BIG DATA
PROTECTING RIGHTS AND EXTRACTING VALUE
Mike Rebeiro and Marcus Evans of Norton Rose Fulbright LLP explain how big
data can be used by businesses, law fi rms and in-house counsel and outline the
legal and regulatory risks that accompany these uses.
Big data is set to become a pervasive agent for change, helping to fuel a digital industrial revolution. According to the European Commission (the Commission), technology and services that are driven by, or make use of, big data are expected to grow worldwide to $16.9 billion in 2015 at a compound annual growth rate of 40% (http://ec.europa.eu/ digital-agenda/en/towards-thriving-data-driven-economy).
Big data will mean big change for businesses, law fi rms and in-house legal teams. It will also mean big opportunities. When adopting this new and potentially disruptive technology, just as with any new venture, both the advantages and the disadvantages need to be considered. Risks need to be identifi ed and managed. As the Information Commissioner recently observed, big data is not a game played by different rules (https://ico.org.uk/ for_organisations/guidance_index/~/media/ documents/library/Data_Protection/Practical_
application/big-data-and-data-protection. pdf). A failure to address legal and regulatory risk in relation to big data could result in a serious regulatory breach, attracting fi nes, reputational damage and loss of business. A recent survey by Accenture found that 41% of businesses reported a lack of appropriately skilled resources to implement a big data project (www.accenture.com/ SiteCollectionDocuments/PDF/Accenture-Big-Data-POV.PDF). Such expertise will need to include a legal and regulatory compliance review. This article considers how to identify and manage the legal and regulatory risks that result from the use of big data. It also considers what steps law fi rms and in-house counsel might need to take to face the challenges.
WHAT IS BIG DATA?
Big data consists of large, complex data sets generated from sensors (for example, through
networks of interconnected objects or devices other than traditional desktop computers, known as the “internet of things”), internet transactions, mobile payments, email, click streams and other digital interactions. Small and unconnected pieces of data generated from these sources, when amalgamated and subjected to powerful big data analytics, can reveal useful information about the user or a market as a whole, by identifying trends and making predictions about future behaviour and outcomes.
These data sets are so big that they are beyond the capacity of traditional software tools to capture, manage and process within acceptable timeframes. Big data analytics can identify trends, and it enables predictions to be made based on an analysis of existing or historic data.
Sources of big data include combining data sets from publicly available sources (open
© 2015 Thomson Reuters (Professional) UK Limited. This article fi rst appeared in the January/February 2015 issue of PLC Magazine, published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers.
data, that is, data freely available to everyone to use and republish without restrictions that might otherwise apply by the operation of intellectual property rights) and privately generated sources (proprietary or licensed data sets).
The fi ve Vs
In 2001, Gartner, a leading information technology research and advisory business, anticipated the advent of big data by proposing a three-fold defi nition of big data encompassing volume, velocity and variety. A fourth “v” was added to this defi nition: veracity, meaning the uncertainty of data (see box “The four Vs”).
The commercial potential of big data now probably requires the addition of a fi fth “v” as well: value. There is enormous potential in the ways in which big data projects may deliver value for businesses, law fi rms, and in-house counsel (see “Extracting value” below).
THE BENEFITS AND RISKS OF BIG DATA
Big data analytics is predictive in character, allowing a business to interact with its customers as individuals on a bespoke basis (refl ecting customer preferences) through tailored advice, offers and related products, with the objectives of obtaining a market advantage and engendering customer loyalty. Beyond this, big data is also used by businesses to make market predictions and, in the future, will increasingly inform business strategy.
Extracting value
Business and investment decisions will be infl uenced by information revealed by big data analytics. Its use will extend far beyond consumer behaviour, healthcare, weather patterns, market movements and other obvious applications.
Uptake in sectors such as energy, transport, fi nancial services, infrastructure, mining and
commodities, technology and innovation, life sciences and healthcare will accelerate as national governments, as early adopters, seek to facilitate the commercial activity that big data analysis will bring, while balancing these benefi ts with the need to implement safeguards against intrusive use of such data by businesses.
As the potential for creating value becomes clear, big data, together with the internet of things, will be the impetus for a range of transactions whose purpose will be to extract that value (see box “How big data can create value”).
Legal services
Big data analytics may prove to be an effective tool to analyse the business of providing legal services. For example, big data could be used for an internal analysis focused on maximising cost effi ciencies or determining how particular matters ought to be priced. However, for both law fi rms and in-house counsel, big data
2
The four Vs
Large and complex data sets
These are data sets that are too large and complex to analyse using traditional relational database management methods. Specialised technology and database analytics are relied on to interpret the data usefully.
The four Vs
In 2001, Gartner predated the term “big data” proposing a three-fold definition encompassing the “three Vs”: volume, velocity and variety. This idea now includes a fourth v: veracity, to cover questions of trust and uncertainty.
Predictive
Big data is the derivation of value from
database-driven business decision making, coupled with new sources of unstructured data. Big data is about making predictions based on large and complex data sets.
Diversity
Opportunities exist in organisations generating large volumes of diverse or targeted data. Forms of data include business transactions stored in relational databases, documents, email, sensor data, blogs, and social media.
VOLUME Large data sets
VERACITY Uncertainty VELOCITY Speed VARIETY Complexity
analytics may not be limited to this. They may also use it to change the way in which substantive legal services are delivered. The provision of certain kinds of legal services is about using data (explicit knowledge, such as case law, precedents, regulatory decisions, offi cial guidance, as well as personal or embedded knowledge, such as how to present a party’s argument or case in the most compelling way) to make predictions about outcomes. That data is held in the hands of lawyers, or is at least accessible by them. Much of a lawyer’s role is about making predictions (see “The challenge for law fi rms and in-house counsel” below). However, a lawyer cannot hold in his head the sheer volume of data that an unstructured big data data set contains and so much of a lawyer’s predictive analysis is based on small data sets.
What if big data data sets could be used by law fi rms and in-house counsel, in combination with the variables of the particular case or project, to make predictions, or, for example, to prescribe the outcomes that must be satisfi ed in relation to the roll-out of a particular product or service offering across multiple jurisdictions? How would that affect
the risk profi le of a law fi rm or the role of the legal function within a business?
The question is not simply academic. There are already tools that rely on big data analytics or large data sets for use by lawyers. Lex Machina (which analyses large data sets to try to predict the likely outcome of intellectual property cases), KMS Technology (which undertakes an analysis of the structure and language contained in agreements with the objective of drafting new agreements and auditing and reviewing agreements more effi ciently), and Judicta (which converts unstructured case law into highly structured data for predictive purposes) are recent examples.
While human judgment cannot be replaced by machines, nonetheless big data analytics may reveal patterns and trends that are not apparent to the fallible human brain. It may only be a matter of time before the use of this technology becomes commonplace in law fi rms and by in-house counsel.
Risks
Both law fi rms and in-house counsel need to understand the risk profi le of a big data project, and develop an understanding of the potential commercial applications for
themselves and the businesses that they advise.
Reliability. Among the potential risks that
businesses that create or use big data need to address is the question of data reliability; that is, the veracity of the underlying raw data. Raw data sourced from publicly available sources, from another business, or collated by the business itself may contain errors. These errors may be processing errors or may arise at source (for example, from mistakes in fi eld coding and other inputs). These errors may fl ow through to the outputs of the data analysis processes, such as trend analysis and predictions, on which the business’s strategic and investment decisions may depend. Data sets may have their origins in several different sources. Open data are typically licensed on terms similar to those applicable to open source software (in general terms, software licensed under a “general public licence” or a similar licence which permits access to source code and gives a right to redistribute coupled with an obligation to include subsequent improvements on identical terms when redistributing). These terms usually give little or no comfort to the business that uses the data in relation to the reliability and non-infringing nature of the licensed material.
How big data can create value
Joint ventures and collaboration agreements
Creating and licensing data sets, including by data aggregators
Software, apps and devices
Monetising
Developing new
functionality
Collaborating
Hardware Consultancy services Outsourced services
Contextualising
data/analytics
Sourcing
Supplying processing
capacity
Communications and data carriage
Data storage and management Public sector efficiencies
Supplying infrastructure
Implementing public
policy
© 2015 Thomson Reuters (Professional) UK Limited. This article fi rst appeared in the January/February 2015 issue of PLC Magazine, published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers.
Public providers of these data sets, such as local authorities or central government, are seldom willing to accept liability for losses arising from reliance on the data, particularly when the data are provided free or for a nominal charge.
