In both the US and Europe, there’s still a distinct lack of clarity around who owns industrial IoT data – customer or vendor? – as well as what that data might be worth, as David Meyer reports.
Companies using IoT technologies are sometimes unaware of the value of the data those systems create. As a result, they’re inadvertently signing lopsided agreements with system vendors.
That’s the view of Giulio Coraggio, a partner at law firm DLA Piper in Milan, who warns of a current lack of clarity when it comes to the question: Who owns industrial IoT data – the vendor or its customer?
That uncertainty is a problem, says Coraggio, since this data can have a transformative impact on companies, giving them better insights into the functioning of their products and services, and importantly, providing them with a potentially saleable asset.
“The issue is whether the company receiving the service has any intellectual property right on such data,” he tells Internet of Business. “The question has no straightforward answer, since it depends on the type of IoT technology and the type of data. There might be either a copyright or a database sui generis right, or no intellectual property right on IoT data.”
Read more: Time to get moving on GDPR preparation, lawyers warn
Rights to data?
Data itself is not generally protected by intellectual property rights, neither in the US nor the EU. However, the same doesn’t necessarily apply to the databases in which the data is held.
In Europe, there has since 1996 been a database right under EU law, with three major conditions: the data must be collected and arranged in a systematic way; the holder of the rights must have made a “substantial investment in either the obtaining, verification or presentation of the contents”; and they must have a strong connection with a state in the European Economic Area.
(There is also, potentially, a copyright for databases, but there must be a creative element to them that is unlikely to apply in most industrial IoT scenarios.)
There is currently no straightforward database right in the US, where ownership is generally assumed to be owned by whoever has title to the device that collected the data. However, in both legal landscapes, it’s sometimes unclear who owns the device, or who made that “substantial investment”. Is it the enterprise customer, or the vendor that’s gone and deployed its solution across the customer’s facilities?
Read more: IoT device makers: Tackle security or face legal action
Absence of clarity
In the absence of clarity, control over the data will by default go to whoever controls the data collection system. In many cases, that’s the vendor, even though both vendors and their customers have a lot to gain through the canny exploitation of the data that is generated through their arrangement.
“At the moment, IoT data risks remaining ‘locked’ into suppliers’ technologies which have the sole ability to control it,” says Coraggio. “But there is an increasing awareness of the potentials and value of IoT data by entities using internet of things technologies.”
“Therefore, I expect interesting negotiations between suppliers and customers which will have to decide whether it is more valuable for them to either keep full control of its data, or get a better price because of the supplier’s ability to use that data for future projects or improvements of their products and services,” he says.
Are these negotiations commonplace yet, though? According to Coraggio, they are “starting to arise”, but many companies are not yet fully educated about the value of their data. “Therefore, there are opportunities for suppliers in this sense,” he says.
Coraggio noted that the European Commission is currently contemplating the introduction of new ad hoc database rights, which could help make the question of IoT data ownership somewhat clearer and eliminate what Coraggio calls the risk of a “short blanket” regulatory regime, where some data may not have clear intellectual property protections.
The Commission launched a review of the EU database directive earlier this year, and its consultation closed on Wednesday (30 August). When the directive was last evaluated back in 2005, there was no IoT, and the Commission’s next steps, if any, remain to be seen.
Read more: Healthcare IoT world must prepare for GDPR, lawyers warn
Careful calibration
However, Coraggio warns that any move by the Commission to introduce new rights over IoT data could have negative repercussions if it is not carefully calibrated.
“The challenge is that if new ownership rights are created to control data, this might increase the number of entities whose permission is required to exploit data, representing more a restriction than an incentive to exploit data,” Coraggio says.
“A most prudent approach is to contractually regulate the matter in the relevant contracts, leaving the issue to a commercial negotiation which might become very complex once entities become aware of the value of their data of their suppliers.
“A potential compromise that is also being reviewed by the European Commission is to ban unfair clauses also from B2B contracts, but this might represent a disincentive for non-European companies providing IoT technologies. Therefore, I believe that it is necessary to see the dynamics of the market before taking any regulatory initiative.”
Whatever the future might hold, it’s clear that certainty is best established through the careful drafting of contracts, with both vendors and their customers going into negotiations with a clear idea of the value all that data might hold for them – not just in the present, but down the line, when there is a risk that serious disagreements could arise.