a unitary concept: see B. Troisi – C. Cicero, I possessi, in P. Perlingieri (ed.), Trattato di diritto civile del Consiglio nazionale del Notariato, Napoli, 2005.
9 See, in a general sense, S. van Erp, Ownership of Digital Assets, in EuCML, 2/2016, 73 et seq.
10 See in particular: European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A digital Single Market Strategy for Europe, 6 July 2015, COM (2015) 193.
11 A. De Franceschi – M. Lehmann, Data as Tradeable Commodity and New Measures for their Protection, in The Italian Law Journal, 2015, 51–72; A. De Franceschi, La circolazione dei dati personali nella proposta di direttiva UE sulla fornitura di contenuti digitali, in A. Mantelero – D. Poletti (eds.), Regolare la tecnologia: il reg. UE 2016/679 e la protezione dei dati personali. Un confronto tra Italia e Spagna, Pisa, 2018, 203.
12 See infra, § 5.
In my analysis, I will mainly focus on the Italian legal framework, in
which these de facto situations are classified as possessio or detentio. In the
Italian legal system, a person can possess directly or through another person, who has the detentio of a thing, as stated in Art. 1140 (2) of the Civil
Code13. Detentio always stems from a contract that produces only binding
effects and generates obligations (for example, an obligation to keep custody of things as in a deposit agreement) or rights, different from in rem
rights (for example, the right to use an asset in a lease). In particular, in
the Italian Civil Code, like in the French one, the hypothesis of § 868 BGB
includes both possessio (e.g. the usufructuary) and detentio (e.g. the depositary) situations.
III. A de facto Relationship for Personal Data?
The Fragmentation of the Scenario
Reasoning in terms of possessio or detentio of data is very difficult, since it
involves not only the property dimension, but also the idea of a de facto relationship between the data subject and third parties, when personal data
are available to those who have access to data or hold personal information
(e.g. cloud service providers).
Again, it is not just a matter of deciding whether “digital possession”
is admissible. Rather, a further step is needed, moving from a concept of
property rights on personal data to the assumption of personal data as object of a contract, namely a good14, even if data is completely different from
other goods.
13 “One can possess directly or by means of another person, who has custody of the thing”. This is the official (or usual) English translation (see M. Beltramo – G.E. Longo – J.H. Merryman, The Italian civil code, Oceana Publications, Dobbs Ferry, N.Y., 1969): “custody” means detentio.
14 One can omit the analysis of the characteristics of private goods as endowed with the requisites of exclusion, scarcity and rivalry, both because the reconstructions in a different and functional key of the concept of good are more and more frequent in the Italian legal doctrine (e.g.: A. Vesto, I beni. Dall’appartenenza egoistica alla fruizione solidale, Torino, 2014, especially 79 et seq.), and because the great concentrations of oligopolistic power over data have by now generated scenarios different from the past.
For the sake of simplification, I will assume that the immaterial nature of data15 does not prevent us from imagining their possessio16, and that the application of the rules on possession implies a de facto power over data expressed externally in a sufficiently recognisable manner17. I will focus on the usefulness of the concepts of possessio and detentio in relation to data and on the possibility to enforce, fully or partly, the rules governing de facto situations. Everybody agrees, I believe, that the configuration of de facto situations over personal data has to deal with data protection regulation.
Moreover, the analysis should take into account an added layer of complexity due to the differences emerging from the different kinds of data considered.
In this regard, Open Data and Big Data raise different problems. Open Data is usually public data (rectius, data that are available to public institutions and public companies) which by definition can be shared and re-used. In this case, the legal model is the opposite of the proprietary approach, where data must be protected against individual appropriation (see in this regard the latest Re-use of Public Sector Information Directive 2019/1024 18). In this framework, the re-use of data, enhanced by the limitation of legal and economic constraints, is justified by a public interest in information.
In the Big Data context, especially in the Big Data analytics context, data collected from a natural person will frequently also embed information about third parties. Moreover, in the collection of fragments of personal data there is no longer the need to identify the data subject, but rather to classify the features of an anonymous profile. This leads us to consider the remedies available at collective/group level (super-individual)19.
