Nothing on the Internet is really free. If users do not pay in euros for a service, then they pay with their personal data and privacy. In this way, companies collect large amounts of data about their users. Personal data is valuable because it allows companies to create a detailed profile about someone. This enables them, for example, to approach people in a targeted manner. The government also processes personal data of everyone in the Netherlands. For example, local authorities keep personal data of citizens in the Personal Records Database (Basisregistratie personen, BRP). When someone marries, has a child or moves house, the local council records this. The law struggles with the phenomenon of data. For example, there is often disagreement about who actually ‘owns’ certain (personal) data. State Secretary Knops has informed (in Dutch) the House of Representatives about a possible ownership by the citizen of its own personal data processed by the government, to be regulated in the Dutch Civil Code (BW). Is this the solution?
Control over own personal data
Under the General Data Protection Regulation (GDPR), citizens have several rights to control the processing of their personal data. For example, citizens have the right to access their own personal data and the right to rectify incorrect/incomplete data. For the citizen, ownership of personal data is often linked to these rights. The aim of State Secretary Knops is therefore to give him or her as much control as possible over these data.
One point of attention is that this control is not and cannot be unlimited. The fact that the citizen does not have full control is primarily due to the fact that the government needs this information in order to carry out its legal tasks. Public authorities must have sufficient guarantees that these data are correct, up to date, available and reliable. For this reason, a citizen cannot, for example, prevent the government from recording his or her name, address and date of birth. Only if such data has been incorrectly administered or factually amended it can be rectified.
Ownership of personal data
At the moment, there is no legal ownership of personal data under Dutch law. The Dutch ownership right is not specifically designed for this purpose. The law states that ownership is the most comprehensive right a person can have on a thing. And things are tangible objects that can be controlled by humans. Obvious examples are a chair, a house or a piece of land. Personal data are therefore not covered by this concept.
State Secretary Knops points out that it seems logical to consider the citizen as the owner of the personal data. After all, the data is about him or her. According to the State Secretary, however, it is not a good idea to make legal ownership of personal data possible. One of the reasons for this is that control over one’s own data cannot be unlimited.
According to the State Secretary, it is much better to protect the rights and obligations of citizens with regard to their personal data in a different way as much as possible. This is possible, for example, by virtue of the right of access and rectification included in the GDPR. In a policy letter (in Dutch), the rights and obligations laid down in the GDPR are further specified and broadened. Not only with regard to access and rectification, but also with regard to the provision of data, and the possibility of sharing one’s own data with third parties digitally.