Commerce in Data and the Dynamically Limited Alienability Rule

Commerce in some data is, and should be, limited by the law because some data embody values and interests (in particular, human dignity) that may be detrimentally affected by trade. In this article, drawing on the Roman law principles regarding res extra commercium, we investigate the example of personal data as regulated under the EU Charter and the GDPR. We observe that transactions in personal data are not forbidden but subject to what we call a dynamically limited alienability rule. This rule is based on two dynamic variables: the nature of data and the legal basis for commercially trading such data (at primary or secondary level). Accordingly, in order to deal with such dynamism and the uncertainty it poses, we propose a general two-stage reasonableness test that should help legal practitioners, judges and law-makers in considering when trade in data is illicit and who (if anyone) shall be held responsible for this mischief. Finally, we show how the two-stage test and the limited alienability rule can advance European contract law and help enforce legal principles associated with such data extra commercium in automated and autonomous data trading systems.


Introduction
Law permits trade in data, so it seems that data are alienable objects (res in commercio). 1 In this article, we argue that commerce in some data is, and should be, prohibited by the law because some data embody values and interests that would be detrimentally affected by trade. We survey the legal limits on trading data in the digital economy and ask whether, and to what extent, a set of principles can rationalise (1) when data qualify as extra commercium and (2) who is to be held responsible for the illicit trade in the data extra commercium. By answering these two questions, we fill an important gap in the existing legal scholarship.
The problem is that, unlike in the case of traditional goods (res), inalienability of data cannot be ascertained ex-ante because the question of whether or not a particular dataset represents values and interests that can be compromised by commerce is not a question about a static property of the dataset. We argue that alienability of data, unlike alienability of traditional goods, dynamically changes. According to our research, this change takes place at the level of informational properties of data (e.g., when data are processed in a new context by a new analytic algorithm) and at the level of legal bases for trading data (e.g., when a data subject withdraws her consent in relation to processing of personal data (Article 7(3) GDPR 2 )). This means, inter alia, that alienability of data can be limited even ex post. Along these lines, by analysing the legal framework around personal and sensitive data protection, we develop a 'dynamically limited alienability rule' that concisely describes the principles of (in)alienability of personal and sensitive data under the GDPR.
This paper is structured as follows. Section 2 introduces the Roman law doctrine of res extra commercium and shows why it is inspiring in relation to trade in data. While the doctrine cannot account for the fluid nature of data and for the technology-driven virtual environment in which data are processed and traded (the infosphere 3 ), the rationales for excluding some data from trade do not change and have legal implications very similar to the rationales behind res extra commercium. Accordingly, responsibility for trade in data extra commercium can be allocated almost fully in line with the principles behind the Roman law doctrine. Section 3 surveys positive law. We observe that no legal provision expressly addresses the question of (in)alienability of data, although data protection laws seem clearly to protect human flourishing. 
One thus cannot easily ascertain whether and when trade in data is illicit due to those data being qualified as extra commercium. We fill this gap by identifying and compiling legal rules that limit alienability of data, namely personal and sensitive data. To help advance the EU law and transnational data trade, and while ensuring protection of the fundamental values that the law excludes from trade, we formulate what we call a 'dynamically limited alienability rule'. In Section 4, we seek to help legal practitioners, judges and law-makers in considering who (if anyone) shall be held responsible and eventually also liable for this mischief. Building on Roman law and modern contract law principles, we thus propose a general two-stage test that satisfies our goal. In Section 5 we discuss how the two-stage test and the limited alienability rule may help link the EU data protection law with contract law rules and principles, and help enforce legal principles of data extra commercium in fully automated and autonomous data trading systems, i.e. systems with increasing practical significance.
Overall, our main original claims are that data are subject to a dynamically limited alienability rule and that responsibility for the consequences of inalienability of data can be determined using the two-stage test that we propose. We argue that data extra commercium is a useful dynamic concept that helps protect certain values and interests in the infosphere and that can be employed in traditional European contract law.
For reasons set out below, we focus primarily on trade regarding personal data and other sensitive data. For reasons also set out below, we restrict this article to questions of when and how we should protect these data. In contrast, we do not look at how we should protect parties if their contract is negatively affected by data protection tools (ie what remedies should be available to them). In addition, when we discuss allocation of responsibility, we do not mean to say that the law imposes a duty on the party to observe certain rules with respect to data or that the law imposes liability on the party for failing to respect certain rules. These issues would need to be resolved at the level of national legal systems, which is beyond the scope of this paper. What we mean instead is that the national legal solutions should adhere to the principles we describe.

From Res Extra Commercium to Data Extra Commercium
The civil (Roman) law protected multiple types of thing (res) by excluding them from commerce (extra commercium). The commercial inalienability of these things was entrenched in values and interests that res extra commercium embodied. Accordingly, Roman law prohibited trade in free humans (liberi homines), 4 things of divine interest (res divini iuris), 5 and things of secular public interest (res publicae). 6 Although we no longer use the Roman law doctrine of res extra commercium, these categories evoke some strong parallels with the recent prohibitions regarding human trafficking, 7 trade in human organs, 8 trade in some religious and cultural artefacts, 9 unlicensed commerce in publicly dangerous or invaluable things, 10 or traffic in publicly important things which are either considered common to everyone or that belong to no-one. 11 A purported sale of any of these three categories of thing was first deemed void 12 as legally impossible, except where the purchaser, without fault on his part, was unaware of their real nature. 13 The tendency to protect the buyer is understandable as 'it can be difficult to distinguish a free man from a slave'. 14 It is also understandable to consider the buyer's fault, because 'even the greenest provincial on his first visit to the mother city could [not] honestly believe that he could take effective possession […] of, say, the Temple of Venus or the Porta Capena or, turning to res publicae, of the Theatre of Pompey or the Via Sacra'. 15 Eventually, the various rules have been compiled into a specific provision of Justinian's Institutes (Inst.III.23.5), according to which a person who, in full awareness of the facts, bought a thing in which trade is forbidden, bought in vain and his contract was void. 
