Quiz: Who Owns Your Data?
Test your understanding before moving to the next chapter. Target: 70% or higher to proceed.
Section 1: Multiple Choice (1 point each)
1. According to Section 3.1.1, the primary reason traditional property law struggles with data is that data is:
- A) Too expensive to value accurately in market transactions.
- B) Non-rivalrous and practically non-excludable, unlike physical goods.
- C) Always owned by the person who generated it, creating conflicts with collectors.
- D) Protected by copyright law, which overrides property law in most jurisdictions.
Answer
**B)** Non-rivalrous and practically non-excludable, unlike physical goods. *Explanation:* Section 3.1.1 explains that property law was designed for rivalrous (if I use it, you can't) and excludable (I can prevent access) goods. Data has neither property: copying it doesn't deplete it, and once shared, it is extremely difficult to control further distribution. This makes traditional ownership frameworks produce paradoxes when applied to data. Option A describes a valuation problem, not the fundamental property-law mismatch. Option C assumes a conclusion the chapter explicitly argues is contested. Option D misstates the legal landscape.
2. In the stakeholder map presented in Section 3.1.2, the "algorithm builder" claims rights to data based on:
- A) Having collected the data directly from the data subject.
- B) Holding a government license to process personal data.
- C) Their inventive contribution and intellectual property in the model they created.
- D) The data subject's explicit consent to algorithmic processing.
Answer
**C)** Their inventive contribution and intellectual property in the model they created. *Explanation:* The stakeholder map in Section 3.1.2 identifies the algorithm builder's claim as resting on "inventive contribution, IP in the model." The algorithm builder did not collect the data (that's the collector's role) and does not necessarily hold a government license. The question of consent (D) relates to the data subject's rights, not the algorithm builder's claim. The chapter uses VitraMed's data scientists as the example: they built the predictive models and bore the computational costs, which they argue gives them a proprietary interest in the resulting intelligence.
3. Jaron Lanier's "data as labor" theory proposes that:
- A) Data collection should be performed exclusively by human workers rather than automated systems.
- B) Users' data contributions are a form of productive labor that creates value for platforms and should be compensated.
- C) Companies should hire local workers to collect data rather than relying on user-generated content.
- D) Data processing jobs should be protected by the same labor laws as manufacturing positions.
Answer
**B)** Users' data contributions are a form of productive labor that creates value for platforms and should be compensated. *Explanation:* Section 3.2.2 describes Lanier's proposal that every Google search, Facebook post, and Amazon purchase is an act of productive labor that creates value for the platform. Under this theory, users should receive payment for their contributions, just as workers receive wages. The other options misinterpret the theory: it is not about who performs data collection (A, C) or about extending existing labor law to data jobs (D), but about reframing the act of generating data itself as a form of labor deserving compensation.
4. Eli's objection in Section 3.2.2 — "I don't want to be paid for my data. I want to not be surveilled" — most directly challenges which theory of data ownership?
- A) Data as property
- B) Data as labor
- C) Data as a rights-based framework
- D) Data as commons
Answer
**B)** Data as labor. *Explanation:* Eli's objection directly follows the presentation of the data-as-labor theory and explicitly challenges its core logic. The labor theory frames the problem as one of *compensation* — users aren't being paid enough for their data contributions. Eli argues that the problem is *surveillance itself*, not inadequate payment. Paying him five dollars a month for lamppost data doesn't make the surveillance acceptable. This critique is listed among the "arguments against" the labor theory: it "frames the problem as one of compensation rather than power." Eli's preferred framing aligns more closely with the rights-based approach (C), but his objection is *targeted at* the labor theory (B).
5. The concept of informational self-determination originated in:
- A) The United States Bill of Rights, as interpreted by the Supreme Court in Roe v. Wade (1973).
- B) The German Federal Constitutional Court's census decision of 1983.
- C) The European Convention on Human Rights, Article 8, as amended in 2000.
- D) The preamble to the EU's General Data Protection Regulation (2016).