Businesses that supply these data sets on to other businesses, or that provide services that depend on the data, could potentially face claims in contract, in tort (for example, for negligent misstatement) or for some other form of liability (this could include consumer claims based on statutory rights). They will need to ensure that they limit their own liability on a back-to-back basis with the supplier of the data set where possible, or insure against the risks.
Privacy. Interception, appropriation and
corruption of data will remain an issue for businesses possessing big data data sets, just as with any other data. The data privacy laws in many countries require that the data controller implements appropriate technical and organisational measures to safeguard the security of personal data. Such laws typically require the data controller to pass these requirements on in their contracts with their suppliers. These requirements will apply to the data sets held by businesses that contain personal data.
Businesses will also need to take into account the new EU data protection regulation, which will require that technical and organisational measures ought to be provided for by design (broadly speaking, an approach that is about fi nding ways to build privacy controls into systems from the start) (see News brief “EU data protection regulation: the long road to reform”, www.practicallaw.com/8-565-4665). This will apply to the whole lifecycle of the data, including at the time of collection and in relation to retention. Purely technical solutions, implemented in the absence of a more comprehensive approach to information governance, may not be adequate.
Information governance. Amassing vast
quantities of data for big data projects can give rise to e-discovery risks in relation to this data. For example, it may only be a matter of time before litigation arises where the strategies or decisions that were derived from a business’s big data project become potentially relevant to litigation. Moreover, new e-discovery tools are emerging that will be able to handle the data analytics challenges presented by vast quantities of big data.
Businesses whose commercial models depend on creating and exploiting big data will need to develop an approach to information governance that is capable of addressing the risks presented by these unstructured data sets. Compliance with information retention requirements (including those imposed by law or regulators) will need to be reconciled with the legal and commercial necessity to delete regularly unwanted data as part of a wider risk management strategy.
WHAT IS DRIVING CHANGE?
Developments in both technology and law are driving the increasing use of big data analytics by businesses. Convergence (that is, different technological systems evolving toward performing similar tasks, as well as the evolution of technology-neutral content), the unique addressability of things on the internet (in other words, each “thing” has a unique internet protocol address), the embedded computing nature of many devices, open architecture (a type of computer or software architecture designed to facilitate the changing of components by allowing users to see inside the architecture), and open application programming interfaces (a set of routines, protocols, and tools for building software applications) all support growth of the internet of things, which will generate a vast amount of data that can be used in big data analytics.
Technology
While the collection and use of data now takes place in both fi xed and mobile environments, the trend is moving towards mobile. The growth in the use of mobile-only applications and devices is set to transform the user experience and benefi ts of technology as devices collect information on a user’s location, browsing and buying habits as well as social interactions, lifestyle choices and real-time medical information.
The effect of these changes is that data sets are now far richer in content and detail. The processing of personal data is now the norm. Businesses that are able to capture, access and analyse this data 24 hours a day, seven days a week have a far greater insight into existing and potential customer behaviour than had ever previously been the case. The ubiquitous collection of data is also driven by the nature of the technology itself. The use of big data analytics is supported by the emergence of technologies that can
process large quantities of data, including parallel-processing databases, search-based applications, data-mining grids, distributed fi le systems, and distributed databases. The growth of data storage and processing power, which has grown dramatically over the last 50 years, is key to these developments.
Law
The legal and contractual environment within which big data analytics is developing is likely to encourage uptake where it can deliver certainty and trust among those who provide data (such as consumers) and between businesses that wish to exploit that data in some way.
Examples of developments that might assist in this regard include:
• Existing contractual norms relating to data and security being readily adaptable to contracting for big data.
• Market acceptance of the standard
licensing model for open data (available for use, reuse and redistribution). • The emergence of the presumption of
availability of public sector information (for example, freedom of information legislation and the EU Directive on the Re-use of Public Sector Information (2003/98/EC)).
• Data portability under antitrust laws or under sector-specifi c consumer protection measures (for example, the Midata initiative, which aims to get more private sector businesses to release transactional and consumption data to consumers electronically, to make sure that consumers can access their own data securely, and to encourage businesses to develop applications that will help consumers make effective use of their data).
• Legislative and state encouragement of commercial activity based on the digital economy (for example, the Commission’s Digital Agenda for Europe).