Yet if the purchase was based on the seller's fraud, deception or (even innocent) misrepresentation, 16 the law granted the buyer a remedy in damages for mischiefs such as eviction, confiscation and misapprehension induced by the seller. To the extent that these remedies were conditioned on a breach of contract, the jurists were pressured not to deem the contract void, but this required an exception to be made to the general rule that fraud renders a contract void ab initio. 17 (although somewhat ambiguously) some data types from commerce, as we will show in Section 3. Thus, it looks as if, effectively, some types of data, due to characteristics of the information they embody, cannot be the subject of a sale contract (extra commercium) similarly to how Roman law prohibited trade in certain types of thing. Yet as we have seen in the introduction, trade in data (unlike trade in material objects) poses some very challenging questions. In particular, it seems that we need to think dynamically about the values and interests that the data represent, and it is unclear what implications this may have for validity of contracts and availability of contractual remedies in relation to data extra commercium. Let us start investigating these issues in relation to personal data.
The parallels between res extra commercium and our proposed concept of data extra commercium look particularly strong in the case of free humans and personal data. Illicit trade in free humans (unlike trade in things of divine or public interest) was allegedly an increasingly common source of practical trouble in Roman times. 18 An analogy may be drawn with recent illicit handling of personal data by tech-giants such as Facebook. 19 Also, in Roman times, free individuals were not 'things' in the legal sense, just as data are not considered to be 'things' in many jurisdictions. 20 Finally, the distinction between a slave and a free individual is epistemically obscure, just as there is no clear line between non-personal and personal data. 21 Both a slave and a free individual are humans, although they embodied different values in Roman law. Both non-personal and personal data are data, although they encapsulate different types of valuable information.
Given that the distinction between a free individual and a slave is no longer legally significant, we could instead seek to draw an analogy with trade in human organs. Although organs are different from 'data' and, generally, from intangible goods, what is particularly interesting is that legal protection of human organs has been widely compared with legal protection of personal data. 22 This is perhaps due to the central role of personal data in constructing personal identity and to the inherently 'personal' nature of both organs and data (as components of moral and physical integrity of the human being). 23 Accordingly, if the human body and its components are capable of being considered res extra commercium, one might be tempted to conclude that personal data (ie data that already relate to an identifiable human just like organs pertain to an individual) is likewise inalienable in the European digital market.
Indeed, the rationales for excluding trade in human organs can partly translate to commerce in personal data (as we will see in the next two sections of this article), but the arguments about (non)tradability of data must take a very different form. This is so because non-personal data can become personal, and vice versa. The difficulty with all (not just personal) data is that one must always first 'compute' the information that data embody (digital content) in order to find out their legal status. Data (as an object of digital transactions) can therefore never be excluded from commerce ex-ante, because they can be ex-post linked with values and interests that would be compromised by sale. The dynamic nature of data is unparalleled in the physical world. The closest we could perhaps get is the example of 3D-printed organs. 24 Unlike organs extracted from a human, organs printed on a 3D printer are a tradable commodity. In the physical world, it is relatively easy to understand why the law prohibits trade in human organs but not in 3D-printed organs. The rationale for this protection seems to be based on moral and ethical considerations, grounded on human dignity (in terms of moral and physical integrity). 25 For the same reasons, one could argue that it would be illicit to trade 3D-printed organs that have already been successfully implanted in a human body. However, while this looks like a dynamic change in the nature of those 3D-printed organs, it is important to highlight that this is a once-off change. In contrast, the nature of data may change repeatedly.
A further complication is that data subjects may ex-post withdraw their consent to processing of personal data for a specific purpose. Again, in the physical world it would be hard to imagine that the producer of 3D organs will terminate the contract and withdraw the organ from the human body. In the infosphere, however, a data subject (as the producer of personal data) can demand her data back, which causes some headaches for the contracts involving those data and attendant remedies. 26 We will get to these issues in Sections 3, 4 and 5.
For now, it suffices to highlight that these dynamic ex-post changes in the nature of data are a new phenomenon that might lead to exclusion of data from trade. This issue seems to have slipped the attention of law-makers as well as many scholars, although it presents a distinct problem for the data economy. As, for instance, Basedow argues, '[i]t should be clarified to what extent personal data are res extra commercium and what this means for contracts covering such data'. 27 The uncertainty over when the law excludes data from commerce is further magnified by the fact that there is no clear set of reasons for treating certain things as res extra commercium such as the Roman law triad of reasons (free human's liberty, a divine interest, a public interest). Further, the implicit danger that contracts involving data would be invalidated ex-post looms wherever (personal) data are provided instead of a monetary price for the provision of digital content and in other cases of hidden data commodification.
Hence, it seems worth attempting to map the concept of data extra commercium onto the Roman law moral and public policy reasons (or a similar set of reasons) so as to clarify the constraints on trading data which are implicitly baked in our laws and provide a higher degree of certainty for the data economy. Due to the number of parallels and the reasons given, we will use personal data as a vehicle for our argument, although we aspire to make more general claims about limits on trade in data.
