Conceptualising Data Commodification & Legal Categorisation in The Indian Legal System

**Dr. Niyati Pandey and Ms. Anamika Shukla

Introduction

With the onset of the digital age, India has seen a surge in data generation, data holding and the debate around data sovereignty. India’s digital economy generates a colossal volume of data be it personal, financial, biometric, behavioural, etc. As this data becomes increasingly critical to commercial, governance and innovation processes, the question related to legally conceptualising and categorising data becomes increasingly intense. The problem of regulations stems from the nebulous nature of data and its treatment within any legal diaspora. The legal treatment of data in India is fragmented and unsettled. Terms like asset, property, resource, or service are invariably and inconsistently used. The ambiguity affects ownership, liability, consumer protection, and enforcement. For instance, in the absence of a clear legal classification, data breaches involving cloud storage or data-sharing platforms raise novel but unresolved tortious and contractual questions. The modern day failure to address this is evident in data-related litigations, be it the Aadhaar Case, the WhatsApp controversy, CoWIN breaches, and other prevalent disputes from fintech and edtech sectors point to the urgent need for typological clarity. 

This forms the genesis of a fundamental dilemma for the Indian legal system which questions how data should be legally categorized? Should it be treated as a product under emerging digital economy laws, a good or service under the Sale of Goods Act, 1930 (SGA), or as a sovereign and intangible resource, regulated solely through tort principles?

In this article, the authors attempt to address the ambiguity surrounding data classification in Indian law and evaluate the applicability of the doctrine of bailment to data. The authors argue for the recognition of data as a sui generis legal category. Drawing from doctrinal analysis and comparative insights, the authors propose a “Data as Tradable Commodity” framework that reflects both the economic value of data and the relational rights and duties it carries in the Indian context.

Rights Associated with Data

The question of whether data qualifies as “goods” remains unsettled in Indian jurisprudence. In R.D. Saxena v. Balram Prasad Saxena (2000), the Supreme Court clarified that for an item to fall within the ambit of “goods” under Section 171 of the Indian Contract Act, it must be marketable and saleable for consideration. Since documents lacked intrinsic commercial value, they were held not to be goods. By extension, this raises a more complex question: Can data, which is often non-rivalrous and intangible but holds immense economic value, be treated similarly?

With data increasingly regarded as the “new oil” or “digital gold”, its legal status, the rights of the data originator, and the obligations of subsequent users are yet to be clearly defined. One area where jurisprudence has developed is the right to privacy, recognized as a fundamental right in Justice K.S. Puttaswamy v. Union of India (2017). However, this right is largely confined to the State-subject or fiduciary-subject relationship, and does not encompass proprietary claims, economic rights, or remedies against private third-party misuse.

This gap underscores the urgent need to reconceptualize data rights beyond privacy, by recognizing a broader bundle of rights, including control, possession, transfer, and economic exploitation, grounded in a sui generis legal framework for data.

Why Existing Legal Categories Fall Short in Capturing Data’s Complex Nature

The Data Protection Act, 2023 (DPDP Act) defines data under Section 2(h) as:

“A representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.” 

Under Section 2(1)(o) of the Information Technology Act, 2000, “data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

Both these definitions imply that data is not content per se, but its usable, structured, and representational form, reinforcing the commodification view. Once made suitable for processing or transmission, data becomes capable of economic exchange, valuation, and legal protection.  While these statutory definitions offer a functional description, they fall short of providing comprehensive legal classification of data, due to which questions related to ownership, control, rights of the originators and liability for misuse or unauthorised processing remain unanswered. This unresolved nature of data rights necessitates a deeper exploration into how Indian law currently attempts to classify data meaningfully. Currently there are three perspectives through which data can be classified. 

Data as a service

In modern commercial arrangements, data is often bundled with services such as cloud hosting, software-as-a-service (SaaS), OTT platforms, AI model training datasets, etc. In such cases, data is not the good being sold, but the input/output of a service-based relationship.

While this approach is practical for taxation and licensing, it undermines the independent legal identity of data and ignores its inherent value as a standalone asset. It also fails to acknowledge the rights of authorship, ownership, and post-transfer control especially when the data is misused or further commercialised without user knowledge.

This approach also precludes restitutionary or proprietary claims when data is misappropriated, deleted, or sold without consent.

Data as a product/commodity

In economic terms, data has characteristics that qualify it as a product in the sense that it is collected, curated, packaged, licensed, and sold. This idea is reinforced in European jurisprudence, where data controllers are held liable under product liability regimes if flawed datasets cause harm.

