FB
Uploaded byFrancesco Banterle
653 views

The interface between data protection and ip law

The document discusses the intersection of data protection and intellectual property (IP) law, focusing on trade secrets and database rights concerning personal data in marketing and big data analysis. It explains the legal frameworks, particularly the GDPR and EU privacy laws, that govern the processing of personal data for commercial purposes, emphasizing the importance of consent and transparency. Additionally, it raises questions about the ownership and economic value of personal data in the context of big data and cloud computing, highlighting the complexities and risks involved in data processing.

Embed presentation

Downloaded 24 times
Dr. Francesco Banterle MPI, Munich, 21 October 2016 The Interface between Data Protection and IP Law The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis
Data is the new oil The value of personal data has changed marketing strategies and business models based on data analysis Knowledge of customers’ interests allows companies to predict trends People usually get free digital services by ‘paying’ with their data Can sets of personal data collected for being commercially exploited be the subject matter of IP rights? Trade secrets Database sui generis right
Processing customers’ data for commercial purposes is allowed and regulated by EU privacy laws (GDPR and e-Privacy Directive) direct marketing processing data to send commercial offers profiling automated processing of personal data aimed at evaluating personal aspects of users’ personalities transfer to third parties assignment of customers’ data to third parties for their own marketing Consent as main legal basis - The GDPR sets out additional safeguards: mitigation of risks transparency control for data subjects (e.g. right to object)
Trade secrets trade secrets regime varies significantly at the EU level, different legal protection models: IP right v. unfair competition recently regulated by Directive (EU) 2016/943 - partial harmonization through a minimal standard of protection, exclusively against misappropriation (no property approach) Trade Secrets any information, including know-how and business information (i) that is secret; (ii) that has commercial value; and (iii) that has been subject to reasonable steps Business information may include information such as lists of clients/customers, internal datasets containing research data, or anything that may include personal data (see the Impact Assessment) Personal information relevancy The EDPS highlighted the relevance of personal data to the concept of trade secrets and considered lists of customer data as a type of business information
Secrecy • the information, as a body or in the precise configuration, must not be generally known or easily accessible in that particular field • relative concept rather than absolute Commercial value • either actual or potential, and may be present where its unlawful use is likely to harm the interest of the right holder • connected with significant utility to the holder, since creating this information requires an economic investment Reasonable steps • “reasonable” recalls a concept of proportionality - factual assessment on a case-by-case basis • internal (practical security measures) • logical (organisational aspects, such as functional division of information in separate areas with different or limited access criteria) • physical (restrict access to the information) • external (legal measures towards third parties) , e.g. NDA Trade secret requirements under the Directive and the Italian Case law
• a general duty of confidentiality is imposed by EU Privacy Laws on the data controller (Recital 39 of the GDPR)Secrecy • processing data for commercial purposes entails costs, in terms of IT infrastructures, human resources, and time investments (e.g., for collecting data subject consents). Therefore, the lawful acquisition of personal datasets and the consequential ability to exploit them constitute a precious asset Commercial value •personal data processing is a risky activity and the GDPR is increasing security standards for processing data: •performing a risk assessment; •security measures: •limiting access to personal data only to authorized employees (Article 29) (logical measures); •adopting passwords or further access restrictions (Recital 39) (physical measures) •segregating data processed for commercial purposes (logical measures) •adoption of privacy by design solutions and further security mechanisms against data leaks or intrusion, such as data encryption (physical measures) •execution of data processing agreements generally including confidentiality measures (external measures) Reasonable steps The particular nature of personal data processed for commercial purpose should play a role in assessing trade secret requirements
Database sui generis right The Database Directive sets out a wide definition of database •collection of independent works, data or other material arranged in a systematic or methodical way and individually accessible by electronic or other means •the nature of the data is irrelevant and can include any material such as tests, sounds, images, numbers, and data •contents shall be arranged in a systematic way, retrievable, and independent from each other The database right arises if there is a substantial investment in obtaining, verifying and presenting database contents •any type of investment, whether in terms of human, technical and financial resources, or expending time, effort and energy. The substantial investment can be in either obtaining, verifying or presenting the content The CJEU rejected the database right protection where the investment refers to the creation of data •the investment in obtaining the contents of the database must refer to the resources used to collect existing independent material into the database •creation/obtaining is similar to idea/expression dichotomy •it is often difficult to distinguish between creating and obtaining data
