[author]Yi Junlin
[content]
On Data Holding as Legal Relationship
Author:Yi Junlin
( Koguan Law School, Shanghai Jiao Tong University, Shanghai 200030, China)
Abstract: Under the "separation of three rights" of data property, " data holding" is a basic concept with foundational significance. Data holding has the duality of facts and norms, and is actually a legal relationship consisting of rights and duties based on the factual control over data resource. from the factual perspective, data holders use data infrastructure as the architecture to control " data copies" . During the data circulation process, new copies are continuously created through replication and sharing operations, and are controlled by different holders. From the normative perspective, data holding has a compound legal relationship structure, which can be divided into static and dynamic dimensions, involving multiple sets of rights and duties related to holder and third parties , the holder and the source, and the previous and the following holders. There is a multi-layered, dynamic relationship network between data holders corresponding to the original information source, In order to balance the conflict of interests, it is necessary to conduct a typed analysis to achieve mutual adjustment between legal facts and value norms. In particular based on the " right to hold" , we can differentiate those with the right to hold and those without the right to hold. Thus, a classification system can be further established to construct more detailed rights and obligations for different types of data holdings.
Key words :data property; data holding; control architecture; data copies; right to hold
The construction of a legal system for data property rights is an important issue that the academic community continues to pay attention to. Since the issuance of the "Opinions of the Central Committee of the Communist Party of China and the State Council on Building a Data Infrastructure System to Better Play the Role of Data Elements" (referred to as the "20 Articles on Data"), the "separation of three rights" design related to data property rights has sparked continuous research in academia.
Under the framework of separation of powers, the concept of "data holding" has important practical and theoretical value. Data holding is at the forefront of the data circulation lifecycle and is a natural entry point for building a data property rights system. Subsequent processing, use, and operation are all based on holding. Among the three rights of data, holding rights are particularly prominent, and the interpretation of holding rights must be based on the concept of data holding. Meanwhile, data ownership is becoming an overlapping consensus area in the data ownership dispute. Agreeing with data rights holders, although there are differences in the construction strategies of data property rights, they mostly consider data ownership as a fundamental right. Those who hold a critical attitude, although questioning the value and significance of data property rights, also attach great importance to the holder's factual ownership (or control) of the data, and use this as the starting point for data rights protection and shared circulation. Therefore, data ownership is a fundamental element in building a data property rights system.
The concept of data holding has a dual aspect of facts and norms, serving as a communication bridge between empirical facts and institutional norms. Data holding is based on factual control, and holders use technological means to control access to data; And the law protects this factual state, and others are not allowed to access data resources without consent. Through data holding as a medium, the technological architecture and control measures of digital space are interrelated with the rights, obligations, and institutional norms of legal space. In view of this, this article comprehensively interprets the concept of data holding from the perspective of legal relationships. After comparing and distinguishing basic concepts, analyze the control basis, object, and control protection mode of data holding from the factual dimension, and then explain the relationship structure of data holding and the rights and obligations between subjects from the normative dimension. Construct a typological framework for data holding to establish the correspondence between facts and norms.
1.Comparison and Analysis of the Concept of Data Holding
The concept of "possession" is both old and new, and it already exists in the traditional fields of criminal law and civil law. With the introduction of the "Twenty Articles on Data", the term "holding" has begun to be associated with the intangible object of "data", giving "data holding" a completely new meaning. In addition, many scholars compare and even equate "data holding" with "possession" when discussing it. Therefore, it is necessary to distinguish and compare data holding and other similar concepts, and define the core area of the concept of data holding.
1.1 The concept of holding as a factual description
The concept of possession is involved in both criminal law and civil law fields in China. In the field of criminal law, possession is a fundamental concept that is quite important. The concept of possession in criminal law is closely related to the crime of possession, and has important value in distinguishing between embezzlement and theft. There is still controversy over whether possession is an "act" or a "state" in criminal law, but its core meaning is clear, that is, the perpetrator's factual control over the object. In the field of civil law, scholars have relatively little exploration of the concept of possession, although the term "holder" can be found in civil legislation.
Whether in the field of civil law or criminal law, possession mainly appears in the form of a factual concept, which can be demonstrated in its comparison with possession. The similarities and differences between criminal law possession and civil law possession are common legal knowledge. Both emphasize the factual domination of the actor over the object, thus there is an overlap between possession and possession in the factual dimension. For example, the relationship between the trustee and the entrusted object satisfies both the definitions of possession in civil law and possession in criminal law. However, the difference between the two is also very obvious. Criminal law possession is mainly a factual concept that emphasizes direct and actual control and domination over objects. In contrast, possession in civil law is actually a legal relationship. Due to the balance of interests and value judgments in norms, there are differences between legal possession and pure factual original possession. Therefore, the difference between criminal law possession and civil law possession lies not only in the application differences caused by different legal departments, but also in the degree of conceptual transformation of norms towards facts. The conceptual level of possession in civil law is relatively high, and possession can be established without the control of facts. The degree of conceptualization held by criminal law is relatively low, and factual domination is a necessary condition. Taking possession inheritance as an example, the inheritor can still acquire possession without establishing factual control, but it does not constitute possession. For example, there is a distinction between direct and indirect ownership, while holding does not have this classification. In the field of civil law, the concept of possession can also be clarified by comparing it with the concept of possession. For example, Savigny made a very insightful discourse on the relationship between possession and possession in "On Possession". In Savigny's view, possession is the factual basis of possession and is a factual concept introduced to discuss the legal concept of possession. The concept of possession itself does not become a separate object of legislation, but is of concern to legal scholars due to its relationship with possession. Compared to possession, the concept of possession in traditional civil law is mainly a factual concept with a weaker degree of conceptualization, unlike possession which "loosens the factual relationship".
Overall, in the traditional fields of criminal law and civil law, possession is mainly a descriptive concept aimed at legal facts. Under the boundary between facts and norms, the concept of possession emphasizes factual control over objects (especially tangible objects), and is therefore used in law to describe specific dominant control behaviors or states.
1.2 Holding data as a legal relationship
In the context of data property rights, data ownership should be positioned as a legal relationship. Legal relationships are the link between the living world and the normative world. Legal relationships are based on empirical factual relationships, but the law does not evaluate the entirety of life, but only extracts partial content as factors for examining legal relationships. This article positions data ownership as a legal relationship, viewing it as a medium between the "life world" of data circulation and the "normative world" of data property rights. Indeed, it cannot be assumed that holding rights are legal rights and data holding is a legal relationship solely based on the presence of the word "right" in the policy document "Data Article 20". Interpreting the concept of data holding from the perspective of legal relationships aims to reveal its dual nature of facts and norms, and based on this, carry out the construction of a data property rights system. One end of the data is located in the digital space of the living world, while the other end is connected to the world of legal norms. Data holding is based on the holder's factual control over the data, but it does not stop at the purely factual level and has a legal normative aspect.
As a legal relationship, the data holding relationship requires the holder's factual control over the data, which produces specific legal effects at the normative level, making the controlled facts the regulated object of the law, and thus having a legal impact on the circulation and transactions of data. After the establishment of a data holding legal relationship, a basic legal effect is to protect the fact that the holder controls the data. However, if data holding is viewed as a simple fact, it confuses the factual control relationship of the holder over the data with the rights and obligations of the holder and other entities. The analysis of data holdings should go beyond the level of pure factual control and enter into the interrelationships between rights holders regarding data resources. The transcendence of data holding over "factual holding" makes the construction and design of data property rights legal system more flexible. As a legal relationship, data holding does not necessarily require pure holding facts as a sufficient and necessary condition, but can allow for normative modifications to its factual composition.
Treating 'data holding' as a legal relationship differs from the factual concept of 'holding' mentioned earlier, but it does not exceed the semantic range of holding. In terms of linguistic expression alone, 'holding' may refer to three levels of categories: holding as a 'fact', holding as a 'legal effect', and holding as a 'legal relationship'. Treating holding as a legal relationship does not mean abandoning the factual dimension of holding, but rather integrating the factual and normative aspects. Therefore, the concept of ownership has a richer connotation in the context of data property rights. Of course, purely in terms of terminology selection, other expressions such as "control" and "management" are also quite similar in meaning to "holding". If replaced with other terms, it does not affect the core logic of this article.
1.3 Data holding does not equal possession of the object
Exploring data persistence can easily lead people to associate it with the concept of possession. With the development of digital technology, humans have long been able to exercise control over data, which seems to be in line with the definition of possession - the factual management and control of things. In fact, incorporating data holding into the property ownership system is an attractive idea. If data possession is a form of possession, then rich literature on civil law possession systems can be directly introduced into the field of data, forming a series of institutional rules and knowledge production. In addition, treating data as an object of possession is not without avenues to follow. Although traditional property law focuses on tangible objects, provisions for intangible objects such as wireless spectrum have also been incorporated into property law. Expanding the possession of objects to intangible objects seems theoretically feasible. If this is indeed the case, the discussion on data holding can be abandoned and directly referred to the relevant theories and institutional norms of property ownership.
Indeed, there is a similarity between data ownership and possession of objects, but this does not mean that the two can be equated. The holding of data and the possession of objects are both based on legal relationships that govern facts, with a strong factual color. Both are based on the factual dominance over the object, and thus produce specific effects and meanings in law. This similarity is reflected in the description of both, where data holding and possession of objects involve similar terms such as "domination," "control," and "management. Therefore, data holding and possession of objects have homogeneity in the factual dimension. However, starting solely from the similarity of words may overlook the differences in factual conditions and normative effects between the two.
Comparing data holding and possession of objects, there are differences in both factual and normative dimensions between the two. On a factual level, there is a significant difference between data resources as holding objects and tangible objects as possession objects. Possession emphasizes the exclusivity of things and cannot be used by many people simultaneously like data. Compared to tangible possessions, data has infinite replicability, and the underlying logic of data circulation is vastly different from traditional commodity circulation. In addition to examining the factual dimension, it is more important to distinguish between the two in the normative aspect. In terms of legal effect and significance, data holding should not be regarded as possession of property. On the one hand, introducing the system of possession into the field of data creates a systemic mismatch. As an important concept in property law, possession is not just a term for describing facts, but has rich legal effects in law. Possession can be transferred, inherited, or merged, and can be used for self-help. It distinguishes between direct and indirect possession and has the function of presumption of rights. There is obviously doubt as to whether these rules can also apply to data holding. Taking indirect possession as an example, based on the intermediary relationship between indirect possessor and direct possessor, a "possession chain" can be formed to expand the protection scope of possession. However, whether there is a distinction between direct and indirect data holding, and how to legally define the scope of protection for holding, should be based on the specific scenario of data circulation and cannot simply copy the possession system. Once the system of possession is directly applied to the field of data, it may become a shackle that restricts institutional innovation. On the other hand, incorporating data into the legal system of possession may lead to the generalization of possession. If the scope of possession includes both physical objects in real space and data in virtual space, and can also exercise quasi possession of the rights to regulate space, an awkward situation will arise where "possession is a basket that can be filled with anything". A concept of possession that is all encompassing and ambiguous in meaning will become vast and powerless in legal terms. If so, using possession to explain holding not only fails to make the latter more rigorous and precise, but also has the opposite effect.
