Technology agreements commonly involve transfer of rights in both intellectual property and data. While IP provisions are typically extensive and heavily negotiated, data has not been receiving the same degree of attention. Many technology agreements contain incomplete or inadequate data provision or no data clauses at all.
Yet, data, like IP, can present lucrative opportunities for profit, while simultaneously threatening hefty liabilities. By contrast, unlike IP, data is ineligible for separate statutory protections that patents, copyrights and trademarks enjoy. This begs the question of how to give data the proper treatment in technology agreements to maximize value and reduce liability. Agreements between a data provider and a data service vendor typically range, in the order of increasing data processing activities, from data hosting agreements (such as cloud services agreements where data is hosted by vendor), data outsourcing agreements (where data are outsourced for processing under provider’s instructions), to data licensing/acquisition agreements (where data is licensed or sold to a vendor for commercial exploitation).
Three preliminary issues
Three preliminary issues must be resolved before we commit to any data provisions in a technology agreement. First, we must identify and define the types of data involved in the transaction, including those provided and/or received by each contracting party. Second, we then must assign ownership to such data. Third, we must define what license or other rights involving data are granted under the agreement.
Defining data
At the outset, the data that is the subject of an agreement should be categorized and defined. Standard tech agreements provided by vendors often do not contain any official definition of data that provider is deemed to own. Including a definition enables providers to ensure that all the relevant data issues (discussed below) are adequately addressed.
But defining data is no small task. In hosting and outsourcing contexts, provider data can be defined through a general description that includes all data and information transmitted from provider to vendor in connection with the agreement. In the licensing contest, provider data should be defined by its specification via a separate exhibit that essentially lists the names of the data fields of the database. A data definition should also address the data derived from the raw data, which may include metadata, anonymized data, pseudonymised data and aggregated data (in combination with non-provider data).
Data ownership
Once all data involved is defined, the next step is to assign ownership to it. Because there is currently no statutory guidance on data ownership, contracting parties are free to negotiate which party owns the data. While the ownership of raw data is typically assigned to the data provider, ownership of derivative data is often contested. For example, in hosting agreements, vendors often demand for the right to own the anonymized data derived from provider data to be used for mining purposes. In the licensing context, vendors sometimes wish to own the aggregated data based on provider data and other data for similar purpose. In this case, it is often difficult for the provider to claim exclusive ownership as the aggregated data is part of an inseparable portion of the resulting data set derived from a combination of data including data from other sources.
Data license
While data licensing clauses are usually present in data licensing agreements, hosting or outsourcing vendors often replace the license clause with a weak grant of right clause. Typical IP-license restriction terms such as territory, non-exclusive, non-sublicensable, non-transferrable, revocable, and limited should be considered. While a license in hosting agreements is often given royalty-free for the limited purpose of performing customer services, a license in commercial licensing agreements is much broader, warrantying careful consideration.
The data license grant clause should be followed by at least three mechanisms to narrow its scope. First, a permitted-use clause to expressly specify the types of permitted data processing activities permitted. Second, a prohibited use clause to expressly specify the types of prohibited data processing activities. Examples of prohibited activities include to resell, broker, transfer or otherwise make available provider data to any third party other than vendor’s authorized contractors, or to use provider data in any manner or for any purpose that knowingly infringes, misappropriates or otherwise violate any right of any person. Third, a reservation of rights clause to reserve all rights in and to provider data not expressly granted to vendor.
Once data is defined, ownership is designated, and license grant is carefully narrowed, we explore ways to safeguard provider data through contractual clauses.
Data as IP
As discussed above, data is not subject to separate statutory protections. Data, however, sometimes can be protected as copyright and/or trade secret. Copyright is afforded when data is the collected, selected and assembled in such a way to render the result as an original work of authorship. Trade secret is more commonly evoked provided that, in part, it is kept confidential. Contractually, a tech agreement can include a clause requiring vendor to acknowledge that provider data may be deemed as copyright and/or trade secret in the U.S., and not to challenge the provider’s IP rights to its data.
Data as confidential information
Data can further be protected contractually as confidential information. Following the standard “confidentiality provision,” the agreement should state that provider data is deemed provider’s confidential information. While the confidentiality provision typically survives the termination of the agreement and continues for an extended period of time (two or three years, for example), a separate clause needs to extend the confidentiality duty to further cover any trade secret embodied in data for so long as it remains a trade secret. Finally, upon the termination of an agreement, provider data, as provider’s confidential information, shall promptly be returned or destroyed as instructed by the provider.
Privacy and security
Considerations for privacy should, at a minimum, include both party's pledge to follow its own privacy policy and other legally imposed privacy obligations. For licensing or outsourcing transactions involving personally identifiable information, the provider might sometimes wish to include an ongoing obligation requiring the vendor to comply with the provider’s privacy policy as updated from time to time. A compromise is to limit such and ongoing obligation to a commercially reasonable effort.
Security provisions vary from agreement to agreement. For example, some cloud agreements refuse to make any guaranty on data security. Others contain a general provision requiring the vendor to adopt adequate technical and organizational measures to protect the confidentiality, integrity and availability of confidential information including provider data. For extra protection warranted by PII, the provider can include an audit clause allowing for the provider’s audit of the vendor’s computer system for security purpose, and a data breach notification clause requiring the vendor to promptly notify the provider upon a potential or actual security breach.
Prior to entering the technology agreements, the provider may consider conducting a due diligence review of the vendor’s privacy and security practice. A privacy review may include a privacy impact assessment while a security review may include engaging outside consultants for a security assessment. Such assessments are vital supplements to the privacy and security contractual provisions.
Three Ways to Limit Data Liability
Representations & warranties
Providers may be asked to warrant that
- Provider data, especially PII if any, are collected lawfully without violating any third parties’ rights, contractual obligations or applicable law.
- The provider has all rights and authorization to grant the data license.
- The permitted use of provider data a by the vendor will not violate any third party’s rights. While these requests appear fair, providers in the licensing context should disclaim any implied warranties or warranties that provider data or any products or results of its use will achieve any intended result, be compatible with any software or services, or be error free. The vendor should warrant that it will not use the provider data exceeding the permitted use or violate its own privacy policy and applicable laws.
Indemnification
While it is common for the provider to indemnify the vendor for infringement claims arising out of the vendor’s permitted use of provider data, the provider should correspondingly ask for indemnity from the vendor for third-party claims arising out of the vendor’s use of provider data not expressly authorized by the agreement.
Liability cap
Vendors typically wish to limit their liabilities under indemnities for an amount equal to the fees they receive from providers. Providers need to make sure that such fee cap can cover potential liabilities providers may incur under applicable federal and state breach notification laws in the event of a data breach involving PII.
In-house counsels should work closely with privacy counsels to standardize data provisions in technology agreements, paying particular attention to three threes: three preliminary issues, three ways to protect data to maximize value and three ways to limit data liabilities.