Database right on sets of customers’ personal data Personal data processed for commercial purposes appear to meet all requirements for database protection •lists of clients and behavioural profiles need to be systematically organized, as well as accessed and retrieved through data management software •customers’ data are independent and have autonomous commercial value Does the investment lie in the creation or collection of customers personal data? •data are not created but gathered from individuals •processing data for marketing requires collecting users’ consent and providing unsubscribe mechanisms, which are formalities connected to obtaining, verifying and updating data (see British Sky Broadcasting v. Digital Satellite Warranty Cover Limited [2011] EWHC) •only in profiling activities some uncertainties may arise, since data are automatically generated Creation v. collection of data in profiling activities •investment can be seen in efficiently collecting the data through analytics software; •the processing phase is essential; •a profiling system requires: •methodically updating the data according to customers’ behaviour (the GDPR warns that incorrect and out-dated profiling is dangerous); •presenting data to allow their exploitation; •update customers’ consent •therefore is the processing that creates valute and requires investment
The interface between data protection and IP Database and trade secret rights on sets of customers’ personal data can combine and give rise to a strong protection mechanism They are limited by the particular (personal) nature of the data and must coexist with privacy rights EU Privacy Laws set out individual rights as well as regulatory provisions •need to obtain granular consents •opt-out mechanisms; •right to access and update data and to object to the processing; data portability, etc. On the other hand, EU Privacy Laws allow data controllers to exploit personal data for commercial purposes – unauthorized use by third party can be sanctioned (public nature of privacy law) The position of control, connected to accountability in processing data, entails a sort of possession on data, which may also have competitive consequences Data protection and IP laws create a complex ownership regime on data
An example of the data ownership issue: big data and cloud-based systems Big data •method for collecting and re-aggregating data on a large scale •advanced profiling: can detect general trends and correlations in data, predict individual attitudes •part of big data is done anonymously (cluster customers into general behavioural categories), however is more effective if based on identified individuals •risk of becoming subject to automated decisions based on data analysis (so - called ‘dictatorship of data’) •even raw data hold value for the insights that can be extracted from them • ownership of information plays a central role Cloud • e.g., outsourced e-commerce platforms, also known as “Commerce-as- a-Service” solutions (CaaS) •the cloud provider is interested in making big data on the client’s users •on which grounds can the cloud client object to that processing? •if the client is not processing such raw data, are they protected? •In the absence of formal assignments in the cloud agreement, the answer may depend on : (i) Privacy aspects; (ii) IP aspects
Ownership of data in the big data context: Privacy aspects EU Privacy laws application? • do the user online details used for big data in the cloud (e.g., IP address, MAC address, mobile advertising identifiers), qualify as personal data? • an information is personal if it can identify - also indirectly - the data subject, considering the means likely reasonably at disposal of the data controller (or of third parties) • yes, in light of the increasing risk of identifying individuals, the GDPR now includes online identifiers in the definition of personal data (Article 4) Consequences: the data controller / data processor relationship • in the cloud context, the primary position of control is generally attributed to the cloud client (depending on contractual power), whereas the provider should act as a mere “data processor” (WP29 2012) • the provider is not legally entitled to process data for its autonomous purposes, and particularly to process the cloud client’s user data • this aspect affects the possibility to apply the grounds on which big data can be based (apart from consent): • secondary purpose principle (e.g. anonymization of data, or research and statistics exception) • legitimate interest
Ownership of data in the big data context: IP aspects Database sui generis right • broad protection (against any kind of extraction, even if indirect, re- utilisation of the extracted contents in a different form or in combination with different materials) • does the database right extend to raw data? • debated: Yes, (i) where the information is not available from other sources (ii) the processing does not transform the information collected • whilst the cloud platform could be the sole source for that data, big data has different processing methodologies • different outcomes > limiting database protection Trade secrets • require reasonable steps • in the absence of an access restriction mechanism, data are not protected • the outcome of big data analytics is generally stored in protected databases • raw data are automatically generated by the platform and cannot be hidden from the cloud provider • trade secret protection is not absolute, and it cannot prevent a third party from autonomously obtaining such information • necessary at least confidentiality provisions about raw data • in the absence of legal measures about raw data, the cloud provider could process them protection to «processed» data only
Is there a general ownership regime in case IP and privacy laws do not apply? Big data • stimulate needs to access data • even raw data can now have potential economic value Property in data? • challenges traditional concepts of civil law • Information has public nature • numerus clausus principle for property and IP rights • res incorporales not included in property rights Modern approach on data? • considering as «natural» the ownership of any utility produced by a private activity where it has economic value • data commoditization? Current ownership regime • Privacy law, IP rights, and contractual mechanisms give rise to a strong protection mechanism on data Towards a new ownership regime? • would require legislative initiative • the Commission has launched a new study • new rights to be carefully assessed • need to ensure open data in certain sectors (possible liability rule)
Thanks! fbanterle@gmail.com linkedin.com/in/francescobanterle

