Businesses often think that they “own” data, but they are probably wrong. In fact, Canada does not recognize free-standing ownership in data. Rather, like much business information, “proprietary” data is mostly kept proprietary not because independent rights govern it—but because it is not shared.
As a result, protecting data requires a patchwork of contracts, intellectual property (IP), statutory regimes and common law causes of action. Appreciating how this assortment of legal rights and restrictions applies to data will allow businesses to gain a more accurate understanding of their rights and therefore the value of their data. This article canvasses them, and then discusses concrete steps businesses can take to protect their data rights.
There are four primary sources of data rights and protections in Canada. While businesses typically rely on all four sources to protect their data, the specific rights and protections that apply depend on the type of data in question, among other variables.
While people often consider data to be intellectual property, they are often surprised at how little traditional IP rights assist in protecting this important business asset. Patents can protect specific methods for analyzing data, but not the data itself. Copyright applies to a database if sufficient skill and judgment go into its selection and arrangement, but not to the underlying data. Trademark law offers no data-related protection at all.
The other area of law that is sometimes referred to as “intellectual property” is the law of confidential information. However, unlike patent, copyright and trademark, this area does not have comprehensive statutory frameworks for protecting confidential information. Rather, confidential information is protected primarily by keeping it confidential (think about KFC or Coca-Cola).
Of course, some business information needs to be shared or used in a way that makes it difficult to keep it entirely confidential. That does not mean it cannot be protected, however. Rather, it usually means it is protected through contracts.
Contracts are one of the most straightforward ways to obtain rights or apply protections to data. They allow you to share information on the basis that your counterparty agrees to protect it in certain ways. Businesses often make the mistake of including clauses that assert “ownership” of data. However, since data cannot really be “owned” in the traditional sense, we instead recommend specifying permissible and impermissible uses of the data.
Contracts can also require that a party have specific safeguards in place as an additional layer of legal protection. Indeed, this is a common question asked by companies conducting due diligence for transactions.
Another example of contractually protecting data is terms and conditions on websites, which can restrict or prohibit the collection or use of the website’s data. Businesses seeking to accumulate data using screen-scraping and similar techniques should be aware of the contractual risks that come with these types of practices.
A number of statutory regimes set requirements for what can and cannot be done with data in particular contexts.
One widely applicable example is privacy statutes like the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and similar provincial legislation. PIPEDA and its provincial cousins provide requirements for organizations that collect, use or disclose personal information. While these requirements are primarily aimed at protecting the privacy of the individual to whom the personal information relates, they also govern when one company may or may not collect, use or disclose personal information under another company’s custody or control.
Sector-specific statutory regimes also create their own data rights and requirements. For example, laws in financial services, securities, healthcare, life sciences and telecommunications may stipulate circumstances regarding when and how certain data can be handled or shared, and by whom.
Finally, companies should be aware of protections for trade secrets in the Criminal Code. It is an offence to knowingly obtain, communicate or make available a trade secret by deceit, falsehood or other fraudulent means. The Criminal Code also prohibits:
Common law claims can also help protect data. A company may be able to claim breach of confidence when it conveys confidential data to a recipient, a reasonable person would have understood that the data was conveyed in confidence, and the recipient misuses the confidential data to the detriment of the confiding party.
A plaintiff may also be able to claim unjust enrichment in relation to the use of data. Such a claim could be made out where a defendant is enriched through the use of data, that use causes a corresponding deprivation to the plaintiff, and there is no legal reason for the defendant’s enrichment.
Other common law claims may also arise in contexts relating to data, such as a breach of fiduciary duty (provided that a plaintiff can establish a fiduciary relationship and show that the misuse of data constituted a breach) or negligence (such as the negligent use or protection of data).
Instead of relying on a general right of data ownership, businesses should assess the value of the data under their custody or control and audit which precise rights and protections apply to it.
Once value is assessed, businesses should consider the most effective legal and practical steps that can be taken to protect their data. For example, a business sharing data with another company should be protecting itself with contracts. Contract terms should clearly specify what actions or purposes are permitted and prohibited, and not rely on a general assertion of ownership. Businesses should also consider whether the contract provides an adequate remedy for misuse.
Businesses should also be aware of the remedies available to them. Depending on the circumstances, remedies can include injunctions and damages awards, by various measures (including restitution for unjust enrichment). However, companies should also consider the ease, cost and likelihood of obtaining a remedy, and whether that remedy will be sufficient. In particular, some statutory regimes may penalize a party who has misused a business’ data, but still fail to provide an adequate remedy to the business whose data has been misused.
Businesses should also consider the practical steps they can take to prevent misuse of their data in the first place. This includes implementing a robust data protection and cybersecurity program that applies physical and technical safeguards to a company’s data.
Organizational safeguards are also important. For example, businesses should ensure that data that they want to keep confidential is treated as confidential in practice within their organization. Common steps businesses can take include formally designating information as confidential, stipulating specific restrictions on disclosure and other data handling practices in internal policies, limiting access to the data to a “need-to-know” basis, and ensuring proper data handling practices are included in employee training.