15 According to J. Ritter – A. Majer, Regulating Data as Property: a New Construct for Moving Forward, in Duke Law and Technology Review, 16, 2018, 257, “data, industrial data, personal information, factual data, and fictional data each exist in tangible form”. This approach is based on the assumption that data become tangible when electronically or digitally recorded.
16 On the opening of the rules of ownership provided by the Italian Civil Code in Art. 810 and subsequent articles, contained in Book III, dedicated to property, also to incorporeal goods, see C. Sganga, Dei beni in generale. Artt. 810–821, in Commentario al Codice Civile, Schlesinger-Busnelli, Milano, 2015, especially page 102. However, it should be pointed out that Art. 810 of the Italian Civil Code, even if it traditionally refers only to corporeal things, does not contain this adjective, unlike the explicit wording of § 90 BGB.
17 C. Wendehorst, Verbraucherrelevante Problemstellungen zu Besitz- und Eigentumsverhältnissen beim Internet der Dinge, Berlin, December 2016, 62 et seq., 71 et seq.
18 Previously, the subject was dealt with by Directive 2003/98/EC, updated by Directive 2013/37/EU. See on this subject, F. Faini, Internet e il diritto a conoscere nei confronti delle pubbliche amministrazioni, in P. Passaglia – D. Poletti (eds.), Nodi virtuali, legami informali. Internet alla ricerca di regole, Pisa, 2017, 337.
Furthermore, regarding these two types of data, issues related to intellectual property may emerge. It is well known that some data circulate in
regulated markets, such as trade secrets20 or databases. In this framework,
the legislation on intellectual property and databases allows the use and
exchange in business-to-business relationships, in which data are considered as economic assets. However, this property context sometimes does
not tell us anything about the information stored in the database and its
legal regime21, and even the use of licenses does not exclude a de facto relationship problem, which will be discussed below.
The recent Regulation on the Free Flow of Non-Personal Data in the
EU shifts the focus towards business freedom and data portability22. The
objective of removing (legal, contractual and technical) restrictions that
19 See the deep analysis of A. Mantelero, La privacy all’epoca dei Big Data, in V. Cuffaro
– V. Ricciuto – R. D’Orazio (eds.), I dati personali nel diritto europeo, Torino, 2019, 1181; A.
Mantelero, Regulating Big Data. The Guidelines of the Council of Europe in the Context of
the European Data Protection Framework, in Computer Law and Security Law, 2017, 5, 584.
See also F. Casarosa, La tutela aggregata dei dati personali nel Regolamento UE 2016/679:
una base per l’introduzione di rimedi collettivi?, in A. Mantelero – D. Poletti (eds.), Regolare
la tecnologia: il Reg. UE 2016/679 e la protezione dei dati personali. Un confronto tra Italia e
Spagna, Pisa, 2018, 235 et seq.
20 Trade secret is considered as “the most interesting and flexible (quasi)property right
that can meet the challenge of appropriating consumer data in the 3.0 economy” by G. Malgieri, Titolarità (intellettuale) e privacy. Un contributo alla “quasi-proprietarizzazione” dei
dati personali, in P. Passaglia – D. Poletti (eds.), Nodi virtuali, legami informali. Internet alla
ricerca di regole, Pisa, 2017, 259 et seq.
The expression “quasi-proprietarization” is used, in a more general sense, to indicate the approach of the GDPR, leveraging the erga omnes effect of the remedies provided in it: see M. Schmidt-Kessel, Consent for the Processing of Personal Data and its Relationship to Contract, in A. De Franceschi – R. Schulze (eds.), Digital Revolution – New Challenges for Law, Munich – Baden-Baden, 2019, 77 et seq., 79, 81.
21 G. Resta – V. Zeno Zencovich, Volontà e consenso nella fruizione dei servizi in rete, in
Riv. trim. dir. proc. civ., 2018, 411 et seq., highlight how the right deriving from the directive No. 96/9/CE on the legal protection of databases does not allow to deduce information
on the type of right in relation to the individual data and on the model of circulation that
governs the transfer from the original owner of the data to the owner of the database.
