14.3.1.1. An ownership right over data recognized by case law

Data theft was characterized by the transfer of data (customer and supplier files) to a USB key and the court therefore recognized the status of data as a thing, within the meaning of Article 311-1 of the French Criminal Code, “fraudulent removal from the property of another”.

In a subsequent judgment, the Paris Court of Appeal⁴ recognized the theft, by the fraudulent access and storage in the automated data processing system of the Agence Nationale de Sécurité Sanitaire de l’Alimentation, de l’Environnement et du Travail (ANSES), and by the removal of data and then the downloading and recording of these data on several media (hard disk and data center).

14.3.1.2. A right established in the French Criminal Code

Since the law of January 5, 1988 known as the GODFRAIN law, there has been an offence of intrusion by access to a computer system, imprisonment of 1 year and a fine of 15,000 euros. These violations of automated data processing systems are now punishable by up to 2 years in prison and a fine of 60,000 euros. The deletion or modification of data contained in such systems is punishable by 3 years’ imprisonment and a fine of 100,000 euros.

Articles 323-1 to 323-8 of the French Criminal Code, therefore, confirm that data are an asset like any other, which may be concealed by attacks on automated data processing systems. Financial penalties reveal that a value is given indirectly to the data. The value is based on the damage generated by the breach in the system.

In 2017, France was sadly the second most affected country in the world in terms of data theft⁵, showing the urgent need for companies to tackle the issue head-on. Between October 2015 and October 2016, 85.3 million data related to the identity of French were stolen.

Criminal law, therefore, allows for prosecution and indirect reparation through sanctions.

The Cambridge Analytica scandal (see Box 14.1) reinforces the feeling that, more than ever, the right of ownership over personal data for the cyber-consumer shall be instituted in terms of their digital activities to protect this asset from unscrupulous operators.

On June 7, 2018, CNN explained that Facebook had triggered a security breach between May 18 and 22, 2018 for 14 million users by testing a new feature. The personal data of these 14 million had been made public. However, Facebook’s Chief Privacy Officer [UNT 18], Erin Egan, did not seem to understand the danger of security breaches and cyber-consumer privacy breaches.

Only an ownership right, with payment of damages, could change the business model of these operators.

14.3.1.3. A new right of use of our data: the portability of personal data within the GDPR

In several ways, the GDPR reinforces the concept of data ownership, in particular, by introducing a new right, the right to data portability.

Article 20 enforces the right to data portability: the recovery of data and transmission of personal data to another system (operator in practice) to which the controller may not object. The right to the portability of personal data is intended to allow data subjects to retrieve the personal data they have provided to a controller, possibly to transmit them to a new controller. This only concerns automated processing operations based on the consent of the person concerned or the performance of a contract. In this context, it remains to be defined in concrete terms what the modalities of transmission and the associated technical standards are.

The data concerned is specified by the Article 29 Data Protection Working Party (A29⁶) which, in its guidelines on the right to data portability, states that it is data actively and knowingly provided by the subject but also data observed or generated by the use of the service or device. The so-called inferred and derived data, created by the controller on the basis of the data provided, will not be affected.

The controller must inform the data subjects of the existence and scope of the right to portability and must respond to such a request within 1 month. This period may be extended to 3 months if the request is complex.

The Article 29 Data Protection Working Party recommends that data is transmitted over the Internet, but it may be considered to put them on a physical medium (CD, DVD, USB key, etc.) if this allows faster access to the request.

Data portability is also included in Book II of the French Consumer Code: “Article L 224-42-1 – The consumer has a right to recover all their data in all circumstances”.

The data must be retrievable by the cyber-consumer in an open way that must be reusable and exploitable by another automated processing system (Article L 224-42-3 of the French Consumer Code following Article 48 of the law for a digital republic).

Portability therefore clearly demonstrates the ab usus⁷ of personal data by cyberconsumers.

In this respect, portability should not be confused with transfer. In fact, portability does not imply the deletion of data; the data may always be kept by the operator in line with its processing purpose.

Data portability is not, in practice, very effective today, and instead data interoperability and processing issues are emerging. What about processing operations carried out by an ISP that are useful to somebody for administrative and tax declarations, and that would no longer be accessible to them by switching providers? There is a technical lock set up by the operator.

The Article 29 Data Protection Working Party recommends the creation of personal data warehouses, allowing the storage and access to its data on an SFTP (Secure File Transfer Protocol) server with an online application programming interface (API)⁸ or a secure Internet portal, of course.

This new right to the portability of personal data enshrines the cyber-consumer’s rights, such as a user of services and platforms. It tends to reintroduce balance into the economic value chain of the data market. Initiatives to facilitate the exercise of this right are being organized. For example, Onecub⁹ is a start-up that organizes data portability by facilitating the import and export of your personal data, while ensuring that the user controls these data. Onecub supports Internet users by identifying the processing and data concerned by portability, identifies uses, protects privacy from the design stage and defines data exchange formats with the Internet user. This company is supported by the French Data authority (CNIL) and the French Bank for Invesment (BPI).

