All questions

Intellectual property and data protection

i Intellectual property

There are no intellectual property protections that are peculiar to fintech. However, in common with all evolving technologies, some fintech technologies do test the limits of the existing legal framework, this having not been written with these new technologies in mind. The most notable challenges come from blockchain technologies and technologies delivering artificial intelligence and machine learning applications.

The most important intellectual property rights for artificial intelligence are confidentiality, copyright and patent rights. The laws of confidence pose no unusual issues for artificial intelligence. However, from a wider financial services policy perspective, it would be preferable for innovators to disclose AI innovations rather than opt to keep these as trade secrets,24 so other protections come to the fore.

Copyright raises some issues in respect of ownership of the output of artificial intelligence, but otherwise copyright protection of source code remains as applicable to artificial intelligence software systems as it does for more traditional software systems.

It is in the realms of patent that the interesting issues around protection arise. In the UK, and under the European Patent Convention, to be granted a patent, the invention must be new, inventive and capable of industrial application and not specifically excluded from protection as a patent. Mathematical methods are excluded, as are computer programs, which are, of course, at the heart of artificial intelligence development.

This is not to say artificial intelligence and machine learning algorithms cannot form part of a computer-implemented invention where they can be shown to have a 'technical effect'; they are just not patentable in and of themselves. Where they form part of platforms and applications that solve specific technical problems, then the success of a patent application improves significantly. In summary, a combination of copyright and patent protection should provide a good basis for protecting investment in artificial intelligence and machine learning in the UK.

Artificial intelligence is, of course, inextricably linked with the data it consumes and the financial services industry generates vast amounts of data. The data itself comes with a set of intellectual property protections – mostly confidentiality, sometimes copyright and, potentially, the sui generis database right.25 For example, look-up tables (databases accessed by software routines) are potentially protected by copyright in the structure of the database and by the sui generis database right protecting the extraction and reutilisation of the data contained in the database (provided the owner can show substantial investment in obtaining the data).

The database right is a powerful right, and while the protection ostensibly lasts for 15 years, each time substantial investment is expended in obtaining, verifying or presenting the contents of the database, a new database is likely deemed created and thus a rolling protection obtained.26 There has been some debate as to whether aggregations of data – for example, sensor or machine-generated data – can fulfil the 'substantial investment in obtaining' requirement of the database right. The debate continues as to where the threshold of effort lies.

Irrespective of whether or not the contents of a database are protected by confidentiality or database rights, both can provide limitless protection. Because big data is becoming such an integral part of any business dealings, the UK competition authorities are sure to consider moves to counteract potentially monopolistic effects of vast datasets being controlled by relatively few market players.

Turning to blockchain technologies, similar issues are encountered: patent protection for spreadsheets is not available, and there will need to be some actual technical effect, similar to software-enabled inventions. Copyright is the most common form of protection for blockchain, both proprietary and open-source. The basic building blocks of many blockchain technologies are open-source software codes, but those building on top of the originating technologies may want to protect their inventions through more commercial protections, such as more restrictive copyright and patent licensing.

The UK's departure from the EU has some implications for intellectual property protection in the UK and it is worth commenting on how the main types of protection relevant to fintech are affected. The European Patent Convention is not directly linked to the European Union, so European patents should not be affected by Brexit. By contrast, European Union trade marks that cover the UK are linked to membership of the European Union and from January 2021 will cease to provide protection in the UK. Instead, from 1 January 2021, the UK's Intellectual Property Office (UKIPO) has created a comparable UK registered trade mark for every registered EU trade mark, with the same legal status as a UK registered trade mark so no trade mark rights will be lost. A similar approach has been implemented for international trademarks designating the EU.