22 J. Drexl, Legal Challenges of the Changing Role of Personal and Non-Personal Data
in the Data Economy, in A. De Franceschi and R. Schulze (eds.), Digital Revolution – New
Challenges for Law, Munich – Baden-Baden, 2019; A. Wiebe, Protection of Industrial Data
– a New Property Right for the Digital Economy?, in Journal of Intellectual Property Law &
Practice, Vol. 12, No. 1, 2017
hinder or prevent users of data storage or other processing services from transferring their data from one service provider to another or returning them to their own IT systems, “not least in the event of termination of the contract with a service provider” (recital 5), shows the acceptance of a logic of full and free circulation of the data. In this context, the factual relationship with non-personal data23 is solved through contract.
But a differentiation appears necessary with regard to personal data. Some data (such as genetic data) embody values and fundamental interests (in particular, human dignity) which justify their specific regulation24, which consequently determines their proprietary statute. For example, body tissues, which reveal important personal information, cannot be returned to the owner but must be destroyed if they are not used for scientific research purposes. This is in conflict with the idea of a third party’s possessio of the data.
The closer data are to the individual (e.g. identification data in the strict sense, or data produced by a pacemaker or by a skin-implanted chip), the stricter the property right approach becomes.
By contrast, when data have a less intimate relationship with the individual, de facto relations with third parties can become relevant, mainly when the data are explicitly provided to third parties by the data subject. There are also data that are often not consciously released (e.g. data collected by cookies); in this case, in order to exercise their rights, data subjects first need to become aware that such data exist and are related to them, and secondly to acknowledge that they may establish a relationship (perhaps a proprietary one) with the data.
23 In the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions “Building a European Data Economy”, 10 January 2017, COM (2017) 9 final, 11, the European Commission has observed, regarding the context of machine-generated non-personal data, that manufacturers are often a sort of “de facto” owners of the data generated by their machines or processes, even if those machines are owned by the user. This “de facto” control can be a source of competitive power, but the context is problematic because “user is often prevented by the manufacturer from authorising usage of the data by another party”.
24 See, in Italian law, Art. 2–septies d. lgs. No. 101/2018 (act of integrating GDPR). On
genetic data and their specificities see, in Italian legal doctrine, E. Palmerini, Informazione
genetica e tutela della persona. Implicazioni giuridiche delle analisi genetiche, Pisa, 2004; F.
Agnino, Nozione di dati genetici ed il decalogo di legittimità al loro trattamento, in Danno
e resp., 2014, 1, 43.
IV. Holding Data as possessio?
Defining the relationship with data in terms of possessio raises several theoretical issues. Firstly, as the notion of ownership of data is something different from the ‘classic’ property model25, we cannot use the notion of possessio with regard to personal data in order to apply all the possession rules, starting from those concerning its transfer, as the factual relationship will have to adapt to the specific context26.
In addition, it is not possible to imagine applying to personal data – even if considered as a movable good – the rule of the ‘a non domino’ purchase based on possession and good faith (see Article 1153 of the Italian Civil Code, which allows the property to be purchased free from third party rights27), or the rules on unlawful possession.
Furthermore, the Italian Civil Code provides more safeguards to the unlawful possessor than the German Civil Code, as there is no rule such as § 859 and the owner is not allowed to use self-protection, even against unlawful interference. This different legal framework also affects the different approaches adopted in Italian and German debates on this topic28.
The main issue concerns the identification of the possessor: is it possible that a third party, different from the data subject, holds possessio (stricto sensu) of personal information? The academic debate on the right to data protection in terms of property rules should serve to reinforce the guarantees of data subjects. Given that possessio is a situation that can be detached from ownership and can be transferred independently, the risk is that of providing better protection to data controllers or third parties rather than data subjects, contrary to the objectives of the GDPR.
25 P. Schweiz, Property, Privacy and Personal Data, in Harvard Law Review, 2004, 2056 et seq., already proposed “a model of propertized personal information” that took into account an adaptation to the needs and privacy regulations.
