The Internet of Things, digital platforms and data-driven transactions are creating some real challenges for lawyers. Who actually "owns" data? And who is liable when things go wrong in a complex digital ecosystem?
[This article is based on a presentation given to the Japan-New Zealand Summit on Smart Technologies, on 8 October 2018.]
We hear all the time now that we're in the midst of the fourth industrial revolution, powered by AI and 'big data'. That more data was generated last year than in the last 5000 years combined. That this is the new oil. And that we're in the age of the machine economy, as smart devices collect and share data with each other on a massive scale.

This is a revolution you hear a lot about. But there is also a quieter revolution occurring in how we understand and address these profound changes in our society from a legal perspective.
The challenge of how we view data as a legal concept, and how we manage it through traditional legal forms, is a big focus for us as tech lawyers. How do we attach legal rights to data? And how do we manage liability when things go wrong in the highly complex and connected tech ecosystem that our world has become?
"Who Owns the Data?"
We often hear this question from clients involved in tech deals or building tech products. And the answer, in the nicest possible way, is it's the wrong question. No one really "owns" data - at least not in a traditional property sense - so it's not usually helpful to think in terms of ownership when addressing data from a legal perspective.
Data is (to borrow a good definition) "the raw value of a qualitative or quantitative variable; a pure unfiltered input from reality".
Fortunately for humanity, no one has yet laid claim to a property right in pure unfiltered reality. But we all know that there is a huge amount of value in these raw inputs from reality, and that value increases as they become structured into information, insights and ultimately, products and services.
So if data has value, but is not capable of ownership in itself, how do we address it from a legal perspective? The answer is that there are various legal rights that can potentially attach to data. These rights may all be held by multiple people at the same time, they often overlap, and they're often contradictory. So that's easy then.

