Who owns the data?

Tech rulingIn a customer / supplier relationship who owns the data? It’s obvious isn’t it – the customer of course. In general, that’s true, provided there are no assignments of rights in the provider’s terms. As a customer, you do check the terms don’t you?

The data controller bears the primary responsibility for compliance with EU data protection laws so the provider might not want to take on that responsibility anyway. So that works for both the customer and the supplier then.

But what happens where the customer owes money to the supplier? First year law students know that if you take your car to a garage for repair, the garage can exercise a “lien” over the car to refuse to return it to you until you pay. Is it the same for data? Well, no actually. The UK Court of Appeal recently ruled that a provider can’t exercise a form of lien over the customer’s database even if the customer doesn’t pay the supplier’s invoices. This is because databases are intangible assets and liens apply only to tangible assets.

So, cloud providers, to ensure you can exercise rights over the data that you’re holding on behalf of your customer, you need to ensure you specifically write this into your customer contract. Need help writing your contracts? Check out my workshop on 1 October.


Image “Scales Of Justice Key Means Law Trial ” courtesy of Stuart Miles / FreeDigitalPhotos.net”.


  1. Frank
    If Customers can have legal control over their data on the cloud, can companies still access this data? Are they able to view and use that information without your authorization? Using your analogy of the car in the garbage, they are still able to inspect the car once you place it into their garbage. Similarly if I place data on the cloud are they able to see it? If not could they use excuses such as for security reasons to view and use that data? Also since data is not like tangible objects can the company copy or make a backup of each data you upload and use that backup because they in the contract?

    How do customers who use data storage in the future be safe from problems like these?


    • You raise good points. The customer is the data controller which means they’re responsible for the data and will get fined if they fail to comply with their legal obligations around processing & protecting the data. The cloud provider / host is the processor and must adhere to the customer’s instructions regarding use and location of that data. The key is to ensure the customer’s and provider’s rights are defined in the contract.


What's your view? Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.