In India, however, the absence of a specific recognition of ‘data as a product’ impedes the application of consumer protection, GST or civil product liability principles. Since a product is generally a tangible or marketable outcome, data in raw or personal form often eludes this definition. For example, when a fintech app erroneously reports a consumer’s credit score (based on flawed data), the harmed party may struggle to claim product liability, because data is not recognised as a ‘defective product’.

Moreover, commodification becomes problematic when the data principal (originator) is separated from the downstream commercialisation of data. In such cases, economic control shifts to large platforms raising concerns of data colonialism.

Data as a good

Section 2(7) of the Sale of Goods Act, 1930 defines “goods” as:

“Every kind of movable property other than actionable claims and money; and includes stock and shares, growing crops, grass, and things attached to or forming part of the land which are agreed to be severed before sale.”

Indian courts have adopted a functional and expansive approach to this definition, gradually including intangible but utilitarian entities within its fold. In Commissioner of Sales Tax, M.P. v. M.P. Electricity Board, AIR 1970 SC 732, the Supreme Court held that electricity constitutes “goods” for the purposes of taxation. It observed that although electricity is intangible and cannot be touched or physically possessed, it qualifies as movable property because it is capable of abstraction, transmission, consumption, and commercial value, all essential attributes of saleable goods.

Building on this rationale, Indian jurisprudence extended similar treatment to broadcast signals, and notably, in TCS v. State of AP, 2005, the Supreme Court ruled that software, if recorded, transferable, and capable of being stored, qualifies as goods. These decisions reflect a doctrinal evolution where tangibility is no longer a sine qua non for classification as goods, provided the subject matter exhibits identifiability, transferability, utility, and value.

By this analogy, data too may qualify as “goods”, particularly when it is structured, stored, and transferred in identifiable formats, such as datasets on cloud servers, USB devices, or hard drives. Commercial practices involving the licensing, trading, and sale of data further support the argument that data is treated as a valuable, exchangeable resource.

However, this classification triggers new issues. If data is “goods”, can it be bailed or pledged? Does the concept of ownership of goods apply when data can be infinitely copied? Is data still “goods” if its value comes from its aggregation and not its individual utility? Data’s replicability, non-exclusivity, and dual-use nature (public/private, personal/anonymised) are seen as barriers. These difficulties point toward the need for a new legal taxonomy, perhaps recognising data as a sui generis asset. 

Data as a sui generis category

If we were to continue with the existing approach to data, one of the most fundamental challenges that arises is the cross-border storage of Indian data which leads to enforcement issues, especially when companies claim immunity under foreign law. There is a cogent lack of statutory guidance which leaves Indian courts unable to resolve data-centric contractual or civil disputes. Moreover, many digital platforms deny custodianship of user data, limiting liability by claiming they are intermediaries.

Recognising data as a sui generis legal category would not only establish a distinct legal personality for data resolving ambiguities around ownership, access, control, and post-use obligations, but it would also aid in advancing deeper normative goals by bridging the gap between contract law, tort law, and property law. 

Can Bailment Apply to Data

Bailment is defined under Section 148 of the Indian Contract Act 1872 as

  “..delivery of goods by one person to another for some purpose, upon a contract that they shall, when the purpose is accomplished, be returned or otherwise disposed of according to the directions of the person delivering them.” 

 A bailment becomes pledge when goods are delivered as security for a debt or an obligation. 

Thus the essentials for a contract of bailment are that the subject matter must be “goods”, must involve “exclusive possession”, not mere custody and requires a purpose and a clear duty of return or disposal. The question thus remains whether data be bailed? 

The principal hurdle is whether exclusive possession of data can be transferred, given its non-rivalrous and non-exclusive nature. Data can be accessed by multiple parties simultaneously, copied infinitely and distributed across jurisdictions. In fact, even the concept of ‘returning data’ seems vague unless specified whether it means erasing such data from all servers or deleting copies or deactivation of access, or simply cease use? 

Nonetheless, digital bailment may still be conceptualised by fulfilling the criteria of exclusive possession through proxies like control of encryption keys, or placing other access restrictions, employing access control systems, mandating data localization requirements, smart contracts (“use-once-and-return” clauses), etc. 

Moreover, under the DPDP Act, a data fiduciary is bound to not to use personal data without consent, permitted legitimate use and not to make unauthorized use, erase the data when consent is withdrawn or purpose is accomplished and maintain data security. Aforementioned duties of data fiduciary resemble those of a bailee under Indian Contract law, supporting an adoption of a legal system with the possibility of bailment of data and not mere data custodian. 

