Data is the oil of the digital economy – whether it’s personal data or other sorts of data.
Following the advent of the General Data Protection Regulation in May last year, people are far more aware of their data protection and privacy rights.
As a result, businesses are rightfully taking data protection far more seriously.
The growth of the Internet of Things – connected cars, home devices and sensors, for example – will only drive up data generation and new 5G mobile networks will help facilitate this.
The protection of personal data is increasingly well understood and applied. However, vast amounts of data now being generated isn’t personal. One of the things lawyers are debating more frequently is whether data (whether personal or non-personal) can be “owned” – is it a form of property?
This question has enormous economic importance and is a separate issue from data protection law, which is rooted in protecting certain fundamental human rights concerning data rather than property rights.
All businesses will be generating and processing data. This data will have considerable value – it may give your business a competitive edge or be a vital business asset. So how do you protect it?
In English law, the legal protection of data is fragmentary and complex. First, it’s generally understood there is no such thing as “property” in information. So, for example, an electronic database of information cannot be said to be property in the way that the IT server on which it sits is property.
The law says that you need to distinguish between the information/data itself (in which there is no right of property), the physical medium where it is recorded (which is tangible property – it can be exclusively “owned” and “possessed”) and the intangible intellectual property rights (copyright, database right and rights in confidential information) that may nevertheless still protect the information.
The EU has been thinking about a new legal right that would protect data – a “data producer’s right” – but such a right is a long way off. Because of the uncertainty surrounding how the law protects data, contracts are often used to deal with the matter even though the legal basis for the protection of the data may be unclear.
Every so often, the courts will explore how data is protected. One recent case decided in May this year concerned rights to horse racing data. Here the data owners tried to rely on a bundle of legal rights they claimed in their data, including:
- Breach of copyright (here the data would need to be an “original” copyright work – a literary work in this case)
- Breach of database right (where there was an investment in creating and maintaining a protected database)
- Breach of confidence (the law of confidence protected the data; the argument was that the data was commercially valuable, and the racecourse owners imposed restrictions on its use, including on those attending the races concerned. It was argued it should be treated as confidential by those who had access to it)
At trial, the claimants or data “owners” failed in all their claims apart from in relation to breach of confidence. Here the court held the pre-race data was commercially valuable, and as the claimants had sought to prevent its distribution off-course they were entitled to protect it – even though the information was potentially publicly available.
What is also interesting is that the court rejected any argument that the relevant data was protected by copyright, deeming it was not “original” enough as an algorithm generated it by “pure routine work”.
They found that compiling the data didn’t involve sufficient skill, labour and judgment to merit copyright protection. As for database right, the use made of the data did not amount to database right infringement.
The case illustrates the challenges that can arise in protecting data. The data “owners” here had to make several arguments only one of which – breach of confidence – succeeded at trial.
However, the case isn’t the last word on the subject – as always cases are fact-dependent, and businesses need to have policies and procedures in place to protect their data.
Obvious areas to focus on are:
- Using the law of confidence where possible by ensuring you have a trade secret policy identifying valuable data you wish to protect and putting steps in place to document it, protect it and keep it confidential. In practice, you can achieve this by limiting access only to those bound by confidentiality restrictions, whether in employment or consultancy contracts or NDAs. Using robust physical and electronic security to keep it confidential is also crucial.
- Ensuring where possible database right and copyright are available through keeping records of how your data and databases are created and maintained. Also, consider reviewing your contracts with creators and database developers to ensure you own the IP rights.
- Where you provide access to your data to others, use appropriately protective contracts to do so and think through whether you can claim rights to what is done with your data.