SlideShare a Scribd company logo

The interface between data protection and ip law

F
Francesco Banterle

The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis Paper presented at the Max Planck Institute's conference "Personal data in competition, consumer protection and IP law Towards a holistic approach?", held on 21 October 2016

Law
1 of 14
Download to read offline
Dr. Francesco Banterle MPI, Munich, 21 October 2016 The Interface between Data Protection and IP Law The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis
Data is the new oil The value of personal data has changed marketing strategies and business models based on data analysis Knowledge of customers’ interests allows companies to predict trends People usually get free digital services by ‘paying’ with their data Can sets of personal data collected for being commercially exploited be the subject matter of IP rights? Trade secrets Database sui generis right
Processing customers’ data for commercial purposes is allowed and regulated by EU privacy laws (GDPR and e-Privacy Directive) direct marketing processing data to send commercial offers profiling automated processing of personal data aimed at evaluating personal aspects of users’ personalities transfer to third parties assignment of customers’ data to third parties for their own marketing Consent as main legal basis - The GDPR sets out additional safeguards: mitigation of risks transparency control for data subjects (e.g. right to object)
Trade secrets trade secrets regime varies significantly at the EU level, different legal protection models: IP right v. unfair competition recently regulated by Directive (EU) 2016/943 - partial harmonization through a minimal standard of protection, exclusively against misappropriation (no property approach) Trade Secrets any information, including know-how and business information (i) that is secret; (ii) that has commercial value; and (iii) that has been subject to reasonable steps Business information may include information such as lists of clients/customers, internal datasets containing research data, or anything that may include personal data (see the Impact Assessment) Personal information relevancy The EDPS highlighted the relevance of personal data to the concept of trade secrets and considered lists of customer data as a type of business information
Secrecy • the information, as a body or in the precise configuration, must not be generally known or easily accessible in that particular field • relative concept rather than absolute Commercial value • either actual or potential, and may be present where its unlawful use is likely to harm the interest of the right holder • connected with significant utility to the holder, since creating this information requires an economic investment Reasonable steps • “reasonable” recalls a concept of proportionality - factual assessment on a case-by-case basis • internal (practical security measures) • logical (organisational aspects, such as functional division of information in separate areas with different or limited access criteria) • physical (restrict access to the information) • external (legal measures towards third parties) , e.g. NDA Trade secret requirements under the Directive and the Italian Case law
• a general duty of confidentiality is imposed by EU Privacy Laws on the data controller (Recital 39 of the GDPR)Secrecy • processing data for commercial purposes entails costs, in terms of IT infrastructures, human resources, and time investments (e.g., for collecting data subject consents). Therefore, the lawful acquisition of personal datasets and the consequential ability to exploit them constitute a precious asset Commercial value •personal data processing is a risky activity and the GDPR is increasing security standards for processing data: •performing a risk assessment; •security measures: •limiting access to personal data only to authorized employees (Article 29) (logical measures); •adopting passwords or further access restrictions (Recital 39) (physical measures) •segregating data processed for commercial purposes (logical measures) •adoption of privacy by design solutions and further security mechanisms against data leaks or intrusion, such as data encryption (physical measures) •execution of data processing agreements generally including confidentiality measures (external measures) Reasonable steps The particular nature of personal data processed for commercial purpose should play a role in assessing trade secret requirements
Database sui generis right The Database Directive sets out a wide definition of database •collection of independent works, data or other material arranged in a systematic or methodical way and individually accessible by electronic or other means •the nature of the data is irrelevant and can include any material such as tests, sounds, images, numbers, and data •contents shall be arranged in a systematic way, retrievable, and independent from each other The database right arises if there is a substantial investment in obtaining, verifying and presenting database contents •any type of investment, whether in terms of human, technical and financial resources, or expending time, effort and energy. The substantial investment can be in either obtaining, verifying or presenting the content The CJEU rejected the database right protection where the investment refers to the creation of data •the investment in obtaining the contents of the database must refer to the resources used to collect existing independent material into the database •creation/obtaining is similar to idea/expression dichotomy •it is often difficult to distinguish between creating and obtaining data
Database right on sets of customers’ personal data Personal data processed for commercial purposes appear to meet all requirements for database protection •lists of clients and behavioural profiles need to be systematically organized, as well as accessed and retrieved through data management software •customers’ data are independent and have autonomous commercial value Does the investment lie in the creation or collection of customers personal data? •data are not created but gathered from individuals •processing data for marketing requires collecting users’ consent and providing unsubscribe mechanisms, which are formalities connected to obtaining, verifying and updating data (see British Sky Broadcasting v. Digital Satellite Warranty Cover Limited [2011] EWHC) •only in profiling activities some uncertainties may arise, since data are automatically generated Creation v. collection of data in profiling activities •investment can be seen in efficiently collecting the data through analytics software; •the processing phase is essential; •a profiling system requires: •methodically updating the data according to customers’ behaviour (the GDPR warns that incorrect and out-dated profiling is dangerous); •presenting data to allow their exploitation; •update customers’ consent •therefore is the processing that creates valute and requires investment
The interface between data protection and IP Database and trade secret rights on sets of customers’ personal data can combine and give rise to a strong protection mechanism They are limited by the particular (personal) nature of the data and must coexist with privacy rights EU Privacy Laws set out individual rights as well as regulatory provisions •need to obtain granular consents •opt-out mechanisms; •right to access and update data and to object to the processing; data portability, etc. On the other hand, EU Privacy Laws allow data controllers to exploit personal data for commercial purposes – unauthorized use by third party can be sanctioned (public nature of privacy law) The position of control, connected to accountability in processing data, entails a sort of possession on data, which may also have competitive consequences Data protection and IP laws create a complex ownership regime on data
An example of the data ownership issue: big data and cloud-based systems Big data •method for collecting and re-aggregating data on a large scale •advanced profiling: can detect general trends and correlations in data, predict individual attitudes •part of big data is done anonymously (cluster customers into general behavioural categories), however is more effective if based on identified individuals •risk of becoming subject to automated decisions based on data analysis (so - called ‘dictatorship of data’) •even raw data hold value for the insights that can be extracted from them • ownership of information plays a central role Cloud • e.g., outsourced e-commerce platforms, also known as “Commerce-as- a-Service” solutions (CaaS) •the cloud provider is interested in making big data on the client’s users •on which grounds can the cloud client object to that processing? •if the client is not processing such raw data, are they protected? •In the absence of formal assignments in the cloud agreement, the answer may depend on : (i) Privacy aspects; (ii) IP aspects
Ownership of data in the big data context: Privacy aspects EU Privacy laws application? • do the user online details used for big data in the cloud (e.g., IP address, MAC address, mobile advertising identifiers), qualify as personal data? • an information is personal if it can identify - also indirectly - the data subject, considering the means likely reasonably at disposal of the data controller (or of third parties) • yes, in light of the increasing risk of identifying individuals, the GDPR now includes online identifiers in the definition of personal data (Article 4) Consequences: the data controller / data processor relationship • in the cloud context, the primary position of control is generally attributed to the cloud client (depending on contractual power), whereas the provider should act as a mere “data processor” (WP29 2012) • the provider is not legally entitled to process data for its autonomous purposes, and particularly to process the cloud client’s user data • this aspect affects the possibility to apply the grounds on which big data can be based (apart from consent): • secondary purpose principle (e.g. anonymization of data, or research and statistics exception) • legitimate interest
Ownership of data in the big data context: IP aspects Database sui generis right • broad protection (against any kind of extraction, even if indirect, re- utilisation of the extracted contents in a different form or in combination with different materials) • does the database right extend to raw data? • debated: Yes, (i) where the information is not available from other sources (ii) the processing does not transform the information collected • whilst the cloud platform could be the sole source for that data, big data has different processing methodologies • different outcomes > limiting database protection Trade secrets • require reasonable steps • in the absence of an access restriction mechanism, data are not protected • the outcome of big data analytics is generally stored in protected databases • raw data are automatically generated by the platform and cannot be hidden from the cloud provider • trade secret protection is not absolute, and it cannot prevent a third party from autonomously obtaining such information • necessary at least confidentiality provisions about raw data • in the absence of legal measures about raw data, the cloud provider could process them protection to «processed» data only
Is there a general ownership regime in case IP and privacy laws do not apply? Big data • stimulate needs to access data • even raw data can now have potential economic value Property in data? • challenges traditional concepts of civil law • Information has public nature • numerus clausus principle for property and IP rights • res incorporales not included in property rights Modern approach on data? • considering as «natural» the ownership of any utility produced by a private activity where it has economic value • data commoditization? Current ownership regime • Privacy law, IP rights, and contractual mechanisms give rise to a strong protection mechanism on data Towards a new ownership regime? • would require legislative initiative • the Commission has launched a new study • new rights to be carefully assessed • need to ensure open data in certain sectors (possible liability rule)
Thanks! fbanterle@gmail.com linkedin.com/in/francescobanterle

Recommended

DPIA template
DPIA templateDPIA template
DPIA templateTommy Vandepitte
 
The Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanThe Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanKrowdthink
 
The Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiThe Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiKrowdthink
 