More Related Content

DOCX
DPIA template
byTommy Vandepitte
 
PPTX
The Privacy Advantage 2016 - Ruth Boardman
byKrowdthink
 
PPT
The Privacy Advantage 2016 - Wojciech Wiewiorowski
byKrowdthink
 
PPTX
3A – DATA PROTECTION: ADVICE
byCFG
 
PPTX
GDPR and evolving international privacy regulations
byUlf Mattsson
 
PDF
Data Protection Seminar_GDPR_ISOLAS_26-06-17
byMichael Adamberry
 
PDF
Mcis 2018 DEFeND Project
byDEFeND Project
 
PPTX
20180619 Controller-to-Processor agreements
byBrussels Legal Hackers
 
DPIA template
byTommy Vandepitte
 
The Privacy Advantage 2016 - Ruth Boardman
byKrowdthink
 
The Privacy Advantage 2016 - Wojciech Wiewiorowski
byKrowdthink
 
3A – DATA PROTECTION: ADVICE
byCFG
 
GDPR and evolving international privacy regulations
byUlf Mattsson
 
Data Protection Seminar_GDPR_ISOLAS_26-06-17
byMichael Adamberry
 
Mcis 2018 DEFeND Project
byDEFeND Project
 
20180619 Controller-to-Processor agreements
byBrussels Legal Hackers
 

What's hot

PPT
GDPR - Thoughts on the EU Data Protection Regulation, Research and Libraries
byLIBER Europe
 
PPTX
Prepare Your Firm for GDPR
byMyComplianceOffice
 
PPTX
To Shred or Not to Shred: Spoliation in the Digital Age
byBoyarMiller
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementati...
byFinancial Poise
 
PDF
GDPR Overview
byTrish McGinity, CCSK
 
PPTX
ABM Display Advertising Success in the World of GDPR [PPT]
byKwanzoo Inc
 
PDF
Using Social Business Software and being compliant with EU data protection la...
byBCC - Solutions for IBM Collaboration Software
 
PPTX
What does GDPR mean for your business?
byBrightPay Payroll and Auto Enrolment Software
 
PPTX
An introduction to data protection - 2/09/2015
byRachel Aldighieri
 
PPTX
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
byCloudWATCH Consortium
 
PDF
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...
byBoyarMiller
 
PDF
Legal update - Leeds
byRachel Aldighieri
 
PDF
GDPR - are you ready for the challenge?
bySage HR
 
PPT
Privacy in computing & interlectual property
byMutongole Benjamin Benjamin
 
PPTX
Evolving international privacy regulations and cross border data transfer - g...
byUlf Mattsson
 
PDF
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
byNETWAYS
 
PPTX
Scott Appleton: GDPR - Big Bang or Data Evolution?
byEmily Jones
 
PDF
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers
byIAB Europe
 
PPTX
GDPR – what does it mean for charities and what you need to consider - Iain P...
bym-hance
 
GDPR - Thoughts on the EU Data Protection Regulation, Research and Libraries
byLIBER Europe
 
Prepare Your Firm for GDPR
byMyComplianceOffice
 
To Shred or Not to Shred: Spoliation in the Digital Age
byBoyarMiller
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
byFinancial Poise
 
GDPR Overview
byTrish McGinity, CCSK
 
ABM Display Advertising Success in the World of GDPR [PPT]
byKwanzoo Inc
 
Using Social Business Software and being compliant with EU data protection la...
byBCC - Solutions for IBM Collaboration Software
 
What does GDPR mean for your business?
byBrightPay Payroll and Auto Enrolment Software
 
An introduction to data protection - 2/09/2015
byRachel Aldighieri
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
byCloudWATCH Consortium
 
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...
byBoyarMiller
 
Legal update - Leeds
byRachel Aldighieri
 
GDPR - are you ready for the challenge?
bySage HR
 
Privacy in computing & interlectual property
byMutongole Benjamin Benjamin
 
Evolving international privacy regulations and cross border data transfer - g...
byUlf Mattsson
 
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
byNETWAYS
 
Scott Appleton: GDPR - Big Bang or Data Evolution?
byEmily Jones
 
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers
byIAB Europe
 
GDPR – what does it mean for charities and what you need to consider - Iain P...
bym-hance
 

Similar to The interface between data protection and ip law

PDF
Ichec dig strat gdpr
byProf. Jacques Folon (Ph.D)
 
PDF
Esc Rennes gdpr oct 2018
byProf. Jacques Folon (Ph.D)
 
PDF
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
byBurton Lee
 
PDF
Data, databases and what you can do with them
byBrowne Jacobson LLP
 
DOCX
General data protection regulation - European union
byRohana K Amarakoon
 
PDF
GDPR Changing Mindset
byNetworkIQ
 
PDF
Scotland legal update 25 sept
byRachel Aldighieri
 
PPTX
GDPR - A Concise Treatise
byDevopam Mittra
 
PPTX
General Data Protection Regulation
byGrittyCC
 
PDF
General Data Protection Regulation (GDPR) for Identity Architects
byWSO2
 
PPTX
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
PPT
3 - Internet and Communication Technology and the Law.ppt
byStephenTerah3
 
PDF
GDPR - Sink or Swim
byGuy Griffiths
 
PDF
Privacy by Design
byVectr.Consulting
 
PPTX
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
byDr. Donald Macfarlane
 
PPTX
Data protection & security breakfast briefing master slides 28 june-final
byDr. Donald Macfarlane
 
PDF
Gdpr and usa data privacy issues
byStefan Schippers
 
PPT
Lasa European NFP Technology Conference 2010 - Data protection and the cloud
byukriders
 
PPTX
GDPR practical info session for development
byTomppa Kuusi (formerly Järvinen)
 
PDF
Esc gdpr oct 2018
byProf. Jacques Folon (Ph.D)
 
Ichec dig strat gdpr
byProf. Jacques Folon (Ph.D)
 
Esc Rennes gdpr oct 2018
byProf. Jacques Folon (Ph.D)
 
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
byBurton Lee
 
Data, databases and what you can do with them
byBrowne Jacobson LLP
 
General data protection regulation - European union
byRohana K Amarakoon
 
GDPR Changing Mindset
byNetworkIQ
 
Scotland legal update 25 sept
byRachel Aldighieri
 
GDPR - A Concise Treatise
byDevopam Mittra
 
General Data Protection Regulation
byGrittyCC
 
General Data Protection Regulation (GDPR) for Identity Architects
byWSO2
 
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
3 - Internet and Communication Technology and the Law.ppt
byStephenTerah3
 
GDPR - Sink or Swim
byGuy Griffiths
 
Privacy by Design
byVectr.Consulting
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
byDr. Donald Macfarlane
 
Data protection & security breakfast briefing master slides 28 june-final
byDr. Donald Macfarlane
 
Gdpr and usa data privacy issues
byStefan Schippers
 
Lasa European NFP Technology Conference 2010 - Data protection and the cloud
byukriders
 
GDPR practical info session for development
byTomppa Kuusi (formerly Järvinen)
 
Esc gdpr oct 2018
byProf. Jacques Folon (Ph.D)
 

Recently uploaded

PPSX
The New Income Tax Bill, 2025 by Altacit Global
byAltacit Global
 
PDF
navdeep-mathur-v-state-of-gujarat-635079-1.pdf
bysabranghindi
 
PPTX
394480113-RA-9262-ppt (1) (1).pptx------
byrenmabasa
 
PDF
Understanding Tortious Liability: Principles and the Calculus of Risk-by Judg...
by Judge Nazmul Hasan.
 
PPTX
Customer Journey Map by Afaldbovwj fjnasfa
byfaisalhelmy3
 
PPTX
Drug Crimes Attorney - Law Office Of Jimmy Cha
byjc4justice1
 
PDF
termination of con. proceedings for cle adr
byasmiipatange
 
PDF
251120-Allahabad-HC-Order-Sabir-Ali-vs-State-of-UP-1.pdf
bysabranghindi
 
PDF
VIETNAM - THE NEW INVESTMENT LAW 2026 - WHAT YOU MUST KNOW
byDr. Oliver Massmann
 
PDF
Understanding Negligence: A Comprehensive Legal Guide-by Judge Nazmul Hasan.pdf
by Judge Nazmul Hasan.
 
PDF
Race Discrimination in the Workplace: Know the Signs. Know Your Rights.
byAzadian Law Group, PC
 
PDF
AHRP LB - Indonesia’s Updated Mining Policy An Overview of Government Regulat...
byAHRP Law Firm
 
PPTX
Digital Personal Data Protection Rules, 2025
byAltacit Global
 
PPTX
Legal Issues in Esports and Gaming by Altacit Global
byAltacit Global
 
PPT
Indian Constitution important points discuissed unit II.ppt
byvmahescse
 
PPTX
Indian Ports Act 2025.pptx by Altacit Global
byAltacit Global
 
PDF
E-book- The Limitation Act, 1908 for BJS Written Exam by Judge Nazmul Hasan.pdf
by Judge Nazmul Hasan.
 
PPTX
Richard Ramirez “The Night Stalker” ​PPT
byWilliamB29
 
PPTX
Can Foreign Shipowners Own a Cyprus Shipping Company Legal Rules Explained
byAGP Law | A.G. Paphitis & Co. LLC
 
PPTX
Crime_ A Global Perspective...........pptx
byashishyadav1300706
 
The New Income Tax Bill, 2025 by Altacit Global
byAltacit Global
 
navdeep-mathur-v-state-of-gujarat-635079-1.pdf
bysabranghindi
 
394480113-RA-9262-ppt (1) (1).pptx------
byrenmabasa
 
Understanding Tortious Liability: Principles and the Calculus of Risk-by Judg...
by Judge Nazmul Hasan.
 
Customer Journey Map by Afaldbovwj fjnasfa
byfaisalhelmy3
 
Drug Crimes Attorney - Law Office Of Jimmy Cha
byjc4justice1
 
termination of con. proceedings for cle adr
byasmiipatange
 
251120-Allahabad-HC-Order-Sabir-Ali-vs-State-of-UP-1.pdf
bysabranghindi
 
VIETNAM - THE NEW INVESTMENT LAW 2026 - WHAT YOU MUST KNOW
byDr. Oliver Massmann
 
Understanding Negligence: A Comprehensive Legal Guide-by Judge Nazmul Hasan.pdf
by Judge Nazmul Hasan.
 
Race Discrimination in the Workplace: Know the Signs. Know Your Rights.
byAzadian Law Group, PC
 
AHRP LB - Indonesia’s Updated Mining Policy An Overview of Government Regulat...
byAHRP Law Firm
 
Digital Personal Data Protection Rules, 2025
byAltacit Global
 
Legal Issues in Esports and Gaming by Altacit Global
byAltacit Global
 
Indian Constitution important points discuissed unit II.ppt
byvmahescse
 
Indian Ports Act 2025.pptx by Altacit Global
byAltacit Global
 
E-book- The Limitation Act, 1908 for BJS Written Exam by Judge Nazmul Hasan.pdf
by Judge Nazmul Hasan.
 
Richard Ramirez “The Night Stalker” ​PPT
byWilliamB29
 
Can Foreign Shipowners Own a Cyprus Shipping Company Legal Rules Explained
byAGP Law | A.G. Paphitis & Co. LLC
 
