Language selection


Protecting Data Compilations in the US

Disclaimer: The information provided in this factsheet is meant as an educational resource only and should not be construed as legal advice.

As we enter the fourth industrial revolution, there is an exponential increase in reliance on data as the foundation of our work. The enhanced computer processing power of today and growth of artificial intelligence capabilities, allows for the generation of enormous data compilations, will have a substantial impact on business as we know it. (Schwab, 2016 - The Fourth Industrial Revolution: what it means and how to respond | World Economic Forum (

  1. Data as Intellectual Property: Do you collect data that can be used, for example, to diagnose disease, monitor climate change, or improve cost efficiency for your industry?
    • In a data driven economy, many products rely on innovative means of data collection.
      • Data collections have economic and social value: they can be bought, sold, and used in social and economic development.
    • Intellectual property rights (IPR): To consider protecting your data compilations, an important distinction is the data as separate from the system in which it operates.
      • Given the wide range of information that can be considered data, the type of intellectual property right (IPR) which is applicable on the data may vary.
      • Example: Creative data (e.g. photographs) can be protected by copyright. If the data is factual (e.g. a sensor reading data point), that piece of data would not be copyrightable.
    • Data compilations can be protected through different IPRs.
      • Copyright protection may be sought for creative manipulation of data. This includes creative arrangements (i.e. not just chronological), annotations and selections of data. The structure of the database and the code that is developed to retrieve and/or organize the data may be eligible for copyright protection.
      • Trade secrets may be used to protect data if the data falls under the general criteria for eligibility:
        • must have economic value due to being secret.
        • must have value to those who cannot obtain the information on their own.
        • Reasonable efforts must be made to maintain its secrecy.
      • Patents may protect processes for processing data including databases, data mining, and data structures (US Patent Class 707). However, this does not protect the data collections themselves.
      • Some countries promote database protection by codifying database rights, EU participants among the most notable.
        • The goal is to reward the investment in producing databases.
        • Canada and the US do not have database rights.
  2. Data Protection and Contracts
    • For trade secrets, distribution of the trade secret should be limited and contractual agreements in place.
      • Employment Agreements: Should contain non-disclosure, confidentiality, and non-compete clauses, and should specifically refer to trade secrets.
      • Business agreements: If a trade secret must be shared with another party, it should only be done after the other party has signed a confidentiality or non-disclosure agreement.
    • Licensing and Terms of Use
      • Contractual agreements can be used to define guidelines, expectations, and limitations on the terms of use (and excluded uses), access, and sharing of data compilations.
      • Special attention should be taken about ownership and the creation of derivatives, especially when data from multiple sources are combined to train models or create new IP.
  3. Data and Privacy
    1. Data may have privacy considerations and regulatory obligations that vary per jurisdiction.
      1. Example: In Canada, data privacy can be governed by the Personal Information Protection and Electronic Data Act (PIPEDA), while health care data falls under the Health Insurance Portability and Accountability Act (HIPAA) in the United States.
    2. The US does not have a single electronic data act; rather, it includes data in other acts, such as HIPAA, or acts protecting the privacy of children. Some states, however, have data privacy laws, which must be accounted for if selling or purchasing data compilations in the US. For more on this, please refer to our resource on United States Comprehensive state privacy laws.
    3. If your company collects data from people outside of Canada, you may be subject to different restrictions depending on the jurisdiction. Generally, if your data is stored in Canada, you and your clients are protected by PIPEDA. If your data is stored remotely, i.e. in the US, the lessened privacy protections offered in the US may mean that you are at risk of noncompliance with PIPEDA, with respect to your Canadian clients or with the European Union’s General Data Protection Regulation (GDPR) with respect to your European clients.
      1. Your company can either collect and store data separately, in separate jurisdictions, or store in a jurisdiction that offers privacy protection compliant with the most stringent privacy laws.

Example 1: A SAAS company sells to consumers worldwide a unique Internet of Things (IoT) hardware to monitor temperature. The device transmits temperature data to a secure cloud server for processing and the transmission is done using an innovative data transmission protocol. The cloud server executes an artificial intelligence algorithm that processes the data to generate derived and transformed data and sends a summary report to an application used by the consumer.

In this case, the raw data points would be facts and not subject to copyright. However, the SAAS company creatively selects which data is used for reporting and this structure can be protected by copyright. The artificial intelligence algorithms running on the cloud server would benefit from being kept as trade secrets and copyright on the code. The innovation in the IoT devices and the transmission protocol could be protected by patents. If the data is shared with third-parties, then it should be protected through contractual agreements. Lastly, management of data should comply with jurisdiction-specific privacy regulations.

Key considerations for Canadian companies:

Additional information:

Date Modified: