This document discusses data rights and protections in the United States. It notes that while data is increasingly valuable, there is no single comprehensive law protecting it. Instead, protection comes from various areas like copyright, trade secret, contract, and privacy/security laws. The document outlines the limited protections each area provides and how protections are inconsistent based on the type of data. It concludes that as data value increases, understanding these complex and varying protections will be important for transactions and litigation involving data.
Handwritten Text Recognition for manuscripts and early printed texts
Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2013)
1. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Copyright 2013 BryanCave LLP
May 30, 2013
Jason D. Haislmaier
jason.haislmaier@bryancave.com
Data “Property” Rights
Copyright 2013 BryanCave LLP
2. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
This presentation is intended for general informational purposes only and should not
be construed as legal advice or legal opinion on any specific facts or circumstances,
nor is it intended to address specific legal compliance issues that may arise in
particular circumstances. Please consult counsel concerning your own situation and
any specific legal questions you may have.
The thoughts and opinions expressed in this presentation are those of the individual
presenters and do not necessarily reflect the official or unofficial thoughts or opinions
of their employers.
For further information regarding this presentation, please contact the presenter(s)
listed in the presentation.
Unless otherwise noted, all original content in this presentation is licensed under the
Creative Commons Creative Commons Attribution-Share Alike 3.0 United States
License available at: http://creativecommons.org/licenses/by-sa/3.0/us.
3. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Data
Privacy
Security
Rights
4. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Increasing importance
Increasing value
Data
8. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
?Data
Rights
Data
Privacy
Data
Security
Copyright
Trade
Secret
Contract
Industry
Practice
State
Law
FTC
Action
9. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Data Rights
• No specific comprehensive protections under US law
• Protection is available through generally applicable legal areas
– Copyright
– Trade secret
– Contract
– Other legal theories (but generally limited)
• Growing data privacy and security protections are also shaping
rights in data
– General purpose laws
– Industry-specific federal laws
– State data security and privacy laws
– Increasing federal (and state) enforcement actions
In General
10. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Data Rights
• Limited attempts at comprehensive protection exist outside of the US
• Focused on data in the form of databases
• EU Database Directive (96/9/EC)
– Protection for non-original portions of databases not protected by copyright law
– Based on the investment in obtaining, verifying, or presenting the contents of
the database
– Prevents extraction or re-utilization of all or a portion of the contents of a database
• Limited examples of analogous laws in other countries as well
Protections Outside of the US
11. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Trademarks
Branding and
Identity
Patents
Ideas and
Inventions
Trade Secrets
“Know-How”
Copyrights
Creative
Expressions
Traditional IP Rights In Data
12. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Traditional IP Rights In Data
• Patents
– Available to protect databases
• Structure
• Method of operation
• Business methods employing databases
– But the databases must meet the criteria for patent protection
– Less applicable in the case of unstructured “raw” data
• Trademarks
– Applicable in connection with the name or brand for a product or service
– Not applicable to data or databases themselves
Patents and Trademarks
13. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
• U.S. copyright law does not provide specific or express protection to
data or databases
• Copyright protection for data and databases is analyzed
like any other work of authorship
• The standard for obtaining a copyright is relatively low
– Original work of authorship
– Fixed in a tangible medium of expression
• But, data and databases are not always afforded protection
Copyright
Traditional IP Rights In Data
14. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
“The vast majority of works make the grade quite easily,
as they possess some creative spark, no matter how
crude, humble or obvious. ”
Justice Sandra Day O’Connor
Feist Publications, Inc. v. Rural
Telephone Service Co.
499 U.S. 340 (1991)
Traditional IP Rights In Data
15. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
“No one may claim originality as to facts [. . .] facts do not
owe their origin to an act of authorship. The distinction is
one between creation and discovery. The first person to
find and report a particular fact has not created the fact; he
or she has merely discovered its existence.”
Justice O’Connor in Feist
Traditional IP Rights In Data
16. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
• Copyright does not protect data in the form of facts
– Originality, not “sweat of the brow,” is the basis for copyright protection
– Facts are not originally authored or created through mere discovery
• Copyright can protect information or content in the form of
original expressions
– Information or content having some level of creativity
– Entertainment content, new media, UGC may all meet this test
– Unstructured raw data in the form of facts will often fail the test
• This results in inconsistent protection for data and databases
– Unstructured raw data – no protection available
– Original information or content having some level of creativity – protection available
– Structure, coordination, and arrangement of data – “thin” protection available (for the
compilation, but not for the underlying data)
Copyright
Traditional IP Rights In Data
17. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
• Nearly all states have adopted some version of the Uniform Trade
Secrets Act (UTSA)
• Under the UTSA, a “Trade Secret” is information that:
– Is not generally known to other persons and cannot be readily ascertained by other
persons without improper means
– Provides the holder with economic advantage or economic value (in some cases derived
from its secrecy)
– Is the subject of efforts that are reasonable under the circumstances to maintain its
secrecy
• Broad potential applicability to data and databases
– Virtually any type of data or information
– In nearly any form or format
• Trade secrets covering data and databases are enforceable as long as
the requirements are met
Trade Secret
Traditional IP Rights In Data
18. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Traditional IP rights provide
only limited and inconsistent
protections
Where to turn?