Crime_ A Global Perspective...........pptx
byashishyadav1300706
 

The interface between data protection and ip law

  • 1.
    Dr. Francesco Banterle MPI,Munich, 21 October 2016 The Interface between Data Protection and IP Law The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis
  • 2.
    Data is thenew oil The value of personal data has changed marketing strategies and business models based on data analysis Knowledge of customers’ interests allows companies to predict trends People usually get free digital services by ‘paying’ with their data Can sets of personal data collected for being commercially exploited be the subject matter of IP rights? Trade secrets Database sui generis right
  • 3.
    Processing customers’ datafor commercial purposes is allowed and regulated by EU privacy laws (GDPR and e-Privacy Directive) direct marketing processing data to send commercial offers profiling automated processing of personal data aimed at evaluating personal aspects of users’ personalities transfer to third parties assignment of customers’ data to third parties for their own marketing Consent as main legal basis - The GDPR sets out additional safeguards: mitigation of risks transparency control for data subjects (e.g. right to object)
  • 4.
    Trade secrets trade secretsregime varies significantly at the EU level, different legal protection models: IP right v. unfair competition recently regulated by Directive (EU) 2016/943 - partial harmonization through a minimal standard of protection, exclusively against misappropriation (no property approach) Trade Secrets any information, including know-how and business information (i) that is secret; (ii) that has commercial value; and (iii) that has been subject to reasonable steps Business information may include information such as lists of clients/customers, internal datasets containing research data, or anything that may include personal data (see the Impact Assessment) Personal information relevancy The EDPS highlighted the relevance of personal data to the concept of trade secrets and considered lists of customer data as a type of business information
  • 5.
    Secrecy • the information,as a body or in the precise configuration, must not be generally known or easily accessible in that particular field • relative concept rather than absolute Commercial value • either actual or potential, and may be present where its unlawful use is likely to harm the interest of the right holder • connected with significant utility to the holder, since creating this information requires an economic investment Reasonable steps • “reasonable” recalls a concept of proportionality - factual assessment on a case-by-case basis • internal (practical security measures) • logical (organisational aspects, such as functional division of information in separate areas with different or limited access criteria) • physical (restrict access to the information) • external (legal measures towards third parties) , e.g. NDA Trade secret requirements under the Directive and the Italian Case law
  • 6.
    • a generalduty of confidentiality is imposed by EU Privacy Laws on the data controller (Recital 39 of the GDPR)Secrecy • processing data for commercial purposes entails costs, in terms of IT infrastructures, human resources, and time investments (e.g., for collecting data subject consents). Therefore, the lawful acquisition of personal datasets and the consequential ability to exploit them constitute a precious asset Commercial value •personal data processing is a risky activity and the GDPR is increasing security standards for processing data: •performing a risk assessment; •security measures: •limiting access to personal data only to authorized employees (Article 29) (logical measures); •adopting passwords or further access restrictions (Recital 39) (physical measures) •segregating data processed for commercial purposes (logical measures) •adoption of privacy by design solutions and further security mechanisms against data leaks or intrusion, such as data encryption (physical measures) •execution of data processing agreements generally including confidentiality measures (external measures) Reasonable steps The particular nature of personal data processed for commercial purpose should play a role in assessing trade secret requirements
  • 7.
    Database sui generisright The Database Directive sets out a wide definition of database •collection of independent works, data or other material arranged in a systematic or methodical way and individually accessible by electronic or other means •the nature of the data is irrelevant and can include any material such as tests, sounds, images, numbers, and data •contents shall be arranged in a systematic way, retrievable, and independent from each other The database right arises if there is a substantial investment in obtaining, verifying and presenting database contents •any type of investment, whether in terms of human, technical and financial resources, or expending time, effort and energy. The substantial investment can be in either obtaining, verifying or presenting the content The CJEU rejected the database right protection where the investment refers to the creation of data •the investment in obtaining the contents of the database must refer to the resources used to collect existing independent material into the database •creation/obtaining is similar to idea/expression dichotomy •it is often difficult to distinguish between creating and obtaining data
  • 8.