BIG DATA AND LEGAL COMPLIANCE
Any business, including a law fi rm, must consider data protection in relation to the creation and use of big data. While these laws vary from country to country, in the EU there are certain common features. An analysis of
the status of a big data project in relation to data privacy laws involves a consideration of a number complex issues (see box “Data privacy and other regulatory considerations”). Where a big data project involves the possible use of personal data, a central issue in the analysis is that big data typically involves the reuse of data that were originally collected for another purpose. Among other things, in order for the reuse to be permitted it would need to be “not incompatible” with the original purpose for which the data were collected.
In 2013, the Article 29 Working Party (consisting of the data privacy regulators across the EU) set out a four-stage test to determine whether this requirement is met ( http://ec.europa.eu/justice/data- protection/article-29/documentation/opinion-recommendation/fi les/2013/wp203_en.pdf). In summary, the four limbs of the test are: • The relationship between the primary
and secondary purpose.
• The context of collection and reasonable expectations of the data subjects. • The nature of the data and the impact of
further processing on data subjects. • The safeguards to ensure fair processing
and prevent undue impact on data subjects.
Anonymisation
The fourth limb of the four-stage test includes a requirement that safeguards are put in place to ensure fair processing of the data and to prevent an undue impact on the relevant individual. This could include anonymising or pseudonymising the base data or aggregating the results.
Anonymisation is a critical concept in data protection compliance. This is because once a data set has been anonymised, the data protection rules (such as those in the Data Protection Act 1998 (DPA), in the UK) cease to apply. However, given the ubiquity of, and ease of access to, information about individuals over
the internet and other publicly or commercially accessible databases (coupled with ever increasing processing power and sophisticated data matching techniques), certain data that would have been regarded as anonymous fi ve years ago may not safely be assumed to be so today. The position in a further fi ve years’ time will be even less certain.
Data protection regulators are alive to this issue, and the lengths to which a data controller may need to go to achieve the requisite level of anonymity might make anonymisation financially unattractive. Moreover, the objective of a big data project may well be for the data controller to make decisions about the specifi c individuals, so anonymisation would not provide an adequate safeguard in such a business model. On the other hand, the reuse of data is more likely to be compatible with the original purpose if it is impossible to take decisions regarding any particular individual based on the reused data (known as “functional separation”).
Data privacy and other regulatory considerations
Data privacy
Anti-trust and sector-specific measures
Businesses need to consider:
• Big data allowing business to act independently of competitors and customers: prices/volume/ non-price term.
• Mergers and market concentration.
• The enforcement of standard essential patents. • Access to big data sets and interoperability with competitors’ platforms.
• Whether the exemption for legitimate use of intellectual property rights applies
• Whether portability of data is required in particular industry sectors and to protect consumers. • Healthcare and other sector-specific regulation. • Consumer protection measures.
• Government restrictions on cross-border data transfers: barriers to market and increasing domestic market power.
Taxation
Businesses need to consider: • Proposals to legislate against
multinationals allocating profits to low-tax jurisdictions. • Which country should tax the profits generated by big data? • How to attribute the value of
big data use to particular jurisdictions.
• Ongoing duties to retain originals of certain tax documents.
Discrimination
Businesses need to consider: • The inadvertent creation of filter
bubbles on search engines and information portals, leading to selective information provision. • How employers use big data in
employment and interview decisions.
• The potential to discriminate under the guise of neutral algorithms.
• The prohibition against discrimination against consumers in many jurisdictions. Key issues include:
• What did the individual understand the personal data were being used for? • Is the processing compatible with the original purpose?
• Does analytics processing require new privacy notice and opportunity to opt out? • What legal ground supports the processing?
• Does a research exemption apply?
• Can the data be effectively anonymised before processing?
• Can the results of the analytics link with the individual be effectively severed (functional separation)? • Is there data minimisation in collecting and retaining data?
• What is the privacy impact assessment of the effect of processing? • Can the subject access right be complied with?
6 © 2015 Thomson Reuters (Professional) UK Limited. This article fi rst appeared in the January/February 2015 issue of PLC Magazine, published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers.
In many cases, the only way to overcome data protection concerns in relation to big data will be by way of adequate consent notifi cations. However, obtaining effective consent in relation to big data analytics is not straightforward. While it may be reasonable for a business to use consent as a condition for processing in a big data project, a business will need to be sure that it is an appropriate condition. If individuals do not have a real choice and are not able to withdraw their consent if they wish, then the consent is unlikely to meet the standard required by the DPA. If a business is relying on the original consent obtained by a third-party data supplier, it should ensure that this covers the further processing it plans for the data.
