The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis
Paper presented at the Max Planck Institute's conference "Personal data in competition, consumer protection and IP law: Towards a holistic approach?", held on 21 October 2016
The interface between data protection and IP law
1. Dr. Francesco Banterle
MPI, Munich, 21 October 2016
The Interface between Data Protection and IP Law
The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis
2. Data is the new oil
The value of personal data has changed marketing strategies and business models based on data analysis
Knowledge of customers’ interests allows companies to predict trends
People usually get free digital services by ‘paying’ with their data
Can sets of personal data collected for commercial exploitation be the subject matter of IP rights?
• Trade secrets
• Database sui generis right
3. Processing customers’ data for commercial purposes is allowed and regulated by EU privacy laws (GDPR and e-Privacy Directive)
• direct marketing: processing data to send commercial offers
• profiling: automated processing of personal data aimed at evaluating personal aspects of users’ personalities
• transfer to third parties: assignment of customers’ data to third parties for their own marketing
Consent as main legal basis - The GDPR sets out additional safeguards: mitigation of risks, transparency, control for data subjects (e.g. right to object)
4. Trade secrets
The trade secrets regime varies significantly at the EU level, with different legal protection models: IP right v. unfair competition
Recently regulated by Directive (EU) 2016/943 - partial harmonization through a minimal standard of protection, exclusively against misappropriation (no property approach)
Trade secrets
• any information, including know-how and business information: (i) that is secret; (ii) that has commercial value; and (iii) that has been subject to reasonable steps
Business information
• may include information such as lists of clients/customers, internal datasets containing research data, or anything that may include personal data (see the Impact Assessment)
Personal information relevancy
• the EDPS highlighted the relevance of personal data to the concept of trade secrets and considered lists of customer data as a type of business information
5. Trade secret requirements under the Directive and the Italian case law
Secrecy
• the information, as a body or in the precise configuration, must not be generally known or easily accessible in that particular field
• relative concept rather than absolute
Commercial value
• either actual or potential, and may be present where its unlawful use is likely to harm the interest of the right holder
• connected with significant utility to the holder, since creating this information requires an economic investment
Reasonable steps
• “reasonable” recalls a concept of proportionality - factual assessment on a case-by-case basis
• internal (practical security measures)
• logical (organisational aspects, such as functional division of information in separate areas with different or limited access criteria)
• physical (restrict access to the information)
• external (legal measures towards third parties), e.g. NDA
6. The particular nature of personal data processed for commercial purpose should play a role in assessing trade secret requirements
Secrecy
• a general duty of confidentiality is imposed by EU Privacy Laws on the data controller (Recital 39 of the GDPR)
Commercial value
• processing data for commercial purposes entails costs, in terms of IT infrastructures, human resources, and time investments (e.g., for collecting data subject consents). Therefore, the lawful acquisition of personal datasets and the consequential ability to exploit them constitute a precious asset
Reasonable steps
• personal data processing is a risky activity and the GDPR is increasing security standards for processing data:
  • performing a risk assessment;
  • security measures:
    • limiting access to personal data only to authorized employees (Article 29) (logical measures);
    • adopting passwords or further access restrictions (Recital 39) (physical measures)
    • segregating data processed for commercial purposes (logical measures)
    • adoption of privacy by design solutions and further security mechanisms against data leaks or intrusion, such as data encryption (physical measures)
    • execution of data processing agreements generally including confidentiality measures (external measures)
7. Database sui generis right
The Database Directive sets out a wide definition of database
• collection of independent works, data or other material arranged in a systematic or methodical way and individually accessible by electronic or other means
• the nature of the data is irrelevant and can include any material such as texts, sounds, images, numbers, and data
• contents shall be arranged in a systematic way, retrievable, and independent from each other
The database right arises if there is a substantial investment in obtaining, verifying and presenting database contents
• any type of investment, whether in terms of human, technical and financial resources, or expending time, effort and energy. The substantial investment can be in either obtaining, verifying or presenting the content
The CJEU rejected the database right protection where the investment refers to the creation of data
• the investment in obtaining the contents of the database must refer to the resources used to collect existing independent material into the database
• creation/obtaining is similar to idea/expression dichotomy
• it is often difficult to distinguish between creating and obtaining data
8. Database right on sets of customers’ personal data
Personal data processed for commercial purposes appear to meet all requirements for database protection
• lists of clients and behavioural profiles need to be systematically organized, as well as accessed and retrieved through data management software
• customers’ data are independent and have autonomous commercial value
Does the investment lie in the creation or collection of customers’ personal data?