26 It is no coincidence that H. Zech, Data as a Tradeable Commodity, in A. De Franceschi (ed.), European Contract Law and the Digital Single Market. The Implications of The Digital Revolution, Cambridge-Antwerp-Portland, 2016, 56, replaces the possession of corporeal property with access.
27 Effects of acquisition of possession (Art. 1153 Italian Civil Code): “He to whom movable property is conveyed by one who is not the owner acquires ownership of it through possession, provided that he be in good faith at the moment of consignment. And there should be an instrument or transaction capable of transferring ownership. Ownership is acquired free of rights of others in the thing, if they don’t appear in the instrument or transaction and the acquirer is in good faith”.
28 See especially T. Hoeren, Datenbesitz statt Dateneigentum, in MMR, 2019, 5 et seq., 6 et seq., according to which the admission of a possession on the data may involve also the application of § 859.
If this is true, then it is necessary to ask whether data subjects really
need possessio with respect to their data, aimed only at strengthening the
granted remedies.
V. Holding Data as detentio?
On the other hand, the concept of detentio seems perhaps more in line with
the aim of protecting the data subjects’ position.
In this case, the holder is necessarily an individual different from the
owner, because the detentio situation arises from a contractual relationship
between owner-possessor and holder, or between holder and owner. According to many scholars, the holder, unlike the possessor, does not have the animus possidendi or animus domini, i.e. the intention to behave and be considered as an owner. While possessio may exist without a legal right and is presumed when there is a relationship with a thing, detentio (which has to be proven) is always based on a title, i.e. a contract, as I explained above. Moreover, the effects of possessio cannot be applied to detentio.
This distinction may raise doubts about the use of the notion of data detentio, because detentio depends on contractual conditions and this may entail information asymmetries. In other words, the platform that collects personal data, or the social network where data are uploaded, plays the role of a holder and can set the contractual conditions. These conditions are usually accepted by the user, although they may limit the data subject’s rights (for example, with regard to data access), as users are often unaware of these consequences. In this perspective, the current debate about consumer “data sovereignty”29 is well known.
29 “The concept of ‘data sovereignty’ – another central idea in the consumer policy discourse – is integrated within our approach as being an important aspect of digital sovereignty: namely the freedom enjoyed by consumers to make choices about the collection, processing and utilisation of their personal data. For instance, it should be for consumers themselves to decide whether their personal data can be donated for charitable purposes or sold, or whether their data should not even be collected in the first place. Taking this line of thought, digital sovereignty and data minimisation are not mutually exclusive opposites as it is sometimes assumed”. See Report by the Advisory Council for Consumer Affairs, Digital Sovereignty, Berlin, July 2017, 2.
If we want to continue to use the concepts designed for corporeal things,
detentio seems suitable to better describe the relationship of an individual
(the data gatherer in particular) with third parties’ data, because detentio
allows the data subject to maintain some control over data and assumes
that the holder, who receives the data on the basis of a contractual relationship, acknowledges the prevalence of third parties’ rights (in this case, the
data subject’s rights).
To qualify the relationship with the data of the supplier as, for example,
detentio, means to investigate the situation underlying the communication
of data to third parties or to the circulation of contractual information. In
other words, we must take a step further and investigate what kind of relationship with the data triggers its release.
Since the consent to the processing of data is revocable, a data transfer
agreement will necessarily give rise to a temporary use situation. According to some scholars, this situation can be assimilated to that of a lease30 or
license for use, similar to the copyright one31. Consequently, it will be possible to qualify the relation with data as detentio: in case of contract termination the data must be returned, deleted or transferred to another holder
if the data subject has exercised the right to portability. However, the issue
of transformation of detentio into possessio, permitted by the Italian Civil
Code (Art. 1141(2)) remains to be addressed. This could, for example, lead
to the voidness of the contract by which the data is transferred to others,
which eliminates the title of detention32. The strict application of this rule,
as a result, could lead to the creation of situations of illegal possession of
data related to other subjects.
30 In a doubtful approach, V. Ricciuto, La patrimonializzazione dei dati personali. Contratto e mercato nella ricostruzione del fenomeno, in V. Cuffaro – V. Ricciuto – R. D’Orazio
(eds.), I dati personali nel diritto europeo, Torino, 2019, 49, according to which the models of
circulation of the data must still be constructed.
