Data are at the heart of the Internet of Things (IoT). Without connected devices being able to capture, transfer, analyse, report and act on data, the benefits of the IoT cannot be achieved.
The data are hugely valuable. But who owns them? The answer is: no one – there is no property right in a piece of data itself. The owner of a smart thermostat does not, for example, own the data about how he uses it. The only thing that is 'ownable' is an aggregation or collection of such data, provided there has been a relevant investment in carrying out that aggregation or collection (the individual user is very unlikely to have made that investment). It is that investment and who carries it out that are the focus of this article.
Working out what collections can be owned and who can own them is important for at least two reasons. Firstly, there is potentially enormous value that can be generated from exploiting such aggregations, for example, by producing market intelligence, targeting ads or providing better advice. In addition, with that value potential comes a need to identify who is able to exploit it and, more importantly, who can stop others from exploiting it.
The second reason is to separate the potential ownership interests of different players in the data processing chain. A number of players may be involved in the journey of the data (e.g. the user, hardware manufacturer, app developer, provider of database architecture and the purchaser of data). Identifying who in that chain owns the aggregation of the data will, therefore, be crucial in determining who has the economic rights to the aggregation.
Aggregations of data can be protected by database right. Database right is an EU-specific IP right which is designed to incentivise and protect the storage and processing of data.
There will be a database right if three criteria are satisfied:
- there has to be a "database", as defined – this is a collection of independent data which are arranged in a systematic or methodical way and which are individually accessible. The key point here is that the data must be collected in an orderly way to allow for retrieval of those data. This will ordinarily be the case where there is capture, transfer and analysis of data. However, if this is all happening in real time without the data ever being "collected" into a fixed base, there is unlikely to be a database;
- there has been substantial investment in the obtaining, verification or presentation of those data. Obtaining and presenting will be most relevant here – there must be investment in the seeking out and collection of the data and/or in their arrangement and organisation. With so much data being captured by connected devices (that being the whole point of the IoT), the opportunity for substantial investment in collecting and/or arranging them is obvious; and
- the maker of the database (or one or more of them if it was made jointly) has to have a substantial economic and business connection with an EEA state. This may catch out many overseas entities. For example, the maker would have to be: (i) incorporated in an EEA state and have its central administration or principal place of business within the EEA; or (ii) have its registered office in the EEA with its operations being linked on an ongoing basis with the economy of an EEA state.
If those criteria are satisfied, the "maker" will be the first owner of the database right. In a data chain that has a number of players all coming into contact with the data in some way (and no doubt wanting to exploit it), identifying the maker will likely be the most difficult task. The maker will be the entity who:
- takes the initiative in obtaining, verifying or presenting the contents of the database; and
- assumes the risk of investing in that obtaining, verifying or presenting.
This requires an assessment of who is doing what in the process and who is ultimately economically and commercially responsible for it happening. The entity physically doing the collecting or the presenting may not be the "maker", particularly where someone else has brought that entity in to provide a service. Subcontractors, for example, are explicitly excluded from the definition of maker. The entity who made the commercial decision to collect the data and made the investment in carrying it out will be the maker. This suggests that entities towards the top of the chain are more likely to be the maker. To complicate matters further, more than one entity may take the initiative or assume the risk and, if so, they will jointly own the database right.
Of course, like all intellectual property rights, the ownership of database right can be allocated in contract. Given the overlapping responsibilities and roles of those in the data chain, it will be important to put in place appropriate ownership provisions in the relevant agreements. Where ownership has not been appropriately provided for, we can expect to see big disputes between those involved, given the potential value in data captured from the IoT.