Who owns the information that is subject to privacy law and regulation? Ownership is the right to exclude. If you own a piece of real estate, you can exclude others from entering it. If you own a copyright in a book, you can exclude others from copying the book.

Is the same true of personally identifiable information (PII)? There is no doubt that the collection, use and distribution of PII is a highly regulated activity in which the individual data subject has substantial rights. But does the individual own his or her PII? Can the individual exclude others from collecting, using and distributing it? Or is it owned by the companies that aggregate and exploit the information?

The ownership of PII and digital identity

PII cascades from every visit to a website, from every transaction on the Internet, from every Tweet and from every fact stored in the cloud. The information rushes effortlessly over international boundaries and transactions, and companies assiduously track it. “Real-time ad bidding”—associating online advertisements with browsing history—is fundamental to the business models of companies such as Google and Amazon, and the value of this information in Google’s hands—or Facebook’s, or Amazon’s—is directly measured by the lofty heights of their market capitalizations. A recent study concluded that since November 2010, behavioral tracking has increased 400 percent. The study found that on average, a visit to a website triggers 56 instances of data collection.

Who owns this information? The answer is surprising. Customer lists are considered a classic example of trade secret and are clearly owned by whoever assembles and maintains them. Unlawful appropriation of such information is subject to both civil and criminal sanctions. There is very little doubt that any additional information gleaned from a web visit—what options I considered, how long I was on the site, how I paid, to whom the fruit was delivered, where I was when I placed the order—would be included in the information that the web host could protect as its property.

The law is quite explicit on this point. In Europe, the Database Directive, EU Directive 96/9/EC, adopted by the European Commission in 1996, requires member states to provide protection for databases. UK regulations implementing the Database Directive expressly state, “A property right (database right) subsists, in accordance with this part, in a database if there has been a substantial investment in obtaining, verifying or presenting the contents of the database.” Similarly, the U.S. Copyright Act provides copyright protection for compilations so long as there is copyrightable authorship in their selection or arrangement.

Therefore, the individuals who generate the databases of PII that comprise their digital identities do not own the databases and therefore, in a very real sense, do not own their own identities. One might think of a person’s digital identity by analogy to a pointilliste painting. Thousands upon thousands of tiny bits of digital information about an individual, including what we have called basic facts, sensitive facts and transactional facts, can be assembled to form a picture of the individual, his likes, dislikes, predispositions, resources. The compilations of facts that comprise my digital identities are subject to ownership, but the owner is not me; it’s the compiler.

The conclusion that one does not own one’s own identity might seem jarring at first. On further reflection, though, one realizes that the lack of ownership over one’s digital identity is not very different from one’s identity outside of the digital space. Think of identity as reputation. Do I own my reputation?  I have a reasonably broad opportunity to mold my reputation by word and deed, and I have legal redress if my reputation is unfairly tarnished, but I cannot prevent others from knowing who I am. Because I have no right to exclude, I do not own my identity. It is in a sense community property. The individual builds it, at least in part, but members of the community can then use it—or decide that it would be unfair or unjust to use it—whether the individual wants them to or not.

We might return here to our watershed analogy. No one owns the raindrops falling on the watershed, but when value is created by damming streams of information, it can be owned and exploited by the persons building and running the dams. Eventually, of course, the information returns to the oceanic public domain.

The exploitation of identity

If it is jarring to consider that one’s digital identity is owned by others, not by one’s self, it is still more disturbing to consider that the owners can exploit your identity for their own profit. Hardly a day goes by without a new revelation about the unconsented exploitation of personal information or the unauthorized disclosure of sensitive personal information. The problem is not so much that companies have information about my purchases and habits. The problem is what they do with it and how they safeguard it.

Security breaches are distressingly common. In June, the FTC filed a complaint against Wyndham Hotels for security lapses that allowed hackers to access sensitive financial information of more than 600,000 individuals over a three-year period. In the same month, LinkedIn, eHarmony and Last.fm were all hacked, resulting in the release of millions of users' passwords, and just three months before, the credit card processor Global Payments reported that some 1.5 million Visa and MasterCard account numbers had been stolen by hackers. Even breaches of less sensitive information, such as that of Epsilon in which the e-mail addresses of millions of individuals were inadvertently disclosed, are disturbing and potentially harmful to individuals.

Many of the laws respecting PII can thus be understood as limitations on the ownership rights of the persons, usually businesses, that assemble them. One might analogize the collections of personally identifiable information that comprise one’s digital identities to what the law calls “dangerous instrumentalities.” It is okay to manufacture and own them; indeed, the creation of digital images of individuals represents the generation of an important new form of wealth in the Internet Age—but the use of such information must be regulated to avoid harm or unlawful exploitation.

That this is the case is manifest in examples of privacy legislation as diverse as the EU Directive, the Fair Credit Reporting Act, HIPAA, HITECH, Gramm-Leach-Bliley and the Massachusetts Data Security Regulations. In each case, the assembly of personal information about individuals is not prohibited. Quite to the contrary, such assemblies are affirmatively encouraged, particularly in the areas of financial services and healthcare, since the information can greatly improve the efficient and effective provision of financial and health. However, the use of the information, once assembled, is regulated and controlled.

Some modest proposals

For many, Internet commerce is like visiting a foreign country where the customs and etiquette are new and often disconcerting. To complicate matters further, the citizens of this country—the digital service providers—are making up their customs as they go along, and the pace of innovation, particularly in the realm of the collection and use of personally identifiable information, has outpaced the development of shared expectations as to what is acceptable and what is not.

A great deal of mischief has been caused by the tendency of companies to be cagey about their collection and exploitation of PII, leading to surprise and outrage when the facts come to light. A guidebook, with information about what to expect in terms of the collection and use of personal information, is important. Many of the recommendations of the FTC Framework and the White House’s proposed Privacy Bill of Rights can be understood and applauded in this context.

There is, however, a risk of regulatory overreaction to the collision of cultural expectations. Thanks to the collection of personal information and the assembly of digital identities, consumers obtain better and more personal service than would be possible without it. Consumers can be spared many irrelevant advertisements with which they would be bombarded, commercial television-style, if the information were not collected, and in the end, it is the exploitation of such information that makes so many free Internet services possible. The assembly of such information thus creates enormous new wealth in companies both large and small and facilitates economic activity for all the other enterprises that take advantage of the information. One does not want to kill the goose laying these golden eggs.

Beyond the economic risk, from the author’s parochial standpoint as an intellectual property lawyer, one must consider whether proposals for the creation of new property rights in personal data can be reconciled with long-established principles of intellectual property law that define the public domain. Without a rich source of raw material in the public domain, the creation of new inventions and works of authorship would be curtailed. Surely no one imagines that an individual should be able to prevent an author from using facts about the individual’s life to create a biography, but how does one distinguish this from the assembly of a digital identity by an Amazon? The author, like Amazon, wants to use the information for her own benefit and to sell the information to third parties to earn a profit. Can one make a reasoned distinction between the two activities? In a sense, Amazon’s activity is more benign, since it is quite unlikely to use the information in a way that would offend the individual. Furthermore, if there are “bad facts” about an individual—that he doesn’t pay his debts, that he has committed fraud—should he be able to suppress this information on the ground that it is his “property?”

There are compelling public policy reasons why certain types of information should not inform certain decisions. Race and religious affiliation are perhaps the most obvious examples. Making decisions about the extension of credit, employment, housing, lodging, transport, access to health services and other fundamental needs on the basis of race is, and should be, illegal. This is not because an individual owns the fact that she is of a particular race; it is because discrimination on the basis of race is heinous for more general social and historical reasons. In other words, it is the use of such information, not its assembly and distribution, which merits legal control.

We come, then, to my modest proposal: Wherever possible, regulate the potential misuse of personally identifiable information as opposed to its assembly and dissemination. Section 604(g) of the FCRA is an example of such regulation. It generally prohibits creditors from obtaining and using medical information in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. On the other hand, the statute contains no prohibition on creditors obtaining or using medical information for other purposes that are not in connection with a determination of the consumer’s eligibility, or continued eligibility for credit. One can imagine myriad purposes for obtaining such information, not the least of which is the provision of effective medical treatment.

Proposed regulation that prohibits entirely the collection of certain types of information, or permits it only with prior consent, seems to this author to be overbroad. The proposed Geolocation and Privacy Surveillance Act (S1212) and proposed Location Privacy Protection Act of 2011 (S1223), both of which would require prior express consent to the collection of geolocation information, and the proposed Best Practices Act of 2011, which would, among other things, require prior consent to collect sensitive personal information, are examples. It is not easy for me to understand how or why I can legitimately prevent people from knowing that I’m walking through a particular mall at a particular time when that fact is obvious to everyone else in the mall. On the other hand, the use of that information to, for example, rob my home when I’m not there, seems legitimately actionable. Again, it’s the use of information—not its collection—that deserves regulation.

Identity, and the personal information on which it is built, is inherently relational in nature. It is the opposite of anonymity, and one cannot have it both ways; you can achieve anonymity by refusing to interact with others, but once you begin to interact, you necessarily lose your anonymity and gain an identity, as you are perceived by and in your relations with others. At that point, your identity is not, and by necessity cannot be, your private possession.

Written By

Thomas Hemnes


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»