Overall, although there is a certain similarity between data holding and possession of objects, this similarity is more suitable as a thinking tool for analyzing data holding and is not sufficient as a qualitative basis for data holding. By comparing the dimensions of facts and norms, there is a significant difference between data holding and possession of objects, and they cannot be classified into the same category. Therefore, a clear distinction should be made between the two conceptually.
2. The factual control basis of data holding
As a legal relationship, data holding has both factual and normative aspects. The control of data resources by the holder is a factual condition that constitutes the legal relationship of data ownership. If there is no actual data holding status, there is no legal holding relationship. Therefore, the following will first explain the factual domination and control relationship of data holders over data resources.
2.1 Data Control and Infrastructure Architecture
It is necessary to introduce the auxiliary concept of "data control" when explaining the factual basis of data holding. As a legal relationship, data holding establishes a connection between facts and norms. The actual holding status of data resources by data processors is the prerequisite for forming a legal relationship of data holding. As a legal relationship, data holding is logically based on the factual holding state of the data. From this perspective, when it comes to "data holding", it may refer to both "holding facts" and "holding legal relationships". If the content referred to is not clear, it will cause confusion in understanding. The introduction of the concept of "data control" aims to distinguish it from "data holding" as a legal concept by relying on a purely factual concept. In this way, "control" becomes the equivalent of "holding facts", avoiding the repetition of the same language based on the legal relationship of "holding is based on holding facts". The concept of control itself is not a legal concept, nor will it be the object of legal research alone, but due to its association with data holding, it has entered the field of legal research. The control status of data resources by processors constitutes the factual basis for data holding. In fact, as an instrumental concept, it is not impossible to replace control with expressions such as "management" and "domination". The choice of the expression "control" is mainly based on two considerations: firstly, in existing literature, the term "control" is commonly used to describe legal concepts such as criminal law possession and civil law possession, and it is positioned as a factual concept without much normative color. Secondly, in research related to data property rights, many scholars have used the term "control" to describe the factual relationship between processors and data objects. Therefore, this article also uses the concept of control to characterize the factual aspect of data holding.
The control behavior of data is achieved through the use of data infrastructure. Data exists in the digital space, and the control over it can ultimately be reduced to code level operations. The code or algorithm used to implement control is not completely random, but rather has a macroscopic structural stability, which is the technical architecture of data control. By analyzing the 'architecture of control', we can grasp the essential characteristics of data control behavior. The control architecture of data is based on data infrastructure, and the specific control methods mainly involve four levels. One is the physical layer, which involves the physical security of hardware devices, including access control and disaster recovery strategies for data center rooms. The second is the logical layer, which mainly refers to virtualization, process management, administrator privileges, and other related content of the operating system. The third is the network layer, which involves the setup of network communication devices such as routers, switches, and firewalls. The fourth is the application layer, which involves permission control for databases and application software. Data holders control access to data resources through data infrastructure, thereby forming factual control over the data. Therefore, the key to controlling data lies in controlling access permissions. The control of access permissions may involve multiple levels of technical architecture. For example, when using technologies such as network firewalls and encrypted communication to exclude others from accessing, the control over data is reflected at the network layer; When performing permission management on databases and application programming interfaces (APIs), it mainly manifests as control at the application layer.
It is worth noting that controlling hardware devices does not equate to controlling data resources. Data exists in the digital space, and although it cannot be separated from storage and computing devices in physical space, the control architecture of data mainly relies on algorithms and code. Even if data processors store data on someone else's server, they can still have actual control over the data and may become data holders. In contrast, controllers of storage and computing devices who are unable to control access to data resources do not constitute data holders. With the increasing popularity of cloud computing, many units have abandoned building their own data centers and instead rely on leasing cloud services to process and store data resources. At this point, the data is physically stored in the cloud service provider's data center, but this does not necessarily mean that the service provider is the controller of the data resources. Cloud computing users can build a virtual data center that is logically isolated from the outside world through technologies such as data encryption, permission management, security sandboxes, and firewalls, and cloud service providers cannot access the data resources within it. At this point, although cloud computing users do not control the physical layer of the technical architecture, they can still meet the factual conditions of being data holders.
2.2 Copy of data as a control object
The object controlled by the data holder is the data copy, which is the data replica of information in the digital space. At present, when discussing data property rights in academia, it is common to distinguish between data and information, with data at the symbol layer and information at the content layer, with the former being the bit form carrier of the latter. Data cannot be completely separated from information, but distinguishing between the two helps clarify the difference between data property and intellectual property. More precisely, the object controlled by the data holder is the 'data copy'. Before being represented in electronic data form, information may first be carried on original carriers such as books, magnetic tapes, films, etc. At this time, there are also so-called originals or artifacts compared to data copies. If information is directly generated in the digital space, there is actually no need to distinguish between raw data and data copies, and only data copies can be transmitted to each other.
