Data can be many things to many people. The versatility of data is why it is so valuable, particularly in the age of 'big data' where enormous datasets are revolutionising the development of technology in virtually every field. However, the versatility of data also explains why protecting property rights subsisting in it presents a serious challenge.
No one can truly own a piece of data, the only thing that can be possessed is an aggregation or collection of such data, provided there has been a relevant investment in carrying out that aggregation or collection. In this article we will consider the types of intellectual property rights that can be utilised to protect collections of data and the individuals' rights in personal data that are beginning to present a challenge for commercial exploiters of data.
The same data can be exploited by different parties in totally different ways and, done properly this can be achieved without diminishing the value of data for any of its beneficiaries. We now live in a world in which more data is being generated and captured than ever before and with the growth of the Internet of Things - computing devices embedded in everyday objects, enabling them to send and receive data - the scale of this data explosion grows exponentially year on year.
Copyright and Database right
Until 1997 and the implementation of the EU Directive 96/9/EC on the legal protection of databases (the Database Directive) through UK national Regulations (The Copyright and Rights in Databases Regulations), datasets could only be protected in the UK as works enjoying literary copyright. To qualify for copyright protection there was a requirement of originality but it was not a challenge to meet; the requirement was for sufficient skill, judgment or labour to be expended by the author of the compilation to make it his own work. Data concerning the entrants in a greyhound race was held to attract copyright protection (BAGS v Wilf Gilbert (Staffordshire) Ltd) under this test in 1994.
The protection offered by copyright may still cover the structure of a database or the work as a compilation but, for qualifying datasets, it is now supplemented by a standalone database right created by the Database Directive. There will be a database right if three criteria are satisfied:
- there has to be a "database". This is a collection of independent data, arranged in a systematic or methodical way in which pieces of data are individually accessible. The key point here is that the data must be collected in an orderly way to allow for retrieval of specific data points. This will ordinarily be the case where there is capture, transfer and analysis of data. However, if this is all happening in real time without the data ever being "collected" into a fixed base, there is unlikely to be a database;
- there has been substantial investment in the obtaining, verification or presentation of the data. Obtaining and presenting will be most relevant here – there must be investment in the seeking out and collection of the data and/or in their arrangement and organisation. With so much data being captured by connected devices, the opportunity for substantial investment in collecting and/or arranging them is obvious; and
- the maker of the database (or one or more of them if it was made jointly) has to have a substantial economic and business connection with an EEA state. This may catch out many overseas entities. For example, the maker would have to be: (i) incorporated in an EEA state and have its central administration or principal place of business within the EEA; or (ii) have its registered office in the EEA with its operations being linked on an ongoing basis with the economy of an EEA state.
Who owns the rights?
If the criteria to establish a qualifying database are satisfied, the "maker" will be the first owner of the database right. In a data chain that has a number of players all coming into contact with the data in some way (and no doubt wanting to exploit it), identifying the maker will likely be the most difficult task. The maker will be the entity who:
- takes the initiative in obtaining, verifying or presenting the contents of the database; and
- assumes the risk of investing in that obtaining, verifying or presenting.
This requires an assessment of who is doing what in the process and who is ultimately economically and commercially responsible for it happening. The entity actually engaged in the collecting or the presenting may not be the "maker", particularly where someone else has brought that entity in to provide a service. Subcontractors, for example, are explicitly excluded from the definition of maker. The entity who made the commercial decision to collect the data and made the investment in carrying it out will be the maker. This suggests that entities towards the top of the chain are more likely to be the maker. To complicate matters further, more than one entity may take the initiative or assume the risk and, if so, they will jointly own the database right.
There is potentially enormous value that can be generated from exploiting data aggregations, for example, by producing market intelligence, targeting ads or simply by better predicting the wants or needs of individuals based on the trends in the data. In addition, with that potential comes a need to identify who is able to exploit it and, more importantly, who can stop others from exploiting it. Identifying who in that chain owns the aggregation of the data will, therefore, be crucial in determining who has the economic rights to the aggregation.
Of course, like all intellectual property rights, the ownership of database right can be allocated in contract. Given the overlapping responsibilities and roles of those in the data chain, it will be important to put in place appropriate ownership provisions in the relevant agreements. Where ownership has not been appropriately provided for, we can expect to see significant disputes between those involved, given the potential value in data captured from the IoT. The ability of database owners to rely upon database right in resolving these disputes is debatable, however, so clear contractual provisions are more important than ever.
The aim of the Database Directive was to encourage the creation of more databases within the EU. In 2005 the European Commission published a report which identified serious flaws in the provisions of the Database Directive and concluded that it had failed in its objective. The report proposed various ways of remedying the situation (including getting rid of the database right altogether) but the Commission did not act upon any of the proposals.
Although infringement of database right is often pleaded alongside other causes of action in data breach cases (often along with breach of confidence or misuse of confidential information claims) it is not an easy right to defend and. as a result. it has proven to be of limited use to database owners. It remains to be seen whether the UK government will take advantage of the opportunity afforded by Brexit to significantly reform the protection given to databases.
Personal data and portability
There has long been an inherent tension between the rights of individuals in their own data and the rights of those compiling databases including that personal information. The right of Data Subject Access (through s.7 of the Data Protection Act in the UK) means that individuals are entitled to know what personal data relating to them a data controller holds and, ordinarily, to receive a copy of that data. Although this process can be disruptive to business, it rarely poses a threat to the integrity of the database or the rights of the data controller. However, with the forthcoming General Data Protection Regulation into which will be enshrined a right to data portability, the tension between personal data rights and the interests of database owners become clearer.
The right to data portability means that data subjects will have a new, express right to obtain a copy of their personal data from the data controller in a commonly used and machine-readable format and have the right to transmit those data to another controller (for example, an online service provider). In exercising their right, the data subject can request the information be transmitted directly from one controller to another, where this is technically feasible (although that will not always entail the original data controller having to delete the data). This move to greater rights over personal data for individuals is mirrored by a trend for greater rights to content for consumers.
On 7 February 2017, The Council, European Parliament (EP) and European Commission negotiators reached an informal agreement on the text of the Commission's proposal for a Regulation on the portability of online content services in the EU. This means that there should be fewer barriers to cross-border portability of content, so that consumers can also access online content that they have subscribed to or bought in their own Member State when they are temporarily present in another Member State. Although audio visual content is, of course, technically very different to personal data in databases, the move to create cross-border access rights in subscribed-for content is indicative of a general move to expand individuals' entitlement to access information in which they have an interest.
The move in public policy towards greater transparency and individual rights of access at a time when data is becoming increasingly valuable to those who can collect and control it, is one of the many challenges faced by data aggregators. Uncertainty around the future of database right in light of Brexit is another. Database owners must take all contractual and practical steps possible to clarify, secure and protect their interests whilst accepting that in the future not all data can be secured.