The importance of property in the modern materialistic world hardly needs to be emphasised. Property is indispensable for the sustenance and well-being of human beings. It has been widely accepted throughout the centuries of human civilisation that everyone has the right to enjoy the fruits of their labour and industry. The traditional jurisprudence on property tells you that property is either tangible or intangible. However, the rapid development of data analytics, automated manufacturing, probability-based management practices, and machine-based commodities highlights the increasing commercial significance of data as a property.

This article explores how these industrial creations vouch for the recognition of data as a new type of property, possessing all the attributes of property. Data assets can be created, manufactured, processed, stored, transferred, licensed, sold, and even stolen. Indeed, data has achieved economic value in today’s world.

To better understand this, consider a school. At this school, students are appearing for board exams. Many of them will look for tuitions so that they can score better. Now, coaching institutes would love to have data on students’ parents’ contact details to pitch their services. Access to this data thus opens the opportunity for commercial gain.

Commercial Importance of Data

If we attempt to assign economic value to data based on the flow or production of data, such a metric is a flawed approach to ascertaining its value. Data is always a potential asset. Its real value depends on the insights that can be derived by a decision maker, or the capacities an organisation develops by acting on those insights, or how resource allocation is optimised, eventually making data precious. However, the economic value of data today largely depends on how meaningful processing can be done and the valuable insights that can be developed from it.

Big tech companies, such as Google, Amazon, and Facebook, have unprecedented volumes of data at their disposal. Much of this data is personal data, including consumer preferences, locations, networks, and political views. Processing this data and deriving insights from it is not only feasible for big tech companies but also a reality. They monetise these insights to further their business objectives. This also gives them the luxury of denying users access to their services altogether if users do not consent to such data processing.

Copyright Protection on Database and not on Data

Data in its crude form is not protected by legislation across most jurisdictions. Still, personal data is an outlier in this regard, as legislation has recently emerged to safeguard personal data. Data receives protection in its organised form, that is, in its database form, wherein it has been organised and its contents evidence its purpose and its need in commerce. Copyright protection of databases started with the landmark case of Feist Publications v. Rural Telephone Service Co., 449 U.S. at 359-60, where the U.S. Supreme Court held that only databases showing some degree of originality in the selection, arrangement, or organisation of their contents could merit copyright protection.

In this case, the Telephone Company compiled a telephone directory listing the names, addresses, and phone numbers of its subscribers. The publication, which was the petitioner in this case, used this information without permission and created its directory. The court held that the mere publication of a list of subscribers to the Company did not meet the threshold for sufficient creativity and thus did not qualify for copyright protection. The court further held in this case that the selection of facts arranged without any meaningful purpose would not receive protection. However, databases can be protected in other ways. Thus, the current state of data protection, rather than database protection, came into being.

In India, the 1994 amendment to the Copyright Act, 1957, broadened the definition of literary works under Section 2(o) to include computer databases.

Tort/Misappropriation Model for Protecting Data

Trade secret protections are also available to data subjects, provided that a specific agreement classifies the data as a trade secret and confidentiality agreements are in place to safeguard it. Thus, the remedy at hand is highly inadequate to deal with the eventualities of a data breach that arises beyond the ambit of the protection contemplated in the laws mentioned herein.

The tort/misappropriation concept has its shortcomings when it relies on the classification of data as a trade secret, since the Uniform Trade Secrets Act in the US defines a trade secret as

“a piece of information that has independent economic value by not being generally known and can reasonably be maintained a secret.”

Such trade secret protection legislation would thus protect a niche segment of information, such as databases, algorithms, processes, patterns, techniques, and secret formulas, where there is a preexisting apprehension that it should remain secret or a contract exists regarding this matter. Moreover, a non-disclosure or confidentiality agreement must be in place. Furthermore, the information would need to meet the threshold for trade secret protection, i.e., it should have some commercial value at the time of disclosure.

Another remedy available to the data owner in these cases is to sue for the tort of data breach. Still, more often this remedy would be found to fall short of the intended purpose of the suit, since the jurisprudence of tort ties the hands of the court to award damages, which is only a proximate consequence of the cause of action, i.e., the data breach.

Shortcomings of Existing Laws in Protecting Private Property Rights in the Database

The existing laws fall short of effectively protecting data, particularly organisational data, because the threshold under the Copyright Act is relatively high and not inclusive. To better understand this, let’s consider an example of insider trading. In insider trading, people privy to organisational information leak it to certain parties. These parties can now use this information to act accordingly as stock prices fluctuate. Now, market regulators in most countries prohibit and punish this act.

However, the organisation itself cannot significantly punish the insider who leaked the information if no confidentiality agreement was in place. This data or information further lacks protection because it was not organised in a database but rather as a single instance, such as the procurement of specific new machinery, which would enhance the organisation’s productivity. The remedy of copyright protection thus fails to bite at the root of the issue in this case.

What if there is no Direct Commercial Value?

In such cases, the protection afforded by trade secrets would fall significantly short of its intended purpose. In the last example, consider that this company’s rival learns about the new machinery. They start instigating the workers of the importing organisation to believe that such machines would lead to layoffs, thereby creating an industrial dispute.

The rival organisation can also lobby and lead to government regulations that can disrupt the procurement or installation of such machinery. This can happen due to tariffs or other factors such as emission requirements. Since the data has no direct economic significance, the trade secret protection legislation, as discussed in the last section, would fall short in this circumstance.

In India, on the other hand, there is no direct trade secret protection legislation, and the Contract Act provides protection for trade secrets. Thus, this creates a situation in which protection would depend on the letter and spirit of the contract and the laws of equity, which are again at the discretion of the Court. This creates a very disadvantageous situation for organisations.

Protection Due to GDPR and Other Data Protection Laws

Rights over personal data have evolved to resemble those of property laws in this case. Even after a data fiduciary has acquired data, certain rights of a data principal remain. This has not exactly led to the classification of personal data as personal property, but similar rights now apply to personal data. We may need additional data protection laws that focus not only on personal data. However, a very pro-market law can do more harm than good, as it can lead to the concentration of data in a few hands. It can also lead to bulk data purchases by larger players. Therefore, classifying data as property is a welcome starting point.

Scope of Criminal Laws in India

In the Indian judicial system, criminal laws concerning the misappropriation or theft of property have not been widely applied to data or intellectual property. Protection of data due to a certain extent was available in the form of cyber laws, such as those related to hacking. However, criminal laws had shortcomings in protecting against data breaches or data leaks.

As seen in the case of Wolfgang Prock-Schauer v. State of Maharashtra, a former CEO of GO Airways was accused of disclosing confidential information regarding the business to which he was privy. The prosecution had initially charged him with criminal misappropriation of property under Section 408 of the Indian Penal Code, 1860. However, this charge was later dropped when the court inquired whether the company’s data was considered its property.

The definition of movable property under Section 2(21) of the Bharatiya Nyaya Sanhita, 2023 (BNS) provides an expansive description. It includes every type of property except immovable property. Over the course of the next few years, this should enable the courts to apply criminal misappropriation in cases of data theft or data leaks.

Conclusion

The evolving digital economy necessitates recognising data as property to address legal gaps and challenges in ownership and control. Traditional property laws are inadequate for the unique characteristics of data. Current mechanisms provide limited protection against unauthorised use and exploitation. The expansive definition of movable property in BNS is a welcome step, but still, challenges remain.

While data protection laws protect personal data, they often leave organisational and non-personal data out of their scope. Additionally, the absence of comprehensive criminal provisions for data theft underscores the urgent need for legislative action. Future legislation should classify data as property, establishing clear ownership rights and liability mechanisms. Ultimately, defining data as property is essential for fairness, security, and accountability in the digital age. A well-defined legal structure will help navigate data governance complexities and unlock its full potential for economic and societal benefits.