www.kempitlaw.

com blog 6 May 2014

Big Data, Part I: Legal Rights in Data

Legal Aspects of Big Data: Part I Legal Rights in Data

When the technology is out there to enable you to know more about your customer than your
competitors, how do you harness the tides of the Big Data ocean for competitive advantage?
Over the past twenty years, the leading edge in IT has moved on from hardware and
software to the data they process. As Big Data sets have grown exponentially in size, they
have until recently outstripped the organisations ability to harness their power the
software, knowledge discovery and best practices tools necessary to get the most from the
data. Thats changing quickly as the enterprise gets to grips with its data assets and, looking
over its shoulder at the competition, where it needs to get to.
The legal analysis and the legal team each have central roles in Big Data projects. In this
Part I of our two-part blog on the legal aspects of Big Data, well be outlining how the legal
analysis of data maps out in terms of rights and obligations. Part II (at www.kempitlaw [])
then applies this analysis to the legal teams role in Big Data projects.
The legal analytical model for Big Data has data rights and duties sandwiched between the
legals of hardware and software infrastructure and data architecture (software licensing,
etc), and the operational aspects of data management and security (see diagram).
Diagram 1: Big Data Legal Analytical Model - IP Rights, Contracts and Regulation

Level 6: information management &

security
Level 5: data regulation

Level 4: contracting for data

strategy, policy, process

standards: PCI DSS, ISO 27001/2, SSAE 16, ISAE 3402

non-sector specific: data protection, competition law

sector specific: financial services, professional services, etc.
contract is king
protection strong (strict liability) but limited (in personam - only
contracting parties)

Level 3: IP rights in relation to data

copyright, database right, confidentiality, patents, trademarks

protection extensive (in rem) but uncertain (extent of IP rights in
relation to data unclear)

Level 2: information architecture

data structure, design, schemas, format

data model as representation of data flows through data entities,
attributes and interrelationships

Level 1: platform infrastructure

software : operating system, database middleware, business

intelligence & analytics applications
equipment: processing, storage, connectivity;

The start point for the analysis is that data is funny stuff in legal terms. There are no rights
in data - you cant steal it, and a recent case has confirmed that you cant hold a lien (a right
entitling you to keep possession) over someone elses database. However, extensive rights
and obligations arise in relation to data, and the distinction is worth bearing in mind. These
rights and duties arise through intellectual property (IP) rights, contract and regulation, and

Big Data, Part I

www.kempitlaw.com blog 6 May 2014

Big Data, Part I: Legal Rights in Data
they are important: breach (even if inadvertent) can give rise to extensive damages and
other remedies (IP rights and contract) and fines and other sanctions (breach of regulatory
duty).
IP rights. The main IP rights in relation to data are copyright, database right and
confidentiality. Copyright is a formal remedy that does what it says on the tin and stops
unauthorised copying. Its of limited value where there are many ways of expressing the
same thing, but where, as in the Big Data world, common message formats, interfaces,
protocols and other standards prescribe that data has to be in a set form, copyright can be
much more valuable.
Database right another formal right protecting the investment in compilations of data has
effectively had its teeth drawn as a powerful right by a number of judgments from the
European Court of Justice in Luxembourg. Since copyright and database right protect
expression and form rather than the substance of information, this means that confidentiality
duties about the substance of data that is not in the public domain (remember the old maxim,
equity will intervene to enforce a confidence) can, somewhat oddly, sometimes confer the
most valuable IP-type right.
IP rights in relation to data are of uncertain scope at the moment, and the law in this area is
likely to develop in the coming years: historically, the development of IP rights has followed
the money, and as the value of Big Data rises, so likely will the IP rights underpinning it.
If the bad news about IP rights in data is that they are uncertain, the good news is that they
are rights in rem enforceable against the whole world, not depending on a pre-existing
relationship.
Contract. The converse is true for contractual rights in relation to data. Contract law confers
strong, enforceable rights and imposes strong, enforceable obligations. Financial market
data is a global $25bn industry that has grown up on the basis of an ecosystem that licenses
and restricts data use and allocates risk around it almost entirely through contract. Theres a
great quote from a 2005 case in the UK supporting the value of contract rights over data
where the judge said that a data supplier:
is entitled in principle to impose a charge for use of its data by users whether or
not it has IP rights in respect of that data1.
If the good news is that data contracts are strong, the bad news is that they operate in
personam unlike IP rights, they dont bind someone who isnt a party to the contract
concerned. (A bit confusingly, contract can impose IP right-type duties under a contractual
wrapper, so you need to consider the two things, contract IP and IP proper, separately).
Regulation. The third area is regulation, where the law is derived from statute. Data
protection conferring rights and imposing obligations on the processing of personal data is the most important, but by no means the only aspect of data regulation. The EU
competition authorities have over the last five years been getting much more interested in
business patterns, licensing and contracting for data in a number of sectors, particularly
financial market data.
Data regulation is also deepening in many sectors. This isnt necessarily a new thing the
rules on the confidentiality of client information and privilege have been cornerstones of the
legal profession for generations. The computerisation of data has, however, changed the
1

Etherton J in Attheraces Ltd & Another v The British Horse Racing Board [2005] EWHC 3015 (Ch) http://www.bailii.org/ew/cases/EWHC/Ch/2005/3015.html

Big Data, Part I

www.kempitlaw.com blog 6 May 2014

Big Data, Part I: Legal Rights in Data
picture fundamentally. So you have extensive rules developing about how digital personal
data can be dealt with in sectors like healthcare (aggregating anonymised clinical outcome
patient data for example) and air travel (like PNR passenger name record data about an
airline customers itinerary).
Again, its in the financial services sector and the vastly expanded rulebooks now emerging
after the 2008 financial crisis where data regulation is pushing the envelope. Here, the rules
about disclosing to the market and reporting to the regulator price data about equities trades
that were introduced by MiFID I in 2007 are about to be extended by MiFID II to trading in
most other financial instrument asset classes in a far reaching reform of financial trading.
These developments mean that data law is emerging as a new area in its own right around
IP rights, contract and regulation. Data law is set to grow quickly in the Big Data era as the
legal analytical underpinning for Big Data projects, which Part II of this blog now moves on to
consider from the legal groups perspective.
richard.kemp@kempitlaw.com
6 May 2014

Big Data, Part I