Menu

Personal data as property : A case for data ownership rights in India.

Publications, Research paper

Abstract:

In today’s digital economy, personal data stands as a pivotal asset with substantial economic and strategic value. Yet, in India, individuals lack legally recognized ownership over this critical resource. This paper advocates for the treatment of personal data as a proprietary right, proposing that individuals be vested with tangible legal entitlements over the data they generate. It explores the conceptual foundations of property law, comparative international practices, and normative arguments that justify such a shift. By analyzing the shortcomings of existing privacy regimes and the imbalance of power between data collectors and individuals, the paper argues that recognizing data as property is essential for safeguarding privacy, promoting autonomy, and fostering a just digital ecosystem. The paper also evaluates potential risks, such as over-commercialization, and recommends a balanced approach that integrates ethical and legal safeguards. India, currently at the cusp of a digital revolution, must evolve its legislative framework to empower its citizens and establish digital sovereignty rooted in individual rights.

Key words:

  1. Data ownership.
  2. Privacy
  3. Digital rights.
  4. Property law
  5. Digital sovereignty.

Introduction:

The twenty-first century has witnessed an unprecedented explosion in the generation and use of personal data. Every online activity, from social media interaction to financial transactions, leaves behind a digital footprint that is harvested, processed, and monetized by corporations and governments. Despite being the source of this data, individuals exercise minimal control over its usage. The Indian legal landscape, while evolving with the enactment of the Digital Personal Data Protection Act, 2023, does not yet recognize personal data as a form of property belonging to the individual. This paper explores whether the Indian legal system should move toward granting data ownership rights to individuals, framing data as personal property akin to physical or intellectual assets.

The advent of the digital age has transformed the way societies function, economies grow, and individuals interact with their environment. Every click, swipe, and digital transaction leaves behind a footprint—data that can reveal intimate details about an individual’s preferences, identity, behavior, and economic status. In India, the proliferation of internet connectivity and smartphones has made digital participation nearly ubiquitous. However, this rise in digital engagement has also amplified concerns about privacy, data security, and the lack of control users have over their own personal information.

Despite being the originators of this data, individuals have limited rights over how it is collected, processed, and monetized. Corporations and governments alike harvest personal information, using it to tailor services, generate profits, or exercise surveillance. This reality poses a fundamental question: Should individuals be granted legal ownership of their personal data, akin to how they own tangible or intellectual property?

While the Indian legal framework has taken strides toward data protection—most notably through the enactment of the Digital Personal Data Protection Act, 2023—it stops short of recognizing data as property. Unlike physical goods or intellectual works, personal data remains a grey zone in the domain of ownership rights. Without explicit proprietary claims, individuals are relegated to passive roles in a digital economy that thrives on their data.

This paper addresses this legislative gap by exploring the possibility of framing personal data as a form of intangible property. It draws from philosophical theories of property, comparative legal frameworks such as the European Union’s General Data Protection Regulation (GDPR), and judicial interpretations of informational privacy in India. It also interrogates counterarguments—particularly the fear that commodifying data may erode privacy protections rather than enhance them.

Ultimately, the paper contends that legally recognizing data as personal property is a necessary evolution. Such a shift could rebalance the digital power structure, empower citizens, and ensure that the benefits of the data economy are more equitably distributed. The implications for digital sovereignty, privacy autonomy, and democratic governance are profound—especially in a populous democracy like India that is undergoing rapid digital transformation.

Intersecting interests in personal information

To unpack the private and public interests inherent in personal information, consider the simple case of your name. It is a fundamental part of individual identity, and it is the first item on any list of “personally identifiable information” protected by privacy rules. We each have vital interest in our names and the assets and identities we link to them.

But this interest is not exclusive. Our names are also a way that others recognize us, associated by friends and family with who and what we are, and used by society for voting rolls, property registries, financial accounts, and countless other social, economic, and civic contexts. This makes our names essential social and economic currency that is valuable to others.

It is because of this social and economic significance that naming is regulated. We are assigned names at birth, registered on birth certificates. It takes official approval to change these names. In this way, as personal as our identities are to us, they are also instruments of a well-functioning society.

