Long reads

Addressing the IP pitfalls in data monetisation projects

This article was co-authored by Richard Assmus (partner), Oliver Yaros (partner) and Reece Randall (associate) of Mayer Brown LLP. This article is the first in a three-part series from Mayer Brown on digital transformation and its impacts on financial institutions.

            1. Introduction and summary

It is often said that data is the “lifeblood” of modern business. Whilst the hype surrounding such rhetoric may not find favour with all, successfully finding, analysing and relying on “good” data has become the foundation to our increasingly connected and technologically advancing society. It is therefore unsurprising that so many organisations, irrespective of size, industry or geographic region, are seeking to understand the value contained within, and ultimately monetise, the data at their disposal.

A key challenge for organisations seeking to successfully monetise the value of their data is adopting a consistent, informed approach to protecting their rights in the data. It is against this backdrop that many organisations understandably struggle to navigate the various intellectual property and contractual challenges associated with realising the true monetary value of their data. In light of these challenges, we consider:

(a)            the potential value of data;

(b)           the difficulties associated with protecting data under traditional conventions of US and UK intellectual property laws;

(c)            the importance of the contractual regime organisations have in place with third parties when it comes to protecting and sharing access to data; and

(d)           the key pitfalls organisations should be aware of when seeking to realise value in data monetisation projects.

            2. Appreciating the value of data

Modern businesses are generally afforded access to large volumes of data across a wide range of categories. For instance, businesses typically access and use business data, personal data and public data (all of which may be further sub-divided into different categories of one another) in their day-to-day operations. This variety, coupled with technological and societal developments, ultimately paves the way for opportunity in realising the monetary value in the underlying data.

When it comes to appreciating the value of data, it has long been appreciated that structured datasets, or even the layout of databases housing those datasets, can contain inherent value. A common example is datasets used for marketing purposes, which contain personal data relating to individuals interested in a certain product or service. However, the value of data goes a lot further than this and is underpinned by the breadth of instances in which data can be utilised to deliver desired outcomes. It is the ability to assist in the delivery of desired outcomes which, after all, attributes data with its inherently limitless value.

One way in which data can be used to deliver desired outcomes is demonstrated with respect to machine learning algorithms. In particular, datasets can be used to provide training data for these algorithms. For instance, insurance companies can take a set of fairly unstructured data to assist underwriters in assessing risk when it comes to writing insurance policies. Similarly, data deriving from machines, for example, engine control units, can be used to improve machine efficiency and develop new concepts. The data deriving from these engine control units can be used to train computer systems to develop performance such as with respect to fuel efficiency and the development of new products.

It is also important for organisations to appreciate that, unlike other assets, data does not always have a clear or consistently applied “use-by” date. This is partly down to the variety of uses for which the data can be utilised and part due to the pace at which technology and society and develops. As that technological and societal change develops, so does the need for varied datasets in order to train, develop and ultimately optimise the success of those developments. It is therefore the case that data which may appear on its face to be of little commercial value, perhaps due to its age or niche nature, could develop and/or increase its value as a result of technological and societal developments, such as in the expansive field of artificial intelligence.

            3. How intellectual property rights in the US and UK can operate to protect rights in data

As described by the World Intellectual Property Organisation “intellectual property refers to creations of the mind”. It is broadly against this backdrop that traditional intellectual property rights have been developed in the US, UK and generally worldwide for the protection of inventions, literary and artistic works, software, designs and signs indicating origin of goods and services. Broadly speaking:

(a)            an inventor can consider applying for patent protection for their newly invented product;

(b)           an author will seek to protect their creative works through copyright; and

(c)            a company looking to conduct business under a certain name and/or logo may look to trade mark protection.

However, when it comes to protecting rights in data, either generally or as part of a wider data monetisation project, the protection offered by these traditional types of intellectual property law is unlikely to be comprehensive.

Organisations may benefit from bit-part protection where the arrangement and structure of the database containing their data is protected via US or UK copyright laws, or the UK’s separate database right where there has been substantial investment in seeking and arranging the data in the database. Nonetheless, these database-related rights provide no protection with respect to the data itself. Similarly, US and UK patent laws may protect novel data processing methods associated with the data, such as data analysis methods. However, the underlying data is again not afforded any protection itself by a granted patent in this instance. Moreover, the fundamental concept under patent law that the inventor makes their invention known to the world, in exchange for a time-limited monopoly on that invention, is itself likely to be inconsistent with the objectives of data monetisation projects in that confidentiality in the underlying data will ultimately be lost.

Therefore in the US and the UK the best option for organisations to establish and protect rights in their data is likely to be through trade secrets protection and rights in confidential information. In the US, state and federal trade secrets laws impose a requirement on owners of the information to take reasonable measures to keep that information secret.

A similar requirement is in place for UK trade secrets, where reasonable steps are required by the person controlling the information to keep that information secret under the circumstances.Practically, the number of counterparties who may end up with access to the data, both generally in the course of engaging third parties by also where third parties are granted access for specific data monetisation initiatives, can be vast both in number and geographical reach. It is therefore important that organisations and their in-house legal teams have appropriate policies and procedures in place to preserve data confidentiality and that members of the organisation actively comply with and implement those policies and procedures (and any exceptions to them) in a consistent way.

Ultimately, confidentiality in data is only as strong as the weakest link in the chain of third parties who are granted access to that data. Organisations must therefore, having developed strong contractual confidentiality and trade secrets protection provisions, ensure that these provisions are deployed consistently in contracts with third parties. Failure to do so may expose the organisation to scrutiny when it comes to assessing whether reasonable steps have been taken to safeguard the secrecy of the data and dilute the strength of any breach of confidence or trade secrets claim which the organisation may make in the future.

            4. Key pitfalls which organisations should consider when transacting with their data

In practice, there are a number of common pitfalls which organisations should look out for when transacting with their data. These pitfalls will inevitably vary depending on the context of the transaction, such as whether the arrangement concerns data sourcing, storage, enrichment and/or clean up. Ultimately, it is important pitfalls are recognised and navigated effectively, as failure to do so could ultimately dilute the value of and/or any exclusivity in the underlying datasets.

It is common for organisations to aggregate their data with other data sources, including publicly sourced data, in order to enrich the organisation‘s underlying data. Such activity can provide new meaning to the organisation‘s data and therefore potentially increase the value of that organisation‘s data. Nonetheless, organisations undertaking data enrichment activities should be aware of pitfalls associated with the license terms of data providers - even where the data is publicly sourced. These licences may contain limiting provisions which may dilute an organisation‘s efforts to generate monetary value in its underlying data. For instance, it is not uncommon for data providers to prohibit redistribution of enlarged or enriched datasets, or limit the use of these data sets, which may outweigh the commercial gains the organisation receives through enriching the data in the first place.

Organisations need to also be mindful of arrangements with vendors offering data storage services, such as cloud services and other IT providers who host data on their systems. Typically vendors providing these types of services will have standard terms of business which seek to provide the vendors with usage rights in supplied data. It is not always easy to identify these provisions, but it is common that they are drafted in a way which permits the vendor to use the supplied data to improve the vendor‘s software services and “other business purposes”. Though this may initially appear innocuous, the situation could arise where vendors are using data supplied by clients in a way the client would not suspect – such as to develop new product offerings for the vendors which could culminate in production of a similar or otherwise competing product/serving offering to that of the client. At a minimum, typical contracts do not preclude this competing use.

Another common pitfall arises with respect to the onward transmission of data. Practically, the transferring organisation may not own all the rights in the data which they make available to third parties. Therefore, where the third party vendor is seeking to acquire ownership or usage rights in the data, the situation may arise where the transferring organisation cannot provide standard warranties, such as those surrounding the data usage having been at all times in accordance with applicable laws and/or that there has been no breach of confidentiality provisions or licensing terms associated with the transferring data. This not only becomes an issue where the transferring organisation may own the data, but also where that organisation owns the data but has lost ability to monitor how the data is being used by other vendors – such as the situation previously discussed in the context of storage and hosting services.

Organisations should also remain vigilant that exclusivity in their data is not lost once a third-party engagement concludes. It is typical for third-party vendors to delete or return data acquired during the course of an engagement. However vendors may seek to retain derivative data which they assert constitutes an output of the services. This may lead the third-party vendors to seek a license to your data in order for those vendors to receive continued use of the asserted derivative data. This can ultimately reduce the value of the data, and organisations should think carefully about entering into arrangements which grant these rights, or later granting such rights at the conclusion of a third-party engagement.

            5. Steps organisations can consider when undertaking due diligence or negotiating contracts for data monetisation initiatives

The first step organisations should consider when it comes to protecting the value in their data is to ensure that:

(a)            appropriate internal policies and governance procedures are in place;

(b)           that these policies and procedures are enforced; and

(c)            that the organisation has adequately scoped the boundaries surrounding how the organisation is prepared to transact with its internal data.

Each of these steps requires the organisation to analyse and continually monitor its own data collection and other processing operations and to identify those particularly valuable categories of data. Once achieved, an internal classification scheme may be developed and maintained based on the organisation‘s internal data analysis. This scheme could categorise an organisation‘s internal data types and outline how those types are to be uniformly marketed based on the data sharing rights the organisation is willing to provide for each data type. Any decisions in this regard should be made pursuant to the organisation‘s internal policies and procedures. Particularly given the potential for the value in the underlying data sources to develop over time, as previously discussed.

Accurately mapping an organisation‘s legal and other contractual obligations with respect to its data sharing activities is another important step and once which dovetails with those discussed above. Understanding what an organisation can and cannot provide in terms of data rights will be essential to developing any successful data monetisation strategy. In this regard, organisations must carefully consider third-party terms which they may be agreeing to and where appropriate push for the organisation‘s own internal terms, or negotiate a middle ground which provides adequate protection for rights in data the organisation deems valuable.

This approach coincides with the overarching need for organisations to undertake appropriate due diligence on third-party vendors whose organisations intend to share personal data with. Moreover, during early negotiations with potential third-party vendors, organisations should make it clear where the boundaries lie with respect to material rights in their data. Should positions be adopted which deviate from those contained in the organisation‘s internal policies and procedures, the organisation should ensure that steps are taken to record these deviations. Ensuring this is documented effectively will assist the organisation to control where its data is, what rights is has retained in that data and what rights have been granted to the third-party vendor.

            6. Successfully unlocking the value in data

As the value of data continues to develop and new uses spring up in light of technological and other societal change, it is important that organisations are getting in right when it comes to protecting this valuable asset class.

As we have discussed, the contractual arrangements which govern the utilisation of data can be just as important, if not more determinative than relying on the protections afforded through traditional means of US and/or UK intellectual property law. Therefore, the effectiveness of an organisation‘s data monetisation efforts is predominantly dependent on the organisation‘s ability to regulate its use of data by adopting and consistently applying appropriate policies and procedures to the data it collects, generates and exploits. If these policies and procedures are deployed successfully and consistently across the organisation, it stands to benefit from the potentially limitless value harvested from its proprietary data sources.

Comments: (1)

Francis Hellawell
Francis Hellawell - Endava - London 27 January, 2022, 07:52Be the first to give this comment the thumbs up 0 likes

Wow! Its at least as massive issue as I thought... My initial reaction is to think how a bank (or financial institution) who has traditionally thought of itself as a data owner, is actually impacted when they are a 3rd party processor in such as Embedded Finance business? It would seem from the above that the rights in the 2 different business channels massively varies?