Data ownership, control, access, and transfer

Data is produced, collected, analysed and shared at an unprecedented scale by organisations and individuals with a variety of roles. For example, governments publish part of their data – usually aggregated and rarely at the level of individuals – in keeping with the paradigm of open data. In contrast, commercial entities tend to hoard data, sharing it only reluctantly. Several concepts regarding the attribution of rights to data holders have been discussed in the past. Regarding the concept of data ownership, the normative category of property rights runs into problems because legal provisions usually only encompass physical objects, and not data. Data is not material, it can be copied, it is non-rivalrous (which means it can be used by numerous people at the same time without impairing accessibility or utility) and is also generally non-exclusive (being available to many) - the latter two characteristics being also true of public goods. The idea of data ownership therefore lacks relevance, and regulators generally no longer build on the concept of data property. Because of the difficulty in assigning rights to data, it is the access to data and its control – not its potential ownership – that determine how it will be used. The people or institutions holding and processing the data are in effect its owners and have the power to decide how it is used, stored, deleted and transferred. Consequently, regulators usually build on the concept of data access. Some general legal instruments specifically address access to one’s own data. For instance, the data portability right will allow users to transfer the data gathered from one service provider to another. Current regulations implementing rights of data access in Switzerland are found mostly in antitrust law, but also partly in unfair competition law. Their application faces many challenges, for example the design of market delineation, whether data is correct and appropriate, and the definition of market power. Antitrust proceedings are also usually expensive and lengthy, while the competition authority often only delivers its decision after the concrete situation has already evolved.  Data access can be restricted by sector-specific regulations, for example in healthcare.