In this regard, many readers will find it helpful to refer to Margaret Radin's work in which she challenges the idea of 'paternalism' as a basis for market inalienability. 28 By criticizing Calabresi and Melamed, 29 Radin argues that the real justification of trade limitations (e.g. on children or human bodies) should not be based on traditional liberalism or economics but on a conception of personhood and human flourishing. Human flourishing, a key concept in virtue ethics, 30 means the development and fulfilment of one's own personality, based both on positive freedom (life, health, thought) and negative freedom and autonomy. Allowing individuals to trade their body parts or entire bodies, for instance, would impair the foundation of individuals' freedom, because it would be detrimental to personhood itself. Accordingly, inalienability should not be justified through paternalism but, on the contrary, through human freedom.
Radin was one of the first to discuss personal information in the context of inalienability of human beings. 31 Indeed, she affirms that personal information ('attributes', 'characteristics') is what makes personhood unique and, thus, it cannot be separated from persons themselves. 32 Following this line of argumentation, we can infer that if humans are inalienable, their personal data should be inalienable, since only objects separate from the self are suitable for alienation. For example, the French national advisory committee for ethics, when interpreting Article 16-10 of the French Code Civil, considered the technology of genetic fingerprints ('empreintes génétiques') as 'res extra commercium', 33 because fingerprints are inseparably linked with an individual.
In other words, we think Radin's work identifies a strong rationale for what we call data extra commercium: inalienability of personal information justified through arguments concerned with human flourishing. Interestingly, privacy scholars have recently affirmed that the right to human flourishing might be the general justification (or even the 'raison d'être') for the right to privacy as protected under Article 8 of the European Convention on Human Rights. 34 Overall, it seems that inalienability of personal data could be justified on a moral basis, just like Roman law advanced moral reasons when prohibiting trade in free humans, because the morally-laden values and information that personal data embody would be compromised by sale. So while the nature of data dynamically changes, the rationales for excluding some data from trade can remain unaltered. What dynamically changes is whether data encapsulate values and interests that would be detrimentally affected by trade, not whether we want to protect those values and interests. Building on the existing literature, we submit that human flourishing is regarded as one such fundamental value that can justify inalienability of personal data.

When the Law Limits Trade in Data?
The law is, however, not bound to follow such abstract moral arguments. It may build on them to provide a principled legal ground for excluding data from commerce, but it could also disregard those rationales. Accordingly, the aim of this section is to explore whether, and under what conditions, there are already some forms of data extra commercium in EU law and/or in national legislation.
30 See Marta C Nussbaum, 'Capabilities and Human Rights' (1997) 66 Ford L Rev 273, 297.
31 Radin, supra, note 28, at 1932: 'There is certainly the danger that women's attributes, such as height, eye color, race, intelligence, and athletic ability, will be monetized. Surrogates with "better" qualities will command higher prices in virtue of those qualities.'; id. at 1925: 'When the baby becomes a commodity, all of its personal attributes-sex, eye color, predicted I.Q., predicted height, and the like-become commodified as well. This is to conceive of potentially all personal attributes in market rhetoric, not merely those of sexuality' (footnote omitted).
32 Id. at 1885: 'Universal market rhetoric transforms our world of concrete persons, whose uniqueness and individuality is expressed in specific personal attributes, into a world of disembodied, fungible, attribute-less entities possessing a wealth of alienable, severable "objects." This rhetoric reduces the conception of a person to an abstract, fungible unit with no individuating characteristics' (footnote omitted).
Before we begin, we stress that several leading commentators consider data to be intra commercium by default. 35 Indeed, Article 2(11) of the Directive on Consumer Rights seems to protect the commercial use of data in sales law by explicitly addressing production and supply of digital content. 36 The Regulation on free flow of non-personal data 37 and the Digital Content and Digital Services Directive 38 support the same conclusion, as they consider data as tradable goods. The Regulation, for instance, explicitly declares the objective of 'removing obstacles to trade' (recital 7). The Digital Content and Digital Services Directive, then, defines 'digital content' as 'data which are produced and supplied in digital forms' 39 and allows for data (even personal data) as an alternative payment for the supply of digital content and services. 40 Although the proposal for this directive has been severely criticized from the perspective of personal data protection, 41 the debate about data (in)alienability is still underdeveloped. 42 Below, we advance this debate.

Inalienability of Personal Data?
The Digital Content and Digital Services Directive goes as far as to assert that 'the protection of personal data is a fundamental right and that therefore personal data cannot be considered as a commodity'. 43 Although this may indicate a clear political aspiration of EU leaders to exclude personal data from commerce, we think that black-letter law is not as clear. Consider, for example, how the EU Charter of Fundamental Rights addresses personal integrity and personal data protection. While Article 3(2) affirms that body parts cannot be 'a source of financial gain' and thus sends a clear message as regards trade in human organs, Article 8 merely declares that everyone has the right to the protection of personal data concerning her. It does not prohibit financial gain from one's own personal data, which suggests that the Charter does not take any position in relation to (in)alienability of personal data.
As regards personal data in general and their being in the nature of inalienable goods, we should take into account EU secondary law, in particular the GDPR, and national data protection legislation. We need also to acknowledge that among personal data, there are some special categories of personal data (hereinafter sensitive data, i.e. racial or ethnic origin, political, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or sex life or sexual orientation data) whose processing is limited to even more restricted cases (Article 9 GDPR, see more below).
The GDPR does not explicitly address inalienability of personal data or their nature as res extra commercium. Nor does it use the terms 'trade' or 'sale' when referring to personal data. However, the centrality of the data subject as a holder of inalienable data protection rights (rights to access, object to processing, revoke the consent, erasure, portability) seems to be the first relevant element to be considered. It is true that personal data can be processed on the basis, among others, of consent and contract and that these are two elements that could also justify tradability of personal data. Nevertheless, consent should be free and revocable (Article 7 GDPR).