Other personal information that we necessarily share alongside our names also involves intersecting interests. The transactions we conduct through a bank become part of the business records of the bank, as the Supreme Court recognized in United states v. Miller. But the bank’s interest in these records does not necessarily mean it has absolute control to do what it wants with this information, as the Gramm Leach Biley Financial Law makes explicit. Courts have relied on Miller to conclude that records of your cell phone calls and other business records can be obtained from the parties that hold these records.

In Carpenter v. United states last year, however, the Court required a warrant for cell phone location data that service providers retain for their use. Although not overturning Miller, the Court also recognized that that the phone users retain expectations of privacy in location data generated from their phones. The same intersecting interests apply to much of the other information we share as we interact with digital services—e-commerce transactions, mobile applications, messaging services and other communications, and pictures or information we share on our social networks among others. It works fairly and consistently with our values because public policy also protects a baseline of protection for individual privacy interests. Baseline privacy requirements for how companies protect individual privacy can do the same in the commercial arena.

For instance, transactional data generated from banking, shopping, or social media is simultaneously part of a person’s digital footprint and a valuable input for businesses and analytics engines. In United States v. Miller (1976), the U.S. Supreme Court ruled that financial records held by a bank are not subject to Fourth Amendment protections against unreasonable searches, as they are considered the bank’s business records. However, subsequent legislation, like the Gramm-Leach-Bliley Act, established privacy standards that recognize customers’ rights in these data flows.

A similar dichotomy was highlighted in Carpenter v. United States (2018), where the U.S. Supreme Court ruled that law enforcement agencies need a warrant to access cell phone location records, acknowledging a reasonable expectation of privacy in digital location data.

These cases emphasize that personal data cannot be viewed in isolation. It exists in relational contexts—created by individuals but often processed and stored by third parties. Hence, a model of ownership must account not only for the personal stakes but also the societal infrastructure that depends on data.

In India, similar intersecting interests arise in Aadhaar data, telecom metadata, and digital health records. Individuals have rights over these data points, but the government also claims a role in ensuring efficient service delivery and national security. Without a clear legal understanding of data ownership, the balance tips in favor of data controllers—whether public or private—often leaving individuals vulnerable to surveillance or exploitation.

By framing personal data as property, the law can better mediate these competing interests. It would enable individuals to assert rights of exclusion and negotiation, while also recognizing legitimate institutional interests under regulated access regimes.

Why property rights in data will not protect individuals effectively

Basing privacy protection on property systems, on the other hand, would reduce privacy to a commodity, double down on a transactional model based on consumer choice, and be enormously complicated to implement. The current notice-and-choice model is failing because it is effectively impossible for users to understand either how their data will be used or the accompanying privacy risks, especially in the constant flow of online engagement in today’s connected world. The result is that people click past privacy notices through to the information or service they want.

Moreover, many of these consumers already agree to  provide personal information in exchange for the perception a benefit. It is hard to imagine people will burrow deeper into privacy disclosures or pause at clicking through to get at communications or transactions 

simply because they are offered what may amount to a few pennies.  It is far from clear that in a market for data, the ordinary user would come out on top—either in relation to economic benefits or privacy harms. On the contrary, by licensing the use of their information in exchange for monetary consideration, they may be worse off than under the current notice-and-choice regime. Indeed, the uncertainties of valuating any one individual’s data suggest that individuals will receive little payment. Estimates vary but The Financial Times has a calculator that one of us (Kerry) ran for his profile. The default value is $0.007, but as a well-to-do professional who travels a lot, the value of the Kerry data was estimated as $1.78. If pricing is set by service providers, then the resulting system is likely to end up being very similar to the current “take it or leave it” outcomes that are common under notice and choice. If pricing is set by consumers or through negotiation, the complexity of the service-user interactions would be even greater. And this new complexity would likely slow users’ access to information and services that they want—and simply turn “click fatigue” into “negotiation fatigue.”

For instance, research suggests that the economic value of individual data is minimal when viewed in isolation. The Financial Times’ data valuation calculator estimated that the average person’s digital profile might be worth only a few cents to a few dollars. Thus, even if users are granted the right to monetize their data, the actual benefits may be trivial compared to the value extracted by corporations through aggregation and analytics.

Moreover, there is the risk of over-commercialization. Treating personal data as property could enable corporations to demand ownership or exclusive rights as a precondition for access to essential digital services. This could create a scenario where individuals are effectively coerced into giving up ownership, turning the system into another form of “consent fatigue” or even “negotiation fatigue.”