Big data policy
In addition to analysing the legal position under data protection laws, businesses that use big data will need to consider putting in place a big data policy regulating the internal use of collected data or imported data sets in conducting big data analytics. A big data policy will act as an adjunct to existing privacy policies, which may themselves require updating in light of the use of big data by a business.
Among other things, a big data policy will need to set out guidelines for the business on things such as:
• The receipt of data sets from third parties and the associated risks of infringing intellectual property rights in that data. • The use of data sets from public sources. • The use of webcrawler technology to
collect data.
• Due diligence considerations in relying on consent in relation to personal data. • The need to obtain fair processing
warranties in relation to personal data that has been sourced from third parties. • How anonymisation, functional separation
or other safeguards will be implemented where necessary to use the data.
Sector issues
Sector-specifi c regulation will also need to be considered in relation to particular types of businesses that seek to use big data. Banks and fi nancial institutions, for example, are among the most heavily regulated businesses
globally. In the UK, the Financial Conduct Authority’s (FCA) expectation is that a bank or fi nancial institution will conduct due diligence on a technology solution sourced from a third party, including by considering whether: its data will be segregated; it will be encrypted during transmission and storage; and it will be held and processed in compliance with the DPA (www.fca.org.uk/static/documents/ barriers-to-entry-third-party-technology-considerations.pdf).
Where they outsource the provision of a solution, banks and fi nancial institutions must ensure that their legal and regulatory responsibilities can be complied with, and SYSC 8 (Systems and Controls: Outsourcing) of the FCA Handbook lays down specifi c considerations. Banks wishing to outsource the provision of credit risk control or credit risk analysis through the use of big data analytics, for example, might need to comply with these requirements.
Similar requirements apply to banks in many other countries. For example, banks with a US presence proposing to rely on third-party solutions, or to outsource, must comply with the Offi ce of the Comptroller of the Currency’s Bulletin 2013-29 and similar Federal Reserve Bank guidance ( http://occ.gov/news-issuances/bulletins/2013/bulletin-2013-29. html; www.federalreserve.gov/bankinforeg/ srletters/sr1319a1.pdf).
Law fi rms wishing to use big data analytics will have to consider what their own regulators require (such as the Solicitors Regulatory Authority in England and Wales). Such regulators impose strict confi dentiality obligations on law fi rms in relation to client data, and these requirements will need to be complied with in relation to any big data projects that depend on using client data. A range of issues should be considered in the use of data in big data analytics in various industry sectors, including where the data is collected through the internet of things (see box “Case studies”).
Other legal issues
The possession by a business of large data sets can confer market power on it and exclude other market entrants. A range of competition law considerations could potentially be relevant in this context (see box “Data privacy and other regulatory considerations”). Of particular concern for businesses in possession of large data sets
is that competition authorities concerned about (or competitors aggrieved by) a lack of access to this data may attempt to use competition law to force the provision of such access. Aggregations of data sets arising by virtue of merger and acquisition activity may also attract the attention of competition regulators.
Tax laws may also have an impact on big data projects for businesses, particularly as international tax rules develop in response to the Organisation for Economic Co-operation and Development’s Centre for Tax Policy and Administration’s Base Erosion and Profi t Shifting (BEPS) project (www.practicallaw. com/4-565-5049). This seeks to align more closely the profi ts reported in a particular jurisdiction with the activities carried on there. One of the key elements of the tax analysis to be performed by digital businesses is how to attribute the value of, and profi ts resulting from, big data among the jurisdictions in which they operate.
The UK Chancellor’s Autumn Statement 2014 pre-empted this by proposing a new diverted profi ts tax (a so-called Google tax) that aims to counter two types of arrangement used by some multinationals to “divert” taxable profi ts from the UK, namely arrangements designed to prevent a taxable presence (permanent establishment) in the UK and transactions with connected parties in lower tax jurisdictions which lack economic substance there (see News brief “Diverted profits tax: the surprise of the Autumn Statement 2014”, this issue). Because the legislation is drafted very widely, it may be particularly relevant for businesses engaged in big data analytics. Profi ts diverted from the UK in this way will be taxed at a rate of 25% from 1 April 2015.