35 e.g. De Franceschi, supra, note 1, at 5; Herbert Zech, "Data as a Tradeable Commodity-Implications for Contract Law
Revocability of consent is thus an apparent index of the not-fully-tradable nature of personal data. 44 In addition, Article 7(4) states that, '[w]hen assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract'. In other words, when consent to data processing is given merely as a counter-performance in exchange for ('is conditional on') the provision of a service, one may doubt the freedom with which consent is given.
The wording of Article 7(4) GDPR has triggered a vivid debate about its proper interpretation. On the one hand, commentators largely recognize the nature of data as a de facto 'price', 'consideration' or 'counter-performance' in the digital market. 45 On the other hand, Article 29 Data Protection Working Party (Art 29 WP) has explicitly affirmed that personal data can never be a 'counter-performance', thus strengthening the argument that personal data should not always be considered alienable. 46 However, Art 29 WP seems to accept that personal data may be monetized if specific conditions are respected, i.e. if the controller offers data subjects genuine choice 'between a service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by the same controller that does not involve consenting to data use for additional purposes on the other hand'. 47 Further, Art 29 WP remarks that 'both services need to be genuinely equivalent'. 48 One might wonder whether a premium service upon payment and a free service upon accepting additional purposes of data processing could ever be 'genuinely equivalent' alternatives. Still, if there is, at least in principle, the possibility of accepting a service delivered by the controller without consenting to the additional data use in question, then the consent could be considered genuinely free.
These considerations seem to suggest that, in principle, the data subject should not be asked to disclose her personal data in exchange for money or as an alternative to money, but if her will (expressed through consent) is genuinely free (consent is not conditional, Article 7(4) GDPR), it is possible that personal data are 'monetized'. Of course, the consent can be always revoked (Article 7(3) GDPR).
Accordingly, we submit that the flow of personal data is based on a limited alienability rule: personal data can be 'traded' in exchange for a monetized service only if specific conditions are met. 49 Interestingly, at least two European Member States' legislation implementing the GDPR (that of the UK and of Denmark) mention the wording 'sale of personal data'. The UK Data Protection Act 2018 (similarly to the UK Data Protection Act 1998) prohibits the 'sale of data' as part of the crime of 'unlawful obtaining of personal data'. 50 In particular, it is prohibited to sell data (or offer to sell data) that have been obtained without the consent of the data controller. However, these provisions criminalize only business-to-business (or more accurately, 'controller-to-controller') data trading. What is protected here is the consent of the data controller to commercialize personal data that were lawfully obtained and processed.
44 See, in particular, recital 42 of the GDPR: 'Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment'.
45 See, e.g., Malgieri
The UK Data Protection Act 2018 would seem to imply that any 'sale of personal data' is permitted and lawful, provided that the first data controller consents. But that would be a misunderstanding of what the law demands. According to the GDPR, the exchange of personal data from one data controller to another data controller must respect the data protection principles. Namely, it must have a legal basis according to Article 6 GDPR, such as the data subject's consent or the necessity of processing (more on this principle in Section 3.2.2 below), and the data subject should be informed about any recipient of the personal data (Articles 13(1)(e) and 14(1)(e) GDPR). If and only if all the GDPR safeguards are respected, the exchange of personal data between two data controllers is permitted, even if that exchange is monetized. In other words, we think we can already affirm at this point that personal data are based on a limited alienability rule.
The same argument must apply to other national legal systems in the EU, including the Danish law. The Danish Data Protection Act states that 'data controllers who sell lists of groups of persons for direct marketing purposes or who print addresses or distributes messages to such groups on behalf of a third party may only process: (1) data concerning name, address, position, occupation, e-mail address, telephone and fax number; (2) data contained in trade registers which according to law or provisions laid down by law are intended for public information; and (3) other data if the data subject has given explicit consent'. 51 This confirms the possibility of trading personal data, but again only where the data protection principles set out above are met.
In order to understand tradability of personal data, it is instructive to look outside the EU, for instance to the Silicon Valley in California. Presumably, European businesses would want to trade data with innovative entities incorporated there. Californian laws seem to recognize personal data as res intra commercium. In the California Consumer Privacy Act 2018 (CCPA), for instance, the concept of 'sale of personal data' is largely accepted as the default rule in the relationships between different data controllers. 52 In addition, such 'sale' of data is recognized as the default rule, while the individuals have only the right to be notified that their data will be sold and the right to opt out from any sale of data relating to them. 53 The rights of notification and opt-out seem similar to the requirements of information disclosure and legal bases in the GDPR (Articles 14 and 6) as described above. Thus, alienability of personal data is arguably also limited in California.
Interestingly, the CCPA seems even to declare an absolute inalienability rule. Section 2 acknowledges that 'the right to privacy is among the "inalienable" rights of all people'. However, the same section further clarifies the content of such inalienable right: 'Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information'. In other words, the (inalienable) right to privacy includes basically the right of individuals to limit the trade of data related to them. Overall, we thus submit that one can identify a limited alienability rule for personal data even in the US. 54 In this case, inalienability does not refer to market inalienability of personal data as res extra commercium, but to the 'right to privacy' as a right that cannot be removed from individuals.
In sum, the analysis of personal data as res extra commercium is problematic: their nature as an (in)alienable commodity might appear ambiguous in many legal frameworks. However, regardless of definitions and pronouncements in legal documents, if we focus just on the possibility of processing personal data on a monetization basis (either the data controller asks the data subject for personal data in exchange for money or for a valuable service, or the data controller exchanges personal data with a third recipient, e.g. a business, in exchange for money), we conclude that there is a limited alienability rule. In the following sections we will summarize the 'limits' for trading personal data in EU law.