There is a mutual relationship between heterogeneity and identity between data replicas and information content. The bit presentation format of data replicas is closely related to the infrastructure for implementing data control. The same information can generate an unspecified number of copies of data, although the content is the same, the copies may have differences in encoding format and persistence scheme, resulting in differences in specific machine representations. However, even if the presentation of data replicas varies greatly, the information core they carry may be consistent. In addition, data replicas have the characteristics of being easy to replicate and distribute, constantly generating new replicas during the data circulation process, and each replica is independent of each other. Each holder can customize and modify the data copies they control according to their needs and preferences, including but not limited to changes in encoding and storage formats, as well as editing and updating the information content contained in the data. Therefore, each data holder can independently process their own data copies, but their control does not apply to the data copies controlled by others.
With the concept of data replicas, behaviors that infringe upon data holdings can be described more accurately. The typical infringement behaviors of data possession mainly include embezzlement, obstruction, and illegal copying. Embezzlement refers to the act of illegally obtaining management privileges from the holder to control a copy of the original data, such as exploiting system vulnerabilities to steal root user privileges. Obstruction refers to the behavior of interfering with the normal use of data replicas by the holder, such as causing data infrastructure to be paralyzed through DDoS attacks, or damaging data keys resulting in data unavailability. Illegal replication refers to the act of illegally accessing a copy of someone else's data and creating a new copy, for example, if the perpetrator intrudes into someone else's data infrastructure system, illegally reads the data and creates a new copy. It is worth noting that there are also acts of infringement such as "usurpation" and "obstruction" when it comes to possession. In contrast, illegal copying is a special form of infringement on data replicas. Data is replicable, so creating a new copy will not cause damage or destruction to the original copy. Therefore, illegal copying is not a damaging act against data replicas, but rather creates a replica of the original replica by temporarily disrupting the holder's permission control over the data replica.
2.3 Control protection mode and its limitations
The prohibitive provisions regarding intrusion, interference, and theft of others' data already exist in the current legal system. The legal protection of data holders' data control status (referred to as "control protection mode") is not a new phenomenon. From this perspective alone, data holding seems to be nothing more than a 'near factual description' of the control state. If this is indeed the case, then there is no essential difference between data holding and data control. Viewing data holding as a legal relationship that goes beyond factual control seems somewhat mystical.
This article regards data holding as a legal relationship rather than a simple fact, so it is necessary to analyze the control and protection mode. The control and protection mode is an alternative boundary power scheme that competes with the property rights mode. Its basic proposition can be summarized in two aspects: firstly, the law should protect the fact that data controllers have control over data resources, and others are not allowed to illegally access data. Secondly, based on the fact of control, all controllers have equal legal status and there is no "master-slave" relationship structure. Legally speaking, any controller has the right to independently dispose of the data copies under their control. In summary, the essence of the control protection mode is to strictly align the legal protection boundary with the data control boundary.
The significant advantage of controlling the protection mode is that it is simple and easy to implement, and can be used without taking any action. With the mutual autonomy of data processors and the technological evolution of control architecture, it seems that a self generated order of data factor market can gradually be formed. Therefore, there is no need to create various concepts of rights such as ownership, usage, and management. In addition, the control protection mode provides a "weak protection" that intuitively helps break the data monopoly and promote data circulation. After all, once data is out of the direct control of the original controller, the law seems to tacitly allow the "trickle down" or "ripple" effect of data, allowing data resources to flow from a few people into the hands of more people, achieving the full release of data value.
However, the control and protection mode has obvious limitations, so it is necessary to go beyond pure factual control and construct the concept of data holding from the perspective of legal relationships. Undoubtedly, control and protection can to some extent suppress some direct infringement behaviors, but there are problems and shortcomings when facing complex scenarios in data circulation. For example, there is insufficient incentive to control and protect the licensed use of data. After the licensor shares the data, the licensee becomes the controller of the new copy. According to the control protection mode, the licensee has the right to process, use, and profit from the copies they control, and even share the copies with third parties without authorization. At this point, the licensor has no right to request a third party to delete the relevant data. In addition, if the licensee goes bankrupt or becomes a subject of enforcement, the licensor may also find it difficult to exercise the right to retrieve the licensee's data copies or raise enforcement objections. For example, the protection range of the control protection mode is too narrow. For the direct perpetrator of infringing on data control facts, the control and protection mode can evaluate the illegality of the behavior. However, when data flows into the hands of a third party, the control and protection mode appears powerless. Once the data is out of control, it will be controlled by others after several transfers, and even enter the public domain as a free resource. In this way, the risk cost of data circulation transactions is mainly borne by the supply side, which can easily lead to resource scarcity in the data factor market due to insufficient supply.
To a certain extent, the control protection mode can be seen as a primary way of constructing data holding relationships. In the process of data circulation, in order to regulate and guide data processing behavior, it is necessary to establish normative boundaries between processors. In the control and protection mode, control behavior is actually a factual behavior that produces specific legal effects, and the concept of legal relationships is already implicit in it. However, the control and protection mode endows all holders with completely equal legal status, resulting in a flattened holding relationship. At this point, people tend to limit their perspective to the factual relationship between rights holders and data, while ignoring the rights and obligations between subjects. Therefore, it is necessary to go beyond the factual perspective of the control and protection mode and reveal the essence of the legal relationship of data holding.
