Who owns digital data about you? South African legal scholar weighs up property and privacy rights



alexsl

In the digital economy, data is more than just information – it is an asset with immense economic and strategic value. Yet, despite its significance, a fundamental legal question remains unresolved: Can data be owned? While privacy laws worldwide focus on protecting individuals’ rights over their personal data, they often sidestep the issue of ownership. This has led to legal uncertainty, particularly in South Africa, where the Protection of Personal Information Act (Popia) grants data subjects various rights over their personal information but does not explicitly address ownership.

This gap in legal clarity raises pressing questions: If personal data – such as private health information – exists within a vast and ever-growing digital landscape, can it be owned? And if so, who holds the rightful claim?

Legal academic Donrich Thaldar, whose research focuses on data governance, explores these questions in a recent academic article. He unpacks his findings for The Conversation Africa.

Why does it matter who owns data?

In today’s digital economy, data is the most valuable asset – it’s often referred to as “the new oil”. Whether in commerce, research, or social interactions, the ability to generate, use and trade with data is central to economic competitiveness.

If data ownership is not clearly established, it could stifle innovation and investment. Companies require legal certainty to operate effectively in a knowledge-driven economy.

Countries have taken different legal approaches to tackling the question of who owns data. China, for instance, formally recognises the proprietary rights of data generators, meaning that businesses and individuals who generate data have legally defined rights over its use and commercialisation. This provides legal support for the country’s digital industries.

What does South African law say?

In the past, the South African Information Regulator has taken the position that personal information is automatically owned by the data subject – the person to whom the data relates – rather than by the entity generating the data. In this view, the rights created by Popia imply that data subjects themselves are the owners of their personal data, and nobody else.

I suggest that this stance is legally flawed, as it conflates two different branches of the law: privacy law and property law. Moreover, it could severely disrupt the digital economy. The digital economy depends on data as a tradeable asset – it must be capable of being sold, licensed and commercialised like any other economic object. If ownership must always be with data subjects, businesses face uncertainty in using and monetising data. Uncertainty stifles innovation, discourages investment, and undermines South Africa’s digital competitiveness.

You applied property law to the question of data ownership. Why?

Ownership is a concept in property law, not privacy law. Therefore, to answer the data ownership question, we need to look for answers in property law.

Property law governs the relationship between subjects (legal persons) and objects (things external to the body, whether physical or not). Ownership is about the rights that a subject has over an object. For an object to be capable of being owned, it must be valuable, useful, and – importantly – capable of human control. A bottle of water meets these criteria, but the vast oceans do not, as they are not within human control.

Personal data in the abstract is like the water in the ocean – vast, uncontained, and beyond individual control. However, a digital instance of personal data, such as a computer file, is more like a bottled version of that water – defined and subject to human control. Just like digital money and other valuable digital assets, a specific instance of personal data meets all the requirements under South African common law for private ownership. Thus, in this sense personal data can be owned.

Is the data owner not the data subject?

At first glance this might seem so, but no, not necessarily. The reason that it might seem so is because some of the privacy rights created by Popia resemble ownership rights. For example, an owner’s agreement is required before someone else can use the owned object (e.g., loan for use and rent). Similarly, a data subject’s consent is in most cases required before personal data can be processed. Furthermore, the owner of a thing has the right to destroy it; similarly, a data subject typically has the right to have personal data deleted.

Do these privacy rights mean that data subjects actually own their personal data? I suggest not. Wearing a feather in one’s hat does not make one a bird. In the same way, privacy rights that resemble ownership rights do not mean that they constitute ownership. Ownership is acquired by following the rules of property law.

So who owns the data?

Because a newly created personal data instance has no antecedent legal object – in other words, it is not created out of another legal object – it initially belongs to no one. It is res nullius. Ownership of res nullius is acquired through appropriation, which requires two elements: control and the intention to own.

This means that the entity generating the data, such as a company or university collecting and recording it, is best positioned to acquire ownership. Since it already has control over the data, the only remaining requirement is simply the intention to be the owner.

If an entity like a university generates data and intends to own it, then – provided it is in control of that data – it will legally become the owner. This in principle allows the entity to use, license and trade the data as an economic asset. Indeed, it is prudent for data-generating entities, such as universities, to explicitly assert ownership over the data they produce. This not only establishes their legal rights with clarity but also serves as a safeguard against unauthorised access and misuse by malicious actors.

Doesn’t this compromise data privacy?

No, it should not. Ownership is always limited by other legal rules. For example, while I might own a car, I cannot drive it in any way I like – I must obey the rules of the road. Similarly, ownership of personal data is subject to strict limitations, particularly the privacy rights of data subjects under Popia.

However, it is also important to understand that privacy rights apply only to personal data. If personal data is de-identified, meaning that it can no longer be linked to the data subjects, privacy rights cease to apply. What remains are the ownership rights in the data itself. It can be a fully tradeable asset.

Recognising that a digital instance of personal data can be owned – and that the rightful owner is typically the data generator – does not undermine the privacy protections of Popia. Rather, it clarifies the legal landscape, ensuring that the rights of both data subjects and data generators are recognised and protected.


Donrich Thaldar receives funding from the NIH.