Likewise, discrimination laws protecting consumers in the UK and across the EU may need to be considered. For example, the inadvertent creation of fi lter bubbles (an outcome of a search in which a website algorithm selectively chooses what information a user wishes to see based on information about the user) on search engines and information portals could lead to the selective provision of information. There may also be the potential for discrimination under algorithms that otherwise appear to be neutral. Laws such as the Equality Act 2010 (2010 Act) may be relevant where, for example, the outcome of big data analytics is to offer goods and services selectively in a way
Case studies
Energy: smart metering programme Key issues:
Transport: intelligent transport systems Key issues:
Life sciences and healthcare: remote patient Key issues:
monitoring devices
Infrastructure, mining and commodities:
Key issues:
infrastructure management
Use of data. Under UK new supply licence terms, with some exceptions,
suppliers can access:
• Monthly (or less granular) energy consumption data without customer consent, for billing purposes.
• Daily (or less granular) energy consumption data for any purpose except marketing, with a clear opportunity for the customer to opt out. Suppliers must obtain explicit (opt-in) consent from the customer in order to access half-hourly energy consumption data, or to use it for marketing purposes.
Data use restrictions. There are restrictions on supplier reuse of collected
data.
What is a smart meter?
• Hardware that includes real-time or near real-time sensors.
• Enables two-way communication between the meter and the central system.
• Permits data to be gathered for remote reporting.
Use of data. The data are evaluated for problems by a healthcare
professional or via a clinical support algorithm, and appropriate alerts are issued if a problem is detected. The data can also be used for long term diagnosis and monitoring of chronic conditions. The data lends itself to big data analytics when collected as part of wider clinical trials.
Sensitive personal data. Data collected and transmitted includes
sensitive personal data.
Explicit opt-in consent. This consent will be required. What is a remote patient monitoring device?
• Technology that enables monitoring of patients outside clinical settings.
• May consist of sensors that measure physiological parameters, an interface between the sensors and a centralised data repository or healthcare provider (including through the internet), and diagnostic application software that develops recommendations and alerts based on the analysis of collected data. • Collects physiological data (such as blood pressure,
heart functioning, and glucose levels) by sensors on peripheral devices.
Use of data. Data collected may include travel time and speed data for
vehicles, emergency vehicle notifications (under an EU Regulation concerning Type-approval Requirements for Deployment of eCall In-vehicle System (2013/0165(COD)), and vehicle-to-vehicle and
vehicle-to-infrastructure data (and vice versa). These data can be used to detect rain (wiper activity) and congestion (frequent braking activities) and to predict likely traffic flows and volumes at any given time and date.
Geo-locational data. It may be possible to identify individual drivers via
geo-locational data despite attempts to anonymise data.
Informed consent. As sensors will be included in vehicles as standard,
there will be a need to obtain informed consent.
What are intelligent transport systems?
• Integrated communications, control, and information processing across transportation systems, including in relation to vehicles and infrastructure through the internet of things.
• Interacts between these components to enable communication with and between vehicles, smart traffic control, smart parking, toll collection, logistics and fleet management, vehicle control, and safety and road assistance.
• Create data sets from these interactions that can be used in big data analytics projects.
Use of data. Data connected by sensing devices can be analysed to
determine the form of intervention required (from an emergency call-out to routine maintenance).
Supply chain co-ordination. This data could also be used to co-ordinate
supplier co-operation or involvement in the provision of services related to the particular infrastructure.
What is infrastructure management?
• Deploy the internet of things to monitor and control the operation of infrastructure such as bridges, railway tracks, and wind-farms by sensing changes in structural conditions that might compromise safety or that otherwise require some form of intervention. • Using the internet of things to schedule maintenance
activities.
• Using the internet of things in this way may improve incident management and emergency response coordination in relation to this infrastructure.
8 © 2015 Thomson Reuters (Professional) UK Limited. This article fi rst appeared in the January/February 2015 issue of PLC Magazine, published by Practical Law, part of Thomson Reuters (Professional) UK Limited, and is reproduced by agreement with the publishers.
that is discriminatory. This is as much an issue for law fi rms (for example, those that focus on a particular section of the buying public, such as consumers) as it is for businesses. Under the 2010 Act, prohibited conduct in relation to a person with a protected characteristic (broadly speaking, age, disability, gender reassignment, pregnancy and maternity, race, religion or belief, sex, and sexual orientation) includes, for example, not providing the person with the service, goods or facilities in the manner in which, or on the terms on which, the service provider usually provides the service to the public. A service provider is a person concerned with the provision of a service, goods or facilities to the public or a section of the public, whether or not for payment.
