Committee Analysis of Data Assets Shows Global Trends

Published: January 27, 2021

The future has arrived, and a flood of information is available online. As some say, data is the new oil.

At the same time, technologies have been developed to collect, treat, and increase the commercial value of data. Governments are regulating the jurisdictional boundaries for how they and companies use data.

To better understand the landscape, INTA’s Data Protection Committee (DPC) reviewed and analyzed developments in 20 jurisdictions in 2020 and identified common points related to personal data and sensitive data.

  • Personal data is private data that links to information about an individual, such as, address, identification, passwords, taxpayer numbers, and family members.
  • Sensitive data receives strict treatment and is related to an individual’s racial and ethnic origin, religious beliefs, political opinion, health particularities, sex life, genetics, biometric data, and more.

According to the analysis, in most of the jurisdictions, companies must inform users of the purposes for collecting and processing their data, and users often must provide their consent. The data may be anonymized by the collector.

In addition, in most jurisdictions, anonymized data can be regarded as proprietary information, trade secrets, or competitive information, suggesting a legal basis for the monetization of data cleared of personally identifiable information.

In the past, companies would conduct surveys to detect trends of customer preferences and behavior. Information is now available if collected in a specific, legally compliant manner.

Here are a dozen examples of developments from various jurisdictions:

  • Argentina: Law no. 24.766 provides that information can be deemed a trade secret if: (i) it is secret; (ii) it has a commercial value because it is secret; and (iii) measures have been taken to keep it secret. If data has been dissociated from the individual and cannot be linked again, it is no longer subject to data protection. From a data protection standpoint, anonymous data can be monetized.
  • Brazil: Anonymized data that cannot be reversed using reasonable efforts and that cannot be linked to an identified or identifiable natural person can be compared to proprietary information or trade/industrial secrets. This data can be monetized, traded, or used for marketing purposes.
  • Canada: Per the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information does not include information rendered anonymously (not possible to link back).
  • China: Cybersecurity law and regulations have imposed heavy security duties for brand owners and platforms to collect and use personal data. Regulations stipulate principles such as legitimacy, reasonability, necessity, and publicity (including rules of collection and usage, purpose, method and scope of collection and use, and consent from data providers). Personal data is treated as a right to dignity (or moral right). It is unclear whether collected anonymous data can be protected as a trade secret because commercial transaction of personal data is limited under the rules of cybersecurity law and regulations, which provides an exception for data collecting parties to “provide” anonymized data to others without obtaining consent from the individuals.
  • European Union: The General Data Protection Regulation (GDPR) states that brand owners and platforms may use personal data anonymously. The anonymization of data aims at preventing the identification of the data subject. This can be achieved by applying different techniques grouped into two families: randomization and generalization. Randomization modifies the degree of truth of data to eliminate the correlation between data and person. Generalization dilutes the attributes of the subject by modifying the scale or order of magnitude (age range instead of the precise age of the subject).
  • India: If customers are aware and agree that information will be collected, treated, and used (informed consent), anonymized data can be monetized.
  • Japan: Companies should make it impossible to identify the subject and restore personal information. Standards are prescribed by the rules of Japan’s Personal Information Protection Commission. The Unfair Competition Law protects trade secrets and is amended to protect what is called Data for Limited Provision (DLP), which must be (i) limitedly provided, (ii) electronically managed, and (3) substantially accumulated. If anonymous/aggregated personal data satisfies these requirements, it can be protected under the Unfair Competition Law.
  • Mexico: Processing of any personal data must comply with the principles of legality, consent, information, quality, purpose, loyalty, proportionality, and accountability. If requirements are met, anonymized data can be monetized.
  • South Africa: Personal information can be monetized, traded, used for marketing purposes, and regarded as an asset. Certain considerations are provided for by several legislations, namely the Electronic Communications and Transactions Act (ECTA), Consumer Protection Act 68 of 2008, and the Protection of Personal Information Act (POPIA).
  • United Kingdom: The Information Commissioner’s guidelines specify that the Data Protection Act does not apply to anonymized data.
  • United States: Aggregate consumer information is not personal information. The California Consumer Privacy Act (CCPA) defines “aggregate consumer information” as relating to a group/category of consumers. The CCPA addresses both aggregated and anonymous data. General requirements are: (i) information “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular customer”; (ii) business must have implemented technical safeguards and business processes that prohibit re-identification; (iii) business must have implemented processes to prevent inadvertent release even of the de-identified data; and (iv) business must not make any attempts to re-identify the information.
  • Uruguay: Data that does not include personal data can be monetized, traded, or used for marketing purposes if the information obtained cannot be linked.

The analysis revealed the following general safe harbors:

  1. Customers should be clearly informed that the data available may be collected, treated, and used (traded/monetized);
  2. Brand owners should adopt the best technologies and procedures to keep data safe, anonymous, and not linkable;
  3. Brand owners should not collect, treat, and use sensitive information; and
  4. Brand owners should use the necessary information in connection with the purpose informed to the customers.

While the above are general, each jurisdiction has its own specific particularities, and companies should clarify local requirements with a regional specialist.

Considering that the product generated by data collection is an asset that, depending on each jurisdiction, can be regarded as proprietary information, competitive information, or trade secrets, the results suggest that the intellectual property community should be consulted and involved in decision-making around company data collection and processing as the legal frameworks continue to evolve.

A list of contributors is provided below. All are members of the Data Assets Subcommittee of the Data Protection Committee except those marked with an asterisk.

Kishi Anderson (Uber, USA), Spencer Kathryn Beall (Jones Day, UK), Roberta de Brito Rodrigues (Stocche Forbes, Brazil),* Sarah Bruno (Reed Smith, USA), Carla Collett (Webber Wentzel, South Africa), Anna Cluzeau (Etex Services NV, France), Agustina Fernandez (Fernandez Secco, Uruguay), Gustavo Giay (Marvall, O’Farrell & Mairal, Argentina), Brian Goldberg (Trademark Ventures International, Australia), Martin Hemmer (akd, the Netherlands), Mauricio Hernandez (Bufete Soní, Mexico),* Sidhant Kumar (Independent Legal Practitioner, India),* Jaime Mantilla (Falconi Puig, Ecuador), Denise Mroz (Johnson & Johnson, USA), Laisha Mubarak Aguad (Phillipi Prietocarrizosa Ferrero DU & Uría, Peru), Junko Mukoyama (Avaya Japan Ltd., Japan),* Lia Puntieri (Trevisan & Cuonzo, Italy), Otávio Saraiva Padilha Velasco (Soerensen Garcia Advogados Associados, Brazil), Matias Somarriva (CMS Carey & Allende, Chile), Julio Vargas Solano (Garcia & Bodan, El Salvador), and Chris Zhang (Dentons Shenzhen Office, People’s Republic of China).

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest. 

© 2021 International Trademark Association