3. Legal relationship structure of data holding
Based on the factual control of data resources by data holders, the legal relationship of data holding is formed and produces specific legal effects in the normative dimension. The previous text has analyzed data control as a factual requirement, and the following will focus on discussing the rights and obligations between subjects in the data holding relationship.
3.1 The essence of the relationship between data holders
As a legal relationship, data holding is essentially a mutual relationship between rights holders. On the surface, data holding can be easily understood as the "object to object relationship" between the subject (holder) and the object (data). However, the essence of legal relationships is the normative relationship between subjects and between individuals. As Kant said, it is absurd to imagine a right within a thing as if that thing had a responsibility towards me. Robinson, who is on an isolated island, can actually control the things on the island, but this is only the factual domination of people over things, rather than a legal relationship based on rights and obligations. When there are two or more entities, the factual relationship between people and things will transform into a legal relationship between people. Therefore, as a legal relationship, data holding is not a factual relationship between the holder and the data, but a legal relationship between the rights holders, with data resources as the relevant item. From this perspective, the difference between data holding and data control is clarified - control is the factual basis of holding, emphasizing the physical and factual relationship between the holder and the data, while holding produces legal effects based on control, emphasizing the personal and legal relationship between the holder and other entities.
Data holding is a comprehensive entity consisting of multiple legal relationships, forming a set of rights and obligations. Legal relationships are often a holistic structure composed of multiple relationships, which may include more than one set of rights and obligations. In a data holding relationship, the holder not only has the right to independently manage the data in the control architecture, but also has the obligation to properly safeguard the data, and may have to tolerate the reasonable use of the data by others. In addition, legal relationships may not necessarily involve only one pair of rights holders, but may be complex relationships between multiple subjects. For data holding relationships, there may be multiple interrelationships between rights holders and unspecified third parties, data holders and data sources, and different data holders.
3.2 Static orientation of data holding relationships
The composite relationship structure of data can be analyzed from both static and dynamic dimensions. When data is controlled by a single holder and has not yet flowed between processors, the relationships between relevant parties in this situation can be referred to as static relationships to distinguish them from the dynamic rights and obligations of data in the process of circulation transactions. At this point, the law should protect the data holder's factual control over the data resources, while preventing the holder from infringing on the legitimate rights and interests of the data source.
The most typical static relationship in data holding relationships is the relationship between the data holder and an unspecified third party. The factual control of data resources by the holder is protected by law. "In the absence of legal reasons or consent from the data processing subject, others should respect the data holder's autonomous holding status of the data and shall not intrude arbitrarily. The law protects the holder's freedom to independently control data, therefore, the holder can use the control architecture to implement factual control over the data, including storage, cleaning, processing, use, deletion, and other operations. The law establishes an exclusive protection zone between the holder and other unspecified individuals, and others are not allowed to privately disrupt the holder's control over the data. It should be pointed out that this protective effect is not related to whether the ownership is legal in terms of its causes. It goes without saying that legitimate holders should be protected, and for illegal data holding, the law also provides corresponding protection. For example, if the perpetrator illegally crawls other people's data resources, the resulting data holdings obviously lack a legal basis. Nevertheless, all others, including the crawled party, shall not arbitrarily infringe upon the perpetrator's factual control over the data through technical means. The principle of protecting holders by law is to prevent data processors from using private technology to attack each other, thereby ensuring order and peace in the digital space.
In addition, there is a mutual relationship between data holders and data sources. The so-called data source mainly refers to the main source of data information, including natural persons, legal persons, and other organizations. The types of data sources are diverse, so the responsibilities and obligations of data holders are also diverse. With the legislative protection of personal information in various countries, individuals have become a particularly valued source. When a personal information subject requests the deletion, correction, transfer, or withdrawal of relevant data, the data holder must respond promptly to the request in accordance with laws and regulations. For public data sourced from government departments or public service agencies, the holder may be the market entity responsible for authorized operation, and their rights and obligations will be subject to the authorization operation agreement and legal regulations. When a company acts as a data source, the rights and obligations of the holder and the source may also be subject to confidentiality agreements and trade secret protection. In addition, regardless of the type of source, the holder should bear the obligation of secure storage and should properly control and record the data processing process.
3.3 The dynamic dimension of data holding relationships
The dynamic dimension of holding relationships mainly focuses on the process of data circulation and trading. Data flows from one party to another, forming complex and multi-layered relationships between entities. At this point, transaction security and balance of interests have become important considerations, thereby promoting efficient utilization of data while safeguarding the legitimate rights and interests of all parties. The dynamic relationship mainly involves the rights and obligations of the previous and subsequent holders in the "continuous holding" process, which is quite common in the process of data replication and sharing. Before further exploration, it is necessary to distinguish between "consecutive holdings" and "parallel holdings" and limit the relevant discussion to the case of consecutive holdings. If there is a flow chain between two data holders, consisting of several data replication operations, then there exists a continuous holding relationship between the two. If the data copies controlled by two holders are identical or similar in content, but do not have the aforementioned circulation chain, it constitutes parallel holding. A typical example of parallel holding is when two data processors independently collect data from the same information source, but do not have any contact with each other's data in any way. In the case of parallel holding, there is no rights and obligations relationship between two holders based on the fact of holding.
