In order to evaluate the compatibility model of EU data legislation between data markets and data protection, I need a unique relevant yardstick, namely a conceptualization of data commodification. While data commodification has been referred to in the literature, there is surprisingly no conceptualization of this phenomenon. Data commodification is oft en pictured as a monolithic phenomenon whereby data would be either ‘commodified‘ or not. Authors engaging with this phenomenon provide little explanation as to which criterion(a) would trigger a qualification as either ‘commodified‘ or not. Because used mainly by fierce opponents to this phenomenon, the term ‘commodification‘ mainly serves to cast shame on certain data governance arrangements. What is missing, for the purpose of the present endeavor, is a conceptualization of data commodification that reports on three main aspects: First, the reasons why data commodification – and ultimately data markets – is a disputed phenomenon, or in other words why data markets and/or commodification is oft en met with discomfort – if not squarely discontent. Second, how the law relates to data commodification and, third, how data commodification relates to values that are not necessarily exchange or market ones such as data protection. The conceptualization of the data commodification phenomenon in a way that report on these specifications constitutes the object of Part I of this book.

ABSTRACT

Chapter 2 maps and analyses the oft en-occurring arguments in the ethics debate concerning human (mood) enhancement technologies. This debate concerns arguments with strong religious and ideological inklings (such as the unnaturalness concern, the playing god argument, medicalisation, the cheating argument, and the selfishness argument). These arguments sometimes have problems of a rhetorical nature, leaving the aim of their objection unclear. The rhetorical problems are not as such arguments but dimensions of ideological, religious and ethical issues, in that they sometimes are mixed and do not clarify whether they concern individuals or species.

Moreover, this debate also involves the arguments dealing with issues of justice, identity, autonomy, dignity, privacy, safety and prevention of harm in the context of human (mood) enhancement technologies. Following their analysis and evaluation, a dedicated section provides an integrated overview of how these arguments connect and overlap.

Mapping and analysis of the oft en-occurring arguments in the ethics debate concerning human (mood) enhancement technologies based on which normative recommendations are formulated for lawmaking and policymaking purposes are performed by applying the wide refl ective equilibrium method developed by John Rawls. The method consists of three levels of considerations that must be distinguished: descriptive and normative theories, moral principles and considered moral judgements. It will be assumed that the equilibrium exists when the three levels cohere and are mutually supportive.

In the last years, data have been increasingly considered as resources, in the midst of various and possibly contradictory values, objectives and interests. For example, data from smart farming equipment can be used to gain insights as to the properties of the farm soils and thus help tailor the required intrants. Data from wearable fitness trackers can provide information on the health of individuals wearing them and thus help tailor medical treatment. Data are also expected to feed the development of AI, for example by training algorithms in various scenarios. Until recently, data were not or little regulated as such. Now, the EU legislature attempts to incorporate the resource function of data in law. Once toyed with, the option to establish data ownership – in the form of a ‘data producer’s right’– was soon abandoned. Following the European Data Strategy of the Commission, the EU has embarked on the path of a data-specific (sui generis) and data-focused set of legislations. The objective of the EU therein is to add to data protection, rules that account for the function of data as a resource with the ambition to establish and support data markets. The Data Act and the DGA – the focus of this book – are thus expected by the EU legislature to constitute the private law for data – or even a ‘data law’. Such EU data legislation will then be complemented with ‘public law’initiatives as part of data spaces regulations.

DATA SUBJECTS AS DATA CONTROLLERS CONCERNING THE PROCESSING OF DATA RELATING TO THEMSELVES?

In order to allocate the responsibility to comply with legal requirements, the GDPR relies mainly on the notion of ‘(data) controller‘, defined as

The data controller is the main person responsible for compliance with the GDPR. 1165 Where several controllers ‘jointly determine the purposes and means of processing‘, they are joint controllers and shall arrange their respective responsibilities for compliance between themselves, in a transparent manner and in a way that ‘duly reflects the respective roles and relationships [that they have] vis-à-vis the data subjects‘. Such an arrangement cannot be enforced against data subjects.

The GDPR regulates other roles, and in particular this of the ‘processor‘, defined as the person who processes personal data on behalf of the controller. 1167 Should the processor process data beyond the instructions given by the data controller, they would then qualify as a controller.