3A – DATA PROTECTION: ADVICE
3A – DATA PROTECTION: ADVICE3A – DATA PROTECTION: ADVICE
3A – DATA PROTECTION: ADVICECFG
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsUlf Mattsson
 
Data Protection Seminar_GDPR_ISOLAS_26-06-17
Data Protection Seminar_GDPR_ISOLAS_26-06-17Data Protection Seminar_GDPR_ISOLAS_26-06-17
Data Protection Seminar_GDPR_ISOLAS_26-06-17Michael Adamberry
 
Mcis 2018 DEFeND Project
Mcis 2018 DEFeND Project Mcis 2018 DEFeND Project
Mcis 2018 DEFeND Project DEFeND Project
 
20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreements20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreementsBrussels Legal Hackers
 

Recommended

DPIA template
DPIA templateDPIA template
DPIA templateTommy Vandepitte
 
The Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanThe Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanKrowdthink
 
The Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiThe Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiKrowdthink
 
3A – DATA PROTECTION: ADVICE
3A – DATA PROTECTION: ADVICE3A – DATA PROTECTION: ADVICE
3A – DATA PROTECTION: ADVICECFG
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsUlf Mattsson
 
Data Protection Seminar_GDPR_ISOLAS_26-06-17
Data Protection Seminar_GDPR_ISOLAS_26-06-17Data Protection Seminar_GDPR_ISOLAS_26-06-17
Data Protection Seminar_GDPR_ISOLAS_26-06-17Michael Adamberry
 
Mcis 2018 DEFeND Project
Mcis 2018 DEFeND Project Mcis 2018 DEFeND Project
Mcis 2018 DEFeND Project DEFeND Project
 
20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreements20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreementsBrussels Legal Hackers
 
GDPR - Thoughts on the EU Data Protection Regulation, Research and Libraries
GDPR - Thoughts on the EU Data Protection Regulation, Research and LibrariesGDPR - Thoughts on the EU Data Protection Regulation, Research and Libraries
GDPR - Thoughts on the EU Data Protection Regulation, Research and LibrariesLIBER Europe
 
Prepare Your Firm for GDPR
Prepare Your Firm for GDPRPrepare Your Firm for GDPR
Prepare Your Firm for GDPRMyComplianceOffice
 
To Shred or Not to Shred: Spoliation in the Digital Age
To Shred or Not to Shred: Spoliation in the Digital AgeTo Shred or Not to Shred: Spoliation in the Digital Age
To Shred or Not to Shred: Spoliation in the Digital AgeBoyarMiller
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Financial Poise
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR OverviewTrish McGinity, CCSK
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]Kwanzoo Inc
 
Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...BCC - Solutions for IBM Collaboration Software
 
What does GDPR mean for your business?
What does GDPR mean for your business?What does GDPR mean for your business?
What does GDPR mean for your business?BrightPay Payroll and Auto Enrolment Software
 
An introduction to data protection - 2/09/2015
An introduction to data protection - 2/09/2015An introduction to data protection - 2/09/2015
An introduction to data protection - 2/09/2015Rachel Aldighieri
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017CloudWATCH Consortium
 
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...BoyarMiller
 
Legal update - Leeds
Legal update - LeedsLegal update - Leeds
Legal update - LeedsRachel Aldighieri
 
GDPR - are you ready for the challenge?
GDPR - are you ready for the challenge?GDPR - are you ready for the challenge?
GDPR - are you ready for the challenge?Sage HR
 
Privacy in computing & interlectual property
Privacy in computing & interlectual propertyPrivacy in computing & interlectual property
Privacy in computing & interlectual propertyMutongole Benjamin Benjamin
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Ulf Mattsson
 
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...NETWAYS
 
Scott Appleton: GDPR - Big Bang or Data Evolution?
Scott Appleton: GDPR - Big Bang or Data Evolution?Scott Appleton: GDPR - Big Bang or Data Evolution?
Scott Appleton: GDPR - Big Bang or Data Evolution?Emily Jones
 
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers
Interact 2018 - GDPR for digital publishers, digital agencies and advertisersInteract 2018 - GDPR for digital publishers, digital agencies and advertisers
Interact 2018 - GDPR for digital publishers, digital agencies and advertisersIAB Europe
 
GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...m-hance
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...e-SIDES.eu
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...IDC4EU
 
Analytics in Action - Data Protection
Analytics in Action - Data ProtectionAnalytics in Action - Data Protection
Analytics in Action - Data ProtectionLee Schlenker
 

More Related Content

What's hot

GDPR - Thoughts on the EU Data Protection Regulation, Research and Libraries
GDPR - Thoughts on the EU Data Protection Regulation, Research and LibrariesGDPR - Thoughts on the EU Data Protection Regulation, Research and Libraries
GDPR - Thoughts on the EU Data Protection Regulation, Research and LibrariesLIBER Europe
 