PROTECTING RIGHTS IN BIG DATA
A number of aspects of a big data project that has been created by a business may be protected by intellectual property (IP) rights. Owners of IP rights may prevent third parties from infringing those rights. The following IP rights may be relevant to big data projects.
Database
In accordance with Article 7 of the Database Directive (96/9/EC), which applies across the EU, a database right subsists in a database where there has been a substantial investment in obtaining, verifying or presenting the contents of the database. A database under the Database Directive is defi ned as a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means (Article 1). It will be an infringement of that database right to extract (extraction means the permanent or temporary transfer of all or a substantial part of the contents of a database to another medium by any means or in any form (Article 7)) or re-utilise (re-utilisation means any form of making available to the public all or a substantial part of the contents of a database by the distribution of copies, by renting, by online or other forms of transmission (Article 7)) the whole or a substantial part of the contents of that database, without the owner’s consent. Given its focus on investment rather than originality, the EU database right may provide protection to businesses that have made investments to obtain large amounts of (non-original) data in order to create big data.
The database protection regime has limitations for generators of data. The European Court of Justice has construed the Database Directive literally, denying any database protection to the maker of a database whose investment primarily related to the creation of the underlying data (British Horseracing Board Ltd v William Hill Organisation Ltd C-203/02). However, that person should still be able to avail itself of the database protection if it can show that substantial investment has been made in verifying or presenting that original data. A database may also attract copyright protection, requiring a third party to obtain a licence from the database owner to reproduce, alter, or distribute that database. However, while copyright provides some protection for databases, or, more precisely, the structure of databases, in many jurisdictions it provides little comfort for those who have invested in the collection and creation of data sets that comprise big data. Common cross-jurisdictional themes in relation to copyright include a requirement to demonstrate that the selection or arrangement of the data amounts to an original expression of the creative freedom of its author (rather than, as may be the case with many big data data sets, merely collecting it and arranging the data in a conventional way). In any event, the copyright protection of a database does not extend to its contents.
In some jurisdictions (for example, the UK), the database and copyright protection that is available is subject to an exception that entitles researchers who have lawful access to protected material to carry out text and data analysis for non-commercial purposes, provided that suffi cient acknowledgement is given where possible (The Copyright and Rights in Performances (Research, Education, Libraries and Archives) Regulations 2014 (SI/2014/1372)).
Information
The law of confi dential information may also offer some legal protection to the owner of data sets making up big data and used by it for its own internal business affairs. On the other hand, where exploitation of the raw data extends beyond a business using it for internal purposes and instead the data are licensed to third parties, it may be more diffi cult to demonstrate that the information is, in fact, confi dential. For example, it may be diffi cult to satisfy a court that a data set is
truly confi dential if any third party can obtain access to that information on payment of a fee to the owner of the information. Similarly, it may not be possible to establish that data sourced from publicly available sources (such as open data), when put together in big data data sets, has acquired the requisite character of confi dentiality to justify protection in some jurisdictions. Whether any information contained in the data has the quality of confi dence necessary for protection under the law of confi dence will depend on the facts surrounding the case, such as an unusually high price paid for the data, complexity of technical measures put in place to control access to the data, or how access to the data is monitored.
As the law in this area may provide only limited protection, a return to the basics may be required. That is, a business that wants to protect the big data it has created should ensure that any disclosure to third parties is coupled with adequate contractual confi dentiality provisions and measures limiting the third parties from disclosing the data, and restricting the purpose for which the data may be used.
Software
In parallel to copyright covering the content of big data data sets, source codes and object codes themselves, rather than their functionalities, in software can be protected by copyright law.
In the EU, the functional features within a computer program may be eligible for patent protection if those functionalities are new, inventive and make a technical contribution (Aerotel Ltd v Telco Holdings Ltd; Macrossan’s Patent Application [2006] EWCA Civ 1371; see News brief “Patenting inventions: the Court of Appeal’s four-step programme”, www.practicallaw.com/5-206-3960). The patentability of computer implemented inventions is a highly complex issue, especially because the term “technical” is undefi ned. However, as a general rule, computer-implemented inventions will be more likely to be patentable if it can be shown that those functional features make the computer better, in the sense of running more effi ciently and effectively as a computer (Gemstar-TV Guide International Inc v Virgin Media Ltd [2009] EWHC 3068 (Ch); HTC Europe Co Ltd v Apple Inc [2013] EWCA Civ 451; www.practicallaw.com/9-532-4127).