Answer
**B)** The German Federal Constitutional Court's census decision of 1983. *Explanation:* Section 3.2.3 states directly that the concept of informational self-determination was "articulated by the German Federal Constitutional Court in 1983." This ruling established that data protection is not a property right but a fundamental right, akin to freedom of speech or assembly. This became the foundation for the European rights-based approach to data protection. The other options identify real legal documents but are not the origin of this specific concept.
6. Which of the following best describes a data trust as defined in Section 3.3.1?
- A) A contractual agreement in which users sell their data to a company for a fixed price.
- B) A legal structure in which an independent trustee manages data on behalf of beneficiaries, with a fiduciary duty to act in their best interests.
- C) A member-owned cooperative where data subjects vote democratically on all data use decisions.
- D) A government agency that holds all citizens' data and releases it for approved research purposes.
Answer
**B)** A legal structure in which an independent trustee manages data on behalf of beneficiaries, with a fiduciary duty to act in their best interests. *Explanation:* Section 3.3.1 defines a data trust as "a legal structure in which an independent trustee manages data on behalf of a defined group of beneficiaries" with "a fiduciary duty — a legal obligation to act in the beneficiaries' best interests." Option A describes a data market, not a trust. Option C describes a data cooperative (Section 3.3.2), which is governed democratically by members rather than by a trustee. Option D describes a centralized government data repository, which is a different model entirely.
7. The CARE Principles for Indigenous Data Governance challenge Western frameworks primarily because they:
- A) Reject all forms of data collection as inherently colonial.
- B) Assert collective rights over data, whereas Western frameworks typically protect only individual data subjects.
- C) Require that all indigenous data be permanently deleted after research is completed.
- D) Demand that indigenous communities receive financial royalties from any data use.
Answer
**B)** Assert collective rights over data, whereas Western frameworks typically protect only individual data subjects. *Explanation:* Section 3.4.2 identifies the assertion of collective rights as the first and most fundamental challenge the CARE Principles pose to Western frameworks. "The GDPR protects *individual* data subjects. Indigenous data sovereignty asserts *collective* rights — the right of a people to control data about their language, genome, or sacred sites, regardless of whether any individual data point is personally identifiable." The CARE Principles do not reject all data collection (A), require deletion (C), or focus primarily on financial compensation (D). Their emphasis is on governance authority, collective benefit, responsibility, and ethics.
8. In the fitness tracker scenario (Section 3.5.1), the corporate/contractual framework produces which answer to "who owns this data?"
- A) The user owns it because it describes their body.
- B) The community owns it because aggregated health data has public value.
- C) No one owns it because data cannot be property.
- D) The manufacturer owns it because the user agreed to its terms of service.
Answer
**D)** The manufacturer owns it because the user agreed to its terms of service. *Explanation:* Section 3.5.1 presents a table showing how different frameworks answer the fitness tracker ownership question. Under the "Corporate/contractual" row, the answer is: "The manufacturer does — you agreed to their terms of service when you activated the device." The chapter notes that in practice, most fitness tracker companies retain extensive rights under their terms of service. Options A and B correspond to the property and commons frameworks, respectively. Option C reflects a philosophical position not represented in the table.
9. Mira's dilemma about a patient requesting data erasure from VitraMed (Section 3.3.4) illustrates the problem that:
- A) Patients lack the technical knowledge to make informed erasure requests.
- B) Deleting source data does not remove the patterns embedded in machine learning models trained on that data.
- C) VitraMed's terms of service explicitly prohibit data deletion.
- D) European data protection law does not apply to health data.
Answer
**B)** Deleting source data does not remove the patterns embedded in machine learning models trained on that data. *Explanation:* Section 3.3.4 presents Mira's observation directly: "Technically, we can delete their records. But the predictive model was trained on their data. We can't 'un-train' the model. Their patterns are embedded in the weights. Is that deletion?" This highlights a fundamental limitation of the right to erasure in the machine learning era. The issue is not about patient knowledge (A), contractual prohibition (C), or jurisdictional scope (D), but about the technical impossibility of fully removing a data subject's influence from a trained model.
10. Section 3.6 argues that the most appropriate approach to data ownership is:
- A) Adopting the property framework universally because it provides the clearest legal precedent.
