The growth of digital and connected technologies has led to a huge increase in the amount of data that is being collected and exploited. Consumer data in particular can be immensely valuable. Most obviously, it can be used to target advertisements or marketing activities to those individuals who are most likely to be interested in the products and services being offered. Many of the biggest names in the digital economy, including Facebook and Google, derive significant revenues from consumer data which they can market to advertisers.
Despite the evident value of consumer data, most legal systems do not grant proprietary rights in data as such, and it is probably not strictly accurate to talk about data ownership at all. Certainly the belief commonly held by members of the public that data about them as individuals is (in any ownership sense) ‘their’ data is wholly misplaced. Instead, individuals may have rights to control third parties’ use of their data under data privacy laws, discussed below. Businesses that collect such valuable consumer data need to rely on a variety of legal rights related to that data which, together with actual possession of the data, may be able to give them a level of control approaching proprietary rights in effect.
Rights and responsibilities
The three key types of rights related to consumer data are:
- intellectual property rights – not usually in the data itself but in databases, i.e. collections of data;
- the law of confidence, which can protect some data as confidential information; and
- contractual rights.
Where there are rights over data, however, there are also responsibilities. Most territories now have some form of data protection regime that addresses concerns over privacy by regulating the use of personal data. There is also increasing pressure to give consumers even greater control over their data, including rights to data portability that would enable them to move their consumer data from one service provider to another. These consumer rights have the potential to have a significant impact on the level of control or practical ownership of consumer data that can be exercised by service providers.
Intellectual property rights in databases
Traditionally, databases have been protected through the law of copyright. Such protection does not usually protect the underlying contents of the database, however, but rather aspects of its layout, structure or format. As a consequence, copyright protection for databases provides fairly limited protection for the underlying data (unless that data is a literary work that attracts copyright protection).
In addition to this, in the European Union, databases are also protected through a “sui generis” database right, which does provide significant additional protection for the contents of databases. In many circumstances, this protection can be akin to proprietary rights in the data itself. However, there are two important limitations to the sui generis database right.
- First, it only protects data if there has been a substantial investment in obtaining, verifying or presenting that data. In the landmark decision of British Horseracing Board v William Hill, the Court of Justice of the European Union (CJEU) ruled that the necessary investment required resources to be used to locate and collect pre-existing materials. The sui generis database right does not protect self-generated data, such as data on internal price information, timetables, consumer IDs and other internally produced information.
- Second, the sui generis database right is only infringed if a substantial part of the contents of the database is extracted or re-utilised. This means that data can be taken and reused by third parties without infringing the sui generis right providing what is taken does not amount to a substantial part of the database. One consequence of this limitation is that consumers may be able to extract data that relates to them, or arrange for that data to be extracted, without any infringement of the sui generis database right taking place.
Most legal systems provide legal remedies for the misuse of information that has been provided in confidence. Article 39(2) of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement), which all members of the WTO are signed up to, requires protection to be given to secret information that has commercial value. The law of confidence, therefore, is often the main legal route to protecting that valuable consumer data on a global basis. This can protect a particular collection of items of consumer data against copying even if the data relating to any one individual is public or is already present in other collections of data. In many cases, the obligation of confidence will be imposed through contract, but the protection provided to confidential information can also provide a legal remedy when data is misappropriated or stolen, where there might otherwise be no contractual relationship between the parties.
However, not all consumer data will be protected as confidential information. In particular, if the data is widely disseminated or made available to a large number of third parties – even if each of those third parties is required to sign up to terms and conditions in order to access it – then it will be harder to establish that the data continues to be confidential or secret. If the data as a collection is made publicaly available, then it is highly likely that it will no longer be confidential, even if the terms and conditions of use of the database place restrictions on use of the data and/or seek to impose obligations of confidence.
Contractual terms can seek to confirm and clarify the ownership of any intellectual property rights related to the consumer data and define the obligations of confidence that are owed. If the data is to be processed or combined with other data then the contract will also need to set out the contractual parties’ respective rights in relation to the resultant data – commonly referred to respectively as ‘derived’ and ‘co-mingled’ data. In addition, contractual terms can also supplement IP and confidentiality protection through restrictions on the use of the data. This is especially important if the data is not secret and any intellectual property rights related to the data are minimal. Issues can arise when the parties’ contractual rights are framed in terms of IP and confidentiality when in reality the data is not protected in this way. Consequently, real care should be taken to ensure that each parties’ rights and obligations related to the data are expressly set out as contractual terms, rather than simply claiming that the consumer data is covered by IP rights and confidentiality and expecting this to provide adequate protection.
There are limitations on the control that can be exercised over data in contractual terms. Most importantly the contractual terms will usually only apply between the two parties and will not cover third parties who may gain access to the data through the performance of the contract unless similar contractual restrictions can be imposed on them. The EU’s Database Directive also prevents contractual terms being imposed which limit a lawful user of a database protected by the sui generis right from extracting and/or re-utilizing insubstantial parts of the database. The CJEU confirmed in its 2015 decision in Ryanair that this limitation does not apply to databases not protected by the sui generis right, so it does not prevent stricter contractual restrictions being imposed on the use of self-generated data.
Possession is nine tenths of the law
Beyond the strict legal rights available, the importance of physical possession and control of the data cannot be overstated. If valuable data has been obtained, can be kept secure and cannot easily be obtained by others, then the value of the data can often be exploited without the need to rely on any legal rights relating to that data. Even when the existence of legal rights is necessary to exercise full control, the practical steps taken to secure the data will usually be of utmost importance in maintaining that effective ownership.
Consumer rights: data protection
As well as knowing the rights that they have over consumer data, businesses need to be aware of the rights of the consumers themselves, and the responsibilities that those impose on businesses. The EU legislature is currently debating a new Data Protection Regulation which is likely to include a number of very strong consumer protection provisions. As well as strengthening the data protection regime generally, the Regulation is expected to include new consumer rights, including rights of access, rectification and the controversial right to be forgotten. In terms of ‘ownership’ of consumer data, the potentially most far-reaching provision proposed is a right to data portability that would give consumers the right to be provided with their data in a format that would enable them to transfer it to another service provider.
A right to data portability along these lines would significantly impact on the ‘ownership’ of consumer data by service providers.
Getting it right
With the rapid growth of always-on, connected devices, wearables and the Internet of Things, the volumes of data have grown exponentially in the last few years and will continue to do so for some time. Businesses are taking full advantage of the value of that data, but commercializing data is only half the battle. Since rights of ownership are not available, the control and protection of that data present significant challenges, but the risks of getting it wrong mean that these are challenges that businesses need to rise to.