Trading Personal Data under the GDPR: Conditions and Uncertainty
In order to understand the conditions under which the GDPR allows 'trade' in personal data we should first clarify what 'trading data' means and then differentiate amongst relevant scenarios. We accept here that trading data means obtaining personal data in exchange for money or for other valuable assets (digital services, other valuable information, etc). Two different scenarios should be addressed here: primary data trade, where the data controller obtains personal data from the data subject, and secondary data trade, where the data controller exchanges personal data with a third recipient (e.g. a business that can thus become a second data controller).
In both primary and secondary data trade, the trader(s) need to consider two variables:
1. the nature of data (Are they personal or non-personal data? If they are personal data, are they sensitive or non-sensitive data? See Section 3.2.1); and
2. the legal basis for trading data (see Section 3.2.2).
These variables shall be considered not as merely static, but as dynamic.

The first variable for limited alienability of data: the dynamic and uncertain nature of data
As regards the nature of data, Article 4(1) GDPR clarifies that 'personal data' means any information relating to an identified or identifiable natural person. More interestingly, recital 26 explains that when determining whether a natural person is identifiable 'account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly'. To ascertain whether some means are reasonably likely to be used to identify the natural person 'account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments' (recital 26). If, considering reasonable efforts (time, cost, available technology), it is not possible to link the information to a natural person, the information shall be considered anonymous. 56 As discussed in Section 2, it appears clear that the nature of data is relative. Several variables such as reasonable costs, time, or available technology significantly affect our realistic capacity to single out individuals. 57  the 'identifiers' that would turn those 'anonymous' data into 'personal' data, personal data shall be considered anonymous. 59 Owing to a broad interpretation of the CJEU's statement, it is sometimes thought that pseudonymous data (personal data separated from identifiers) 60 could also be considered as anonymous data for a third party that cannot (technically or legally) access the identifiers. 61 It is noteworthy that the nature of data is also variable across time. For example, advancements in technology could make it easier to reidentify some originally anonymous data; or a party processing anonymous data could ex-post obtain the identifiers in a lawful way. 
It thus should be accepted as given that the nature of data is not only 'uncertain' for traders at the moment of the trade (e.g. when it is not clear whether some data are really anonymous or relatable to an identifiable person), but also dynamically uncertain in the future (anonymous data might become personal data).
Once it has been verified that traded data are personal data under the GDPR, another test should be performed to find out whether those data are of a sensitive nature. This extra categorization exercise is necessary in the context of trading data because Article 9(1) provides for stricter rules for processing sensitive data. Accordingly, sensitive data are based on a 'more limited' alienability rule than personal data generally.
For the reasons given above, the border between sensitive and non-sensitive data is uncertain, relative and dynamic. 62 In particular, it has been affirmed that in the age of Big Data, machine learning and data mining it becomes increasingly easy to infer sensitive information from (apparently) non-sensitive data. 63 All personal data have a certain degree of intrinsic sensitiveness and an inversely proportional (computational) distance from sensitive information. 64 How this distance can be covered depends on advancements in technology (e.g. our health conditions can be statistically predicted even from our daily location data) but also on the collection of further data. Accordingly, data traders should not only consider the uncertain and dynamic nature of data, but also the uncertainty and dynamism of the subcategory of sensitive data, which have implications for the legal bases for trading data.

The second variable: legal bases for primary data trade
Insofar as data qualify as personal data or even sensitive data, data traders need a legal basis for the commercial exchange of such data. Legal bases for processing of personal data are listed in Article 6 GDPR. For sensitive data there is an additional (stricter) list of conditions in Article 9 GDPR. 65
59 Case C-582/14, para 47.
60 See Art 4(5): '"pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person'.
61 See Information Commissioner's Office, Anonymisation: managing data protection risk code of practice (Wilmslow 2012)
Let us consider personal data first. We will focus on consent, a contract and a legitimate interest as the potential bases for trading data lawfully (Article 6(1)(a), (b), (f) GDPR). 66 As mentioned above, consent can serve as a legal basis for collecting data for monetization purposes. 67 However, according to Article 7, this consent must be unambiguous, fully informed (about, inter alia, the commercial purpose of the data processing), revocable and free (not conditional on the provision of services with no other genuinely equivalent alternatives). Accordingly, businesses that 'trade' personal data must ascertain that consent has been provided unambiguously, that it was informed, free and that it remains valid. The consent remains valid if it has not been revoked by the data subject.
Another legal basis for monetizing personal data could then theoretically be a contract, but commentators have dismissed this possibility. 68 Even Art 29 WP has clarified that the provision of Article 6(1)(b) GDPR (stating that processing is lawful if it is 'necessary for the performance of a contract to which the data subject is party') 'must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller'. 69 Art 29 WP thus effectively excluded the use of contract as a legal basis for processing data for monetization purposes including marketing purposes. 70 We agree with Art 29 WP's view.
The last variant is a legitimate interest as a basis for lawful processing of personal data. Pursuant to Article 6(1)(f) GDPR, this could be where 'processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject'. This legal basis thus requires us to take account of several tests, including (1) the necessity test; (2) the legitimacy test; and (3) the balancing test considering the counter-interests of the data subject. 71 The use of 'legitimate interest' as a legal basis for monetization purposes is problematic, 72 especially as regards the necessity test (1). Art 29 WP has indeed clarified that data controllers should 'consider whether there are other less invasive means to reach the identified purpose of the processing and serve the legitimate interest of the data controller'. 73 In data trade the identified purpose might be an economic profit from personal data, but such a purpose would probably be considered insufficiently specific to meet the necessity test. 74 In addition, one could always argue that the desired economic profit could be achieved through less invasive means (e.g. the content providers might provide 'premium' services upon a payment).
66 We do not discuss the possibility to 'monetize' data on the basis of a legal obligation to which the controller is subject (Art 6(1)(c)), vital interests of the data subject (Art 6(1)(d)) or a performance of a task carried out in the public interest (Art 6(1)(e)), because these bases do not fit the private commercial nature of data trade which we want to address.
67  : 'For these reasons, a purpose that is vague or general, such as for instance "improving users' experience", "marketing purposes", "IT-security purposes" or "future research" will - without more detail - usually not meet the criteria of being "specific".'
The legitimacy test (2) allows for more freedom and can be interpreted expansively. 75 Still, the interest must always be lawful, sufficiently clear, and represent a real and present interest. 76 Finally, the balancing test (3) 77 should have regard to the controller's legitimate interest, impact on the data subjects (e.g. intrusiveness of profiling), provisional balance, and to additional safeguards applied by the controller to prevent any undue impact on the data subjects (transparency, ease of exercising the right to object, etc). 78 All these considerations make it extremely difficult to use the category of legitimate interest as a legal basis for trading personal data. It will be necessary to evaluate on a case-by-case basis whether a specific data transaction involves intrusive profiling, unclear information about purposes or commercial implications, etc. And although even '[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest', as is confirmed in recital 47 of the GDPR, the data subject has the right to object at any time to such processing (Articles 21(2) and 21(3)). Accordingly, the legal basis for data transactions could be invalidated ex-post, which seems to be very similar to the right to revoke consent in case of processing based on consent.
In addition, if the traded data are not only personal, but also sensitive data (Article 9(1) GDPR), they can never be processed merely for legitimate interest purposes, since under Article 9 there is no reference to legitimate interest as a legal basis for processing. In that case, just two legal bases might in principle be adequate for processing of sensitive data for monetization purposes: (1) when the data subject has given 'explicit consent for one or more specified purposes' (Article 9(2)(a)), given that the consent is free, informed and revocable (Article 7); or (2) when processing relates to '[sensitive] data which are manifestly made public by the data subject' (Article 9(2)(e)). In this second case, however, we observe that if personal data are already made public, this might lower their commercial value for data traders since they would not need to 'buy' these data (they just would need a technology to collect them). Still, even in this second case, it is worth remembering that for processing sensitive data, controllers need a legal basis under both Articles 9 and 6 (since sensitive data also count as personal data). 79 Therefore, in the case of processing sensitive data which were manifestly made public by the subject, the data controller should either seek the consent of the subject under Article 6(1)(a) or prove that there is necessity for a legitimate interest under Article 6(1)(f). The route of a legitimate interest then poses multiple hurdles, namely the legitimacy test, the necessity test, and especially the balancing test when trading sensitive data for merely commercial reasons. 80
Overall, we submit that this second variable is also uncertain and dynamic. In cases of consent, even when the data traders pass the freedom of consent test, consent could be revoked in the future. 81 In cases of legitimate interests, even when the data controllers pass the three tests (necessity, legitimacy and balancing tests), the data subject could easily object to data processing and thereby delegitimize it.
80 See Id. at 35 which affirms that when processing data for purely consumer profiling reasons, 'the inference of sensitive data (health data) […] contributes to tipping the balance in favour of the data subject's interests and rights'. Similarly, Id. at 59 (discussing an example of an on-line pharmacy performing extensive profiling). Generally, Id. at 38-39 (arguing that processing sensitive data (or even data that could reveal sensitive data) contributes to set the balance test in favour of the data subject because 'the more sensitive the information involved, the more consequences there may be for the data subject').
81 In this case the processing of data before withdrawal is not unlawful (Art 7(3) GDPR), but no new processing of such data is allowed. At the same time, if there are no more legal bases, such data should be erased (see European Data Protection Board, Art. 70.1.b) 7).
As regards secondary data trade, i.e. a commercial exchange of data between two data controllers such as a service provider and an advertising company, the same conditions apply. In addition, it might be necessary to obtain a separate consent for exchanging data with a third party: Art 29 WP has clarified that in order to respect the principle of 'granularity', the data controller that processes data for her own purposes must ask for a separate consent to communicate the data to a third party (e.g. an advertising company). 82

Dynamically limited alienability rule for personal data under the GDPR
Given the evidence in the legal sources and literature set out above, we conclude that personal data are not based on an inalienability rule and are, therefore, not res extra commercium. Nonetheless, we also conclude that strict conditions apply to the commercial flow of personal data, and so we can talk about a dynamically limited alienability rule in relation to personal data. Figure 1 (see below) visualizes how this complex rule might look. Accordingly, the GDPR arguably forbids trade in data when:
1. data are personal data from the outset or become personal data subsequently AND there is:
   a. no free consent of the data subject under Articles 6(1)(a) and 7 GDPR or
   b. no necessity for a legitimate interest under the conditions of Article 6(1)(f) GDPR for processing those data; OR
2. personal data are also sensitive data according to Article 9(1) GDPR from the outset or become sensitive data subsequently, AND:
   a. there is no free consent of the data subject under Article 9(2)(a) and Article 7 GDPR or
   b. those data are not manifestly made public by the data subject or, even if made public, there is no necessity for a 'legitimate interest' under the conditions of Article 6(1)(f) GDPR for processing those data; OR
3. the legal basis is subsequently lost, i.e.
   a. consent is revoked or loses its required qualities (Article 7 GDPR) or
   b. in case of legitimate interest basis, the data subject objects to the processing of personal data (Article 21 GDPR).