- B) A pluralistic approach that matches different governance mechanisms to different contexts.
- C) Deferring to national governments to determine ownership on a case-by-case basis.
- D) Treating all data as commons to maximize public benefit.
Answer
**B)** A pluralistic approach that matches different governance mechanisms to different contexts. *Explanation:* Section 3.6 explicitly concludes: "What emerges from this analysis is not a single answer but a **pluralistic approach** — different governance mechanisms for different contexts, informed by the nature of the data, the power dynamics involved, and the values at stake." The chapter argues that no single theory is adequate for all situations. The property framework (A) works well for clearly individual data but poorly for relational data. Universal commons treatment (D) struggles with boundary-drawing. Government case-by-case determination (C) is not the approach the chapter advocates.
Section 2: True/False with Justification (1 point each)
For each statement, determine whether it is true or false and provide a brief justification.
11. "Under the data-as-property framework, wealthy individuals and poor individuals would have equal power to protect their data because property rights apply to everyone equally."
Answer
**False.** *Explanation:* Section 3.2.1 lists among the "arguments against" the property framework that it "deepens inequality — wealthy people can afford to withhold data; poor people may feel compelled to sell it." Formal equality of property rights does not translate into substantive equality when economic pressures differ. A person struggling financially may feel compelled to sell their data for income, while a wealthy person can afford to refuse. The property framework, despite its formal universality, risks creating a two-tiered system where data protection becomes a luxury good.
12. "Data portability, as enshrined in GDPR Article 20, fully solves the problem of platform lock-in by allowing users to seamlessly transfer their data and experience to competing services."
Answer
**False.** *Explanation:* Section 3.3.3 describes three significant limitations of data portability in practice. First, the data you can export is often less useful than the *inferences* drawn from it, which are not portable. Second, network effects mean your social graph has no value if your friends don't also switch. Third, technical formats may be interoperable in theory but incompatible in practice. Portability addresses one aspect of control — the ability to take your data and leave — but falls far short of fully solving platform lock-in.
13. "The CARE Principles assert that individual consent from community members is always sufficient to authorize research on indigenous data."
Answer
**False.** *Explanation:* Section 3.4.2 presents a thought experiment that directly addresses this question. Under indigenous data sovereignty principles, individual consent is *not* sufficient — collective consent from the community is also required. The CARE Principles assert that indigenous peoples as collectives have the "Authority to Control" the collection, ownership, and application of data about their peoples, lands, and resources. This is one of the key ways indigenous data sovereignty challenges Western frameworks, which typically treat individual consent as the threshold for legitimate data use.
14. "The right to be forgotten, as established in the Google Spain ruling and codified in GDPR Article 17, is an absolute right that cannot be overridden by other considerations."
Answer
**False.** *Explanation:* Section 3.3.4 identifies several tensions that limit the right to be forgotten. These include conflicts with freedom of expression (should a newspaper be required to delete a factual article?), jurisdictional questions (should a deletion request in Europe apply globally?), and technical feasibility (truly deleting data from all copies, backups, and derivative works is extraordinarily difficult). The right to erasure under GDPR Article 17 includes specific exceptions and is not absolute — it applies when data is no longer necessary, when consent is withdrawn, or when processing was unlawful, but must be balanced against other rights and interests.
15. "Elinor Ostrom's commons governance framework was originally developed specifically for digital data and has since been adapted for physical resources."
Answer
**False.** *Explanation:* Section 3.2.4 describes the "data as commons" theory as *drawing on* Ostrom's Nobel Prize-winning work on commons governance, which concerned "the management of shared resources" — originally physical common-pool resources like fisheries, forests, and irrigation systems. The application to data is a more recent extension, not the original context. Ostrom's design principles for commons governance are being adapted for data, not the other way around.
Section 3: Short Answer (2 points each)
16. Section 3.1.1 uses the analogy of data ownership being "less like owning a car and more like owning a conversation." Explain what this analogy captures about data ownership. Then identify one important way in which data differs even from a conversation, making the analogy imperfect.
Sample Answer
The analogy captures the entangled, non-exclusive nature of data. In a conversation, both participants contributed — their words, their ideas — but neither can exclusively "own" it. The other person heard the conversation, remembers it, and may have recorded it. Data ownership is similarly entangled: multiple parties contribute to, access, and derive value from data simultaneously, making exclusive ownership claims problematic. However, the analogy is imperfect because conversations are ephemeral by default — they fade from memory unless recorded — while data is persistent by default and can be perfectly copied, aggregated across contexts, and analyzed by parties who were never part of the original "conversation." A conversation between two people stays between two people unless deliberately shared; data, once collected, can be shared with unlimited third parties without the data subject's knowledge.
*Key points for full credit:*
- Explains the entangled, non-exclusive nature captured by the analogy
- Identifies a specific limitation (persistence, perfect copying, aggregation, or third-party access)
- Connects the limitation to a concrete governance concern
17. Explain how the VitraMed predictive model scenario (Section 3.5.3) illustrates "the fundamental question of AI-era data ownership." In your answer, identify the competing claims and explain why none of the four ownership theories provides a fully satisfactory resolution.
Sample Answer
VitraMed's predictive model — trained on data from 200,000 patients across 500 clinics — produces predictions that are derived from patient data but are not the data themselves. The patients contributed the raw material (their health data), the clinics collected and licensed it, VitraMed designed the algorithm and bore the computational costs, and public health researchers argue the model has social value that should be publicly accessible. The property theory would ask who "owns" the model, but the model is an abstraction of patterns across many people — no individual patient can point to "their" portion. The labor theory would suggest compensating patients, but each individual's contribution is infinitesimal and inseparable from the whole. The rights-based theory gives patients rights over their data, but the model is not their data — it's a derivative intelligence. The commons theory would treat the model as a shared resource, but this conflicts with VitraMed's investment and intellectual property claims. The question — "who owns the intelligence extracted from data contributed by many?" — has no clean answer because the value was created through a transformation that no single party performed alone.
*Key points for full credit:*
- Identifies at least three competing claims (patients, clinics, VitraMed, public interest)
- Explains why the model is distinct from the underlying data
- Demonstrates that each theory fails to fully resolve the dispute
18. The chapter identifies a key difference between a data trust and a data cooperative. Describe this difference and explain why it matters for the governance of a community's health data. Which model would you recommend for a community health data initiative, and why?
Sample Answer
The key difference is in governance structure: a data trust is managed by an independent trustee who has a fiduciary duty to act in beneficiaries' best interests, while a data cooperative is governed democratically by its members, who collectively own and make decisions about their data. This distinction matters significantly for health data. A data trust may be preferable when beneficiaries lack the technical expertise to evaluate complex data-sharing proposals (e.g., whether a pharmaceutical company's research protocol adequately protects privacy) — the trustee provides professional, expert stewardship. A cooperative may be preferable when community voice and democratic participation are paramount — for instance, when communities have historically been excluded from decisions about their health data (as in the indigenous data sovereignty context). For a community health data initiative, the choice depends on context: a trust offers stronger fiduciary protections and professional management, while a cooperative offers greater democratic legitimacy and community ownership. A hybrid model — a cooperative that appoints expert trustees for specific technical decisions — might capture advantages of both.
*Key points for full credit:*
- Correctly distinguishes trustee-managed vs. member-governed structures
- Applies the distinction to a health data context with specific reasoning
- Recommends a model with justification, acknowledging trade-offs
19. Using the "Best Practice" framework from Section 3.6, analyze the following scenario in four to five sentences: A ride-sharing company collects GPS data from drivers and passengers, uses it to optimize routes and pricing, and sells aggregated mobility data to city planning departments.
Sample Answer
The data is *relational and behavioral* — GPS traces reveal the movements of both drivers and passengers, generated through their interaction with the platform. The *interests at stake* include driver and passenger privacy, the company's commercial interest in route optimization and data monetization, and the city's interest in using mobility data for infrastructure planning. *Governance mechanisms* include the company's terms of service (which likely authorize this use) and any applicable data protection regulation, but there is likely no independent oversight of the aggregation and sale process, and neither drivers nor passengers were meaningfully consulted about the sale to city planners. The *power dynamics* strongly favor the company: it unilaterally sets terms, controls aggregation, and profits from the sale, while drivers and passengers have no practical alternative if they want to use ride-sharing services. The *desired outcome* should balance legitimate urban planning needs with meaningful transparency about data sales and a mechanism for data subjects to benefit from or object to commercial use of their mobility patterns.
*Key points for full credit:*
- Applies at least four of the five lenses from the framework
- Identifies a specific power asymmetry
- Connects governance mechanisms (or their absence) to stakeholder interests
Section 4: Applied Scenario (5 points)
20. Read the following scenario and answer all parts.
Scenario: The Community Health Data Cooperative
Millbrook Community Health Center (MCHC) serves 15,000 patients in a predominantly low-income, racially diverse neighborhood. MCHC has partnered with a university research hospital to create a "Community Health Data Cooperative" — a platform where patients can contribute their anonymized health data for medical research. Patients who join the cooperative receive a $50 annual credit toward prescription costs.
The cooperative's governance board includes three MCHC administrators, two university researchers, and one elected patient representative. The cooperative's data is stored on the university's servers. Researchers at the university can access the data for approved studies. External pharmaceutical companies can purchase access to the aggregated, anonymized dataset for drug development research. Revenue from these sales funds the prescription credits and the cooperative's operations.
After two years, a patient advocacy group raises several concerns: (1) only one of six board members represents patients; (2) the $50 credit may amount to coercion for low-income patients; (3) the pharmaceutical companies accessing the data have historically under-invested in treatments for conditions prevalent in the community; and (4) a neighboring indigenous community's health data has been included without tribal consultation.
(a) Analyze the cooperative's governance structure using the models described in Sections 3.3.1 and 3.3.2. Is this truly a "cooperative" as the chapter defines the term? What structural elements are missing? (1 point)
(b) Evaluate the $50 prescription credit using the data-as-labor theory (Section 3.2.2) and the rights-based theory (Section 3.2.3). Does each framework view this compensation differently? Explain. (1 point)
(c) The pharmaceutical companies profit from research conducted on community data. Using the stakeholder map from Section 3.1.2, identify all relevant stakeholders and analyze whether the current benefit distribution is equitable. (1 point)
(d) Apply the CARE Principles (Section 3.4.1) to evaluate the inclusion of the indigenous community's health data. What specific principles have been violated? What governance changes would be necessary to comply with indigenous data sovereignty? (1 point)
(e) Propose three specific reforms to the cooperative's governance that would address the advocacy group's concerns. For each reform, identify which theory of data ownership (Section 3.2) supports it and explain what problem it solves. (1 point)
Sample Answer
**(a)** This is not truly a cooperative as defined in Section 3.3.2. A data cooperative is "a member-owned organization where data subjects collectively own, manage, and benefit from their data," governed "democratically by its members." The MCHC cooperative fails this test: only one of six board members represents patients, meaning the people who generate the data have minimal governance power. The structure more closely resembles a poorly designed data trust — except it also lacks the core feature of a trust, which is an independent trustee with a fiduciary duty to beneficiaries. Instead, the governance is dominated by institutional actors (administrators and researchers) whose interests may diverge from patients'. Key missing elements: democratic member governance, majority patient representation on the board, transparent decision-making processes, and member veto power over external data sales.
**(b)** Under the data-as-labor theory, the $50 credit is an attempt at compensation for the value patients create through their data contributions — but a likely inadequate one. If pharmaceutical companies are purchasing dataset access, the revenue generated from patient data almost certainly exceeds $50 per patient per year. The labor theory would demand fairer compensation proportional to the value extracted. Under the rights-based theory, the $50 credit is more troubling: it introduces an economic incentive that may undermine the voluntariness of consent. The rights-based framework treats data protection as an inalienable fundamental right, not something that can be purchased. For low-income patients, $50 in prescription credits may create economic pressure to participate even if they have privacy concerns — effectively pricing their data rights at $50. The rights-based framework would insist that participation must be genuinely voluntary, not economically coerced, and that data protection rights should not depend on whether someone can afford to forgo the credit.