To Shred or Not to Shred: Spoliation in the Digital Age
To Shred or Not to Shred: Spoliation in the Digital AgeTo Shred or Not to Shred: Spoliation in the Digital Age
To Shred or Not to Shred: Spoliation in the Digital AgeBoyarMiller
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Financial Poise
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]Kwanzoo Inc
 
An introduction to data protection - 2/09/2015
An introduction to data protection - 2/09/2015An introduction to data protection - 2/09/2015
An introduction to data protection - 2/09/2015Rachel Aldighieri
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017CloudWATCH Consortium
 
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...BoyarMiller
 
GDPR - are you ready for the challenge?
GDPR - are you ready for the challenge?GDPR - are you ready for the challenge?
GDPR - are you ready for the challenge?Sage HR
 
Privacy in computing & interlectual property
Privacy in computing & interlectual propertyPrivacy in computing & interlectual property
Privacy in computing & interlectual propertyMutongole Benjamin Benjamin
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Ulf Mattsson
 
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...NETWAYS
 
Scott Appleton: GDPR - Big Bang or Data Evolution?
Scott Appleton: GDPR - Big Bang or Data Evolution?Scott Appleton: GDPR - Big Bang or Data Evolution?
Scott Appleton: GDPR - Big Bang or Data Evolution?Emily Jones
 
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers
Interact 2018 - GDPR for digital publishers, digital agencies and advertisersInteract 2018 - GDPR for digital publishers, digital agencies and advertisers
Interact 2018 - GDPR for digital publishers, digital agencies and advertisersIAB Europe
 
GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...m-hance
 

What's hot (19)

GDPR - Thoughts on the EU Data Protection Regulation, Research and Libraries
GDPR - Thoughts on the EU Data Protection Regulation, Research and LibrariesGDPR - Thoughts on the EU Data Protection Regulation, Research and Libraries
GDPR - Thoughts on the EU Data Protection Regulation, Research and Libraries
 
Prepare Your Firm for GDPR
Prepare Your Firm for GDPRPrepare Your Firm for GDPR
Prepare Your Firm for GDPR
 
To Shred or Not to Shred: Spoliation in the Digital Age
To Shred or Not to Shred: Spoliation in the Digital AgeTo Shred or Not to Shred: Spoliation in the Digital Age
To Shred or Not to Shred: Spoliation in the Digital Age
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]
 
Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...
 
What does GDPR mean for your business?
What does GDPR mean for your business?What does GDPR mean for your business?
What does GDPR mean for your business?
 
An introduction to data protection - 2/09/2015
An introduction to data protection - 2/09/2015An introduction to data protection - 2/09/2015
An introduction to data protection - 2/09/2015
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
 
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...
BoyarMiller – To Shred or Not to Shred: Document Retention Policies and Spoli...
 
Legal update - Leeds
Legal update - LeedsLegal update - Leeds
Legal update - Leeds
 
GDPR - are you ready for the challenge?
GDPR - are you ready for the challenge?GDPR - are you ready for the challenge?
GDPR - are you ready for the challenge?
 
Privacy in computing & interlectual property
Privacy in computing & interlectual propertyPrivacy in computing & interlectual property
Privacy in computing & interlectual property
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
 
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
 
Scott Appleton: GDPR - Big Bang or Data Evolution?
Scott Appleton: GDPR - Big Bang or Data Evolution?Scott Appleton: GDPR - Big Bang or Data Evolution?
Scott Appleton: GDPR - Big Bang or Data Evolution?
 
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers
Interact 2018 - GDPR for digital publishers, digital agencies and advertisersInteract 2018 - GDPR for digital publishers, digital agencies and advertisers
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers
 
GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...
 

Similar to The interface between data protection and ip law

Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...e-SIDES.eu
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...IDC4EU
 
Analytics in Action - Data Protection
Analytics in Action - Data ProtectionAnalytics in Action - Data Protection
Analytics in Action - Data ProtectionLee Schlenker
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityEQS Group
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaperJim Wilson
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationIBM Security
 
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-finalData protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-finalDr. Donald Macfarlane
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
 
Making ‘Big Data’ Your Ally – Using data analytics to improve compliance, due...
Making ‘Big Data’ Your Ally – Using data analytics to improve compliance, due...Making ‘Big Data’ Your Ally – Using data analytics to improve compliance, due...
Making ‘Big Data’ Your Ally – Using data analytics to improve compliance, due...emermell
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion
 
