Key questions when buying, selling or licensing data for analytics

What will the data be used for?

Establish the business context for data use. If the context isn’t known, the legal analysis may be incomplete. Questions to consider:

• How will the buyer of the data use it?
• What restrictions on use does the seller require?
• Will the buyer need to “give” data to “get” data in return?
  • If so, what restrictions should be put on the seller’s secondary uses of the buyer’s data?

Does the data include personal information?

Establish whether privacy compliance is a factor, and if it is, whether the groundwork has been laid to use the data as contemplated in the commercial transaction. Questions to consider:

• If so, what privacy laws apply?
• Does the data controller have appropriate consent to sell/license/use the information for the intended purpose?
• Do privacy laws restrict the intended use regardless of consent?
• Do privacy laws give individuals data portability rights?
  • If so, could portability rights require transfer of this data to competitors?

Does the data include commercial information?

Establish whether the data is commercial information, along with the rights surrounding its use. Questions to consider:

• Is there evidence that the company has sufficient rights to use/provide this data? From what sources was it collected/created?
• Is the company subject to any contracts governing how this commercial information can be used, by whom, and for how long?
  • Can contracts be future proofed to ensure company maintains usage rights in the face of changes to data ownership rights at law?
  • Do the contracts address usage rights of both input data and output product of analytics/AI?
• Which countries’ laws apply to the sale/licensing/use of this data?
  • Do those laws recognize data ownership rights?

Does the data include information subject to intellectual property rights?

Establish whether the parties to the transaction (or third parties) have contractual or proprietary rights to the data that is being provided for, or generated as part of, the commercial transaction. Questions to consider:

• If so, which types of IP are involved—copyright/trade secrets/trademark/patent/industrial design?
• Which countries’ IP laws apply?
• Is the company subject to any contracts governing how this IP can be used, by whom, and for how long?

Which regulators have oversight?

Establish whether other legal systems or regulations place limitations on the use of the data. Questions to consider:

• Which countries’ laws are engaged?
• Which regulatory regimes are engaged by the data and the use—privacy, competition/anti-trust, securities, consumer protection, health, manufacturing, safety?
• What regulatory sanctions could arise from the use of the data—fines, contractual repudiation, change in business practices, divestment, disclosure of data?

What risk management tools are available?

Establish the contractual, organizational or other “guardrails” that can help contain the risks of the commercial transaction. Risk management tools to consider:

• Security provisions in contracts to protect data against unauthorized access.
• Processes for addressing data breaches, reputational harm or regulatory investigations.
• Contractual limitations of liability and indemnities vis-à-vis data subjects and counterparties.
• Insurance for data security breaches, counterparty contractual breaches.
• Lobbying with appropriate governments and regulators re data ownership rights.