Traditional IP Rights In Data
19. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
• Emerging as a primary form of protection for data
• Permit broad protection, potentially even over data and databases not
subject to traditional IP protection
• Limited to the entities bound by the contract
• Even where traditional IP protection is not available, contracts have
become critical to obtaining and clarifying rights in data
– Each form of IP has its own rules regarding ownership
– Left to applicable law, ownership is often (very) unclear
– At best this leaves the potential for confusion
– Assignments and licenses are preferred to clarify these rights
• Industry expectations have risen with the rising value of data
– Contracts required to evidence adequate rights in transactions involving data
– Not unlike rights in software itself
Contracts
Contract Rights in Data
20. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Other sources of protection. . .
21. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Data Privacy
Data Security
22. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
No specific comprehensive
data privacy or security legislation
in the US
23. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
• EU Data Protection Directive (95/46/EC)
• Regulates the processing of personal data of EU subjects
– Broad scope of “personal data”
– Restricts processing unless stated conditions are met
– Prohibits transfer to countries not offering adequate levels of protection
• Requires the member countries to pass consistent laws (more or less)
• US Department of Commerce-negotiated “Safe Harbor Principles” enable
transfers to US companies
– Self-certification regime
– Allows US companies to register as compliant
– FTC oversight
• Proposed overhaul in the works (announced Jan. 25, 2012)
Longstanding Comprehensive EU Regulations
Data Privacy and Security
24. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
• State consumer protection statutes
– All 50 states
– Prohibitions on “unfair or deceptive” trade practices
• Data breach notification statutes
– At least 46 states (DC and various US territories)
– Notification of state residents (and perhaps regulators) affected by unauthorized access
to sensitive personal information
• Data safeguards statutes
– (Significant) minority of states
– Safeguards to secure consumer information from unauthorized access
• Data privacy statutes
– Online privacy policies covering use and sharing of consumer information
– Use of personal information for direct marketing purposes
Growing Array of Relevant State Laws
Data Privacy and Security
25. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
• Consumer credit - Fair Credit Reporting Act (FCRA)
• Financial services - Gramm Leach Bliley Act (GLBA)
• Healthcare providers - Health Insurance Portability and Accountability Act
(HIPAA)
• Children (under 13) - Children’s Online Privacy Protection Act (COPPA)
• Video content - Video Privacy Protection Act
• Others statutes covering education, payment processing, etc.
Industry-specific Federal Statutes
Data Privacy and Security
26. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Federal Trade Commission Act
(15 U.S.C. 41, et seq)
“Unfair or deceptive acts or practices”
27. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
• Trend toward increasing enforcement
– More than 45 actions to date
– More than 25 in the last 6 years
– Many more investigated but not brought
• Covering largely electronically stored data and information
• Targeting data security as well as data privacy
• Increasing trend toward mobile data privacy and security
Increasing Activity
FTC Enforcement Actions
29. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
• 20 year term
• Cease misrepresentations regarding practices for information security, privacy,
confidentiality, and integrity
• Conduct assessment of reasonably-foreseeable, material security risks
• Establish comprehensive written information security and privacy program
• Designate employee(s) to coordinate and be accountable for the program
• Implement employee training
• Conduct biennial independent third party security and privacy assessments
• Implement multiple record-keeping requirements
• Implement regular testing, monitoring, and assessment
• Undergo periodic reporting and compliance requirements
• Impose requirements on service providers
Legislation by Consent Decree
FTC Enforcement Actions
30. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
Not just enforcement. . .
Standards
Best practices
Codes of Conduct
31. Copyright 2012 Bryan CaveCopyright 2013 BryanCave LLP
• We are in an era of increasing data value
• Increasing value means greater focus on data rights
• We do not have the benefit of strong and comprehensive laws to match
• Data “rights” are defined through an increasingly broad array of sources
– Traditional IP rights,
– Contract protections
– Growing data privacy and data security obligations
• Understand the protections, understand the inconsistencies
• Issues relating to data will only continue to increase
(transactions and litigation)
Lessons Learned
Closing Thoughts