31 I.A. Caggiano, Il consenso al trattamento dei dati personali tra Nuovo Regolamento
Europeo e analisi comportamentale, Università degli Studi Suor Orsola Benincasa, Annali
2016–2018, 27, recalls the derivative-constitutive effectiveness of the act establishing the
economic exploitation of individual attributes, as “a licensing contract within the scope
of copyright”, mentioning G. Resta, Autonomia privata e diritti della personalità, Napoli,
2005, 336.
32 In Italian case-law, a decision of the Court of Cassation (4 September 2004, No. 17890)
dealt precisely with the problem of the return of computer data following the declaration of
invalidity of the contract.
VI. Practical Cases
The Italian Civil Code presents two types of detentio, pursuant to
Art. 1140 (2).
Unlike German law, which includes all de facto relationships with goods
under the same term (“Besitz”), the Italian Civil Code not only knows the
distinction between possessio and detentio, but it also distinguishes further between qualified detentio (or autonomous detentio) and not-qualified
ones (non-autonomous detentio). The first one, autonomous detentio, may
be for one’s own interests or in the interest of others. The second one is the
detentio of those who have an occasional relationship with the object for
reasons of service, work or hospitality33.
Now, we will try to apply the Italian legislative notions of detentio to
cases emerging in the digital context. For example, we could imagine applying the situation of unqualified detentio to the individual authorised to
process personal data under the direct authority of a controller or a processor. On the other side, we could consider as qualified holders: the supplier
of digital content who receives personal data as an economic compensation
or in exchange of services; the platform on which the information is uploaded; and a borrower or the person to whom the data are granted free of
charge or in exchange for the reduction of the price of the service provided.
The detentio in the interest of a third party may be applicable to the case of
a data wallet or of a cloud service provider34.
In addition, under Italian law, the situation of detentio also offers protection of the holder in case of deprivation against third parties (except
for non-autonomous detentio): if a database is plagiarized or if the data is
stolen by third parties, there would be no limit to the data controller (re-)action, except for a short-term prescription (one year). In particular, autonomous holders – holding data in their own interests or in the interest of
other parties – can act against the theft of data. Moreover, the autonomous
holder can act against the owner itself.
33 More diffusely, R. Caterina, Il possesso, in A. Gambaro – U. Morello (eds.), Trattato
dei diritti reali, I. Proprietà e possesso, Milano, 2008, 402 et seq. The word “service”, according to the historical meaning adopted by the Italian Civil Code, is obviously different
from the long-standing meaning used for activities (services) in the digital environment.
34 Italian law would allow a very refined exercise to be carried out, for example, on the
approach of H. Zech, Information as property, in JIPITEC 6(2015), 192. If we distinguish
the data from three points of view – material support, syntactic data (binary code) and
semantic data (meaning) – it seems reasonable to consider the problem of the overlap between ownership-factual situations. The data subject would always be the possessor of the
semantic data (personal data are by definition data-meaning), while the data processor has
detentio of the data-meaning and, if ever, is possessor of the syntactic data (binary-software
code) on which they develop. The Cloud Provider would be considered as the possessor of
the material support (the server) on which the user of the cloud space would have a detentio
relation. The problem of identifying the different factual situations on the data generated
by autonomous car is discussed by T. Hoeren, Datenschutz statt Dateneigentum, in MMR,
2019, 8.
This example also helps to demonstrate that we cannot apply a mere
ownership logic to personal data: such an approach would otherwise grant
the hacker the role of an owner, an unlawful one, but still an owner, similar to a thief35.
It has been said that the possessio approach helps the owner to claim its
data against anyone by virtue of its ownership rights, which are not affected by contractual obligations. This opinion refers to the use of property
remedies, mainly property claims, as rei vindicatio36. According to Italian
law, this thesis could instead lead to situations in which the possession approach protects not only the owner, but also third parties that may have
acquired possessio of the stolen data.