Clarifying the rights and obligations between the first and second holders is crucial for ensuring transaction security and promoting the prosperity of the data market. Specifically, it can be classified and discussed based on whether the subsequent holder obtained a copy of the data through infringement behavior. Firstly, if the previous holder permits the subsequent holder to copy and use the data, the rights and obligations of both parties are subject to the license agreement. The subsequent holder usually only uses the data during the term of the agreement. After the expiration of the agreement, the holder should stop using and delete the copy of the held data, otherwise it would infringe on the rights of the previous holder. Secondly, when the possession of the posterior hand is formed by infringing upon the possession of the anterior hand, the legal relationship becomes even more tense. At this point, the previous holder who has been infringed has the right to request the subsequent holder to delete or return the data. In addition, if the later owner further shares the data with a third party, the conflicts of interest between the parties become more complex. Unlike the control protection mode, this article believes that there are also rights and obligations between holders who have not had direct contact. For example, if a specific entity copies data from an illegal holder, it may inherit the flaws of its direct predecessor and have a legal obligation to delete or return the data to indirect predecessor holders.
Due to the replicability and ease of dissemination of data, the complexity of handling the rights and obligations between different holders in the process of data circulation is even greater than the interrelationships between different holders in the process of physical logistics transfer. The following will introduce the concept of holding relationship networks to more clearly depict dynamic data holding relationships.
3.4 Conflict of Interest in Holding Relationship Networks
With the dynamic flow of data, different entities form a holding relationship network around the data through legal or illegal sharing and copying operations. Data can be infinitely replicated, so new copies can be continuously copied and disseminated without compromising the original holder's copy of the data. The flow of data from the first holder to an unspecified number of subsequent holders is like a river weaving a complex water system network from upstream to downstream, from the main stream to tributaries. Similarly, data from the same information source is shared and replicated layer by layer to generate a series of data replicas, gradually forming a complex network of data holding relationships. In this relational network, an unspecified number of data holders control different copies of data, and all relevant copies of data can be traced back to a specific information source.
In the data holder relationship network, there may be conflicts of interest between different entities. Here is an example to illustrate. A independently collects geographic information data and shares it with B for a fee, prohibiting B from sharing it again. C illegally copied the data held by B and shared it with D and E for a fee. D is aware that the data was illegally obtained and intentionally purchased at a lower price; E is unaware that the data source is illegal and has paid a fair price. The above flow process of data outlines a network of data holding relationships. Among them, there are two continuous holding chains, one is A-B-C-D, and the other is A-B-C-E. In addition, D and E form parallel holdings. All parties control the data copy, but the reasons for obtaining it are vastly different: A obtained it through independent collection, B obtained it based on an agreement with A, C illegally copied B's copy, D knew the source of the purchased data was illegal, and E was unaware and paid reasonable consideration.
If the legal status of all parties is exactly the same and their rights and obligations are no different, it is difficult to achieve a proper balance of interests. Firstly, the rights of the original holders lack sufficient protection. In the above example, if D further resells or discloses the data held by A online, the economic value of the data held by A will be greatly reduced or even reduced to zero. Secondly, law-abiding traders suffer losses, while malicious traders benefit. Taking B and D in the previous example as an example, B is bound by the license agreement and can only use the data for its own purposes, while reselling the data incurs breach of contract liability. In contrast, D knows that the data it holds has source flaws, but since D has not directly infringed on A's possession, there seems to be no reason to prevent it from disposing of the data it holds. In addition, it is unfair to consider all data circulation activities based on illegal holdings as illegal in order to protect the rights and interests of the original holders. In the previous example, although both D and E held data from illegal holder C, the final source can be traced back to A. If both D and E are required to delete their held data and return the profits to A, it completely ignores the protection of the trader's trust interests. In fact, if data traders have to trace every step of the data circulation process to the original source of rights in order to prove the legality of their trading behavior, they will fall into the dilemma of "monster proof", resulting in excessively high transaction costs. Therefore, it is necessary to differentiate and treat different types of holders to provide varying degrees of legal protection for the interests of all parties.
At this point, it can be seen that the static protection effect of data holding is mainly judged by factual control, but the holder's pursuit effect on third parties and the adversarial effect on the source should be further classified and discussed based on the reasons for the formation of data holding.
4. Types of data held and ownership rights
There are complex conflicts of interest among different rights holders in the data holding relationship network. Merely analyzing abstract concepts is insufficient to grasp the diverse manifestations of life phenomena or meaning contexts. Therefore, it is necessary to shift our focus between norms and facts, typify data holdings, enrich the conceptual connotation of data holdings, and balance conflicting interests more finely and properly.
4.1 Typological thinking of data holding
The law protects all types of data holders, regardless of the specific reasons for holding them, but the legal status of different types of holders may not be entirely consistent. With the typification of data holdings, priority order can be determined in case of rights conflicts, and different types of data holders can be treated differently. Meanwhile, typification, as a classic legal methodology, can fill the gap between empirical facts and legal norms.