As for the sui generis database right, since leaving the EU the reciprocal recognition for new database rights between the EU and the UK has ceased. However, the UK and the EU agreed to continue the reciprocal recognition where those rights had already been awarded (i.e., UK databases created before 1 January 2021 will continue to be protected in the EU and vice versa).27

ii Data protection

The provisions in the General Data Protection Regulation (GDPR) relating to the processing of personal data (now re-named the EU GDPR) have been merged with the UK version of the GDPR (the Data Protection Act 2018) to become the UK GDPR. The UK is one of the most connected countries in the world, and, post Brexit, the maintenance of dataflows between the UK and the EU is an obvious priority. The UK has sought to obtain an 'adequacy' decision from the European Commission as part of the future trading relationship. As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as the bridge). On 19 February 2021, the European Commission published a draft decision on the UK's adequacy under the EU GDPR which found the UK to be adequate. The draft decision will now be considered by the European Data Protection Board, among others. If the decision is approved, the EU can formally adopt it as a legal adequacy decision. If approved, most of the data protection rules affecting fintechs prior to Brexit will stay the same.

If, however, the decision is not approved, at the end of the bridge, the UK will become a third country as far as EU dataflows are concerned, and companies will have to put in place more cumbersome compliance mechanisms to govern these, such as binding corporate rules, EU standard contractual clauses (SCCs) or other approved arrangements. The recent Schrems II decisions will also apply to transfers from the EU to the UK and vice versa. This decision requires that you make an assessment as to whether those SCCs provide protection that is 'essentially equivalent' to the protections in the UK data protection regime, and if necessary, put in place additional measures.28

In the same way as for intellectual property, financial services technologies also test the existing legal framework around data protection, despite the GDPR being of very recent provenance.

The UK Information Commissioner's technology priorities for 2020 include establishing good practice in artificial intelligence and supporting digitalisation, both highly pertinent to technologies within the financial services sector.

AI and big data analytics again poses difficulties for data protection law. Difficulties include: (1) running large numbers of algorithms against vast datasets to find correlations; (2) the opacity of the processing; (3) the tendency to collect 'all the data'; (4) the repurposing of data and the use of new types of data; not to mention (5) the hurdles of distinguishing between data controllers and data processors and obtaining access to sufficient training data. Clearly, all of these activities have implications for data protection.29

The Information Commissioner's Office is reaching out to partners as part of its Technology Strategy to better understand these technologies, and has established a regulatory sandbox, drawing on the successful sandbox process that the FCA has developed. From a fintech perspective, one of the themes of interest in the 2020 ICO sandbox is data sharing, looking at projects where there is genuine uncertainty about what compliance looks like and aiming to show that data protection law is not a barrier to proportionate sharing of personal data. More generally, the ICO sandbox is expected to enable organisations to develop innovative digital products and services, while engaging with the regulator, who will provide advice on mitigating risks and data protection by design.30

New blockchain technology also poses data protection challenges. There has been significant debate as to whether or not the hashed information contained on the blockchain could be considered personal information and, if it is, how the GDPR can be reconciled with the benefits of the blockchain being an immutable source of the truth without the need for trusted intermediaries. This question has yet to be resolved.

In addition to the GDPR, PSD2 includes a number of specific rules concerning the processing of personal data. For example, PSD2 provides for 'explicit consent' raising the question of whether this constrained the use of the various other bases for processing set out in the GDPR. The European Data Protection Board has clarified that it did not. 'Explicit consent' referred to in PSD2 is a contractual consent that is an additional requirement of a contractual nature. Payment services are always provided on a contractual basis between payment service user and payment service. There still needed to be a requisite basis for processing the data under the GDPR; for example, processing necessary for the performance of a contract to which the data subject is party.

Where the financial sector is undergoing huge digital transformation in readiness for the 'smart' world, data is itself a building block of modern living; an extremely valuable economic asset provided its flow can be properly controlled and harnessed.31 To this end, Data Trusts are a recent development, enabling sensitive commercial data (whether commercially confidential or personal or both) to be shared between multiple parties. In additional to the ICO's Data Sharing Code published in December 2020 and its sandbox initiatives, the UK's Open Data Institute is pioneering standards for the data stewardship and sharing, to build trustworthy data ecosystems, maximising the societal and economic value of sharing data, while limiting and mitigating potential harms.