/ writings ·

Data is property, not privacy

Privacy law is the wrong layer. Personal data needs the legal grammar of property: ownership, transfer, consent, royalty.

By Abhishek Krishna

Privacy frameworks try to hide data. Property frameworks let people own it, sell it, and withdraw it. The latter is what AI actually needs to be legal at scale.

Most of the policy energy around AI and personal data is spent in a frame that doesn’t fit the problem. The frame is privacy: assume the default is “hidden,” and design rules for when data is allowed to leave that hidden state.

This was a reasonable frame in a world where personal data was mostly an externality of using the internet. It is not a useful frame in a world where personal data is an input to industrial-scale production.

The grammar mismatch

Privacy law is built on concealment. Property law is built on transfer. Concealment can’t price a thing; transfer can. Concealment can’t reward a creator; transfer can. Concealment can’t be revoked partially; transfer can.

Every interesting move you’d want to make with personal data is a property move: sell it, license a slice, withdraw it from a model, pay the person whose face it is. Trying to do it with privacy primitives is like trying to render 3D with a typewriter.

Fig. 02 · Which moves each legal frame can actually express PRIVACY FRAME PROPERTY FRAME concealment / consent title / transfer / royalty Sell a slice License for a time, for a use Withdraw from a model Collect a royalty Machine-readable at runtime (not expressible) ● first-class primitive
Each row is a move that personal data needs to support in an AI economy. Privacy can withdraw (partial) and sometimes consent, but it can't price, license, or settle. Property can do all five. Treating data as property isn't ideology. It's the only frame with the primitives to clear payment.

What treating data as property actually means

Three things, in order:

Ownership. The person whose data it is gets first-class title. Not “consented to processing”: title. Same legal residue as owning a song.

Transfer. Like any property right, the title can be licensed, in part, for a time, for a use, with a price. Crucially, the transfer can be machine-readable: encoded in a way that a model, an agent, or a pipeline can check at runtime.

Royalty. When the asset is used commercially, payment flows back. Not as charity. As the default contractual outcome.

Why this is harder than it sounds

The honest objection to a property framing is that the unit is fuzzy. What exactly is the “asset”? A photo? A face? A behavioral fingerprint across ten apps? A health record?

The answer is the same answer music gave: the asset is whatever you can identify well enough to clear. Music had to invent ISRCs, ISWCs, neighboring rights, and mechanical rights to make a fuzzy thing tradeable. Personal data needs an equivalent stack of identifiers, registries, and settlement rails. Most of it is buildable today.

Human Data Rights exists to do that work in public, alongside the IPTO licensing rails that make property meaningful at runtime.

The other reason this matters

The AI labs cannot pay royalties to a hidden right. They cannot license what privacy law treats as concealed. The longer we keep the privacy frame, the longer creators and citizens get nothing, because there is no contractual surface to receive payment.

Property is not the colder framing. It’s the warmer one. It’s the one where you get a check.