Big Data Round-Ups
Our October 30th blog introduced and explained the concept of Big Data. Here we look at some of the pitfalls of collecting the massive amounts of small data that combine to become Big Data. We imagine the ranges of bits and bytes of small data that combine to create Big Data as herds of grazing horses susceptible to round up and inclusion in a Big Data corral. The herds graze on public lands (such as government websites); in private pastures behind weak fences or locked gates (such as privately owned but publicly accessible websites); in quarantined canyons (such as member-only social media sites) and so on. Some of the animals have ear-tags or brands requiring special handling (eg, ‘payment’ ponies that must be handled under Payment Card Industry standards), kid gloves (eg, Social Security Numbers or biometric data) or come with embedded computer chips or halters with special terms or warnings. Given this wide variety, how does one go about completing a data round-up?
1. Ownership or Other Rights
If data really were a pony, it would be obvious that someone owns it, although wild or abandoned ponies might cause consternation. Who owns data? Increasingly, consumers and individuals think they own their personal data, but that is not necessarily true and is a developing area of law. Businesses think they own data collected as they do business, and that is usually true. Importantly, in Sorrell v. IMS Health, the U.S. Supreme Court explained that data can have special First Amendment protection:
“This Court has held that the creation and dissemination of information are speech within the meaning of the First Amendment. Facts, after all, are the beginning point for much of the speech that is most essential to advance human knowledge and to conduct human affairs. There is thus a strong argument that prescriber-identifying information is speech for First Amendment purposes.”
What about intellectual property law protection? For example, can data be copyrighted to come within protections afforded to copyright owners? Yes and No. In the United States, facts tend to be ineligible for copyright, unless specially selected, arranged and organized, but database compilations and other creative works, which are so selected, arranged and organized, are protected under copyright. In the European Union, databases have separate, statutory protection under the EU’s Database Directive.
Even if protection is not available under intellectual property or other laws, data can be protected or restricted by contract. Encumbrances can also be created by privacy policies and the like, eg, often data comes with use restrictions.
When looking at contracts, outright ownership might not be feasible or desirable, in which case exclusive or nonexclusive licensing may be a better fit. When licensing, looking to licensing law outcomes for intellectual property may be helpful, if only by analogy. For example, assume an airline that created a unique set of data or algorithms revealing optimal engine repair schedules, grants an exclusive license to a car engine manufacturer. Can the airline still use the data and algorithms? The answer under copyright law is ‘No’, so a nonexclusive license would have been a better structure.
2. Collection Methods
There are many sources of data, but not all are free for the taking or sharing. To illustrate, a common misperception is that all data posted on the Internet is in the public domain. Not true. Copyright, contracts and concepts of trespass, are examples of legal concepts that can preclude ‘public domain’ status, eg, data on a website with enforceable terms of use (contract) or robot header ‘No Trespassing’ notices is not free for the taking. Another misperception is that trespassing notices can be ignored.
What about social media data such as all that data held by Facebook or LinkedIn? Some of it is in protected locations and all is subject to ‘social developer rules’ that can be contracts. A company that obtained authorized access to social media data, but then used it in a way not authorized under Facebook rules, had to face the Federal Trade Commission (FTC) In the Matter of Jerk LLC et al., docket number 9361(2014). These developer rules are usually presented in connection with adding a social media ‘plug-in’, ‘widget’ or log-in credentials to a website or using a social network’s APIs. How about apps, eg, the ones that upon download to the user’s phone copy all the data in the user’s address book? The FTC also takes a dim view of that. Our point is that, simply because data is accessible, publicly or otherwise, does not mean that it is free for the taking.
3. Ear-tag Restrictions
A privacy policy might pledge particular treatment of data or restrict its use. The FTC has spent a decade making it clear, through private enforcement orders, that it can be an unfair act or deceptive practice to fail to abide by a privacy policy or to fail to take care of personal data. These are also issues for subsequent users who, themselves, never made such a pledge. According to the FTC, companies are not free to ignore restrictions pertaining to the data as it passes through the hands of subsequent users: transferors may need to arrange for compliance by transferees, and at least transferees with knowledge of restrictions will do well to honor them.
Contracts also impact data transfers. For example, a Facebook social developer rule precludes transfer of data initially obtained from Facebook, even if the data is altered to become anonymous:
“10. Don’t transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker or other advertising or monetization-related service.”
In sum, ear-tags impact what can be done with the data, ie not all small data may become Big Data. Further, data usually is not free for the taking – intellectual (or other) property rights, contracts or policies will often restrict collection, use and transfer. Additionally, in the United States, the First Amendment can offer special protection to data that requires legislatures to tread carefully.