The classification method of analogical possession can theoretically distinguish data ownership into a series of distinctions, such as entitled ownership and unauthorized ownership, autonomous ownership and ownership by others. Firstly, based on whether the holder holds the data for legal reasons, it can be divided into those who have the right to hold and those who do not have the right to hold. There are significant differences in the legal rights and obligations between holders with rights and holders without rights, which are closely related to the concept of holding this right. The following text will analyze this classification in more detail. Secondly, the classification of autonomous ownership and ownership is based on whether the holder has all the meanings. The so-called 'all' actually has nothing to do with the concept of data ownership, but only refers to the subjective belief of the holder that the data resources belong to themselves and exclude others from accessing or using them. For example, social networking platforms control a large amount of users' personal data, but the platform cannot hinder users from accessing, using, or even deleting related data, so the platform enterprise is its owner. Thirdly, in theory, holding can also be divided into direct holding and indirect holding. Direct holding refers to the holder directly controlling the data, while indirect holders do not directly control the data, but can request the direct holder to delete or return the data based on certain legal relationships. For example, A shares data with B and allows them to hold and use relevant copies of the data for one year. After copying the data, B becomes the direct holder of the new data copy, while A is the indirect holder. Fourthly, based on whether the holder controls the data based on a subordinate relationship and according to the instructions of others, it is possible to distinguish between self holding and holding assistance. For example, when a personal information subject directly controls personal data, it constitutes their own possession. Employees who engage in activities related to enterprise data based on their employment relationship constitute holding assistants, while the enterprise is the data holder. In addition to the above classifications, other dimensions can also be used for classification. In summary, by categorizing data holdings, it is helpful to classify and process them legally based on different factual scenarios.
The above classification aims to reflect the theoretical diversity of data holdings, and whether each type has legal significance still needs to be analyzed specifically based on the characteristics of data circulation and transactions. The distinction between having the right and not having the right to hold, as well as the distinction between autonomy and hosting, holds significant theoretical and practical value. However, for the types of auxiliary and indirect holdings, they may not necessarily meet the factual conditions or regulatory objectives of data holding. For example, 'holding assistance' may not be very common in real-life situations. For tangible objects in physical space, the act of receiving, storing, and maintaining them often relies on human labor, so the concept of possession assistance is quite common. Data is located in the digital space, and its collection, storage, and replication operations generally rely on data infrastructure, algorithms, and code. Even if individuals within an organization have access to data, the control over the data infrastructure is generally in the hands of the organization, and individuals do not actually have control over the data. For example, data holding should be strictly based on factual control, and it is not advisable to simply copy the concept of "indirect possession" in property law and construct the concept of "indirect holding". A tangible object has certainty and exclusivity, with only one direct possessor on top of it. Although indirect possession can form multiple layers through possession chains, possession is unique. In contrast, data circulation is a more complex process. Each holder independently controls their data copies and does not lose the original copies when sharing data, but only creates more data copies. At the same time, the subsequent holders can further share data and generate more copies. Therefore, there is no non-linear chain relationship between holders, but rather a criss crossing network relationship. If the concept of indirect ownership is acknowledged, the data holder directly holds their own copy and indirectly holds another person's copy. At this point, the direct and indirect holdings merge with each other, and the number of rights holders and obligations increases radially, which is not conducive to clarifying the rights and obligations between the subjects. In addition, the term 'possession' inherently emphasizes direct control over the object. If the concept of indirect possession is introduced, it excessively expands the semantic range of possession, causing confusion between the concepts of possession and possession.
In summary, data holding is more related to the allocation and management of data control permissions, rather than simply physical contact or storage. The typification of data holdings needs to go beyond the framework of traditional possession theory, comprehensively consider the replicability, ease of dissemination, and dependence on technical architecture of data, to ensure that the classification of data holdings can meet the practical needs of the digital age.
4.2 Right to hold and no right to hold
In the classification of data holding, having the right to hold and not having the right to hold are the most important types. Based on the concepts of ownership and non ownership, further concepts such as goodwill, malicious ownership, and defective ownership can be constructed. Therefore, it is necessary to provide a detailed explanation of those who have the right to hold and those who do not have the right to hold.
There is a subtle difference between the concept of ownership and 'lawful ownership'. In fact, when discussing data property rights, the theoretical and practical circles generally confine the relevant discussions to the data control facts formed by "legality" and "legality". As a legal relationship based on facts, data holding may not be easily distinguished between "legal" and "illegal". For example, a good faith holder may purchase data from an illegal actor, but it is not appropriate to simply consider a good faith holder as an illegal holder. For example, if the illegal perpetrator publicly discloses the stolen data online, the data holding relationship formed by unspecified entities downloading the data is also difficult to simply classify as legal or illegal. In addition, legality and illegality are the conclusive evaluations made by the legal system on specific legal facts. But before making this evaluation, it is necessary to analyze the reasons for the data holding, especially considering whether it is based on informed consent or the existence of legal reasons. In this sense, the classification of having the right to hold and not having the right to hold is based on the dimension of legal facts.
Different rights and obligations should be legally assigned to holders with rights and holders without rights. Firstly, when the data source or other rights holder requests the deletion of data, the obligations of the rights holder and the unauthorized holder are different. Authorized holders can resist corresponding requests, while unauthorized holders should fulfill their obligations when faced with requests to delete data. For example, A signs a data license agreement with B, and B copies the data from A and has the right to hold the new copy. During the term of the agreement, B may resist A's request to delete data; After the expiration of the agreement, B shall fulfill the obligation to delete data, otherwise it constitutes both breach of contract and infringement. Secondly, on the premise of not infringing upon the legitimate rights and interests of others, authorized holders should be allowed to engage in utilitarian activities such as processing, using, and operating data. In contrast, the law clearly does not grant usufructuary rights to unauthorized holders. Indeed, unauthorized holders have direct control over data resources in fact, so others are not allowed to privately intervene in the unauthorized holders' implementation of data use behavior. But after litigation, if the law makes a negative evaluation of the unauthorized holder, the unauthorized holder should delete their data copy and return the income obtained. Thirdly, entitled holders can, in principle, demand that the infringer return the profits generated based on the data, while unauthorized holders do not have this right.
