Who owns the data in the Internet of Things (IoT)?

Interesting piece on who owns the data in the Internet of Things. Lots of companies seem to think that the value of their ‘thing’ will come from the Big Data exhaust produced by e.g. home thermostats, car driving habits etc so this is timely.

The data are hugely valuable. But who owns them? The answer is: no one – there is no property right in a piece of data itself. The owner of a smart thermostat does not, for example, own the data about how he uses it. The only thing that is ‘ownable’ is an aggregation or collection of such data, provided there has been a relevant investment in carrying out that aggregation or collection (the individual user is very unlikely to have made that investment). It is that investment and who carries it out that are the focus of this article.

For someone to ‘own’ the data, you need to establish a ‘Database Right’ (this is an EU specific thing designed to incentivize investment in storage and protection of data.

For a database right to exist:

  • There has to be a “database”, as defined – this is a collection of independent data which are arranged in a systematic or methodical way and which are individually accessible. The key point here is that the data must be collected in an orderly way to allow for retrieval of those data. This will ordinarily be the case where there is capture, transfer and analysis of data. However, if this is all happening in real time without the data ever being “collected” into a fixed base, there is unlikely to be a database;
  • There has been substantial investment in the obtaining, verification or presentation of those data. Obtaining and presenting will be most relevant here – there must be investment in the seeking out and collection of the data and/or in their arrangement and organisation. With so much data being captured by connected devices (that being the whole point of the IoT), the opportunity for substantial investment in collecting and/or arranging them is obvious; and
  • The maker of the database (or one or more of them if it was made jointly) has to have a substantial economic and business connection with an EEA state. This may catch out many overseas entities. For example, the maker would have to be: (i) incorporated in an EEA state and have its central administration or principal place of business within the EEA; or (ii) have its registered office in the EEA with its operations being linked on an ongoing basis with the economy of an EEA state.

Well worth looking at the full article at TW Tech Briefs. It seems pretty clear though, that the issues are not well understood at the moment, companies need to take the time to understand the issues and incorporate them into the business models they are building and they will be keeping lawyers around the world busy for a long time to come.