    Database right onsets of customers’ personal data Personal data processed for commercial purposes appear to meet all requirements for database protection •lists of clients and behavioural profiles need to be systematically organized, as well as accessed and retrieved through data management software •customers’ data are independent and have autonomous commercial value Does the investment lie in the creation or collection of customers personal data? •data are not created but gathered from individuals •processing data for marketing requires collecting users’ consent and providing unsubscribe mechanisms, which are formalities connected to obtaining, verifying and updating data (see British Sky Broadcasting v. Digital Satellite Warranty Cover Limited [2011] EWHC) •only in profiling activities some uncertainties may arise, since data are automatically generated Creation v. collection of data in profiling activities •investment can be seen in efficiently collecting the data through analytics software; •the processing phase is essential; •a profiling system requires: •methodically updating the data according to customers’ behaviour (the GDPR warns that incorrect and out-dated profiling is dangerous); •presenting data to allow their exploitation; •update customers’ consent •therefore is the processing that creates valute and requires investment
  • 9.
    The interface betweendata protection and IP Database and trade secret rights on sets of customers’ personal data can combine and give rise to a strong protection mechanism They are limited by the particular (personal) nature of the data and must coexist with privacy rights EU Privacy Laws set out individual rights as well as regulatory provisions •need to obtain granular consents •opt-out mechanisms; •right to access and update data and to object to the processing; data portability, etc. On the other hand, EU Privacy Laws allow data controllers to exploit personal data for commercial purposes – unauthorized use by third party can be sanctioned (public nature of privacy law) The position of control, connected to accountability in processing data, entails a sort of possession on data, which may also have competitive consequences Data protection and IP laws create a complex ownership regime on data
  • 10.
    An example ofthe data ownership issue: big data and cloud-based systems Big data •method for collecting and re-aggregating data on a large scale •advanced profiling: can detect general trends and correlations in data, predict individual attitudes •part of big data is done anonymously (cluster customers into general behavioural categories), however is more effective if based on identified individuals •risk of becoming subject to automated decisions based on data analysis (so - called ‘dictatorship of data’) •even raw data hold value for the insights that can be extracted from them • ownership of information plays a central role Cloud • e.g., outsourced e-commerce platforms, also known as “Commerce-as- a-Service” solutions (CaaS) •the cloud provider is interested in making big data on the client’s users •on which grounds can the cloud client object to that processing? •if the client is not processing such raw data, are they protected? •In the absence of formal assignments in the cloud agreement, the answer may depend on : (i) Privacy aspects; (ii) IP aspects
  • 11.
    Ownership of datain the big data context: Privacy aspects EU Privacy laws application? • do the user online details used for big data in the cloud (e.g., IP address, MAC address, mobile advertising identifiers), qualify as personal data? • an information is personal if it can identify - also indirectly - the data subject, considering the means likely reasonably at disposal of the data controller (or of third parties) • yes, in light of the increasing risk of identifying individuals, the GDPR now includes online identifiers in the definition of personal data (Article 4) Consequences: the data controller / data processor relationship • in the cloud context, the primary position of control is generally attributed to the cloud client (depending on contractual power), whereas the provider should act as a mere “data processor” (WP29 2012) • the provider is not legally entitled to process data for its autonomous purposes, and particularly to process the cloud client’s user data • this aspect affects the possibility to apply the grounds on which big data can be based (apart from consent): • secondary purpose principle (e.g. anonymization of data, or research and statistics exception) • legitimate interest
  • 12.
    Ownership of datain the big data context: IP aspects Database sui generis right • broad protection (against any kind of extraction, even if indirect, re- utilisation of the extracted contents in a different form or in combination with different materials) • does the database right extend to raw data? • debated: Yes, (i) where the information is not available from other sources (ii) the processing does not transform the information collected • whilst the cloud platform could be the sole source for that data, big data has different processing methodologies • different outcomes > limiting database protection Trade secrets • require reasonable steps • in the absence of an access restriction mechanism, data are not protected • the outcome of big data analytics is generally stored in protected databases • raw data are automatically generated by the platform and cannot be hidden from the cloud provider • trade secret protection is not absolute, and it cannot prevent a third party from autonomously obtaining such information • necessary at least confidentiality provisions about raw data • in the absence of legal measures about raw data, the cloud provider could process them protection to «processed» data only
  • 13.
    Is there ageneral ownership regime in case IP and privacy laws do not apply? Big data • stimulate needs to access data • even raw data can now have potential economic value Property in data? • challenges traditional concepts of civil law • Information has public nature • numerus clausus principle for property and IP rights • res incorporales not included in property rights Modern approach on data? • considering as «natural» the ownership of any utility produced by a private activity where it has economic value • data commoditization? Current ownership regime • Privacy law, IP rights, and contractual mechanisms give rise to a strong protection mechanism on data Towards a new ownership regime? • would require legislative initiative • the Commission has launched a new study • new rights to be carefully assessed • need to ensure open data in certain sectors (possible liability rule)
  • 14.