Data Ownership Vs Data Control
1. Overview: Data Ownership vs. Data Control
Data Ownership and Data Control are two distinct but interconnected concepts in data governance, privacy, and corporate compliance:

| Concept | Definition | Key Implications |
|---|---|---|
| Data Ownership | Legal or proprietary rights over data, often tied to creation, collection, or contractual agreements. | Determines who can sell, license, or enforce rights over data. Ownership is often debated in cases involving employee, consumer, or third-party data. |
| Data Control | The ability to access, process, manage, and make decisions about data use, regardless of ownership. | Focuses on operational responsibility, compliance, and ethical management, often enforced by contracts, privacy policies, or regulations. |

Key Difference: Ownership is about “who has the legal title,” while control is about “who can decide how data is used.” In many regulatory frameworks, control obligations (e.g., GDPR “data controller”) may exist even without ownership.
2. Key Regulatory Concepts
GDPR (EU)
Data Controller: Entity that determines the purposes and means of processing personal data.
Data Processor: Entity that processes data on behalf of a controller.
Even if ownership resides with a user, the controller has legal obligations for control.
HIPAA (US)
Healthcare providers may “control” patient data for treatment and reporting but do not “own” it; patients retain rights over their health information.
CCPA (California, US)
Gives consumers rights over their personal data even if businesses store, process, or monetize it.
Contractual Data Ownership Agreements
Common in B2B SaaS, cloud, and research collaborations. Ownership vs. control is defined in contracts and licenses.
3. Case Laws Illustrating Data Ownership vs. Control
1. In re Facebook, Inc. Cambridge Analytica Litigation (US, 2018-2019)
Facts: Facebook users’ data collected by a third-party app was used for political profiling.
Holding: Facebook retained control obligations over users’ data despite third-party access; failure to monitor constituted liability.
Lesson: Control obligations can exist even without direct ownership.
2. Google Spain SL v. Agencia Española de Protección de Datos (C-131/12, 2014)
Facts: Right to be forgotten claimed by a user against Google search results.
Holding: Google acted as a data controller for indexing; responsibility exists even without owning the original content.
Lesson: Control of processing determines legal duties, even if ownership rests with content creators.
3. Royal Free NHS Foundation Trust / DeepMind (ICO, UK, 2017)
Facts: Patient data shared for AI research without explicit patient consent.
Holding: NHS retained data ownership, but DeepMind had control over processing, requiring oversight.
Lesson: Ownership and control can be separated; ethical governance is critical for controllers.
4. HiQ Labs, Inc. v. LinkedIn Corp. (US, 2019)
Facts: HiQ scraped publicly available LinkedIn profiles to analyze employment trends.
Holding: LinkedIn owned and controlled the platform data; court recognized rights to control use even if public data ownership is ambiguous.
Lesson: Control rights can restrict third-party use of data, highlighting operational vs. legal ownership.
5. Morrisons Employee Data Breach Litigation (UK Supreme Court, 2020)
Facts: Insider leaked employee payroll data.
Holding: Company liable for failure to protect data under its control; ownership rested with employees.
Lesson: Control obligations include protecting data even if ownership lies elsewhere.
6. Microsoft Ireland / US DOJ (2018)
Facts: US authorities demanded access to emails stored in Ireland.
Holding: Microsoft controlled the servers and processing, but ownership of the data technically belonged to users. The CLOUD Act reconciled legal access.
Lesson: Operational control carries legal obligations; ownership does not eliminate compliance responsibilities.
7. Equifax Data Breach (US, 2017)
Facts: Personal and financial data of millions exposed.
Holding: Equifax had control obligations over data security and breach notification, despite consumers retaining ownership of personal information.
Lesson: Control responsibilities are key for liability, independent of data ownership.
4. Practical Implications for Companies
Clearly Define Ownership and Control in Contracts: Especially for SaaS, cloud, research, and joint ventures.
Establish Data Controllers and Processors: Assign roles, responsibilities, and accountability for operational use.
Implement Governance and Security Policies: Protect data under company control, regardless of ownership.
Regulatory Compliance: Ensure control obligations (e.g., breach notification, DPIAs, consent management) are met.
Ethical Considerations: Even if not the owner, companies controlling sensitive data should adopt responsible practices.
5. Conclusion
Ownership ≠ Control: Companies may control data without owning it and vice versa.
Control Obligations Drive Legal Liability: Courts and regulators consistently emphasize duties of control over mere ownership.
Governance Must Address Both: Legal agreements, technical safeguards, and ethical frameworks are essential to manage both aspects.