**(c)** Stakeholders include: patients (data subjects who contribute health data), MCHC (data collector that operates the health center), the university (data processor that stores and manages the dataset), university researchers (algorithm builders who design studies and analyze data), pharmaceutical companies (commercial entities purchasing access), the broader community (which may benefit from research findings), and the indigenous community (a collective with distinct sovereignty claims). The current benefit distribution is inequitable: pharmaceutical companies derive potentially enormous commercial value from drug development research, while patients receive $50 annually. MCHC and the university receive operational funding and research opportunities, respectively. The community at large receives no guaranteed benefit — the chapter notes that pharmaceutical companies have "historically under-invested in treatments for conditions prevalent in the community," meaning the research may not even produce treatments relevant to the people whose data made it possible. The greatest asymmetry is between the commercial value extracted by pharmaceutical companies and the minimal, potentially coercive compensation offered to patients.
**(d)** The inclusion of the indigenous community's health data violates multiple CARE Principles. **Authority to Control:** The indigenous community's data was included "without tribal consultation," directly violating the principle that indigenous peoples have rights to govern data collection and use concerning their communities. **Collective Benefit:** There is no evidence the cooperative was designed to enable the indigenous community to derive specific benefit from the data. **Responsibility:** Those working with the data failed in their responsibility to support indigenous data governance by not seeking tribal consent. **Ethics:** Including the data without consultation fails to make indigenous rights and wellbeing a primary concern.
To comply with indigenous data sovereignty, the cooperative would need to: (1) immediately segregate and remove indigenous community data pending tribal consultation, (2) establish a separate governance agreement with tribal authorities that grants the tribe authority over how their community's health data is used, (3) ensure tribal representation on the governance board for any decisions involving their data, and (4) negotiate benefit-sharing arrangements directly with the tribal government.
**(e)** Three reforms:
1. **Restructure the governance board to ensure patient majority representation** (e.g., four patient representatives, one MCHC administrator, one university researcher). This reform is supported by the *commons* theory (Section 3.2.4), which holds that community-determined governance rules should control shared resources. It solves the democratic deficit: the people whose data powers the cooperative should have majority control over its governance decisions.
2. **Replace the $50 prescription credit with a non-monetary benefit model** — for example, guaranteed access to any treatments or diagnostics developed from the cooperative's research, plus transparent annual reporting on how data was used and what revenue was generated. This reform is supported by the *rights-based* theory (Section 3.2.3), which holds that data protection is a fundamental right that should not be conditioned on economic exchange. It solves the coercion concern by removing the financial incentive that may pressure low-income patients to participate.
3. **Establish a separate indigenous data governance protocol** with tribal authorities, granting the tribe full authority to consent to, modify, or withdraw participation in the cooperative. This reform is supported by the *CARE Principles* and the indigenous data sovereignty framework (Section 3.4), which asserts collective rights to control data about indigenous peoples. It solves the violation of collective consent by creating a governance mechanism that respects tribal authority over communal health data.
Scoring & Review Recommendations
| Score Range | Assessment | Next Steps |
|---|---|---|
| Below 50% (< 15 pts) | Needs review | Re-read Sections 3.1-3.3 carefully, redo Part A exercises |
| 50-69% (15-20 pts) | Partial understanding | Review specific weak areas, focus on Part B exercises for applied practice |
| 70-85% (21-25 pts) | Solid understanding | Ready to proceed to Chapter 4; review any missed topics briefly |
| Above 85% (> 25 pts) | Strong mastery | Proceed to Chapter 4: The Attention Economy |

| Section | Points Available |
|---|---|
| Section 1: Multiple Choice | 10 points (10 questions x 1 pt) |
| Section 2: True/False with Justification | 5 points (5 questions x 1 pt) |
| Section 3: Short Answer | 8 points (4 questions x 2 pts) |
| Section 4: Applied Scenario | 5 points (5 parts x 1 pt) |
| Total | 28 points |