2015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 050520152015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 05052015Jan Dhont
 
MIPLM research projekt data driven business models in healthcare
MIPLM research projekt data driven business models in healthcareMIPLM research projekt data driven business models in healthcare
MIPLM research projekt data driven business models in healthcareMIPLM
 
Members evening - data protection
Members evening - data protectionMembers evening - data protection
Members evening - data protectionMRS
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessOmo Osagiede
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)RAKESH S
 
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...stevewood900540
 
Data Analytics and the Legal Landscape: Intellectual Property and Data Protec...
Data Analytics and the Legal Landscape: Intellectual Property and Data Protec...Data Analytics and the Legal Landscape: Intellectual Property and Data Protec...
Data Analytics and the Legal Landscape: Intellectual Property and Data Protec...FutureTDM
 
Michael Josephs
Michael JosephsMichael Josephs
Michael JosephsdaveGBE
 

Similar to The interface between data protection and ip law (20)

Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
 
Analytics in Action - Data Protection
Analytics in Action - Data ProtectionAnalytics in Action - Data Protection
Analytics in Action - Data Protection
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaper
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity Legislation
 
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-finalData protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 
Making ‘Big Data’ Your Ally – Using data analytics to improve compliance, due...
Making ‘Big Data’ Your Ally – Using data analytics to improve compliance, due...Making ‘Big Data’ Your Ally – Using data analytics to improve compliance, due...
Making ‘Big Data’ Your Ally – Using data analytics to improve compliance, due...
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
 
2015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 050520152015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 05052015
 
MIPLM research projekt data driven business models in healthcare
MIPLM research projekt data driven business models in healthcareMIPLM research projekt data driven business models in healthcare
MIPLM research projekt data driven business models in healthcare
 
Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
 
Members evening - data protection
Members evening - data protectionMembers evening - data protection
Members evening - data protection
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)
 
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...
 
Data Analytics and the Legal Landscape: Intellectual Property and Data Protec...
Data Analytics and the Legal Landscape: Intellectual Property and Data Protec...Data Analytics and the Legal Landscape: Intellectual Property and Data Protec...
Data Analytics and the Legal Landscape: Intellectual Property and Data Protec...
 
Michael Josephs
Michael JosephsMichael Josephs
Michael Josephs
 
GDPR (En) JM Tyszka
GDPR (En) JM TyszkaGDPR (En) JM Tyszka
GDPR (En) JM Tyszka
 

Recently uploaded

Introduction to Forensic Science: Medical Evidences
Introduction to Forensic Science: Medical EvidencesIntroduction to Forensic Science: Medical Evidences
Introduction to Forensic Science: Medical EvidencesMayank Raiborde
 
dandan liu need to rot when she dies..pdf
dandan liu need to rot when she dies..pdfdandan liu need to rot when she dies..pdf
dandan liu need to rot when she dies..pdfbraydenstoch777
 
Solidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South AfricaSolidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South AfricaUniversity of Ferrara
 
Rights of Consumers under Consumer Protection Act, 1986.
Rights of Consumers under Consumer Protection Act, 1986.Rights of Consumers under Consumer Protection Act, 1986.
Rights of Consumers under Consumer Protection Act, 1986.shrishtijain1809
 
Embed-1-4.pdf Decision of the High Court
Embed-1-4.pdf Decision of the High CourtEmbed-1-4.pdf Decision of the High Court
Embed-1-4.pdf Decision of the High Courtbhavenpr
 
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...Leks&Co
 
Does Apple Neurotechnology Patents Go To Far?
Does Apple Neurotechnology Patents Go To Far?Does Apple Neurotechnology Patents Go To Far?
Does Apple Neurotechnology Patents Go To Far?Graham Ware
 
Indian Partnership Act 1932, Rights and Duties of Partners
Indian Partnership Act 1932, Rights and Duties of PartnersIndian Partnership Act 1932, Rights and Duties of Partners
Indian Partnership Act 1932, Rights and Duties of Partnersshrishtijain1809
 
INAUGURAL SIPAC FORUM - POST EVENT REPORT.pdf
INAUGURAL SIPAC FORUM - POST EVENT REPORT.pdfINAUGURAL SIPAC FORUM - POST EVENT REPORT.pdf
INAUGURAL SIPAC FORUM - POST EVENT REPORT.pdfliming4real
 
IRDA role in Insurance sector in India .pptx
IRDA role in Insurance sector in India .pptxIRDA role in Insurance sector in India .pptx
IRDA role in Insurance sector in India .pptxShreyasVyas9
 
