When the technology is out there to enable you to know more about your customer than your competitors, how do you harness the tides of the Big Data ocean for competitive advantage?
Over the past twenty years, the leading edge in IT has moved on from hardware and software to the data they process. As Big Data sets have grown exponentially in size, they have until recently outstripped the organisation’s ability to harness their power – the software, knowledge discovery and best practices tools necessary to get the most from the data. That’s changing quickly as the enterprise gets to grips with its data assets and, looking over its shoulder at the competition, where it needs to get to.
The legal analysis and the legal team each have central roles in Big Data projects. In this Part I of our two-part blog on the legal aspects of Big Data, we’ll be outlining how the legal analysis of data maps out in terms of rights and obligations. Part II then applies this analysis to the legal team’s role in Big Data projects.
The legal analytical model for Big Data has data rights and duties sandwiched between the ‘legals’ of hardware and software infrastructure and data architecture (software licensing, etc), and the operational aspects of data management and security (see diagram).
The start point for the analysis is that data is funny stuff in legal terms. There are no rights in data – you can’t steal it, and a recent case has confirmed that you can’t hold a lien (a right entitling you to keep possession) over someone else’s database. However, extensive rights and obligations arise in relation to data, and the distinction is worth bearing in mind. These rights and duties arise through intellectual property (IP) rights, contract and regulation, and they are important: breach (even if inadvertent) can give rise to extensive damages and other remedies (IP rights and contract) and fines and other sanctions (breach of regulatory duty).
IP rights. The main IP rights in relation to data are copyright, database right and confidentiality. Copyright is a formal remedy that does what it says on the tin and stops unauthorised copying. It’s of limited value where there are many ways of expressing the same thing, but where, as in the Big Data world, common message formats, interfaces, protocols and other standards prescribe that data has to be in a set form, copyright can be much more valuable.
Database right – another formal right protecting the investment in compilations of data – has effectively had its teeth drawn as a powerful right by a number of judgments from the European Court of Justice in Luxembourg. Since copyright and database right protect expression and form rather than the substance of information, this means that confidentiality duties about the substance of data that is not in the public domain (remember the old maxim, ‘equity will intervene to enforce a confidence’) can, somewhat oddly, sometimes confer the most valuable IP-type right.
IP rights in relation to data are of uncertain scope at the moment, and the law in this area is likely to develop in the coming years: historically, the development of IP rights has followed the money, and as the value of Big Data rises, so likely will the IP rights underpinning it.
If the bad news about IP rights in data is that they are uncertain, the good news is that they are rights ‘in rem’ – enforceable against the whole world, not depending on a pre-existing relationship.
Contract. The converse is true for contractual rights in relation to data. Contract law confers strong, enforceable rights and imposes strong, enforceable obligations. Financial market data is a global $25bn industry that has grown up on the basis of an ecosystem that licenses and restricts data use and allocates risk around it almost entirely through contract. There’s a great quote from a 2005 case in the UK supporting the value of contract rights over data where the judge said that a data supplier:
“is entitled in principle to impose a charge for use of its data by users whether or not it has IP rights in respect of that data”.
If the god news is that data contracts are strong, the bad news is that they operate ‘in personam’ – unlike IP rights, they don’t bind someone who isn’t a party to the contract concerned. (A bit confusingly, contract can impose IP right-type duties under a contractual wrapper, so you need to consider the two things, contract IP and IP proper, separately).
Regulation. The third area is regulation, where the law is derived from statute. Data protection – conferring rights and imposing obligations on the processing of personal data – is the most important, but by no means the only aspect of data regulation. The EU competition authorities have over the last five years been getting much more interested in business patterns, licensing and contracting for data in a number of sectors, particularly financial market data.
Data regulation is also deepening in many sectors. This isn’t necessarily a new thing – the rules on the confidentiality of client information and privilege have been cornerstones of the legal profession for generations. The computerisation of data has, however, changed the picture fundamentally. So you have extensive rules developing about how digital personal data can be dealt with in sectors like healthcare (aggregating anonymised clinical outcome patient data for example) and air travel (like PNR – passenger name record – data about an airline customer’s itinerary).
Again, it’s in the financial services sector and the vastly expanded rulebooks now emerging after the 2008 financial crisis where data regulation is pushing the envelope. Here, the rules about disclosing to the market and reporting to the regulator price data about equities trades that were introduced by MiFID I in 2007 are about to be extended by MiFID II to trading in most other financial instrument asset classes in a far reaching reform of financial trading.
These developments mean that ‘data law’ is emerging as a new area in its own right around IP rights, contract and regulation. Data law is set to grow quickly in the Big Data era as the legal analytical underpinning for Big Data projects, which Part II of this blog now moves on to consider from the legal group’s perspective.
 Etherton J in Attheraces Ltd & Another v The British Horse Racing Board  EWHC 3015 (Ch) – http://www.bailii.org/ew/cases/EWHC/Ch/2005/3015.html