Internet of Things and Data Ownership

Written on 29 Sep 2016

The Internet of Things is based on the technology of digital interconnection of everyday items (e.g. watches, appliances, furniture, energy at home). Nowadays, the Internet of Things is creating a new reality for personal life management through the possibilities offered by the digital world and the subsequent potential economic value of the data (big data) gathered by the connected items, which opens a wide range of possibilities to be exploited.

The data gathered or collected by Internet of Things (“IoT”) devices/sensors is increasing exponentially as the number of IoT devices grows every day. The use and exploitation of such data gathered or collected by these devices is expected to be of utmost relevance in the coming future since, according to the prediction of one of the most important research and analysis entities in the field, there will be around 26,000 million connected smart devices (IoT devices) by 2020. Therefore, there is no doubt about the significance of who will be the owner of such data and hence who is legally entitled to carry out ‘business’ with such data.

Due to the way IoT goods are commercialised, a great number of players (entities or individuals) may be involved in the processing, generation and collection of the data (for instance, the entity or individual who has acquired such a device, the marketer of the device, the manufacturer or manufacturers of the hardware, the software developer, the app developer or the database architect). Consequently, most of them would be interested in being the owners of the data and thereby being entitled to use, hold, transmit or sell (i.e. monetise) such data to third parties.

As a consequence of the broad number of players that may be involved in the process of generating, collecting and processing the data, determining the legal ownership of such data may pose a tricky and complicated legal question, even more so taking into consideration that one of the main advantages of the data generated by these devices is the possibility of aggregating them with other data and obtaining market statistics.

Since presently no express regulations exist on this matter in Spanish law (we still await the implementation of the Directive on Trade Secrets into national law, which is likely to “stir the melting pot” in the field), a legal analysis regarding ownership of the data should be carried out on a case-by-case basis in order to determine who will be the legal owner of the data according to the general principles set out in the Spanish Civil Code regarding ownership. The concept of ownership currently in force in Spain derives from the same concept under Roman law. Article 348 (first paragraph) of the Spanish Civil Code establishes that ‘property is the right to enjoy and dispose of a thing, with no limitations other than those established by law’. Therefore, as long as no contract or agreement governs said ownership of the data between the parties involved, the only entity or individual that should have the right to enjoy and dispose of the data would be the one that has actually generated/produced such data. In this sense, data would be treated similarly to fruits of property under Spanish civil law: the fruits obtained from a real estate property would belong, if no other circumstances intervene, to the owner of the property.

This ‘lack’ of applicable law has led companies to conclude agreements relating to data ownership, access, processing or benefits from the economic exploitation of the data. Therefore, since the parties are almost free to agree whatever they wish (provided that the general limits to the free will of the parties are observed: (i) mandatory laws, (ii) morals, and (iii) public order), the parties would also be free to agree on any type of remedy related to the breach of any provision contained in such agreement in connection with the ownership, access, processing or economic exploitation of data.

Such free will may be somewhat constrained when the data gathered qualifies as personal data since it will be protected by national privacy laws, as pointed out by the Article 29 Data Protection Working Party in its opinion on the developments of the Internet of Things (Opinion 8/2014 on the Recent Developments on the Internet of Things, adopted on 16 September 2014). From this it can be inferred that when dealing with individuals' personal data the ‘owner’ of the data should be the individual, given that consent is required to process such data.

Companies involved in the development, creation or marketing of IoT devices would require a “who is doing what” assessment in the process of the data collection/gathering chain to know who is ultimately economically and commercially responsible for this taking place.

Subsequently, entities should focus on the drafting and content of contractual arrangements so as to determine as far as possible the owner or owners of the data and the exploitation that they may carry out. In some cases more than one entity may take the initiative or assume the risk and, if so, they may jointly own the database right. In any event, the agreements concluded should also deal with closely linked pieces of legislation such as unfair competition rules, intellectual property law provisions, etc.

The agreements should be drafted in accordance with the actual process of data collection and, given the potential overlap of responsibilities and roles, they should set out the ownership provisions clearly so as to avoid, to the maximum extent possible, any controversy regarding the ownership of such data.

Finally, we may conclude that the agreements regulating the ownership of the data will continue to play quite a relevant role until the law implementing the Trade Secrets Directive is passed.