Starbucks Corp. v. Sardarbuksh Coffee Co.
Starbucks Corp. v. Sardarbuksh Coffee Co.Starbucks Corp. v. Sardarbuksh Coffee Co.
Starbucks Corp. v. Sardarbuksh Coffee Co.aniruddhabamal
 
Streamline Legal Operations: A Guide to Paralegal Services
Streamline Legal Operations: A Guide to Paralegal ServicesStreamline Legal Operations: A Guide to Paralegal Services
Streamline Legal Operations: A Guide to Paralegal ServicesEternity Paralegal Services
 
How Can an Attorney Help With My Car Accident Claim?
How Can an Attorney Help With My Car Accident Claim?How Can an Attorney Help With My Car Accident Claim?
How Can an Attorney Help With My Car Accident Claim?Paisley Law LLC
 
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)Mike Keyes
 
Dandan Liu is the worst real estate agent on earth..pdf
Dandan Liu is the worst real estate agent on earth..pdfDandan Liu is the worst real estate agent on earth..pdf
Dandan Liu is the worst real estate agent on earth..pdfbraydenstoch777
 
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODSREVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODSCheong Man Keong
 
CHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptx
CHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptxCHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptx
CHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptxRashmiPandey862734
 
Mergers and Acquisitions in Kenya - An explanation
Mergers and Acquisitions in Kenya - An explanationMergers and Acquisitions in Kenya - An explanation
Mergers and Acquisitions in Kenya - An explanationRovert3
 

Recently uploaded (20)

Introduction to Forensic Science: Medical Evidences
Introduction to Forensic Science: Medical EvidencesIntroduction to Forensic Science: Medical Evidences
Introduction to Forensic Science: Medical Evidences
 
dandan liu need to rot when she dies..pdf
dandan liu need to rot when she dies..pdfdandan liu need to rot when she dies..pdf
dandan liu need to rot when she dies..pdf
 
Solidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South AfricaSolidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South Africa
 
Rights of Consumers under Consumer Protection Act, 1986.
Rights of Consumers under Consumer Protection Act, 1986.Rights of Consumers under Consumer Protection Act, 1986.
Rights of Consumers under Consumer Protection Act, 1986.
 
Embed-1-4.pdf Decision of the High Court
Embed-1-4.pdf Decision of the High CourtEmbed-1-4.pdf Decision of the High Court
Embed-1-4.pdf Decision of the High Court
 
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
 
Does Apple Neurotechnology Patents Go To Far?
Does Apple Neurotechnology Patents Go To Far?Does Apple Neurotechnology Patents Go To Far?
Does Apple Neurotechnology Patents Go To Far?
 
Indian Partnership Act 1932, Rights and Duties of Partners
Indian Partnership Act 1932, Rights and Duties of PartnersIndian Partnership Act 1932, Rights and Duties of Partners
Indian Partnership Act 1932, Rights and Duties of Partners
 
INAUGURAL SIPAC FORUM - POST EVENT REPORT.pdf
INAUGURAL SIPAC FORUM - POST EVENT REPORT.pdfINAUGURAL SIPAC FORUM - POST EVENT REPORT.pdf
INAUGURAL SIPAC FORUM - POST EVENT REPORT.pdf
 
IRDA role in Insurance sector in India .pptx
IRDA role in Insurance sector in India .pptxIRDA role in Insurance sector in India .pptx
IRDA role in Insurance sector in India .pptx
 
Starbucks Corp. v. Sardarbuksh Coffee Co.
Starbucks Corp. v. Sardarbuksh Coffee Co.Starbucks Corp. v. Sardarbuksh Coffee Co.
Starbucks Corp. v. Sardarbuksh Coffee Co.
 
Streamline Legal Operations: A Guide to Paralegal Services
Streamline Legal Operations: A Guide to Paralegal ServicesStreamline Legal Operations: A Guide to Paralegal Services
Streamline Legal Operations: A Guide to Paralegal Services
 
How Can an Attorney Help With My Car Accident Claim?
How Can an Attorney Help With My Car Accident Claim?How Can an Attorney Help With My Car Accident Claim?
How Can an Attorney Help With My Car Accident Claim?
 
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
 
Dandan Liu is the worst real estate agent on earth..pdf
Dandan Liu is the worst real estate agent on earth..pdfDandan Liu is the worst real estate agent on earth..pdf
Dandan Liu is the worst real estate agent on earth..pdf
 
Trending Topics in ITC Litigation with Knobbe Martens
Trending Topics in ITC Litigation with Knobbe MartensTrending Topics in ITC Litigation with Knobbe Martens
Trending Topics in ITC Litigation with Knobbe Martens
 
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODSREVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
 
Justice Advocates Legal Defence Firm
Justice Advocates Legal Defence FirmJustice Advocates Legal Defence Firm
Justice Advocates Legal Defence Firm
 
CHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptx
CHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptxCHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptx
CHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptx
 
Mergers and Acquisitions in Kenya - An explanation
Mergers and Acquisitions in Kenya - An explanationMergers and Acquisitions in Kenya - An explanation
Mergers and Acquisitions in Kenya - An explanation
 

The interface between data protection and ip law

  • 1. Dr. Francesco Banterle MPI, Munich, 21 October 2016 The Interface between Data Protection and IP Law The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis
  • 2. Data is the new oil The value of personal data has changed marketing strategies and business models based on data analysis Knowledge of customers’ interests allows companies to predict trends People usually get free digital services by ‘paying’ with their data Can sets of personal data collected for being commercially exploited be the subject matter of IP rights? Trade secrets Database sui generis right
  • 3. Processing customers’ data for commercial purposes is allowed and regulated by EU privacy laws (GDPR and e-Privacy Directive) direct marketing processing data to send commercial offers profiling automated processing of personal data aimed at evaluating personal aspects of users’ personalities transfer to third parties assignment of customers’ data to third parties for their own marketing Consent as main legal basis - The GDPR sets out additional safeguards: mitigation of risks transparency control for data subjects (e.g. right to object)
  • 4. Trade secrets trade secrets regime varies significantly at the EU level, different legal protection models: IP right v. unfair competition recently regulated by Directive (EU) 2016/943 - partial harmonization through a minimal standard of protection, exclusively against misappropriation (no property approach) Trade Secrets any information, including know-how and business information (i) that is secret; (ii) that has commercial value; and (iii) that has been subject to reasonable steps Business information may include information such as lists of clients/customers, internal datasets containing research data, or anything that may include personal data (see the Impact Assessment) Personal information relevancy The EDPS highlighted the relevance of personal data to the concept of trade secrets and considered lists of customer data as a type of business information
  • 5. Secrecy • the information, as a body or in the precise configuration, must not be generally known or easily accessible in that particular field • relative concept rather than absolute Commercial value • either actual or potential, and may be present where its unlawful use is likely to harm the interest of the right holder • connected with significant utility to the holder, since creating this information requires an economic investment Reasonable steps • “reasonable” recalls a concept of proportionality - factual assessment on a case-by-case basis • internal (practical security measures) • logical (organisational aspects, such as functional division of information in separate areas with different or limited access criteria) • physical (restrict access to the information) • external (legal measures towards third parties) , e.g. NDA Trade secret requirements under the Directive and the Italian Case law
  • 6. • a general duty of confidentiality is imposed by EU Privacy Laws on the data controller (Recital 39 of the GDPR)Secrecy • processing data for commercial purposes entails costs, in terms of IT infrastructures, human resources, and time investments (e.g., for collecting data subject consents). Therefore, the lawful acquisition of personal datasets and the consequential ability to exploit them constitute a precious asset Commercial value •personal data processing is a risky activity and the GDPR is increasing security standards for processing data: •performing a risk assessment; •security measures: •limiting access to personal data only to authorized employees (Article 29) (logical measures); •adopting passwords or further access restrictions (Recital 39) (physical measures) •segregating data processed for commercial purposes (logical measures) •adoption of privacy by design solutions and further security mechanisms against data leaks or intrusion, such as data encryption (physical measures) •execution of data processing agreements generally including confidentiality measures (external measures) Reasonable steps The particular nature of personal data processed for commercial purpose should play a role in assessing trade secret requirements
  • 7. Database sui generis right The Database Directive sets out a wide definition of database •collection of independent works, data or other material arranged in a systematic or methodical way and individually accessible by electronic or other means •the nature of the data is irrelevant and can include any material such as tests, sounds, images, numbers, and data •contents shall be arranged in a systematic way, retrievable, and independent from each other The database right arises if there is a substantial investment in obtaining, verifying and presenting database contents •any type of investment, whether in terms of human, technical and financial resources, or expending time, effort and energy. The substantial investment can be in either obtaining, verifying or presenting the content The CJEU rejected the database right protection where the investment refers to the creation of data •the investment in obtaining the contents of the database must refer to the resources used to collect existing independent material into the database •creation/obtaining is similar to idea/expression dichotomy •it is often difficult to distinguish between creating and obtaining data
  • 8. Database right on sets of customers’ personal data Personal data processed for commercial purposes appear to meet all requirements for database protection •lists of clients and behavioural profiles need to be systematically organized, as well as accessed and retrieved through data management software •customers’ data are independent and have autonomous commercial value Does the investment lie in the creation or collection of customers personal data? •data are not created but gathered from individuals •processing data for marketing requires collecting users’ consent and providing unsubscribe mechanisms, which are formalities connected to obtaining, verifying and updating data (see British Sky Broadcasting v. Digital Satellite Warranty Cover Limited [2011] EWHC) •only in profiling activities some uncertainties may arise, since data are automatically generated Creation v. collection of data in profiling activities •investment can be seen in efficiently collecting the data through analytics software; •the processing phase is essential; •a profiling system requires: •methodically updating the data according to customers’ behaviour (the GDPR warns that incorrect and out-dated profiling is dangerous); •presenting data to allow their exploitation; •update customers’ consent •therefore is the processing that creates valute and requires investment
  • 9. The interface between data protection and IP Database and trade secret rights on sets of customers’ personal data can combine and give rise to a strong protection mechanism They are limited by the particular (personal) nature of the data and must coexist with privacy rights EU Privacy Laws set out individual rights as well as regulatory provisions •need to obtain granular consents •opt-out mechanisms; •right to access and update data and to object to the processing; data portability, etc. On the other hand, EU Privacy Laws allow data controllers to exploit personal data for commercial purposes – unauthorized use by third party can be sanctioned (public nature of privacy law) The position of control, connected to accountability in processing data, entails a sort of possession on data, which may also have competitive consequences Data protection and IP laws create a complex ownership regime on data
  • 10. An example of the data ownership issue: big data and cloud-based systems Big data •method for collecting and re-aggregating data on a large scale •advanced profiling: can detect general trends and correlations in data, predict individual attitudes •part of big data is done anonymously (cluster customers into general behavioural categories), however is more effective if based on identified individuals •risk of becoming subject to automated decisions based on data analysis (so - called ‘dictatorship of data’) •even raw data hold value for the insights that can be extracted from them • ownership of information plays a central role Cloud • e.g., outsourced e-commerce platforms, also known as “Commerce-as- a-Service” solutions (CaaS) •the cloud provider is interested in making big data on the client’s users •on which grounds can the cloud client object to that processing? •if the client is not processing such raw data, are they protected? •In the absence of formal assignments in the cloud agreement, the answer may depend on : (i) Privacy aspects; (ii) IP aspects
  • 11. Ownership of data in the big data context: Privacy aspects EU Privacy laws application? • do the user online details used for big data in the cloud (e.g., IP address, MAC address, mobile advertising identifiers), qualify as personal data? • an information is personal if it can identify - also indirectly - the data subject, considering the means likely reasonably at disposal of the data controller (or of third parties) • yes, in light of the increasing risk of identifying individuals, the GDPR now includes online identifiers in the definition of personal data (Article 4) Consequences: the data controller / data processor relationship • in the cloud context, the primary position of control is generally attributed to the cloud client (depending on contractual power), whereas the provider should act as a mere “data processor” (WP29 2012) • the provider is not legally entitled to process data for its autonomous purposes, and particularly to process the cloud client’s user data • this aspect affects the possibility to apply the grounds on which big data can be based (apart from consent): • secondary purpose principle (e.g. anonymization of data, or research and statistics exception) • legitimate interest
  • 12. Ownership of data in the big data context: IP aspects Database sui generis right • broad protection (against any kind of extraction, even if indirect, re- utilisation of the extracted contents in a different form or in combination with different materials) • does the database right extend to raw data? • debated: Yes, (i) where the information is not available from other sources (ii) the processing does not transform the information collected • whilst the cloud platform could be the sole source for that data, big data has different processing methodologies • different outcomes > limiting database protection Trade secrets • require reasonable steps • in the absence of an access restriction mechanism, data are not protected • the outcome of big data analytics is generally stored in protected databases • raw data are automatically generated by the platform and cannot be hidden from the cloud provider • trade secret protection is not absolute, and it cannot prevent a third party from autonomously obtaining such information • necessary at least confidentiality provisions about raw data • in the absence of legal measures about raw data, the cloud provider could process them protection to «processed» data only
  • 13. Is there a general ownership regime in case IP and privacy laws do not apply? Big data • stimulate needs to access data • even raw data can now have potential economic value Property in data? • challenges traditional concepts of civil law • Information has public nature • numerus clausus principle for property and IP rights • res incorporales not included in property rights Modern approach on data? • considering as «natural» the ownership of any utility produced by a private activity where it has economic value • data commoditization? Current ownership regime • Privacy law, IP rights, and contractual mechanisms give rise to a strong protection mechanism on data Towards a new ownership regime? • would require legislative initiative • the Commission has launched a new study • new rights to be carefully assessed • need to ensure open data in certain sectors (possible liability rule)