Dr. Francesco Banterle
MPI, Munich, 21 October 2016
The Interface between Data Protection and IP Law
The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis

Paper presented at the Max Planck Institute's conference "Personal data in competition, consumer protection and IP law Towards a holistic approach?", held on 21 October 2016

Published in: Law

  1. Dr. Francesco Banterle
     MPI, Munich, 21 October 2016
     The Interface between Data Protection and IP Law
     The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis
  2. Data is the new oil
     • The value of personal data has changed marketing strategies and business models based on data analysis
     • Knowledge of customers’ interests allows companies to predict trends
     • People usually get free digital services by ‘paying’ with their data
     Can sets of personal data collected for being commercially exploited be the subject matter of IP rights?
     • Trade secrets
     • Database sui generis right
  3. Processing customers’ data for commercial purposes is allowed and regulated by EU privacy laws (GDPR and e-Privacy Directive)
     • direct marketing: processing data to send commercial offers
     • profiling: automated processing of personal data aimed at evaluating personal aspects of users’ personalities
     • transfer to third parties: assignment of customers’ data to third parties for their own marketing
     Consent as main legal basis - The GDPR sets out additional safeguards:
     • mitigation of risks
     • transparency
     • control for data subjects (e.g. right to object)
  4. Trade secrets
     • The trade secrets regime varies significantly at the EU level, with different legal protection models: IP right v. unfair competition
     • Recently regulated by Directive (EU) 2016/943 - partial harmonization through a minimal standard of protection, exclusively against misappropriation (no property approach)
     Trade Secrets
     • any information, including know-how and business information (i) that is secret; (ii) that has commercial value; and (iii) that has been subject to reasonable steps
     • Business information may include information such as lists of clients/customers, internal datasets containing research data, or anything that may include personal data (see the Impact Assessment)
     Personal information relevancy
     • The EDPS highlighted the relevance of personal data to the concept of trade secrets and considered lists of customer data as a type of business information
  5. Trade secret requirements under the Directive and the Italian case law
     Secrecy
     • the information, as a body or in the precise configuration, must not be generally known or easily accessible in that particular field
     • relative concept rather than absolute
     Commercial value
     • either actual or potential, and may be present where its unlawful use is likely to harm the interest of the right holder
     • connected with significant utility to the holder, since creating this information requires an economic investment
     Reasonable steps
     • “reasonable” recalls a concept of proportionality - factual assessment on a case-by-case basis
     • internal (practical security measures)
     • logical (organisational aspects, such as functional division of information in separate areas with different or limited access criteria)
     • physical (restrict access to the information)
     • external (legal measures towards third parties), e.g. NDA
  6. The particular nature of personal data processed for commercial purposes should play a role in assessing trade secret requirements
     Secrecy
     • a general duty of confidentiality is imposed by EU Privacy Laws on the data controller (Recital 39 of the GDPR)
     Commercial value
     • processing data for commercial purposes entails costs, in terms of IT infrastructures, human resources, and time investments (e.g., for collecting data subject consents). Therefore, the lawful acquisition of personal datasets and the consequential ability to exploit them constitute a precious asset
     Reasonable steps
     • personal data processing is a risky activity and the GDPR is increasing security standards for processing data:
       • performing a risk assessment;
       • security measures:
         • limiting access to personal data only to authorized employees (Article 29) (logical measures);
         • adopting passwords or further access restrictions (Recital 39) (physical measures)
         • segregating data processed for commercial purposes (logical measures)
         • adoption of privacy by design solutions and further security mechanisms against data leaks or intrusion, such as data encryption (physical measures)
         • execution of data processing agreements generally including confidentiality measures (external measures)
  7. Database sui generis right
     The Database Directive sets out a wide definition of database
     • collection of independent works, data or other material arranged in a systematic or methodical way and individually accessible by electronic or other means
     • the nature of the data is irrelevant and can include any material such as texts, sounds, images, numbers, and data
     • contents shall be arranged in a systematic way, retrievable, and independent from each other
     The database right arises if there is a substantial investment in obtaining, verifying and presenting database contents
     • any type of investment, whether in terms of human, technical and financial resources, or expending time, effort and energy. The substantial investment can be in either obtaining, verifying or presenting the content
     The CJEU rejected the database right protection where the investment refers to the creation of data
     • the investment in obtaining the contents of the database must refer to the resources used to collect existing independent material into the database
     • creation/obtaining is similar to the idea/expression dichotomy
     • it is often difficult to distinguish between creating and obtaining data
  8. Database right on sets of customers’ personal data
     Personal data processed for commercial purposes appear to meet all requirements for database protection
     • lists of clients and behavioural profiles need to be systematically organized, as well as accessed and retrieved through data management software
     • customers’ data are independent and have autonomous commercial value
     Does the investment lie in the creation or collection of customers’ personal data?
     • data are not created but gathered from individuals
     • processing data for marketing requires collecting users’ consent and providing unsubscribe mechanisms, which are formalities connected to obtaining, verifying and updating data (see British Sky Broadcasting v. Digital Satellite Warranty Cover Limited [2011] EWHC)
     • only in profiling activities some uncertainties may arise, since data are automatically generated
     Creation v. collection of data in profiling activities
     • investment can be seen in efficiently collecting the data through analytics software;
     • the processing phase is essential;
     • a profiling system requires:
       • methodically updating the data according to customers’ behaviour (the GDPR warns that incorrect and out-dated profiling is dangerous);
       • presenting data to allow their exploitation;
       • updating customers’ consent
     • therefore it is the processing that creates value and requires investment
  9. The interface between data protection and IP
     • Database and trade secret rights on sets of customers’ personal data can combine and give rise to a strong protection mechanism
     • They are limited by the particular (personal) nature of the data and must coexist with privacy rights
     • EU Privacy Laws set out individual rights as well as regulatory provisions
       • need to obtain granular consents
       • opt-out mechanisms;
       • right to access and update data and to object to the processing; data portability, etc.
     • On the other hand, EU Privacy Laws allow data controllers to exploit personal data for commercial purposes - unauthorized use by a third party can be sanctioned (public nature of privacy law)
     • The position of control, connected to accountability in processing data, entails a sort of possession on data, which may also have competitive consequences
     Data protection and IP laws create a complex ownership regime on data
  10. An example of the data ownership issue: big data and cloud-based systems
     Big data
     • method for collecting and re-aggregating data on a large scale
     • advanced profiling: can detect general trends and correlations in data, predict individual attitudes
     • part of big data is done anonymously (cluster customers into general behavioural categories); however, it is more effective if based on identified individuals
     • risk of becoming subject to automated decisions based on data analysis (so-called ‘dictatorship of data’)
     • even raw data hold value for the insights that can be extracted from them
     • ownership of information plays a central role
     Cloud
     • e.g., outsourced e-commerce platforms, also known as “Commerce-as-a-Service” solutions (CaaS)
     • the cloud provider is interested in making big data on the client’s users
     • on which grounds can the cloud client object to that processing?
     • if the client is not processing such raw data, are they protected?
     • in the absence of formal assignments in the cloud agreement, the answer may depend on: (i) Privacy aspects; (ii) IP aspects
  11. Ownership of data in the big data context: Privacy aspects
     EU Privacy laws application?
     • do the user online details used for big data in the cloud (e.g., IP address, MAC address, mobile advertising identifiers) qualify as personal data?
     • information is personal if it can identify - also indirectly - the data subject, considering the means reasonably likely to be at the disposal of the data controller (or of third parties)
     • yes, in light of the increasing risk of identifying individuals, the GDPR now includes online identifiers in the definition of personal data (Article 4)
     Consequences: the data controller / data processor relationship
     • in the cloud context, the primary position of control is generally attributed to the cloud client (depending on contractual power), whereas the provider should act as a mere “data processor” (WP29 2012)
     • the provider is not legally entitled to process data for its autonomous purposes, and particularly to process the cloud client’s user data
     • this aspect affects the possibility to apply the grounds on which big data can be based (apart from consent):
       • secondary purpose principle (e.g. anonymization of data, or research and statistics exception)
       • legitimate interest
  12. Ownership of data in the big data context: IP aspects
     Database sui generis right
     • broad protection (against any kind of extraction, even if indirect, re-utilisation of the extracted contents in a different form or in combination with different materials)
     • does the database right extend to raw data?
     • debated: Yes, (i) where the information is not available from other sources (ii) the processing does not transform the information collected
     • whilst the cloud platform could be the sole source for that data, big data has different processing methodologies
     • different outcomes > limiting database protection
     Trade secrets
     • require reasonable steps
     • in the absence of an access restriction mechanism, data are not protected
     • the outcome of big data analytics is generally stored in protected databases
     • raw data are automatically generated by the platform and cannot be hidden from the cloud provider
     • trade secret protection is not absolute, and it cannot prevent a third party from autonomously obtaining such information
     • at least confidentiality provisions about raw data are necessary
     • in the absence of legal measures about raw data, the cloud provider could process them
     • protection to «processed» data only
  13. Is there a general ownership regime in case IP and privacy laws do not apply?
     Big data
     • stimulate needs to access data
     • even raw data can now have potential economic value
     Property in data?
     • challenges traditional concepts of civil law
     • information has public nature
     • numerus clausus principle for property and IP rights
     • res incorporales not included in property rights
     Modern approach on data?
     • considering as «natural» the ownership of any utility produced by a private activity where it has economic value
     • data commoditization?
     Current ownership regime
     • Privacy law, IP rights, and contractual mechanisms give rise to a strong protection mechanism on data
     Towards a new ownership regime?
     • would require legislative initiative
     • the Commission has launched a new study
     • new rights to be carefully assessed
     • need to ensure open data in certain sectors (possible liability rule)
  14. Thanks!
     fbanterle@gmail.com
     linkedin.com/in/francescobanterle