On the basis of the classification of ownership and non ownership, more subtypes can be further divided. For example, based on subjective perception, goodwill holding and malicious holding can be distinguished under unauthorized holding. If an unauthorized holder mistakenly believes that they have the right to hold without suspicion, it constitutes good faith holding; otherwise, it is a malicious holder. For well intentioned holders, the law may allow them to continue holding relevant data depending on the situation, while malicious holders should delete or return the data they control. In addition, there are other subtypes such as public holding and secret holding, flawless holding and flawed holding, which will not be discussed here due to space limitations.
(3) The concept of ownership of data holdings
When distinguishing between those who have the right to hold and those who do not have the right to hold, it actually implies the concept of the "right" (or "source") held. In existing literature, the concept of ownership mainly appears in the possession theory of property law. The right of possession refers to the "right to possess", that is, the "right to possess based on certain legal reasons". The distinction between ownership and non ownership can be made based on the presence or absence of ownership. This article repeatedly emphasizes the difference between data ownership and possession of property, but the core concept of this right lies in the "legal reasons" behind specific facts. Therefore, the concept of this right can be abstracted and introduced into the research field of data property rights. In the context of data property rights, the right held is the "right that can be held", which can be divided into those who have the right to hold and those who do not have the right to hold. In fact, in existing research on data holding, although the academic community has not separately extracted the concept of holding ownership, similar ideas are already embedded within it. For example, some scholars believe that the significance of data property rights lies in confirming the legitimacy of the value and distribution order of data, that is, recognizing the "right" of relevant entities to organize the production, distribution, and value release of data resources. The reason why the law protects the rights and interests of data processors is simply because they have "legally controlled the data" and avoid others from arbitrarily interfering with their private rights prohibited by law. The emphasis on legality in these discussions, more precisely, refers to "legal reasons or bases", which precisely correspond to the concept of this right.
Data holding and ownership rights should be strictly distinguished between the two. Firstly, the fact of data control itself cannot serve as a basis for the legality of data holding, and legal justifications must be sought outside of this fact. Otherwise, the data control formed by illegal activities also constitutes the right to hold, which is obviously absurd. Secondly, the owner may not necessarily be the actual holder. For example, natural persons collect personal data such as heart rate, step frequency, and exercise time generated during exercise through authorized mobile devices and related apps. At this point, the natural person is the rightful owner, but does not directly control the data and needs to rely on the software and hardware architecture of the service provider to access the data. APP services are data holders and constitute authorized ownership based on natural person authorization. Again, the protection of data holdings by law is not based on this right. Holding with ownership rights is considered holding, while holding without ownership rights is also considered holding and protected by law.
In addition, with the concept of proprietary rights, the relationship between data ownership and data property rights can be clarified. In short, data property rights should be regarded as a form of ownership of data. This statement in this article can be interpreted from three aspects. Firstly, data ownership based on data property rights constitutes right ownership. Undoubtedly, the discussion on data ownership is still ongoing, and there is still no consensus on how to construct data property rights. However, if new types of rights such as data creator rights, public dissemination rights, and industrial data rights arise in legislation in the future, these new property rights may serve as the ownership rights of data holdings. Secondly, the establishment of data ownership relationships is not based on the premise of data property rights. As mentioned earlier, both having the right to hold and not having the right to hold belong to data holding, and this right is not a prerequisite. Thirdly, holding this right may not necessarily be a specific right, but may arise from various types of rights or legal relationships. In addition to data property rights, holders can also form a right to hold based on personal information rights, trade secret rights, copyright and other rights. In this sense, data ownership can exist independently of the concept of data property rights, thus avoiding academic debates on data ownership.
Conclusion
How to establish a data property rights system is a highly challenging issue of the times. The Chinese style exploration of data law is still ongoing, and the gap between practice, theory, and theoretical doctrine is still widening, and a satisfactory consensus has not yet been formed. Focusing solely on practical experience can easily overlook the systematic operation of the overall system; Inferring from abstract rights from top to bottom may lead to a disconnect from reality and fall into the dilemma of "speaking for oneself". In view of this, this article positions the concept of data holding as an overlapping consensus area that bridges the differences among all parties. As a legal relationship, data holding can establish a meaningful connection between empirical facts and institutional norms. Data holding is based on the factual control and domination of data resources, and thus generates a series of legal effects in the normative dimension. By copying, replicating, and diffusing data replicas, a dynamic and hierarchical network of ownership relationships is formed among holders, accompanied by conflicts of interest among various parties. In the process of balancing interests and resolving conflicts, it is necessary to classify data holdings and classify them into situations such as authorized holding, unauthorized holding, goodwill holding, and malicious holding. In addition, it is worth mentioning that there is a close relationship between "data holding" and "data holding rights". The right to data ownership, as a legal right, is based on the understanding of the legal relationship of data ownership, but there is a certain degree of diversity in the construction path of ownership. This article focuses on discussing data holding, laying the groundwork for future research from legal relationships to legal rights while setting aside disputes.