This article is written by Janhavi Sitaram Dudam who is pursuing a Diploma in Intellectual Property, Media and Entertainment Laws from LawSikho.

Introduction

The rise of the data economy has sparked a growing debate about data rights, which include both intellectual property and privacy issues. It’s crucial to get the debate about data and IP rights, because regimes that move too far toward granting data rights risk suffocating required data sharing, while regimes that lean too far the other way risk restricting incentives for data collection and innovation.

Recent technological advances, such as cheaper storage, faster processing, better algorithms, improved data sensors, and more reliable communication networks, have made collecting, storing, analysing, using, and disseminating data simpler and less costly. For example, GE and Siemens are developing services to collect and analyse data from the machinery they sell. To develop its “Watson Health analytics service”, IBM is combining data from electronic health records, medical imaging, claims, and genetics. Automobile manufacturers use data from connected vehicles to develop their vehicles. Whole sectors, such as health care, agriculture, and consumer goods, are gradually moving toward collecting increasingly large volumes of data about their consumers and products.

A simpler way to describe Data is that it is like some other form of creative development, such as technological innovations or creative material. Both are non-rivalrous (multiple people can use the same “recipe” for an invention) and can be excludable, as inventions and original content are protected by patents or copyrights.

However, unlike an innovation, this framing does not quite work for the simple reason that, while most data are useful, most of it is obvious and not novel. Furthermore, the reason why inventions are patented, and original work is covered by copyright is that both must be introduced out into the world through markets to be useful. Inventions and creative works would be more easily copied if they were not protected by law.

The General Data Protection Regulation (the “GDPR”) came into force on May 25, 2018, in all Member States of the European Union (“EU”), replacing Directive 95/46/CE (“the Directive”). According to the Charter of Fundamental Rights of the European Union (“EU”), “everyone has the right to the protection of personal data concerning him or her.” Under the Charter, intellectual property is also secured as fundamental rights as is freedom of speech. These rights can sometimes overlap.

Inter-relation between IP, Personal Data, and GDPR

Do companies have intellectual property rights to raw data rather than databases, and if so, to what extent and by what means? Patents, copyrights, and trade secrets are the three primary ways that businesses protect their intellectual property.

Since data—at least most raw data—is almost always obvious and not novel, patents are not an effective method. For example, according to U.K. attorney Jo Joyce, “[in Europe] raw machine-generated data are not secured by established intellectual property rights because they are considered not to be the output of an intellectual effort and/or have any degree of originality,”

Furthermore, like genes, at least some data is a “natural product.” Since DNA is a natural product, the United States Supreme Court ruled that genes themselves cannot be patented. The Court decided that DNA manipulated in a lab may be liable for a patent because the DNA sequences are produced by humans and not found in nature. (Molecular Pathology v. Myriad Genetics, Inc.,)

So, what about data that is not present in nature but was created by humans? A computer that creates data about its own operations is, in certain ways, generating data that is not present in nature. However, as previously said, the data may be novel, but it may also be obvious in the sense that it requires little effort to obtain. Furthermore, as Hilty argued, “the introduction of legal exclusivity can have unintended, unstable consequences; rather than promoting the digital economy, such business models may be hampered.” To summarise, it makes little sense to establish a patent right to most data.

Copyright is not the best way to secure IP for most data—at least for data that did not require much creativity to create. Copyright protection is necessary for digital content that requires creativity, such as an ebook, a digital file of a photograph, or an MP3 music file. But this is not that bits should be copyrighted in and of themselves; rather, it’s the mixture of bits that represents creative work.

Many types of data, particularly information that organizations produce on their own or put a lot of effort into curating, come closest to being protected by trade secrets. It is not illegal for a company to have the same data as another company if the information was obtained or generated by the company itself and not taken from the other. Some claim that trade secrets are a vague concept because some data isn’t always kept secret—even when companies don’t want others to use it. The argument isn’t that the data is secret; rather, the data’s “owner” wants to restrict its use. Nonetheless, this is the most comprehensive approach to data security.

Furthermore, much as in the case of copyrights, this does not prohibit the use of contracts to secure a company’s data rights if it shares its data with others. “Of course, contractual agreements between designated parties may be drafted to rule on the licensee’s permitted use of data,” Peter Bittner wrote.

Although trade-secret security is an important safeguard for an organization’s data, there is also a shield provided by computer hacking laws. Data is at risk from cyberattacks even more than conventional trade secrets. Even if an organization keeps its data confidential, the confidentiality is shattered if outsiders gain access to its computer system and steal it. As a result, tougher penalties for hacking and stricter enforcement of computer anti-hacking and trespassing laws would help to boost stronger incentives for data collection.

This isn’t a problem of balancing data collection and management with incentives for innovation resulting from wider data use. It is an issue of balancing individual civil liberties with the public interest in national security or crime prevention.

In an increasingly digital economy, courts and legislatures will need to amend rules and laws to accommodate emerging technological applications, such as cloud storage of personal data and the proliferation of connected cars with location-tracking features. So, let’s discuss what are the rules which protect IP about personal data.

Rules under GDPR that offer protection to these IPs which are considered under personal data

The General Data Protection Regulation (GDPR) is the world’s most stringent privacy and security statute. Even though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere that target or collect data about EU citizens. On May 25, 2018, the regulation came into effect.

With the GDPR, Europe sends a strong message about data privacy and protection at a time when more people are entrusting their personal data to cloud providers and data breaches are becoming more common. GDPR enforcement is a challenging prospect, especially for small and medium-sized businesses, since the legislation is broad, far-reaching, and fairly light on specifics.

First, even though you are not in the EU, the GDPR applies to you if you process the personal data of EU citizens or residents, or if you provide goods or services to them.

Second, the penalties for violating the GDPR are extremely high. There are two levels of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages.

Definitions 

1. Personal data – Personal data is any information that can be used to identify a person, either directly or indirectly. Personal data can include things like names, email addresses, race, gender, biometric data, religious views, web cookies, and political opinions. Pseudonymous data can also be used if it’s pretty straightforward to identify someone from it.
2. Data processing– Any data-related activity, whether automatic or manual. Collecting, recording, arranging, structuring, storing, using, erasing… are some of the examples provided in the document.
3. Data subject- The individual whose data is being processed. For example, your customers or site visitors.
4. Data controller– The person who determines whether and how personal data will be processed. For example, this is you, if you are an owner or employee in your company who handles data.
5. Data processor – A third party who works on behalf of a data controller to process personal data. Special rules apply to these persons and organizations under the GDPR.

Data protection principles

If you process data, you must follow the seven principles of data protection and accountability outlined in Article 5.1-2:

1. Lawful, fairness, and transparency- Processing must be legal, equitable, and open to the data subject.
2. Purpose limitation- Data processing must be limited to the legitimate purposes stated explicitly to the data subject when the data was obtained.
3. Data minimization – Only collect and process as much data as is absolutely required for the purposes specified.
4. Accuracy – Personal data must be always correct and up to date.
5. Storage limitation – You can only hold personally identifying data for as long as it is needed for the specific purpose.
6. Integrity and confidentiality – Processing must be carried out with the utmost security, integrity, and confidentiality (e.g., by using encryption).
7. Accountability- It is the responsibility of the data controller to show GDPR compliance with all of these principles.

Data Security

You must manage data safely by having in place “appropriate technical and organizational measures.”

Technical measures can range from requiring two-factor authentication on accounts that store personal data to contracting with cloud providers that use end-to-end encryption. Staff training, adding a data privacy policy to the employee handbook, or restricting access to personal data to only those staff in your company who need it are examples of organizational measures.

If there is a data breach, you must notify the data subjects within 72 hours or face fines. (If you use technical protections, such as encryption, to make data useless to an intruder, this notification requirement can be waived.)

Data protection by design and by default 

From now on, data protection must be considered in everything you do in your company “by design and default.” In practice, this means when you design any new product or activity, you must take data protection standards into account. Article 25 of the GDPR addresses this issue.

Consent 

In Art 7 of GDPR, there are specific new guidelines on what constitutes consent from a data subject to process their data such as consent must be freely given, specific, informed, and unambiguous, request for consent must be clearly distinguishable from other matters and communicated in clear and language and you must keep documentary evidence of consent and so on.

Individual’s privacy rights

Chapter 3 (Art 12 to 23) states the privacy rights of You’re a data processor and/or a data controller. However, as a user of the Internet, you are a data subject. The GDPR acknowledges plenty of new privacy protections for data subjects, intending to give people more power over the information they share with businesses. Businesses need to recognize these rights in order to comply with GDPR.

When you can process data

Article 6 specifies when it is permissible to process personal data. Don’t even consider touching someone’s personal data — don’t collect it, don’t store it, don’t sell it to advertisers — unless you have one of the following justifications:

1. You received clear, unambiguous consent to process the data from the data subject. (For example, they have signed up for your marketing email list.)
2. Processing is required to carry out or plan for the execution of the contract of which the data subject is a party. (For example, before leasing property to a prospective tenant, you must conduct a background check.)
3. You need to process it in order to fulfil a legal duty. (For example, suppose you get an order from the court in your jurisdiction.)
4. To save someone’s life, you must process the data.
5. Processing is required to complete a public interest task or to carry out an official operation.
6. When you have a valid reason to process another person’s personal information. This is the most flexible legal basis, but your interests are still trumped by the “fundamental rights and freedoms of the data subject,” particularly if it’s a child’s data.

Once you’ve determined the lawful basis for your data processing, you need to document this basis and notify the data subject. Further, we will discuss some of the GDPR obligations which conflict with IP rights, they are of particular concern to IP practitioners.

GDPR Obligations that conflict with IP rights

The Right of Access

The “right of access” is already established in EU law through the Directive. Individuals (referred to as “data subjects” in data protection jargon) have the right to request a copy of all personal data gathered about them under the right of access.

What kind of information are data subjects entitled to? A French journalist recently exercised her right of access and asked Tinder to give her all her data after using the dating app for a few years. 

Tinder “sent her 800 pages of her deepest, darkest secrets,” she explained in a Guardian post but declined to send her details about how her matches were personalized using her information.

“Their matching tools are a central part of their technology and intellectual property, and they are essentially unable to share details about their proprietary tools,” they argued. We do not know how a judge would respond to this appeal because the journalist did not consider taking it to court, but Tinder’s objection may have a legal basis.

As a derogation to exercising the right of access, GDPR stipulates that “it does not adversely affect the rights or freedoms of others,” including trade secrets and intellectual property rights, particularly in the context of software. These considerations will restrict the information available to a data issue, but they will not explain a refusal to provide any information, as in the Tinder example.

The Right to Portability

Before the GDPR, there was no such thing as a right to portability. It is primarily intended to assist data subjects in switching from one provider to another. Data subjects have the right to receive their personal information in a standardized, widely used, and machine-readable format that they can share with others.

The right to portability brings concerns for those who believe that supplying personal data in a “reusable way for future competitors” will be a violation of their IP rights or, at the very least, disclosure of their know-how. The GDPR stipulates that the exercise of this right “does not adversely affect the rights and freedoms of others,” which includes IP rights, much as it does with the right of access.

In practice, it is important to remember that data portability only applies to the raw personal data given by the data subjects themselves, and not to data inferred or extracted from the raw data. This is significant because proprietary technology is primarily used after raw data has been obtained from data subjects in order to turn the raw data into more useful information.

Data Protection Requirements and Profiling

Owners and distributors of copyright-protected material on the Internet frequently have access to their customers’ personal information and the ability to track user activity, such as song or e-book downloads. These businesses may use this data for “profiling,” which entails using data to make a series of statistical deductions in order to analyse current behaviors and preferences and predict potential ones.

The European Data Protection Authorities do not like profiling, so IP practitioners should be aware of this. According to the Article 29 Working Party’s Guidelines (an advisory body on which representatives of the Data Protection Authorities of all Member States sit), “Present stereotypes and social segregation may be perpetuated by profiling. It can also confine an individual to their suggested preferences by placing them in a particular category. This can limit their freedom to choose specific goods or services, such as books, music, or news feeds. In certain cases, it can result in wrong predictions, denial of services and products, and unjustified discrimination.

Privacy

When it comes to enforcing IP rights, IP practitioners know that identifying infringers and the various actors involved in the distribution chain, particularly for goods sold on the internet, can be difficult. IP owners collect and process personal data while conducting investigations to detect suspected infringers. IP owners will gather user IP addresses and combine them with publicly accessible data when content is made available on peer-to-peer networks, for example (e.g., using Whois to identify a domain name registrant). They might also be able to gather information from third parties, such as internet service providers or banks, in some cases.

These circumstances raise the possibility of a conflict between the security of IP rights on the one side, and the protection of data on the other, which demands that data be processed only when adequate protections and accountability are in place.

Conclusion

Although it has been argued that privacy rights are not typical property rights, data protection law unquestionably serves a public/social purpose (i.e., the fair processing of personal data). As a result, EU Privacy Laws provide individual rights as well as legal requirements for processing personal data, such as the basic principle to obtain granular consents; rights to access and update data; the right to object to data processing for marketing purposes; data portability, and so on.

EU Privacy Laws, on the other hand, empowers data controllers to commercialize personal data. Data controllers have exploitation privileges in those data as long as all data security conditions are met (and they are subject to an accountability principle). As a result, being in control means having exclusive access to data, which can have competitive consequences. As a result, the complex ownership regime for data is created by data protection and intellectual property laws. 

References

• https://www.mondaq.com/unitedstates/copyright/667144/what-ip-practitioners-should-know-about-gdpr-and-personal-data-protection-in-europe
• https://gdpr.eu/what-is-gdpr/
• https://medlineplus.gov/genetics/understanding/testing/genepatents/

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: