UK: Data Unlocked: Why Rights Mean More Than "ownership" In B2B Data Sharing

It is a common misconception that data can be owned. As individuals, we might like to think we own the data that is stored in our smartphones. And businesses may feel that they own the information stored in their databases and other IT systems, just like any other asset. But data cannot be owned like a physical asset, for many of the same reasons that make it ripe for sharing. Data can be replicated without diminishing its value, for example, or combined with other datasets to create something new.

Instead, it is more meaningful to consider the rights that people and organisation hold in relation to data: the right to use it, share it, copy it, delete it or even profit from it. When preparing a business-to-business (B2B) data sharing initiative, businesses must consider which rights are held by which stakeholders, their responsibility to uphold those rights and how to do so.

This is no simple task, however, and – like many aspects of B2B data sharing – requires careful planning to mitigate the risks and maximise the chance of success.

B2B data sharing: Getting rights right

Identifying which rights apply to data is not as simple as ascertaining ownership. For one thing, it is highly dependent on the context in which the data is being used, explains Jack Hardinges, head of programmes at the Open Data Institute (ODI).

"If we are talking about personal data, data rights might involve one individual," Hardinges explains. "But if we are talking about an online chat log or a social media conversation, they might involve multiple individuals, the platform and, in some contexts, the state."

Adding to the complexity, rights over data are enshrined by a patchwork of legislation. This includes "common-law rules around confidentiality, and limited intellectual property rights where there is copyright in the data," explains Jocelyn Paulley, partner at Gowling WLG and co-lead of the firm's Data Protection and Cyber Security practice. "Elements of GDPR and statutory instruments cover specific sorts of data sharing, like access to medical records by insurance companies, but there's not a lot in terms of acts and statutes."

As a result, data rights in the context of B2B data sharing are mostly established through contracts. "The contract governing a data sharing initiative will set out who is entitled to do what," explains Helen Davenport, partner at Gowling WLG and co-lead, with Paulley, of the firm's Data Protection and Cyber Security practice. "The contract effectively treats one party as an owner in contractual terms and grants them rights arising out of whatever that contractual agreement says."

This is not without its risks, however. A lack of clarity in data sharing contacts, such as failing to define the purpose of sharing data or to apportion rights to downstream value – such as IP, derivative products and profits – can lead to disagreements.

In a B2B data sharing context, failure to establish contractual rights over data could lead to litigation. An increased awareness of cyber security and privacy means that businesses are increasingly sensitive to any potential misuse of data and the consequences that may follow. "From a litigation perspective, external factors are enhancing risks and perception of risks," says Davenport.

Disputes may arise if a party that is sharing its data has not been clear enough about its expectations of how it will be used, she explains, or if a party using data fails to adhere to the terms and conditions.

Claims such as these are still emerging in the context of B2B data sharing, but they draw on principles that have been established in other contexts. "We might not have been looking at them as data sharing claims, but a customer who wants their data back out of the cloud is an example of a customer sharing data and the creation of further data which has been shared with the supplier that the customer may want back at some point in the future, if not now," Davenport says. "In a litigation sense, we are applying existing principles to claims in new and developing contexts."

The future of data rights

As AI becomes more sophisticated and widespread, the job of identifying and upholding the rights of stakeholders while sharing data is likely to become even more complex. "If you train an algorithm, it's hard to determine which data from which parties is really important and apportion the value," says Hardinges.

The recent emergence of generative AI systems, which ingest vast quantities data from the internet to learn how to create new text, images or audio, has already given rise to disputes over data rights. Achieving this clarity is made even more challenging by the complex and arcane ways in which businesses derive value from datasets today.

"Being public and scrapable doesn't give parties a legal right to use the data, and we've already seen claims by rights holders, particularly over the use of images," explains Hardinges.

Issues might also arise in a B2B context when an AI system is trained using data from multiple parties. "Where we pool data to develop an AI, we have to be clear about who 'owns' what – for example, who owns the improvement," says Gowling WLG partner and head of AI Matt Hervey.

"There are a lot of nuances around foreground and background IP, and what should happen at the end of the deal and who owns what," Hervey explains. "The important thing is to understand where the value lies for each party, because they may have totally different interests and care about different things."

But technology may also reduce the risk of infringing data rights in B2B data sharing initiatives, argues Hardinges. Privacy-enhancing technologies, such as differential privacy and federated learning, allow parties to use datasets for applications such as analysis and machine learning without accessing sensitive details.

One example is the MachinE Learning Ledger Orchestration for Drug DiscoverY (Melloddy) project, a data sharing platform that uses federated learning and multiparty technologies to enable pharmaceutical companies to share proprietary information and generate value from the aggregate datasets without divulging commercial secrets.

"This type of platform may ultimately change the nature of legal contracts or relationships between parties to B2B data sharing initiatives," says Hardinges.

Start with clarity

Given the complexity of rights over data, businesses preparing for B2B data sharing should pursue a strategy of "good documentation, clarity and certainty upfront", Davenport advises.

In order to determine what data they can share, how, and with whom, they need to map out their own rights over data. This might be affected by the IT services that they use, such as cloud hosting or analytics platforms.

Recent contracts with IT service providers will typically include some discussion of data rights. For example, software-as-a-service agreements often state that the provider can use client data in an aggregated, anonymised format to generate industry insights and commercial benefits, identifying trends around pricing or consumer behaviours. Older contracts, however, may be silent on the issue of data rights, Paulley observes.

Businesses also need to consider other stakeholders who might have rights over the data in question. "It is important to establish clarity over who else might have legal rights to the data that you hold and who might be affected by the data that you're sharing, or the fact that you're sharing it," says Hardinges.

Both of these require careful consideration, says Paulley. "Working out what you can do with the data you have, whether it's yours, whether it's derived, whether it's something you have licensed in, is quite complex."

Once you have established which rights apply to which data, the next task is to ensure they are upheld in practice. This requires a mix of technical and institutional measures, and general counsel should take the lead in ensuring that the business understands and mitigates the risks through policies, internal audits, mandating clauses in contracts, and establishing technical and data standards. "Having the right governance around the data is really important," explains Paulley.

Grappling with the complexity of rights over data may seem daunting, and in many cases will require some investment. But the ability to confidently navigate those rights can empower companies to safely maximise the value of their data assets, including by sharing it with other businesses.

Key takeaways

• Be specific – A data sharing contract should spell out a comprehensive list of rights and who retains them.
• Know your rights – Understanding your organisation's rights over the data its uses and produces may take some careful analysis.
• Apply data governance – The data governance techniques your organisation may have developed to oversee data protection can help manage other data rights too.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.