14.3.2.1. The actors in the data exploitation chain

Several actors in the data exploitation chain with various professions are emerging:

1. 1) the cyber-consumer: the leading provider of personal data, through their digital activity or connected objects;
2. 2) the data collector (data centers, ISPs, operators);
3. 3) the data aggregator: it will be the private (commercial or associative) or public entity (why not a state API that would collect EPIC¹¹ category data?) that will have the technical and financial capacity to manage and analyze these data. The cyber-consumer must receive an income from this collection based on the volume of data and the relevance of the data they generate. The aggregator can sell these data to platforms;
4. 4) the platform: it also seems necessary to reform the status of platforms. In 2014, the Conseil d’Etat in its annual report¹² suggested reserving a special status for platforms that offer classification or referencing services for content, goods or services put online by third parties;
5. 5) the data retailer¹³: the retailer or broker is the one who will sell a service related to the exploitation of the data;
6. 6) the DPO will become the one who will be responsible for defining the content of the usable data and could be able, beyond the application of the GDPR, to decide to whom to sell them on the instructions of the cyber-consumer and the entity that appointed them.

14.3.2.2. A micropayment based on the categorical use of data governed by the legal provisions of the GDPR

The reversion of the actors in the data exploitation chain could be done on the basis of a financial counterpart to the consent to the categorical and temporal exploitation of one’s personal data (pay per loyal use, PPLU¹⁴) integrated into the data collection system.

The system would be as follows:

1. 1) the cyber-consumer creator of data would consent to the categorical and temporal exploitation (with a specific purpose) of part of their data by a platform data manager and could create an income either via connected objects, or via platforms, for a category of data and a specific purpose;
2. 2) this consent would be contained in a license agreement for the categorical exploitation of data for a specific purpose in a blockchain¹⁵ that allows for data security and integrity.

This use of the cyber-consumer’s personal data meets GDPR criteria, i.e. categorical and limited in time and quantity.

This could be valid for any cyber-consumer but also open to any company working on Mega Data¹⁶. A (declare system what you use) DWYU¹⁷ could be imagined. This required consent should be explicit. In concrete terms, one could imagine that the cyber-consumer would go to a data management platform or API of a data management company, where they would register with their personal data. This platform would be a management center for the exploitation of personal data. The cyber-consumer would then receive a request for the categorical use of their data on this platform, and they would respond to the request and expressly consent to accept a fair and monetized use of their data;

1. 3) the platform manager would resell the use of this database to enterprise platforms and/or ISPs and/or GAFAs through a smart contact in the blockchain. From then on the purpose and category of data would be locked up and encrypted by the blockchain;
2. 4) the platforms, FAI and GAFA, would pay a percentage to the cyber-consumer for the exploitation of the data category according to the declared purpose;
3. 5) the manager of the data platform would receive an income through micro-payments based on the use value of the data category;
4. 6) the data would be stored on the platform which would become its data broker;
5. 7) a payment by fair use PPLU¹⁸ (pay per loyal use for what you declare you use) would be introduced. The control of the use of the data would be the CNIL’s responsibility. Any illegal and unfair use, of which the cyber-consumer would be informed by an intelligent alert system, would result in the suspension or withdrawal by the cyber-consumer of the selective exploitation of their data on the platform or API.

There should be an equal correspondence between the DWYU list and the PPLU list, which can be controlled by the CNIL in order to respect the rights of the cyber-consumer who creates data. The CNIL would remain the authority to impose sanctions in the event of exceeding the categorical exploitation that does not comply with the declared purpose.

The latter system is relatively easy to set up because it is based on an existing administrative authority, the CNIL and current mechanisms. It is part of the data production chain, respecting all the actors involved. It is in line with the new GDPR through the use of expressed consent and ratifies the usus (use) and (abusus) abuse of personal data made by Articles 17 and 20 in particular.

14.3.2.3. Concrete models for reselling personal data in France

Several companies have already invented systems for monetizing personal data with a reversion to the cyber-consumer.

Virtuous models:

Zerotrace (https://www.zerotrace.fr/) is a Toulouse-based start-up that monetizes photo privacy by asking individuals for the privacy threshold they want. Users decide who can read and see their information, and then choose a partner who can create advertising content that will be seen by unauthorized third parties by hiding the original photo. The photo is immediately encrypted and the user can distribute it securely according to their privacy level. They receive a micro-income shared between the partner they have chosen, which can be a charity, and also themselves.

Confidentiality is assured, the business model is virtuous and everyone wins.

MyCo.coop (https://www.myco.coop) is the first cooperative of Internet users that pays the Internet user. Navigation is private because it is invisible. The browser, myCo, allows you to have a secure email address with an encrypted message exchange system. The user’s identity is therefore not revealed. The browser also gives the user the ability to manage projects between friends or professional relations, or to participate in tests and quizzes that allow the user to earn myCoins. As soon as a person registers, they become a member of the cooperative and receive a remuneration up to the value created by the cooperative in which they participate. Ultimately, the user can deposit this money into their account or reinvest it in the MyCo community to finance private or public projects.

Business models:

Business models use data from the web to analyze them and provide services to the market sector.

Flux vision (https://www.orange-business.com/fr/produits/flux-vision) is a project launched by the telephone and Internet operator Orange working on presence or mobility data that make it possible to know how many people pass through a given commercial area and their frequency of passage according to gender profiles and shopping baskets.

To date, the sectors concerned are mainly banks, product manufacturers and local authorities.