The Possibility of Data Pledge and Lien 

If classified as goods or a sui generis tradable property, data can be pledged as collateral by AI-holding firms, academic repositories, or financial institutions holding proprietary datasets. Moreover lenders, data processors and storage providers could exercise lawful lien i.e., withholding access in case of unpaid dues at par with rights under Sections 170–171 of the Contract Act. Resultantly, this would encourage a market for securitised data assets, regulatory clarity for cloud account freezes and access denials, risk underwriting on data backed lending. 

The Economic Imperative: Data is new Oil 

Economic theory recognizes data as a value-generating asset. It is collected and curated from consumer behaviour, IoT sensors, transaction, bought, sold and licensed via digital platforms, taxed, monetised and accounted for in balance sheets. The Government of India has even considered policy models where non-personal data is viewed as a community resource and can be used for economic purposes implying recognition of its underlying asset-like nature. Thus, the legal hesitation to categorise data as goods/ commodifiable entity is increasingly incongruent with practice. 

Suggestions

To resolve this legal vacuum and typological anomaly, the authors propose that data be treated as a sui generis legal category which recognises its hybrid nature, part personal, part economic and part relational. While existing models and classifications may have certain strengths like treatment of data as service aligns with commercial use, or when treated as a privacy right, protects autonomy, they fall short for multiple reasons . Data when dealt as service overlooks data’s residual value and ownership issues or when treated as privacy right, fails to address the economic rights or third party misuse. These limitations can be tackled by recognising data as goods or conceptualizing data as quasi-property, one can expand  rights and provide robust remedies not only for the data subject but also for legitimate downstream holders. The most significant benefit of this new classification is that it recognises data as a tradable commodity with critical legal attributes such as proprietary interests, usage rights (which may be consent-based, purpose-limited, and time-bound), remedial claims and duties concerning confidentiality, stewardship, and lawful disposal.

Such a reconceptualization allows data to be governed in a more pluralistic and context-sensitive way, providing remedies not only to the data originator but also to downstream holders with legitimate claims. It balances commercial viability, individual autonomy, and third-party accountability, moving toward a coherent legal regime that reflects data’s unique, multidimensional character.

To address these gaps, the authors propose recognising data as a “Tradable Commodity” under a framework of entrusted custodianship.

1. Large-scale data processors and licensed fiduciaries (e.g., cloud providers, large fintech and healthtech platforms) would serve as “data custodians”, governed by obligations akin to traditional bailees and pledgers under the upcoming DPDP Rules.
2. Enact a codified form of digital bailment, where the elements are:
   1. Control (over access/use)
   2. Consent (documented through smart contracts or DPDP compliance)
   3. Custody (secure storage, accountability) 
   4. Control/ exclusive possession: Encryption or API key transfer indicating control 
   5. Return: Data erasure certificates; third-party audit verification 
   6. Lien Rights: Enabled via contract or statute for unpaid dues

India’s digital future depends on legally recognizing data as a valuable, tradable, and relational commodity that may not adapt into existing legal categories of “goods,” “services,” or “products” without friction. Instead, if data is treated as a sui generis, entrusted commodity, Indian law could resolve longstanding ambiguity around its ownership and liability, thereby empowering users and data principals. It would also provide guidance to courts in data-related civil and contractual disputes, and develop a future-ready, human rights–respecting data governance regime.

As India moves toward implementing the Digital India Act, it is time to conceptualise data not just as an asset, but as an entrusted value object, embedded in relationships, rights, and duties.

About the authors: 

**Dr. Niyati Pandey is an Assistant Professor of Law at Gujarat National Law University, Gandhinagar, and a Gold Medallist in both UG and PG studies. With over eight years of experience teaching Contract Law, she is known for her clear, practical approach that blends academic depth with real-world insights. Her expertise covers traditional principles as well as contemporary issues like e-contracts and government procurement. She can be reached at npandey@gnlu.ac.in.

**Ms. Anamika Shukla is an Assistant Professor of Law at Gujarat National Law University, Gandhinagar, and a Gold Medallist in Technology and Law. Her work bridges law, technology, and policy, with a focus on the legal nature of data, AI governance, and digital rights. She has trained law enforcement and armed forces on cybercrime and digital laws and frequently writes and speaks on how emerging technologies are reshaping legal frameworks. She can be reached at ashukla@gnlu.ac.in.

**Disclaimer: The views expressed in this blog do not necessarily align with the views of the Vidhi Centre for Legal Policy.