• data are not created but gathered from individuals
• processing data for marketing requires collecting users’ consent and providing unsubscribe mechanisms, which are formalities connected to obtaining, verifying and updating data (see British Sky Broadcasting v. Digital Satellite Warranty Cover Limited [2011] EWHC)
• only in profiling activities some uncertainties may arise, since data are automatically generated
Creation v. collection of data in profiling activities
• investment can be seen in efficiently collecting the data through analytics software;
• the processing phase is essential;
• a profiling system requires:
  • methodically updating the data according to customers’ behaviour (the GDPR warns that incorrect and out-dated profiling is dangerous);
  • presenting data to allow their exploitation;
  • updating customers’ consent
• therefore it is the processing that creates value and requires investment
9. The interface between data protection and IP
Database and trade secret rights on sets of customers’ personal data can combine and give rise to a strong protection mechanism
They are limited by the particular (personal) nature of the data and must coexist with privacy rights
EU Privacy Laws set out individual rights as well as regulatory provisions
• need to obtain granular consents;
• opt-out mechanisms;
• right to access and update data and to object to the processing; data portability, etc.
On the other hand, EU Privacy Laws allow data controllers to exploit personal data for commercial purposes – unauthorized use by a third party can be sanctioned (public nature of privacy law)
The position of control, connected to accountability in processing data, entails a sort of possession of data, which may also have competitive consequences
Data protection and IP laws create a complex ownership regime on data
10. An example of the data ownership issue: big data and cloud-based systems
Big data
• method for collecting and re-aggregating data on a large scale
• advanced profiling: can detect general trends and correlations in data, predict individual attitudes
• part of big data is done anonymously (clustering customers into general behavioural categories); however, it is more effective if based on identified individuals
• risk of becoming subject to automated decisions based on data analysis (so-called ‘dictatorship of data’)
• even raw data hold value for the insights that can be extracted from them
• ownership of information plays a central role
Cloud
• e.g., outsourced e-commerce platforms, also known as “Commerce-as-a-Service” solutions (CaaS)
• the cloud provider is interested in performing big data analysis on the client’s users
• on which grounds can the cloud client object to that processing?
• if the client is not processing such raw data, are they protected?
• in the absence of formal assignments in the cloud agreement, the answer may depend on: (i) Privacy aspects; (ii) IP aspects
11. Ownership of data in the big data context: Privacy aspects
EU Privacy laws application?
• do the users’ online details used for big data in the cloud (e.g., IP address, MAC address, mobile advertising identifiers) qualify as personal data?
• information is personal if it can identify - also indirectly - the data subject, considering the means reasonably likely to be at the disposal of the data controller (or of third parties)
• yes, in light of the increasing risk of identifying individuals, the GDPR now includes online identifiers in the definition of personal data (Article 4)
Consequences: the data controller / data processor relationship
• in the cloud context, the primary position of control is generally attributed to the cloud client (depending on contractual power), whereas the provider should act as a mere “data processor” (WP29 2012)
• the provider is not legally entitled to process data for its autonomous purposes, and particularly to process the cloud client’s user data
• this aspect affects the possibility to apply the grounds on which big data can be based (apart from consent):
  • secondary purpose principle (e.g. anonymization of data, or research and statistics exception)
  • legitimate interest
12. Ownership of data in the big data context: IP aspects
Database sui generis right
• broad protection (against any kind of extraction, even if indirect, and re-utilisation of the extracted contents in a different form or in combination with different materials)
• does the database right extend to raw data?
• debated: yes, where (i) the information is not available from other sources and (ii) the processing does not transform the information collected
• whilst the cloud platform could be the sole source for that data, big data has different processing methodologies
• different outcomes > limiting database protection
Trade secrets
• require reasonable steps
• in the absence of an access restriction mechanism, data are not protected
• the outcome of big data analytics is generally stored in protected databases
• raw data are automatically generated by the platform and cannot be hidden from the cloud provider
• trade secret protection is not absolute, and it cannot prevent a third party from autonomously obtaining such information
• confidentiality provisions about raw data are at least necessary
• in the absence of legal measures about raw data, the cloud provider could process them
protection to «processed» data only
13. Is there a general ownership regime in case IP and privacy laws do not apply?
Big data
• stimulates the need to access data
• even raw data can now have potential economic value
Property in data?
• challenges traditional concepts of civil law
• information has public nature
• numerus clausus principle for property and IP rights
• res incorporales not included in property rights
Modern approach on data?
• considering as «natural» the ownership of any utility produced by a private activity where it has economic value
• data commoditization?
Current ownership regime
• Privacy law, IP rights, and contractual mechanisms give rise to a strong protection mechanism on data
Towards a new ownership regime?
• would require legislative initiative
• the Commission has launched a new study
• new rights to be carefully assessed
• need to ensure open data in certain sectors (possible liability rule)