So, your business is seeking to extract value from its newly discovered treasure trove of data. To unlock this value, you will often need to work with other parties — data analytics service providers and contributors of other, complementary data sets.
The problem is that many data analytics services contracts currently in use are not fit for purpose. Below are some key ways to get your contracts right — to unlock value and to protect your data assets.
Why are many data analytics services contracts not fit for purpose?
Big data analytics is a dynamic and rapidly evolving industry. Data analytics business models often change to reflect emerging technologies or shifting opportunities. Many data analytics services contracts in common use are simple adaptations of data use agreements or software license agreements. These contracts provide inadequate safeguards to the parties.
These contracts often specify the expected outcomes from analytics services too rigidly and then are unable to deal with the inevitable pivots and changes that arise during the discovery phase of data analytics projects. They often lack effective ongoing governance mechanisms or transparent processes for re-pricing or realignment as these changes occur.
Data analytics services contracts should protect each party’s valuable business information during the service term. They should also safeguard methodologies or insights arising from the project beyond the service term.
There are issues with many of the traditional safeguards used in standard data service agreements. These include:
- Copyright law concepts of ‘who owns what’ no longer work to effectively allocate ownership and rights of use. Copyright cases in many jurisdictions create significant hurdles to establishing ownership of databases or computer generated works – making it difficult to use copyright law to govern your data analytics projects.
- Poorly drafted contractual protections are often misunderstood or worse, simply unenforceable. If drafted incorrectly, vertical and horizontal restraints risk challenge under competition (antitrust) law, invalidity as unlawful fetters on employee mobility, unreasonable restraints of trade or impermissible extensions of intellectual property protection. Even where extensions of intellectual property are lawful, such extensions may not be enforceable in some jurisdictions. Fetters on employee mobility are also difficult to enforce in jurisdictions such as California and Germany. A combination of targeted application of the law of confidential information (trade secrets), well-drafted contractual vertical and horizontal restraints and appropriate ring fencing arrangements can be effective to ensure fair and predictable allocation of rights.
- Patents may not provide ‘value for money’ — other as comfort to venture capitalists or as defensive shields or "tickets to trade" in the event of patent infringement claims by others. Your data analytics projects may rapidly evolve away from the originally anticipated processes and outcomes. As a result, patent claims often fail to provide patent owners with enduring freedom to operate.
Privacy: value enhancing or getting in the way?
A well-constructed privacy-management process can be a significant value creator and source of competitive advantage in a data analytics deal. Unfortunately, privacy regulation is seen by many businesses as addressing a problem — a compliance hurdle to be jumped rather than an enabler of a better deal. Privacy compliance is often addressed by simply layering more obligations onto the weaker party in the negotiation — a lawyer's version of "pass the parcel."
There is a better way. Well thought-through privacy and information management creates optionality for future uses, reduces risk of later reworks, enhances the value of shared information and builds the trust of data partners, customers, and regulators.
Data contributors and service providers must work together to design end-to-end information management processes that are properly documented and verifiable. These processes consider privacy compliance in conjunction with protection of rights of use within the broader information lifecycle and service delivery chain. Dependencies between a data provider and analytics partner should be identified and then information management designed and implemented in a way that is mutually understood and fully transparent to each party. The parties can then appropriately allocate responsibilities for effective de-identification of information and, where personal information must be used, provision of privacy notices and obtaining of consents.
Anonymisation of transaction data and de-identification of personal information is crucial to get right. If you can achieve reliable and verifiable de-identification (so that no individual can be re-identified by any recipient of that information, including through matching with other knowledge or data sets available to that recipient), then information may be used and disclosed without restriction under privacy law in many jurisdictions.
The definition of "personal information," "personally identifying information," or "personal data" in many privacy laws does not expressly deal with the issue of de-identification. The growing consensus is that that the test to be applied is whether it is reasonably practicable for an entity receiving de-identified data to be able to re-identify an individual. This will be judged by a range of factors which include not only reference to the information itself, but also a recipient’s ability to access other information reasonably available to the receiving entity.
The risk of re-identification of any individual need not be completely eliminated, but it must be mitigated until it is (at least) low or remote. If you are sharing de-identified information you need to "stand in the shoes" of possible recipients and then satisfy yourself before you release the de-identified information that the possibility of re-identification of any individual by the first recipient or any other reasonably anticipated downstream recipient is (at least) low or remote. In making this judgment, you may take into account reliable and verifiable risk-mitigation controls and safeguards, technical (i.e. encryption, information security etc.), operational (clean teams, full data segregation and controlled access, etc.) and contractual. But you need to consider both the first recipient, upon whom these controls and safeguards may be contractually imposed, and any possible recipient further downstream. And it’s not what people say they will or won’t do: it is what you fairly judge they cannot reasonably do. This judgement can’t be fudged: it must be fair, expert, and fully defensible.
Negotiating fit-for-purpose data-analytics services contracts
To deliver value and strong protections in your data analytics services contracts, you should consider:
- how to get an agile contract in place with appropriate (and at least adequate) protections, without ‘boiling the ocean’;
- allocating rights in order to address shortcomings in copyright, patent and trade secret law;
- ensuring that processes and data uses by each data partner are specified and well understood and protect against the leakage of value, such as through: permitting additional commercially valuable uses that were not anticipated and therefore not factored into pricing and value calculations; or your competitors getting access to commercially valuable business information directly or indirectly through analysis of the data received;
- drafting vertical and horizontal restraints that are fair and workable and also do not contravene competition laws;
- facilitating clean disengagement on termination or expiry of the agreement, with each party able to re-engage with other data partners, including competitors, but with clarity as to subsequent uses and applications of project inputs, outputs, methodologies and processes and other learnings;
- ensuring continuing alignment of upstream privacy statements and terms with downstream uses and disclosures (for compliance with privacy regulation);
- not creating exposure to misleading or deceptive conduct claims that often arise, e.g. out of overly broad statements (for example, as to how ‘any information that we collect about you’ is to be used) or through unfair contract terms or through inadequate notice (such as vague statements about uses of de-identified information that are buried in privacy statements which purportedly only address uses of personal information);
- anticipating and addressing fears and expectations of ‘privacy advocates’ and some consumers (including non-digital native consumers that may have greater sensitivities as to ‘spooky stuff’) and accordingly mitigating any risk that consumer trust and brand equity is undermined;
- not being ‘blind-sided’ by collateral legal obligations including restrictions upon unlawful surveillance or use of tracking devices; fiduciary obligations; banker’s and insurer’s duty of confidentiality; potential availability of information collected under subpoenas or to regulatory authorities such as environmental protection authorities or to taxation or other government agencies; contravening restrictions upon discrimination that may be triggered by targeted offerings to segments of consumers and so on;
- anticipating and allocating ‘knowledge based liability risk’ (i.e. exposure to negligence claims arising from failure to manage and/or mitigate risks based upon available information);
- building in a ‘big red button’ to allow each party to appropriately address unanticipated major legal or reputational exposure without inadvertently creating an open backdoor of termination for convenience; and
- addressing possible future regulated access to ensure open availability or interoperability, as the focus of competition regulation shifts from the network layer to the applications layer or data layer.
Achieving good information-management and negotiating fair and balanced data-analytics deals is not easy. And that is why transparency of rights and use and good information management will be a key differentiator of industry leading data analytics businesses of the future. Corner-cutting or slapdash operators will wither away either through regulator action or mistrust of business partners. The stakes are too high to not do data analytics deals and information management really well.
If you want to comment on this post, you need to login.