Algorithms
Algorithms, such as those used in big data analytics, are very diffi cult to protect by way of patents, because they generally involve a series of calculation steps and do nothing “technical” to a computer. For example, an algorithm does not normally make a computer faster, more reliable or have a higher resolution.
Accordingly, algorithms used in big data analytics might be better protected by copyright, if someone has actually copied the formula, rather than the concepts underlying the formula. As there is likely to be uncertainty over the patentability of an algorithm, a safer option may be to keep it a secret and rely on the law of confi dential information. As is apparent from what is said above, it will be essential to check that the compilation of a big data data set has not infringed a third party’s IP or contractual rights. Furthermore, as a due diligence consideration, anyone acquiring a big data data set will need to ensure that its licensor owns the IP in it and so has the rights to license its use.
THE CHALLENGE FOR LAW FIRMS AND IN-HOUSE COUNSEL
While the benefi ts for businesses may seem obvious, what does all this mean for their in-house counsel and for the law fi rms that advise them? Like big data analytics, a key
function of a lawyer in many areas of work is to predict outcomes. For example:
Advice. Lawyers make predictions on the
likely impact of regulation based on the law and regulations, precedent, knowledge of the regulators’ approach, and knowledge of the business.
Litigation. Lawyers make predictions on the
likely outcome of a case based on the facts, previous judgments, knowledge (perhaps anecdotal or personal) of the court or judge, the current state of the law, and who may be representing the other side.
Contracting. Lawyers decide what to include
in a contract based on the requirements of the transaction and their knowledge of current market practice, the state of the law, awareness of the business’s risk appetite and assumed knowledge of the counterparty.
In all cases. Lawyers give advice, and make
predictions, based on an analysis of a limited data set which they can access.
The data on which lawyers rely in making these predictions comes from a wide variety of sources, including: knowledge databases and document management systems; books; internet research; personal knowledge; and the knowledge of other lawyers. In bringing these and other data sets together on a scale not possible by human agency alone, big data analytics may, over time, allow
lawyers to make more accurate predictions of commercial and legal outcomes, and to do so in faster and more cost-effective ways. Big data analytics is therefore likely to give rise to challenges as well as opportunities for law fi rms and in-house counsel, such as: • A change of emphasis from technology
supporting the back offi ce to front offi ce technologies.
• Technology, including big data analytics, will move up the value chain from document and data management to artifi cial intelligence decision-making systems.
• Big data analytics may allow lawyers to take decisions based on better data sets and adopt a far more sophisticated approach to risk management.
• Law fi rms may be able to use big data analytics to price transactional risk for fi xed pricing models.
• In-house counsel may need larger
capital expenditure budgets to invest in technology or leverage off their external law fi rms’ own technology platforms.
• Effective knowledge management
through big data and other technologies will be a cost and quality differentiator for law fi rms.
• Law fi rms will need to invest in new technologies to remain competitive and to deliver value (that is, more for less). This may lead to partnering relationships
between law fi rms and technology
suppliers that are keen to establish new channels to market.
The amount of available data on which big data technology and services depend is growing exponentially. The challenges of data management and big data analytics in the digital economy could overwhelm organisations that are not familiar with the risks and opportunities that big data technologies present. As with many aspects of the provision of legal services, whether in-house or within a law fi rm, it is a case of being prepared for the future. The future is not very far away. Mike Rebeiro and Marcus Evans are partners at Norton Rose Fulbright LLP and specialise in the technology and innovation sector.
Related information
This article is at practicallaw.com/1-595-7246
Other links from practicallaw.com/ Topics
Information technology topic5-103-2074
Data protection topic8-103-1271
Internet topic8-383-8686
Practice notes
Overview of UK data protection regime 7-107-4765
Overview of EU data protection regime 8-505-1453
Data protection and new technologies 5-204-0488
Data protection and the internet 9-107-4774
Big data and data protection 3-585-2205
Legal aspects of managing big data 1-581-1225
Previous articles
Data transfers in the cloud: the struggle for compliance (2014) 8-581-9685 For subscription enquiries to Practical Law web materials please call +44 207 202 1200