82 Art 29 WP, supra, note 46, at 10.
Electronic copy available at: https://ssrn.com/abstract=3466089
similar test in relation to data. The Digital Content and Digital Services Directive provides consumers with some contractual remedies and deals with some aspects of onward data transfers to third parties, 84 but it does not address these issues in a complex and principled way that would be useful also for business-to-business contracts. This section fills this gap and proposes a test that is specifically designed for transactions in data extra commercium. We suggest that this test be thought of as a reasonable proxy on the basis of which national contract laws can be interpreted in accord with the EU law limits on trade in personal data.
We already know that the Roman law res extra commercium test struggles to identify data that cannot be traded. To this extent, we suggest replacing the test with the dynamically limited alienability rule. As far as the legal implications of there being data extra commercium are concerned, however, the Roman law doctrine can play an important role. It is possible to make connections with the doctrine of res extra commercium via the underlying principles of the Roman law test in its historical variations. It is safe to assume that the test was underpinned by the following set of abstract principles that are based on the authority of reason: (1) if a contracting party is not responsible for the forbidden trade (e.g. an innocent buyer), it would not be unjust to provide that party with a remedy for the spoiled commercial transaction; (2) if the other party is responsible for the mischief (e.g. a fraudulent seller), the law could grant the innocent party a remedy against the defaulter; (3) or else, the contract is void and the law only protects the noncorrelative interests vested in the object of trade. The parties are responsible for the void transaction if they knew, or should have known, that the object was extra commercium. Let us translate these principles into the context of data.
The dynamic nature of data implies that all contracting parties can, in full awareness of the fact, foresee that the relevant data may eventually be excluded from commerce on the basis of the reasons outlined in Section 2 and as demonstrated for trade in personal data in Section 3. It could thus be argued that all parties should have known this (potential) status of the data and, accordingly, be responsible for the void or ineffective contract and its consequences. This line of thought would result in legal protection of data extra commercium only. No party would be entitled to a remedy.
The difficulty is that such a strategy does not take into account the legitimate interests and reasonable expectations of the parties. For example, it seems unreasonable to expect that a data subject will be able successfully to claim her interests (and withdraw her consent) in relation to fully anonymized data or to personal data that are collected and processed in the public interest. 85 Similarly, it would be unreasonable to assume that data regarding levels of humidity around the globe would be eventually analysed as personal data. In theory, it is possible, but seems as unlikely as the authors of this article being tenured next year. You would (hopefully) struggle to say we are responsible for not being tenured next year. By the same token, it is unreasonable to assume that parties can have limitless responsibility for data extra commercium. Given the dynamic nature of data, it is also unreasonable to assume that the parties' limited responsibility is fixed at the time of the conclusion of a contract or another key event in the digital trade. According to this line of thought, the parties' limited responsibility should be dynamic, too.
In response to these issues, we propose to translate the corrective element of reasonableness 86 into the following two-stage test. Stage 1: A party is responsible for trade in data extra commercium if and when, given the current state of knowledge and technology that is normally available to a person in a similar position, it is reasonably likely that the relevant data reveal personal (or other restricted) information. Stage 2: If those conditions are met, the party cannot succeed in arguing that they are not responsible for infringing the values and interests in which trade is (or should be) legally prohibited, unless they have a special justifying reason (e.g. the data subject's free consent with processing of personal data or a compelling legitimate interest of the controller) that serves as a defence to their liability for consequences caused by transactions concerning data extra commercium.
Stage 1 of the test protects reasonable expectations and legitimate interests in that the default rule is that data are in commerce and the validity and enforceability of the contract should remain untouched, provided that there is no reasonably likely interpretation which would reveal that the relevant data embody values and interests that would be compromised by sale (see Section 2). Of course, the parties cannot prove negative facts, which is why the Stage 1 test must take a positive form as set out in the preceding paragraph. This positive test helps indicate whether the parties knew, or should have known, that data are excluded from commerce. The 'current state of knowledge' requirement allows us to have regard to the (so far speedy) developments in the field of data science. The requirement of technology that is 'normally available' to a person in a similar position is designed so as to indicate objectively whether and when the relevant party could have discovered that the data qualify as extra commercium, and therefore whether and when that party has responsibility for trade in that data. This requirement is also justified by recital 26 of the GDPR. 87 Stage 2 further limits the parties' responsibility in that it provides the parties with relevant excuses to responsibility and, consequently, defences to liability. A party that becomes responsible at Stage 1 should prove they have a relevant excuse that allows them to trade data that would otherwise be extra commercium. This could be a free consent by the data subject, or a compelling legitimate interest of the data controller winning the three tests (the legitimacy, necessity and balancing tests) under Article 6(1)(f) (and in case of sensitive data either explicit consent or data made public by the subject and legitimate interests winning the tests under Article 6(1)(f)), or any other exemption provided by the law at the time when the party faces Stage 2.
In this sense, Stage 2 reasonably limits responsibility for data extra commercium but does not deny it. 88 If we now reconnect the two-stage test with its Roman law roots, we can see why the reasonable default position of the law should be to protect only data extra commercium and the valuable information they embody. We can also see why it would often be the case that those who are in control of powerful analytic algorithms would be more likely to be responsible for data extra commercium than those to whom such tools are not available (typically consumers and data subjects). The question of specific legal sanctions and remedies is an important matter which we do not have space to open here. The key point is that the test could potentially be deployed in any type of data transaction and could be seen as a test that enforces requirements that are reasonable, principled and in this sense non-arbitrary.

