Protecting Data Compilations in the US

As we enter the fourth industrial revolution, there is an exponential increase in reliance on data as the foundation of our work. The enhanced computer processing power of today and growth of artificial intelligence capabilities, allows for the generation of enormous data compilations, will have a substantial impact on business as we know it. (Schwab, 2016 - The Fourth Industrial Revolution: what it means and how to respond | World Economic Forum (weforum.org))

1. Data as Intellectual Property: Do you collect data that can be used, for example, to diagnose disease, monitor climate change, or improve cost efficiency for your industry?
   • In a data driven economy, many products rely on innovative means of data collection.
     • Data collections have economic and social value: they can be bought, sold, and used in social and economic development.
   • Intellectual property rights (IPR): To consider protecting your data compilations, an important distinction is the data as separate from the system in which it operates.
     • Given the wide range of information that can be considered data, the type of intellectual property right (IPR) which is applicable on the data may vary.
     • Example: Creative data (e.g. photographs) can be protected by copyright. If the data is factual (e.g. a sensor reading data point), that piece of data would not be copyrightable.
   • Data compilations can be protected through different IPRs.
     • Copyright protection may be sought for creative manipulation of data. This includes creative arrangements (i.e. not just chronological), annotations and selections of data. The structure of the database and the code that is developed to retrieve and/or organize the data may be eligible for copyright protection.
     • Trade secrets may be used to protect data if the data falls under the general criteria for eligibility:
       • must have economic value due to being secret.
       • must have value to those who cannot obtain the information on their own.
       • Reasonable efforts must be made to maintain its secrecy.
     • Patents may protect processes for processing data including databases, data mining, and data structures (US Patent Class 707). However, this does not protect the data collections themselves.
     • Some countries promote database protection by codifying database rights, EU participants among the most notable.
       • The goal is to reward the investment in producing databases.
       • Canada and the US do not have database rights.
2. Data Protection and Contracts
   • For trade secrets, distribution of the trade secret should be limited and contractual agreements in place.
     • Employment Agreements: Should contain non-disclosure, confidentiality, and non-compete clauses, and should specifically refer to trade secrets.
     • Business agreements: If a trade secret must be shared with another party, it should only be done after the other party has signed a confidentiality or non-disclosure agreement.
   • Licensing and Terms of Use
     • Contractual agreements can be used to define guidelines, expectations, and limitations on the terms of use (and excluded uses), access, and sharing of data compilations.
     • Special attention should be taken about ownership and the creation of derivatives, especially when data from multiple sources are combined to train models or create new IP.
3. Data and Privacy
   1. Data may have privacy considerations and regulatory obligations that vary per jurisdiction.
      1. Example: In Canada, data privacy can be governed by the Personal Information Protection and Electronic Data Act (PIPEDA), while health care data falls under the Health Insurance Portability and Accountability Act (HIPAA) in the United States.
   2. The US does not have a single electronic data act; rather, it includes data in other acts, such as HIPAA, or acts protecting the privacy of children. Some states, however, have data privacy laws, which must be accounted for if selling or purchasing data compilations in the US. For more on this, please refer to our resource on United States Comprehensive state privacy laws.
   3. If your company collects data from people outside of Canada, you may be subject to different restrictions depending on the jurisdiction. Generally, if your data is stored in Canada, you and your clients are protected by PIPEDA. If your data is stored remotely, i.e. in the US, the lessened privacy protections offered in the US may mean that you are at risk of noncompliance with PIPEDA, with respect to your Canadian clients or with the European Union’s General Data Protection Regulation (GDPR) with respect to your European clients.
      1. Your company can either collect and store data separately, in separate jurisdictions, or store in a jurisdiction that offers privacy protection compliant with the most stringent privacy laws.

Key considerations for Canadian companies:

• Data can be protected by contracts and multiple type of intellectual property rights (copyright, trade secrets, and patents).
• When negotiating data licensing contracts, special attention should be taken to clarify ownership, access and use of the data, and the creation of derivatives.
• Data may also be subject to privacy considerations, and these considerations may vary from state-to-state in the US.
• “Intellectual property considerations for protecting data should be done in an intentional and holistic manner - it is an incredibly powerful intangible asset and should be managed as such,” says Myriam Davidson, Director of Engagement at Stratford Intellectual Property.

Additional information:

• For information about IP protection in the US, please see the Canadian Intellectual Property Office’s publication on Doing business abroad: Protecting your IP in the United States
• For material relating to the export of goods to the US, please see the Doing Business in the United States webpage
• For more information on going global with your IP, visit ca/export-ip