The Privacy Advisor

Technology agreements commonly involve transfer of rights in both intellectual property and data. While IP provisions are typically extensive and heavily negotiated, data has not been receiving the same degree of attention. Many technology agreements contain incomplete or inadequate data provision or no data clauses at all.

Yet, data, like IP, can present lucrative opportunities for profit, while simultaneously threatening hefty liabilities. By contrast, unlike IP, data is ineligible for separate statutory protections that patents, copyrights and trademarks enjoy. This begs the question of how to give data the proper treatment in technology agreements to maximize value and reduce liability. Agreements between a data provider and a data service vendor typically range, in the order of increasing data processing activities, from data hosting agreements (such as cloud services agreements where data is hosted by vendor), data outsourcing agreements (where data are outsourced for processing under provider’s instructions), to data licensing/acquisition agreements (where data is licensed or sold to a vendor for commercial exploitation).

Authors: Xiaoyan Zhang

Three preliminary issues

Three preliminary issues must be resolved before we commit to any data provisions in a technology agreement. First, we must identify and define the types of data involved in the transaction, including those provided and/or received by each contracting party. Second, we then must assign ownership to such data. Third, we must define what license or other rights involving data are granted under the agreement.

Defining data

At the outset, the data that is the subject of an agreement should be categorized and defined. Standard tech agreements provided by vendors often do not contain any official definition of data that provider is deemed to own. Including a definition enables providers to ensure that all the relevant data issues (discussed below) are adequately addressed.

But defining data is no small task. In hosting and outsourcing contexts, provider data can be defined through a general description that includes all data and information transmitted from provider to vendor in connection with the agreement. In the licensing contest, provider data should be defined by its specification via a separate exhibit that essentially lists the names of the data fields of the database. A data definition should also address the data derived from the raw data, which may include metadata, anonymized data, pseudonymised data and aggregated data (in combination with non-provider data).

Data ownership

Once all data involved is defined, the next step is to assign ownership to it.  Because there is currently no statutory guidance on data ownership, contracting parties are free to negotiate which party owns the data. While the ownership of raw data is typically assigned to the data provider, ownership of derivative data is often contested. For example, in hosting agreements, vendors often demand for the right to own the anonymized data derived from provider data to be used for mining purposes. In the licensing context, vendors sometimes wish to own the aggregated data based on provider data and other data for similar purpose. In this case, it is often difficult for the provider to claim exclusive ownership as the aggregated data is part of an inseparable portion of the resulting data set derived from a combination of data including data from other sources.  

Data license

While data licensing clauses are usually present in data licensing agreements, hosting or outsourcing vendors often replace the license clause with a weak grant of right clause. Typical IP-license restriction terms such as territory, non-exclusive, non-sublicensable, non-transferrable, revocable, and limited should be considered. While a license in hosting agreements is often given royalty-free for the limited purpose of performing customer services, a license in commercial licensing agreements is much broader, warrantying careful consideration.

The data license grant clause should be followed by at least three mechanisms to narrow its scope. First, a permitted-use clause to expressly specify the types of permitted data processing activities permitted. Second, a prohibited use clause to expressly specify the types of prohibited data processing activities. Examples of prohibited activities include to resell, broker, transfer or otherwise make available provider data to any third party other than vendor’s authorized contractors, or to use provider data in any manner or for any purpose that knowingly infringes, misappropriates or otherwise violate any right of any person. Third, a reservation of rights clause to reserve all rights in and to provider data not expressly granted to vendor.

Once data is defined, ownership is designated, and license grant is carefully narrowed, we explore ways to safeguard provider data through contractual clauses.