The Unique Benefits of the Data Extra Commercium Test
The two-stage test helps allocate responsibility for trade in data extra commercium, and thus also for the consequences of purporting such trade, in relation to both problematic scenarios set out in the introduction and Section 2, i.e. in relation to ex-post analytic exclusion of data from commerce and ex-post withdrawal of consent. The same applies to the specific conditions of trade in personal data as discussed in Section 3. These are undoubtedly unique and significant benefits that already justify why we should adopt the two-stage test in our thinking about data transactions in European contract law.
Here we want to highlight two practical benefits of the two-stage test. The first benefit relates to enforcement of the limited alienability rule in technologically advanced data trading and data processing systems where human end users are virtually out of the loop. Think, for instance, of 'smart' environments and the Internet of Things. In order to deliver their functions, smart devices and their data processing algorithms often automatedly, and sometimes even autonomously, connect to other devices in order to transfer or process data. This can happen without the end user having any knowledge about such activity and the character of the data traded. Still, legal obligations can arise even in such autonomous environments and, likewise, the reasons for excluding some data from commerce apply there too. 89 How then, if the human end users, who are traditionally considered the relevant contracting agents, are out of the loop, can we enforce the limited alienability rule? Consider, for instance, how difficult it would be to apply principles relating to defects of consent (mistake, fraud, threat or undue influence) and misrepresentation in scenarios where the human user is out of the loop. Similarly, consider how difficult it would be to establish that the dynamic change of the nature of data amounts to an unforeseeable change of circumstances. 90 These issues demonstrate the obstacles relating to enforcement of the limited alienability rule when it comes to automated trading of data between autonomous agents. The existing European contract law tools are simply not designed for the infosphere where our traditional notions of time, space, and identity of objects start breaking down in relation to data and their informational properties. This is where the two-stage test is likely to help.
The law is well positioned to provide a legal (not technological) tool to open black-boxed algorithmic trading systems, and thereby to protect the values and interests that certain types of data embody. The two-stage test could steer these challenges at the technological level by incentivising development and implementation of suitable algorithms that would be designed to protect data extra commercium. Such protection by design could result in various auditing algorithmic protocols (regulation by code) 91 that would flag up potential issues in the black box. Stage 1 of the test explains why it would be reasonable for stakeholders to use such auditing technologies and responsibly to develop the necessary technical standards. 92 The second implication relates to Stage 2 in that it demands development of adequate legal and technical standards for ex-post authorisation of processing of autonomously derived or inferred data. From a traditional European contract law perspective, trade in these derived or inferred data would be permitted if they were derived or inferred from data in commercio. The traditional contract law approach (we may call it a pre-Big Data or pre-infosphere paradigm) looks at data as a mere accidental form of goods, rather than as primary objects of transactions. 93 If the primary good is excluded from commerce, data are too; if not, data are in commercio. We already know, however, that the relationship between data and the information they embody is not this straightforward and that, once the human user is out of the loop, we could lose sight of trading data that should be dynamically excluded from commerce. In other words, even derived and inferred data might eventually infringe upon non-tradable values and interests as set out in Section 2.
Again, this is where the two-stage test might help. Unlike existing European law which addresses issues of ex-post withdrawal of consent and, relatedly, the legal implications of this ex-post exclusion of data from the relevant transactions (including some implications for onward transfers of such data extra commercium to third parties), the two-stage test incentivizes development of reasonable legal and technical standards that would allow for ex-post authorisation of data and, accordingly, ex-post inclusion of derived or inferred data in commerce. This second benefit is, again, characteristically significant for enforcement of the limited alienability rule in the era of Big Data and the infosphere and requires us to adopt some new contract law rules for allocating responsibility for data extra commercium. The shape these rules will take in national legal systems, or whether there will be pan-European standard terms or implied terms for business-to-business and business-to-consumer contracts, are questions ripe for further consideration that exceeds our article. 94 Overall, the two-stage test could incentivize more efficient legal and technical standards for detecting and protecting data extra commercium even in fully automated and autonomous trading systems.

Conclusions
No matter how tempting the intellectual parallel may be, data are not res extra commercium and we should seek to avoid thinking about them in these terms. This does not mean, however, that data are res in commercio. That would also be a misunderstanding. The nature of data is more complicated than that and we cannot simply apply traditional concepts and contract law doctrines to them.
In this article, we argued that transactions in data can be limited and that data are subject to what we call a dynamically limited alienability rule. In Section 3, we demonstrated how this rule would apply in the context of the laws regarding trade in personal data. We also visualised the rule in Figure 1, so that our readers might easily refer to it in their own work or legal practice.
Further, we argued that the dynamically limited alienability rule can be explained on a principled basis (Section 2) and, therefore, applied more generally to trade in any data. In this regard, Section 4 pioneered a general two-stage test that should help legal practitioners, judges and law-makers to navigate in considering when trade in data is illicit and who (if anyone) shall be held responsible for this mischief.
Finally, we showed how the two-stage test and the limited alienability rule may help link EU data protection laws with contract law rules and principles, and help enforce legal principles of data extra commercium in fully automated and autonomous data trading systems.
We thus proposed that data extra commercium be thought of as a dynamic concept for future European contract law or national laws implementing the Digital Content and Digital Services Directive. After all, in a world of speedy technological advancements and changes in business practices and models, it seems a more efficient, and sustainable, regulatory strategy to link contractual sanctions and remedies with the object that is traded (i.e. data) rather than with the specific types of contractual transaction. Besides, a standard requirement of commercial law is that the object of a transaction is lawful, and it would be difficult to conceive of the law permitting otherwise. commercium and the two-stage test to help enforce the limited alienability rule pertaining to all data transactions. As such, data extra commercium may even serve as an elementary tool of data protection. 95