Even before the Digital Content and the Digital Service Directive, several academic scholars recognised that the data subject can stipulate agreements characterised by contractual asymmetry. This has stimulated a debate on strengthening the information regime and relevant contractual
protection. The best protection for the data subject is not achieved by abandoning a contractual logic and adopting a different view on possessio, but
instead this can be fulfilled through a careful control of the act of autonomy37. The goal shall always be to ensure the protection of the fundamental rights of the person and to safeguard the data subject’s self-determination in relation to the attributes of its personality.
35 It could be argued whether the hacker that processes the stolen data can acquire trade
secrets over it. However, the issue is too complicated to be addressed here.
36 Cf E. Tjong Tjin Tai, Data Ownership and Consumer protection, in Tilburg Private
Law Working Paper Series, No. 2017, 6. See also C. Wendehorst, Verbraucherrelevante Problemstellungen zu Besitz- und Eigentumsverhältnissen beim Internet der Dinge, Berlin, Dezember 2016, 62 et seq., 71 et seq.
37 G. Resta – V. Zeno Zencovich, Volontà e consenso nella fruizione dei servizi in rete,
Riv. trim. dir. proc. civ., 426.
VII. Problematic Cases
Towards the end, we can try and test the use of possessio and detentio in
some cases already analysed by scholars, but with different and unclear results. In some cases, the results are positive for the data subject, in others
the results are more favourable for other stakeholders.
The first case is the one of the semi-automated vehicle. In case of
self-driving cars, it is difficult to determine who owns the data (for example, data concerning the reaction of the passenger who intervenes in
driving in an emergency situation). In this case, there is a blurred boundary between what belongs to the data subject and what can be acquired in
another legal sphere and protected through intellectual property. Intellectual property marks the clash between two types of property: the property of those who “produced” the data and the property of those who “invested” in third parties’ data. If we identify the material relationship of the
data controller (for example, the final producer of driver-less cars) with
these data as detentio (even “qualified”, according to Italian law), the same
subject could not acquire intellectual property rights or exclusive rights
over the data to the detriment of the rights of the vehicle’s owner or of the
car-passenger38.
The second case concerns the personal data of deceased persons. According to Italian law, and similarly to German law, possession passes to
the heir without the need for a material relationship to the good (Art. 1146
(1) of the Italian Civil Code). Given the silence of the GDPR on this point,
the Italian legislator has recently regulated this case39. Art. 2–terdecies of
the Italian act integrating the GDPR40 provides that the rights relating to
the personal data of the deceased person may be exercised by the following
individuals: those who have a personal interest; those who act to protect
the data subject; and those who act for family reasons deserving protection. Moreover, the data subject may prohibit the execution of the rights in
relation to post-mortem data by means of a written declaration submitted
to the data controller.
38 According to T. Hoeren – P. Bitter, (Re)structuring Data Law: Approaches to Data
Property, in K. Bergener et al. (eds.), The Art of Structuring, Basel, 2019, 300, due to so-called “Skripturakt”, the data ownership could be assigned to the technical manufacturer of
the data or to the person who initiated the “Skripturakt”, without prejudice to the enforcement of intellectual property rights or the protection of trade secrets on data content. According to the reference to § 950 BGB, it seems that the objective is enhancing the contribution of work over data. Following this approach, in the case considered here, the data
concerning the reaction of the passenger should belong to him, but if the programmer or
the producer (e.g. Tesla) technically processed the data, as will usually happen, the ownership – so it seems – should shift.
39 The case is well studied by G. Resta, La successione nei rapporti digitali e la tutela
post-mortale dei dati personali, in A. Mantelero – D. Poletti (eds.), Regolare la tecnologia: il
Reg. UE 2016/679 e la protezione dei dati personali. Un confronto tra Italia e Spagna, Pisa,
2018, 397 et seq.
40 For a comment see I. Sasso, Privacy post-mortem e “successione digitale”, in E. Tosi
(ed.), Privacy digitale. Riservatezza e protezione dei dati tra GDPR e nuovo Codice Privacy,
Milano, 2019, 570 et seq.
