Faculty of law blogs / UNIVERSITY OF OXFORD

Who Owns ‘Your’ (Business’s) Digital Data? New EU Law in the Making


Simon Geiregat
Postdoc Fellow at FWO Research Foundation–Flanders and at the Max Planck Institute for Innovation and Competition


Time to read

5 Minutes

Who ‘owns’ digital data generated by one’s devices and the data uploaded to a cloud? In most jurisdictions, the current answer would be: no-one, unless and to the extent that a data set is either protected by an intellectual property (IP) right, which will often not be the case, or comprised of personal data to which individuals can exercise GDPR-like prerogatives. By contrast, digital data cannot be subject to ownership rights from an English, Belgian and French or German property-law perspective—or at least not independently from its carrying medium.

Data ownership: stake and initial debate

As a corollary of the lack of a meaningful property-law status for data, it has proven difficult for business and private users to obtain access to data generated by their own use of a device, as well as to recover the data that they uploaded or to transfer that data from one cloud provider to another. This is a reason for concern because users may often have an interest in accessing ‘their’ data and because a refusal to share certain data can undermine competition, for instance, by preventing third parties from providing derivative products and services like spare parts and repair services. In a way, precluding access undermines the potential of an important economic characteristic of data, that is that is non-rivalrous in the sense that multiple parties can use it in parallel without consuming it.

In the 2010s, legal academia and policymakers began to explore the idea of mitigating the non-rivalry nature of digital data by creating exclusive ‘data ownership’ or ‘data producers’ rights’ in the EU. The debate soon shifted away from exclusivity and focused on data access instead. Concerned by the plausibility that new exclusive rights would bring about numerous unwanted effects and re-enforce market power instead of breaking it, the time was found ripe for the legislature to create rights to access or use specific data in particular instances.

Data Act Proposal

Following years of stalling, the European Commission published its proposal for a Data Act (DA) in February 2022. The proposed Regulation is intended to remove barriers to a well-functioning internal market for data featuring ‘optimal allocation of data for the benefit of society’ and ‘user empowerment’ through the harmonization of targeted rules on data generated by products and related services and on data holders and data recipients.

Two proposed DA chapters are particularly interesting. First, chapter II intends to introduce data sharing obligations to the benefit of both consumers and businesses in relation to products connected to the Internet of Things (IoT) and related services: an IoT access right. Second, chapter VI aims at facilitating switching between cloud services (called ‘data processing services’). To this end, cloud providers will be obliged to provide business and private customers with a contractual right to either retrieve their data, applications and digital assets or ‘port’ them to another cloud provider: a cloud portability right.


The newly proposed rights have been critically analyzed by eminent scholars, including Wolfgang Kerber, Matthias Leistner and Lucie Antoine, and Josef Drexl, Carolina Banda et al at the Max Planck Institute for Innovation and Competition. In line with their findings, it seems fair to conclude that a lot is still open for improvement. The proposed IoT access right is very far-going, for instance. It puts users, whether businesses or consumers, in the driver’s seat: only they are eligible to determine the further use of data generated by ‘their’ devices, and their choices as to the purposes of use are enforceable upon third parties. Although this approach has its merits, the DA should not go so far as to grant a novel form of exclusive, IP-like right to data. Besides, the proposed delineation of the scope of this right is problematic: definitions are vague and exclusions too wide. Moreover, the legislature should also consider the immanent conflicts with IP rights.

Concerning the cloud portability right, the DA Proposal equally leaves many questions unanswered. Its proposed scope is very wide. It is neither clear what cloud users would exactly be entitled to retrieve or ‘port’ nor how the cloud portability right would relate to IP rights. It would also seem that the drafters have erroneously excluded online content services from the scope of cloud portability rights due to a mix-up of buzzwords in recent EU legislation. More fundamentally, the proposed legislative design is quite peculiar: the DA would not provide a statute-based right straight away but require cloud providers to grant portability rights by virtue of a contract. Nonetheless, the provisions should be interpreted as bestowing professional and private cloud users with a self-standing, non-exclusive entitlement, directly enforceable against their cloud provider, to choose, at the termination of their agreement, between retrieving or transferring (‘porting’) all the data, applications and ‘digital assets’ that were either imported by them, (co‑)created directly by them, or (co-)generated indirectly by their use of the service. Hopefully, these and other uncertainties will be mitigated in the fiery legislative negotiations that are expected to take place.

Analysis ‘as objects of property’

The DA is not intended to create exclusive ownership of data, properly speaking. In its current reading, the two proposed rights will neither constitute ownership rights nor property rights (rights in rem) nor IP rights. However, the latter does not preclude that the DA will mark a shift towards a more ‘proprietary’ approach to (IoT and cloud) data. Indeed, by introducing an IoT access right and a cloud portability right, the DA should be understood as awarding statute-based rights in personam in data.

It is contended that the novel rights be considered non-waivable and non-transferable inter vivos, but eligible for licensing. They ought not to be perpetual but subject to time bars. In the case of joint ownership, individual co-owners should each be entitled to exercise their rights to the maximum extent possible because the non-rivalrous nature of data does not prevent other co-owners from accessing and using the data again. Interestingly, the newly proposed data rights also have the potential to be considered individuals’ and companies’ assets. Indeed, through the creation of these rights, people and entities would soon have property-like claims to data. Hence, it is not inconceivable that right-holders will want to monetize their rights, for instance, by giving them as security or by establishing derivative property rights, like usufruct. Whether that is allowed or not will primarily be determined by national law. Nonetheless, it is argued that the current reading of the DA does not preclude this from the outset, and that the rights in IoT data and cloud data ought to be able to form part of an inheritance or a bankrupt’s estate as an intangible asset on its own, independent from the property rights in the IoT device or the fate of the cloud contract.

Concluding remarks

In its proposed reading, the DA will not create ownership entitlements in data, properly speaking. However, a closer analysis of the proposed IoT data right and cloud portability right begs the question whether, ultimately, the DA will not put the holders of those rights in a legal position that is substantially similar to what ‘ownership’ of data would have looked like for those types of data. Indeed, we will be able to claim access to data that our or our business’s IoT devices created and to reclaim data, applications and digital assets that we uploaded to the cloud. Abstracting from the lack of a general prerogative to exclude others from using the same data, one may ask what greater entitlement we can reasonably expect to have to a substance that does not meet the thresholds for IP protection and that owes its value in part to the very fact that it is non-rivalrous?

This post presents a summary of some key findings of a paper published on SSRN in September 2022, which also touches on other sub-topics and offers some suggestions for the legislature.

Simon Geiregat is a postdoc fellow at FWO Research Foundation – Flanders and at the Max Planck Institute for Innovation and Competition; he is a visiting professor of intellectual property law at Ghent University and an assistant professor at eLaw, University of Leiden.


With the support of