As a reminder, Part I of the book was dedicated to the understanding of the data commodification phenomenon. I designed a data commodification spectrum ranging from data complete commodification to data complete noncommodification, on the basis of four ‘data-specific commodification indicia‘. Thus designed, the data commodification spectrum serves as a unique yardstick to compare and cluster how respective schools of thoughts engage with the tradability of data.

In Part II, I analyzed EU data legislation – namely the Data Act and the DGA – systematically against the background of data commodification. I clustered them on the data commodification spectrum on the basis of the data-specific commodification indicia. I found that both the Data Act and the DGA can be placed in between the ‘efficient‘ and the ‘fair‘ data market paradigms. They both lay down sui generis rules for data, with the steady objective of commodifying them despite their specificities. From the perspective of data commodification, the Data Act and the DGA display a rather high level of consistency with one another, especially at the conceptual level. The Data Act and the DGA are generally embedded into market values and a market rhetoric, which can be traced back to the efficient data market paradigm.

The conceptualization of data control as the right for data subjects to control data processing-incurred risks to the autonomous exercise of their fundamental rights and freedoms, heavily relies on the notion of ‘purpose‘ as a means to understand and circumvent such risks. Consensually described in the legal literature as a (or even the ) cornerstone of data protection, this notion had been little addressed head on by the Court until recently. In its recent case law, the Court has addressed both the constitutive criteria of purpose and the functions of purpose as per the GDPR. At this point, it is therefore necessary to evaluate how this case law impacts on the conceptualization of data control and especially whether it calls for a re-examination of the above findings. I conduct this analysis against the background of data commodification.

First, I recapitulate how ‘purpose‘ plays out in the GDPR namely, by general opinion, as a (if not squarely the) cornerstone of it, before I turn to the recent case law of the Court, which deals with ‘purpose‘ in two distinct ways. A first line of inquiry is the new strand of the case law of the Court that, first arising in the context of controllership, amounts to a shift in focus from purpose to data processing operations. The second line of inquiry is the case law on the constitutive criteria for the notion of purpose, to determine such purposes that the GDPR deems acceptable.

DATA PROTECTION, DATA CONTROL AND DATA COMMODIFICATION: A RATHER OLD CONUNDRUM

Adopted in 2016, the General Data Protection Regulation (GDPR) recast the Data Protection Directive of 1995. This famous Regulation applies, in principle, to any processing of personal data across the EU, namely any processing of data that allows for the identification of (an) individual(s). Any personal data processing shall comply with a list of principles, namely lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation and integrity and confidentiality. Lawfulness implies that data processing be based on at least one of the listed legal bases, of which the consent of data subjects for one or more specific purposes is the most referred to when it comes to data transactions. Specific – i.e. more stringent – conditions are applicable in case of ‘sensitive data‘ such as health data.

The GDPR provides data subjects with rights (data subjects ‘ rights) the list of which has been broadened compared to the Data Protection Directive: Rights to transparency, information and data access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, right not to be subject to automated processing.

Compared to the Data Protection Directive, the GDPR also reinforces security obligations and creates a new obligation to conduct a ‘data protection impact assessment‘ prior to any personal data processing that is likely to result in a high risk to the fundamental rights of individuals.

SEEING BEYOND THE LEX SPECIALIS PROVISIONS OF THE DGA

As it clearly appears from the Data Strategy, the Data Act and the DGA, the Commission and the EU legislature see both such legislative frameworks as connected one to the other. They together form the horizontal framework for data, which I identified as the decentralized private law ordering for data, to be further complemented with sector- or domain-specific ‘public law‘ initiatives. As discussed in the previous chapter, the Data Act follows mainly the property law objective to provide a primary allocation of data (use and value). Then, the expectation of the EU legislature is that the actors, namely, in the context of the regulation of connected product data, mainly users and selected third parties, can then make further use of data and especially share them in various ways through the support of data governance institutions as regulated under the DGA. While the Data Act requires mandatory data access or making available as a means to re-allocate and distribute data, the DGA lays down a range of mechanisms that support voluntary data sharing.

The DGA consists of three main chapters, pertaining allegedly to three different types of scenarios in which data are voluntarily shared. Chapter II applies to data held by public sector bodies on which third parties have rights (thus deemed outside of the scope of the Open Data Directive).