Now, let us assume that the user of a social account – where data with a
certain economic importance is stored (e.g. an intellectual creation) – has
excluded the execution of rights on this post-mortem data on the basis of
an agreement with the Internet Service Provider, and the latter has not arranged for subsequent deletion of the data. How do we solve this case? Can
we consider the factual relationship and qualify the Internet Service Provider as possessor of the data granting him a property right, rather than
holder? In theory, this would be possible under Italian law, which allows
the change of detentio into possessio: Art. 1141 of the Italian Civil Code
establishes that “if someone begins by having detentio he cannot acquire
possessio until the title is changed by something done by a third person or
by force of his opposition to the possessor. The same applies to successors
by universal title”.
Finally, we should also consider the application of these de facto categories to solve the problem of ownership of data inferred from other data.
Can we provocatively say that, fully applying a possessio approach, data is
a fruitful good and therefore inferred data always belongs to the owner of
the “mother-thing” (that is to say the data subject)?
The question is not so eccentric, because each link in a data value chain
usually produces new data. A marginal opinion in the German debate considers data inferred as the fruit of the initial personal data disclosed by the
data subject to the data controller. Thus, according to the law on possession, such fruits automatically would belong to the owner of the thing (i.e.
the data subject)41. The main argument against this theory is that even if
data might be classified as fruits, the outcome would not automatically be
a right over data itself, since no ownership right could be recognised in favour of the data subject on the initial personal data disclosed to the data
controller.
41 L. Grosskopf, Rechte and Privat Erhobenen Geo-und Telemetriedaten, in IRPB, 11,
2011, 259, 261 and in J. Strobl – T. Blaschke – G. Griesebner (eds.), Angewandte Geoinformatik 2012, Berlin/Offenbach, 2012, 171, 173 et seq.
It is also necessary to consider the possible conflict of this conclusion
with other intellectual property rights that may have been generated by
the re-processing of such “fruits”. In Italian academic literature, it has been
argued that the creation of a new good as the “fruit” of the elaboration of
the primitive datum makes the data controller acquire an exclusive right
on this new information42.
VIII. Conclusion
I will now try and draw some conclusions concerning this complex issue,
even if these are still tentative ones.
The application of factual patterns (in terms of possessio and detentio)
to personal data cannot be full and complete, but it is an option to be carefully considered.
This topic recalls the debate concerning the possibility to allow possessio or detentio over personal data, intended as immaterial objects or goods,
which are also expressions of individual personality. Usually, this different
issue is addressed from an intellectual property perspective (for example,
the Italian provisions on copyright allow the lawful possessio of intellectual
property rights, but the Court of Cassation has refused the application of
all the possessio rules, considering that usucapio cannot be applied to these
rights43). So, it is necessary to investigate this topic more deeply, in a context that is increasingly moving away from the material dimension.
Accordingly, it seems necessary to abandon a black or white logic between protection of fundamental rights versus property approach. The
protection of personal data and the logic of fundamental rights prevents
us from considering data as goods in the traditional sense and allowing a
free trade of personal information44. For this reason, if we want to adopt
an approach – necessarily eclectic – based on proprietary legal categories,
we should attribute to these goods the feature, as someone said, of “Humanistic Property”45.
42 V. Ricciuto, La patrimonializzazione dei dati personali. Contratto e mercato nella ricostruzione del fenomeno, in V. Cuffaro – V. Ricciuto – R. D’Orazio (eds.), I dati personali
nel diritto europeo, Torino, 2019, 49.
43 Corte di Cassazione, 14 July 2015, No. 1386.
44 V. Janecĕk – M. Malgieri, Data Extra Commercium, in S. Lohsse – R. Schulze – D.
Staudenmayer (eds.), Data as Counter-Performance—Contract Law 2.0? (Hart Publishing/
Nomos 2019) (Forthcoming). Available at SSRN: https://ssrn.com/abstract=3400620, configure the category of data excluded from marketability, identifying the assumptions in
which the law regarding data and digital content seems to exclude some data types from
commerce.