Another concern lies in the non-rivalrous and relational nature of data. Unlike physical property, data can be copied, shared, and reused without diminishing its value. Moreover, data often involves multiple parties. For example, a photo on social media may include multiple individuals, raising questions about joint ownership and consent. Property frameworks that fail to consider these complexities could lead to legal ambiguities and social friction.

Finally, commodifying data might inadvertently weaken dignity-based approaches to privacy, especially for sensitive information such as health records, biometric data, or intimate communications. When privacy is viewed as a tradeable good rather than an inherent right, marginalized communities may be at risk of disproportionate exploitation due to financial pressures or digital illiteracy.

In conclusion, while the property-based model offers a compelling framework for empowering users, it is not a silver bullet. It must be complemented by strong regulatory oversight, ethical constraints, and rights-based safeguards to ensure that it does not become a tool for further exploitation.

Research methodology:

This research adopts a doctrinal and comparative legal methodology. Primary sources such as statutes, constitutional provisions, and case law from India and other jurisdictions (notably the EU and the US) are analyzed to assess the treatment of personal data within existing legal frameworks. Secondary sources, including scholarly articles, books, and policy papers, are critically reviewed to understand theoretical and practical perspectives on data ownership. The study also undertakes a comparative analysis of international regulations (e.g., GDPR, CCPA) to identify best practices and evaluate their applicability to the Indian context. Philosophical and jurisprudential interpretations of property rights are employed to ground the argument in normative legal theory. No empirical data collection has been conducted, as the study is conceptual and normative in nature.

In parallel, a comparative legal approach is used to analyze international frameworks that influence global data governance. This includes the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and select U.S. Supreme Court rulings like Carpenter v. United States (2018) and United States v. Miller (1976). These comparisons help to contextualize the Indian legal landscape and identify best practices that could be adapted for the local socio-political environment.

Secondary sources, including academic publications, policy white papers, and expert commentaries, are reviewed to capture diverse perspectives on the conceptualization of data ownership. Works by leading scholars such as Shoshana Zuboff, Ryan Calo, and Joshua Fairfield provide valuable insights into the philosophical, economic, and legal implications of treating personal data as property.

The methodology also incorporates a normative framework, drawing from theories of property, autonomy, and digital ethics. Concepts such as Lockean labor theory, utilitarian property theory, and personhood-based models are used to critically assess the legitimacy and desirability of proprietary data rights.

This research is conceptual and qualitative in nature, and no empirical fieldwork or quantitative data analysis has been conducted. The focus is on legal reasoning, interpretive synthesis, and forward-looking policy recommendations. As such, the findings aim to contribute to academic discourse and inform legislative and judicial deliberations on data governance in India.

Review of Literature:

Scholars like Shoshana Zuboff in “The Age of Surveillance Capitalism” highlight how personal data has been commodified without consent. Ryan Calo’s work on “digital market failures” emphasizes the imbalance of power between data subjects and data controllers. In the Indian context, legal scholars such as Usha Ramanathan and Justice B.N. Srikrishna have argued for stronger individual control over personal data.

Internationally, the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) have paved the way for greater user control, though not explicit ownership. However, legal commentators such as John Tasioulas and Joshua Fairfield have proposed treating data as property to rectify the structural imbalance in the data economy. These insights form the foundation for proposing a property-based approach to data governance in India.

Suggestions:

  1. Legislative Recognition of Data Ownership Rights :  Parliament should consider amending existing data protection laws or introducing a new statute that explicitly grants individuals ownership rights over their personal data—including rights to use, exclude, transfer, and monetize such data.
  2. Creation of a National Data Ownership Registry (NDOR) :  To operationalize ownership rights, India could establish a public registry or decentralized ledger system where individuals can register their data profiles, track usage, and grant or revoke permissions in real time.
  3. Integration with Consent Architecture : Ownership should not be symbolic; it must be tied to granular, revocable consent frameworks. Data subjects should be able to negotiate and modify data-sharing agreements just as property owners lease or sell their assets.
  4. Legal Remedies for Unauthorized Use :  The law should provide civil and criminal remedies against unauthorized access, sale, or manipulation of personal data, treating such acts as violations of ownership akin to theft or trespass.
  5. Public Awareness and Digital Literacy :  A nationwide campaign should educate citizens about their digital rights and the implications of data ownership, particularly in rural and semi-urban regions where exploitation risks are higher.
  6. Adoption of International Best Practices : India should adapt core principles from GDPR, California Consumer Privacy Act (CCPA), and OECD Guidelines, but modify them to include a proprietary framework suited to India’s socio-economic context.
  1. Encouragement of Data Cooperatives : Promote community or data co-ownership models—especially for marginalized groups—where collective bargaining power can be used to negotiate better data terms with platforms and corporations.
  2. Judicial Guidelines on Data as Property : The Supreme Court and High Courts should be encouraged to interpret privacy and property rights in data-related cases, thereby developing a coherent jurisprudence of “informational property” under Article 300A of the Constitution.
  3. Safeguards Against Over-Commodification : While data monetization can empower individuals, the government must ensure ethical boundaries are in place so that essential personal data (health, identity, biometric) is not overly commodified or exploited.
  4. Interdisciplinary Collaboration : The future of data rights must involve collaboration among lawmakers, technologists, ethicists, and economists, ensuring the policy balances innovation, equity, and fundamental rights.

Conclusion:

Recognizing personal data as property is not a panacea but a powerful shift in legal perspective that could empower individuals, recalibrate corporate power, and reinforce democratic digital governance. India, standing on the threshold of a data-driven economic transformation, must consider this approach to bridge the gap between technological advancement and individual rights. A data ownership regime would enhance accountability, enable informed consent, and allow individuals to monetize or withhold their data as they see fit. It is time for India to reimagine the relationship between people and their data, moving from passive subjects to rightful owners.

A legal recognition of personal data ownership would provide individuals with tangible rights over how their information is accessed, used, and monetized. This could result in a paradigm shift in the way data-driven enterprises operate, potentially fostering greater transparency, fairness, and user autonomy. It also opens the door to economic empowerment, as data owners could negotiate the value of their data or choose to remain private.

Moreover, recognizing personal data as a proprietary right would offer more robust remedies against unauthorized use and exploitation. It would align with constitutional protections of privacy and liberty, building upon landmark jurisprudence such as the Puttaswamy judgment. Through appropriate legislation and judicial interpretation, this right could be embedded into the broader framework of fundamental and economic rights.

This research has examined the conceptual, legal, and ethical underpinnings of data ownership, identifying both the strengths and the shortcomings of a property-based model. It has shown that while property rights alone cannot solve all privacy concerns, they can provide individuals with enforceable claims—rights that extend beyond fragile consent forms or vague data policies.

India’s current legal framework, though progressing with the Digital Personal Data Protection Act, 2023, still lacks mechanisms for full personal autonomy in data governance. Recognizing data as an intangible form of property would not only align with constitutional values under Articles 21 and 300A but also ensure that citizens are not reduced to passive participants in the data economy. It would grant them the legal language and institutional tools to assert control, seek compensation, and hold data controllers accountable.

Furthermore, treating personal data as property can promote transparency and fairness in digital markets. It offers the potential for individuals to engage in data-based transactions with informed consent, possibly even creating new avenues for income and innovation. However, such benefits must be tempered with safeguards to prevent over-commodification, especially of sensitive information.

For this vision to materialize, India must commit to a collaborative, interdisciplinary, and forward-thinking approach. Lawmakers, judiciary, technologists, and civil society must come together to design a framework that upholds both individual dignity and collective responsibility.

In an era defined by data, the power to control one’s personal information is foundational to freedom, autonomy, and citizenship. Reimagining personal data as property is not merely a legal innovation—it is a democratic imperative.

To successfully implement such a model, India must engage in a multi-stakeholder effort involving lawmakers, technologists, ethicists, and civil society. The journey from data as a mere byproduct to data as a personal asset is not only about legal reform—it is about empowering individuals in the age of digital capitalism.

A property-based approach to personal data can thus serve as the foundation for a more just, transparent, and inclusive digital ecosystem. As India seeks to assert its digital sovereignty on the global stage, ensuring that its citizens have full control and ownership of their personal data is a necessary and urgent step forward.

Author:

Manohar Singh B

2nd Sem, BCOM LLB

Christ academy institute of law