Broadly there are 3 places these legal rights come from: (1) legislation and case law relating to data privacy (e.g. the Privacy Act in New Zealand and the European General Data Protection Regulation), (2) the law of IP (e.g. copyright, database rights and trade secrets) and (3) perhaps most importantly as we'll see later, contracts.
So to illustrate this interplay of legal rights, let's imagine a future, probably about 3 years from now, where sugar has gone the way of smoking and, following scientific consensus, is being actively eradicated from society by governments.
The Silicon Valley (or Wynyard Quarter) solution to this sugar problem is an IoT platform called SugrFree, which consists of:
- a smart device to capture and monitor the user's blood sugar levels;
- a number of IoT sensors placed strategically in the user's fridge, pantry and office drawers which capture the sugar content of food stored within; and
- a link with the user's bank account to monitor purchases of offending goods and automatically block transactions which appear to be sugar-related.
And this is all powered by the SugrFree app - which provides users with real-time updates of their sugar levels and purchasing information and allows them to earn tokens when their stats improve - to be redeemed with various partners in the ecosystem - broccoli vendors, yoga instructors, etc etc.
So, coming back to our 3 categories of legal rights:
The data collected from me, the user (and from my fridge, my pantry and my bank account) is personal data - that is, it relates to me, an identifiable individual. Each player in this SugrFree ecosystem which either collects or receives my personal data will have privacy obligations, which in the broadest terms mean that they need to:
- have a legitimate reason to hold my data;
- tell me what data they have collected about me, what they are going to do with it and who they might share it with;
- give me access to it when I ask for it; and
- keep it secure.
Alongside that, certain participants in the ecosystem may have further legal obligations in relation to the data. The bank, for example, has a separate legal duty to keep its customers' information confidential, and may also have specific obligations to regulators or under financial services legislation.
Also, there are often enhanced obligations around treatment of sensitive health information - such as the Health Information Privacy Code in NZ.
So it sounds like I have a lot of rights here. The data is clearly taken from me, it relates to me, and everyone who has access to it needs to comply with a number of obligations in relation to it. So why can we not say I'm the owner of my personal data?
Well these rights are more about privacy than ownership in a property sense. And to illustrate that, we can look at the second category of rights attaching to data.
In the SugrFree example, although the "pure inputs from reality" relate to me, I'm not actually the person generating the outputs of the data, and I'm not in full control of what happens to it. The information about my sugar intake wouldn't actually exist in the form it's in, without the SugrFree application processing the raw data and turning it into useful information. So, in certain circumstances, those who collect and compile data may have IP rights in those compilations or databases.
While the sugar data is about me, it has been generated, and its utility has been in a sense created, by someone else - whether that's SugrFree, the smart fridge manufacturer or the bank. And the data also has much more power when combined and aggregated with data that relates to other people, which I have absolutely no control over.
So, although there is no IP in my own raw personal data, the law of IP might intervene to provide protection over a compilation of many people's data when there has been a sufficient amount of skill, judgement and investment involved in putting it together (the exact legal tests differ depending on the jurisdiction; in some countries there is a specific 'database right' enshrined in legislation). And this is generally considered fair, as it provides some incentive for the investment involved in compiling a database or creating these insights. An example here might be SugrFree aggregating its users' data to provide a snapshot of the sugar consumption habits of everyone in Auckland.
But there are some big limitations when trying to enforce IP rights in relation to data. First, you've got to show you've used sufficient skill, judgement and investment in the first place. Then you have to prove that someone else has literally copied you (not always easy when we're talking about raw data). There are also a number of exceptions to copyright (often termed "fair use" or "fair dealing", depending on where you are) which could also come into play.
Also, to show you have a compilation or a database that is protectable, you need to show there has been an orderly capture, transfer and analysis of the data. However, in the context of the Internet of Things, if data is shooting from device to device in real time without ever being "collected" into a fixed base, it may be difficult to show a database capable of IP protection.
So in practice, most companies sitting on valuable data won't rely solely on their IP rights, but also more practical mechanisms like keeping it technically secure and confidential - so no one can copy or use it without permission in the first place. Then as a back-up they'll have confidentiality agreements in place so there is a clear legal agreement to point to when it comes to enforcement.
Importantly, SugrFree's rights to protect its sugar intake databases (either through copyright or as confidential information or trade secrets) don't affect my rights under data protection law. SugrFree may prevent other commercial parties from copying or accessing its databases, but at the same time it needs to protect and give me access to the data it holds about me.
So as my sugar intake data wings its way from my body (and my fridge) to my SugrFree app (and my bank and my yoga instructor) - each of those third parties could potentially assert some IP or confidentiality right over portions, compilations or outputs of that data, even as my rights under data privacy law sit over the top of them.
The third and perhaps most important layer in the data rights pyramid is contracts.
We all know that freedom of contract is one of the underpinnings of our modern capitalist system. People are generally able to agree what they want with each other, as long as they are capable of doing so and are complying with the law.
So in the area of data, which has this uncertain legal status, is created in ever larger quantities and is put to ingenious new uses on a daily basis, legislators and courts can struggle to keep up. And where there's a legal void, the private sector and their lawyers will often fill it with contracts.
This is nicely illustrated in the context of our SugrFree application. Let's think about all the contractual terms likely to be at play here:
Each user will have to agree app access and privacy terms with SugrFree, a purchase agreement and licence with the smart fridge supplier, an end user licence agreement with the smart watch manufacturer, terms & conditions with the bank, and membership or sales terms with the commercial partners.
SugrFree will need to have commercial partnership or licence agreements with each player in this ecosystem, and some of those players may have similar agreements with each other.
If you're counting, we've probably identified around 15 separate sets of legal terms. And we haven't even considered the other potential parties in the ecosystem - mobile platform providers like Apple and Google, internet service providers, cloud hosting companies and other back-end tech vendors, potentially scores of other commercial partners. And what about government? The Ministry of Health would certainly be interested in the insights generated from this data and the behavioural impact of the service.
All of these contracts between all of these parties will have something to say about the data that is being collected and used within this ecosystem. And although we lawyers would like to assume they'll all be completely clear and won't contradict each other, in reality many of the contracts we see are seriously inadequate when it comes to dealing with data.
Some contracts will be completely silent on what happens to data (apart from maybe a general confidentiality clause), some will attempt to say that one party "owns" all the data, some will conflate data with IP and try to deal with data rights in a generic licence clause, some will say things that completely undermine a party's ability to comply with data protection legislation. The list goes on.
More worryingly for individual users, many of these terms (which most of us never read) provide for very large transfers of rights in users' data. Have a look at the user terms of any major tech platform and see for yourself.
This is not always a bad thing - and we often have to accept that tech providers have a legitimate need for flexibility to use data they collect in the broadest way possible to support and build their platforms. But the value of the collective data (and the money that can be made from it) are usually in stark contrast to the value being delivered to each individual who makes up the dataset.
When Things Go Wrong
So how does this all play out in the real world? Well it's really about what happens when things go wrong. As much as we like to tell ourselves otherwise, people are only really interested in our beautifully crafted agreements or advice on legal rights once stuff has hit the fan.
So let's say there was a major data breach at some point in the SugrFree ecosystem. What could be at stake here? Bank account details and sensitive health information gets into the wrong hands, users can't monitor their sugar intake causing a mini health crisis, smart fridges start going rogue and recommending cupcakes - everyone in this ecosystem could suffer reputational damage and potential knock-on economic loss.
Now let's think about that interconnected ecosystem, that web of contracts, and the three layers of overlapping and potentially contradictory legal rights attaching to data, all of which are potentially at play. The chain of liability in this connected world is hugely complex. In fact it's a legal nightmare (or dream, depending on your worldview).

Now the big players in this system can (often) afford lawyers and court battles and appearances in front of senate committees to state their case. But where does this leave the individual user? Some academics looking at contracting for the IoT a couple of years back did a case study about a particular 'smart home' solution, and worked out that each user needed to read at least 13 different legal items to get a comprehensive picture of the rights, obligations and responsibilities of the various players in that supply chain (*). They also asserted that if you added the 13 sets of legal terms to those of devices, apps and appliances which could potentially connect to the platform, over 1000 contracts could apply to that single product. How many users do you think would have read even one of these contracts?