45 S. Mann, Computer Architectures for Protection of Personal Informatic Property: Putting Pirates, Pigs, and Rapists in Perspective, First Monday, Vol. 5 No. 7 (July 2000), quoted by
J.E.J. Prins (Corien), Property and Privacy: European Perspectives and the Commodification
of Our Identity. Information Law Series, Vol. 16, 2006, 223–257. Available at SSRN:
https://ssrn.com/abstract=929668.
If the language of property rights is just another way of asserting data
protection rights, we must prevent the notion of possessio of personal data
from being used to strengthen the position of “digital giants”. As a result,
the answer to the question whether it is really necessary to configure a possessio on personal data is more a negative rather than a positive one.
The reality is that we are trying to limit the oligopolistic concentration
of control over personal data in the hands of a limited number of big players, which extract value from the information available in an interconnected world. Therefore, we try to create several individual property rights
over data that are different from the general and common property right,
but are exclusive rights as property right46.
It has been said that the right to data portability, provided by the GDPR,
is the one that shows more clearly the ownership approach: in fact, it could
be considered as a sort of reparation in kind that allows the re-entry of files
or data packages in the data subject legal sphere (or assets), regardless of
the legal classification in terms of possession of the data.
The highly debated right to be forgotten or right to erasure encompasses
the right established under Art. 17(2) of the GDPR, which provides that
the data controller shall inform controllers which are processing the personal data in relation to which the data subject has requested the erasure (a
kind of jus sequelae). Beyond the scenarios of machine learning and Artificial Intelligence, compared to which these rules are clearly insufficient47,
these rights appear characterised by a connotation of absoluteness, just like
property rights.
46 See N. Purtova, Do Property Rights in Personal Data Make Sense after the Big Data
Turn? Individual Control and Transparency, in Tilburg Law School Legal Study Research
Paper Series, No. 21/2017; N. Purtova, The Illusion of Personal Data as No One’s Property:
Reframing the Data Protection Discourse, in Law, Innovation and Technology, 2015, 7, 87. See
also E. Tjong Tjin Tai, Data Ownership and Consumer protection, in Tilburg Private Law
Working Paper Series, No. 2017
47 In practice it will be next to impossible “for data subjects to effectively exercise
their rights against and subsequent controllers once the data have been passed on by the
first controller … because controllers are too many in too remote places”, see C. Wendehorst, On Elephants in The Room and Paper Tigers: How to Reconcile Data Protection and
the Data Economy, in S. Lohsse – R. Schulze – D. Staudenmayer (eds.), Trading Data in the
Digital Economy: Legal Concepts and Tools, Baden-Baden, 2017, 347.
It is no coincidence that these two rights (the right of portability and the
right to erasure of data) are expressly referred to by the Directive 770/2019
and are the basis for contractual remedies48.
I believe that the GDPR is less neutral towards data property than it is
usually affirmed in the academic debate. The relationship between individuals and their data legitimates a “strong” factual relationship with the
data, while the detentio would be the “weak” factual relationship that a
third party establishes by virtue of a specific relationship with the data
subject.
If we admit that data subjects never separate themselves from their data,
even when data use is granted to third parties, detentio is perhaps the only
factual situation that can be useful to reconstruct the relationship with the
data of others.
This is a fascinating topic, which requires further research to interpret
and apply the traditional legal categories in a field that is increasingly having a high impact on our society. We can now see what Professor Stefano Rodotà envisaged some years ago: the fragmentation of the human being in
its data49, which nowadays is combined with the advance of an extractive
capitalism that has data as its object50.
This fragmentation seems increasingly difficult to recompose: to avoid
the risk of a dramatic dissolution of natural persons, we shall consider all
possible remedies, without preconceptions but not without caution.
48 See Recital 38: “This Directive should be without prejudice to those rights, which
apply to any personal data provided by the consumer to the trader or collected by the trader
in connection with any contract falling within the scope of this Directive, and when the
consumer terminated the contract in accordance with this Directive”.
49 S. Rodotà, Il mondo nella rete. Quali i diritti, quali i vincoli?, Roma-Bari, 2014, 41.
50 S. Byrnes – C. Collins, The Equity Crisis: The True Costs of Extractive Capitalism, in
D. Lerch (ed.), The Community Resilience Reader, Washington, 2017, 95.