updated on 13 March 2018
Question: Can intangible property rights (IPRs) and rights in personal data exist in harmony?
Data can be many things to many people. The versatility of data is why it is so valuable, particularly in the age of 'big data' where enormous datasets are revolutionising the development of technology in virtually every field. However, the versatility of data also explains why protecting property rights subsisting in it presents a serious challenge.
No one can truly own a piece of data; the only thing that can be possessed is an aggregation or collection of such data, provided there has been a relevant investment in carrying out that aggregation or collection. In this article we will consider the types of intellectual property rights that can be utilised to protect collections of data and the individuals' rights in personal data that are beginning to present a challenge for commercial exploiters of data.
The same data can be exploited by different parties in totally different ways and, done properly, this can be achieved without diminishing the value of data for any of its beneficiaries. We now live in a world in which more data is being generated and captured than ever before and with the growth of the Internet of Things - computing devices embedded in everyday objects, enabling them to send and receive data - the scale of this data explosion grows exponentially year on year.
Until 1997 and the implementation of the EU directive on the legal protection of databases (the Database Directive) through UK national regulations (The Copyright and Rights in Databases Regulations), datasets could only be protected in the United Kingdom as works enjoying literary copyright. To qualify for copyright protection there was a requirement of originality, but it was not a challenge to meet; the requirement was for sufficient skill, judgment or labour to be expended by the author of the compilation to make it his own work. Data concerning the entrants in a greyhound race was held to attract copyright protection under this test in 1994 (see BAGS v Wilf Gilbert (Staffordshire) Ltd).
The protection offered by copyright may still cover the structure of a database or the work as a compilation, but for qualifying datasets it is now supplemented by a standalone database right created by the Database Directive. There will be a database right if three criteria are satisfied:
If the criteria to establish a qualifying database are satisfied, the "maker" will be the first owner of the database right. In a data chain that has a number of players all coming into contact with the data in some way (and no doubt wanting to exploit it), identifying the maker will likely be the most difficult task. The maker will be the entity who:
This requires an assessment of who is doing what in the process and who is ultimately economically and commercially responsible for it happening. The entity actually engaged in the collecting or the presenting may not be the "maker", particularly where someone else has brought that entity in to provide a service. Subcontractors, for example, are explicitly excluded from the definition of maker. The entity who made the commercial decision to collect the data and made the investment in carrying it out will be the maker. This suggests that entities toward the top of the chain are more likely to be the maker. To complicate matters further, more than one entity may take the initiative or assume the risk and, if so, they will jointly own the database right.
There is potentially enormous value that can be generated from exploiting data aggregations, for example, by producing market intelligence, targeting ads or simply by better predicting the wants or needs of individuals based on the trends in the data. In addition, with that potential comes a need to identify who is able to exploit it and, more importantly, who can stop others from exploiting it. Identifying who in that chain owns the aggregation of the data will, therefore, be crucial in determining who has the economic rights to the aggregation.
Of course, like all intellectual property rights, the ownership of database right can be allocated in contract. Given the overlapping responsibilities and roles of those in the data chain, it will be important to put in place appropriate ownership provisions in the relevant agreements. Where ownership has not been appropriately provided for, we can expect to see significant disputes between those involved, given the potential value in data captured from the Internet of Things. However, the ability of database owners to rely upon database right in resolving these disputes is debatable, so clear contractual provisions are more important than ever.
The aim of the Database Directive was to encourage the creation of more databases within the European Union. In 2005 the European Commission published a report which identified serious flaws in the provisions of the Database Directive and concluded that it had failed in its objective. The report proposed various ways of remedying the situation (including getting rid of the database right altogether), but the Commission did not act upon any of the proposals.
Although infringement of database right is often pleaded alongside other causes of action in data breach cases (often along with breach of confidence or misuse of confidential information claims), it is not an easy right to defend and, as a result, it has proven to be of limited use to database owners. It remains to be seen whether the UK government will take advantage of the opportunity afforded by Brexit to significantly reform the protection given to databases.
There has long been an inherent tension between the rights of individuals in their own data and the rights of those compiling databases which include that personal information. The right of data subject access (through the Data Protection Act in the United Kingdom) means that individuals are entitled to know what personal data relating to them a data controller holds and, ordinarily, to receive a copy of that data. Although this process can be disruptive to business, it rarely poses a threat to the integrity of the database or the rights of the data controller. However, with the forthcoming General Data Protection Regulation, which will enshrine a right to data portability, the tension between personal data rights and the interests of database owners becomes clearer.
The right to data portability means that data subjects will have a new, express right to obtain a copy of their personal data from the data controller in a commonly used and machine-readable format, and have the right to transmit that data to another controller (for example, an online service provider). In exercising their right, the data subject can request that the information be transmitted directly from one controller to another, where this is technically feasible (although that will not always entail the original data controller having to delete the data). This move to greater rights over personal data for individuals is mirrored by a trend for greater rights to content for consumers.
On 7 February 2017 the Council, European Parliament and European Commission negotiators reached an informal agreement on the text of the Commission's proposal for a regulation on the portability of online content services in the European Union. This means that there should be fewer barriers to cross-border portability of content so that consumers can also access online content that they have subscribed to or bought in their own member state when they are temporarily present in another member state. Although audio-visual content is, of course, technically very different to personal data in databases, the move to create cross-border access rights in subscribed-for content is indicative of a general move to expand individuals' entitlement to access information in which they have an interest.
The move in public policy toward greater transparency and individual rights of access, at a time when data is becoming increasingly valuable to those who can collect and control it, is one of the many challenges faced by data aggregators. Uncertainty around the future of database right in light of Brexit is another. Database owners must take all contractual and practical steps possible to clarify, secure and protect their interests while accepting that in the future, not all data can be secured.
Jo Joyce is an associate in the IP and media team at Taylor Wessing. She is based at the firm’s London office.