Building on our introductory discussion of data analytics and use restrictions from last week, in this post, we describe in more detail some potential restrictions, under applicable law and contracts, of a company’s ability to use data for analysis purposes.
- Third-Party Terms. If a company plans to use data owned or sublicensed by a third party, or jointly owned by the company and a third party, for analysis purposes, the applicable license, services, or other agreement should be reviewed because it may control the company’s use rights with respect to the data. The company should confirm that it has the necessary rights to use the data and, if applicable, whether the third party that owns or licenses the data has the right to grant such a license. If the company’s right to use the data is unclear in any way, it should obtain consents to such use from the owning or controlling party or parties. Companies should also consider seeking from the third party that owns or licenses the data an indemnity against third-party claims that arise from any failure to have such necessary rights to use the data.
- Applicable Laws. Particularly with respect to personal information, some states and countries have enacted laws that regulate companies’ data use. Perhaps the best known example is the European Union, which imposes the following central requirements with respect to individuals’ data:
- Personal data must be collected only for “specified, explicit, and legitimate” purposes.
- Personal data must not be further processed in a way that is “incompatible” with such specified purposes.
The nuances of both of these central principles have been a matter of significant interpretation and fact-specific analysis. However, the key concern for data analytics is that, as the relationship between the purpose of the analysis and the purpose for which the data was originally disclosed becomes more tenuous, the less likely the processing will be permitted under the law.