Roschier Think Tech® – A holistic view on intangibles in an IoT world
On 8 March 2018, we will be holding a Roschier Think Tech® event on the topic of the Internet of Things (IoT). Distinguished speakers will address several aspects of IoT, starting with state-of-the-art technology for machine-to-machine communications and following up with panel discussions on an intellectual property (IP) strategy for IoT and matters relating to data and IoT. The program can be found here.
The program reflects our current thinking, as technology lawyers, on intangibles in an “IoT world” – or generally in a business environment where digitalization is widespread. In our view, any IP strategy and management processes adopted by companies need to be updated to take account of data as an asset class (similar to but still separate from IP) in this new environment. Two new legislative developments in the EU are also driving this change: the entry into force of the GDPR in May and the Trade Secrets Directive in June 2018.
In short, a more holistic view on intangibles is needed for companies in an IoT world. This can be illustrated in the following way:
When assessing a company’s intangibles, a distinction can be drawn between IP, non-personal data, other confidential information and personal data, and they can be treated as separate asset classes. Of these asset classes, (in most jurisdictions) only IP constitutes “property” and is capable of being owned. However, the other asset classes can also be held by a company and, subject to sufficient control, can be used as (intellectual) property.
Creating and controlling IP
IP constitutes property by way of statutory provisions, e.g. as patents, designs, trademarks and copyrights. A common principle is that all IP is created (or invented) by a person (even if such person may use different tools in the creation process). Therefore, in order for a company to create such assets, it needs the services of people (directly or indirectly) as employees or consultants. While there are certain statutory rules in place granting ownership automatically to an employer for IP created by an employee, the basic principle is that clear contracts on the assignment of ownership (and any related compensation) have been entered into between the company and the creator.
In addition, certain IP is created by registration after its creation. For this, companies need policies to ensure relevant IP is duly registered as part of a company’s IP management. Our views on the management of brands can be found here.
Finally, IP is truly only verified as an asset through litigation. An update on the landscape for IP litigation in Sweden can be found here.
Creating and controlling non-personal data
Non-personal data (also known as “raw data” or “machine-data”) is created by collecting data from the operation of different machines and systems, such as data used for predicting when maintenance needs to be performed. In most cases, the data collection is a by-product of running the machine or system and all data is collected and processed in the cloud. Any database rights are not as relevant, since such protection requires “substantial investment” in relation to the data in the EU and original selection in the USA. Such data is therefore controlled by protection as trade secrets (or confidentiality undertakings) instead. We therefore group this asset class together with other confidential information, such as test data or analyses.
Control requires that clear agreements are entered into with all those with access to the data. While trade secrets as such may be shared between several companies, each of these companies will need to provide an undertaking to the other companies on the potential use and disclosure of such data to ensure that one company does not destroy the potential value of data by e.g. public disclosure. Our views on trade secret audits can be found here.
As regards the entry into force of the Trade Secrets Directive in June 2018, it will also be of the utmost importance for companies to control not only the data they want to collect, but also which data they receive. This is because the Trade Secrets Directive introduces a new concept of “infringing goods”, meaning goods the design, characteristics, functioning, production process or marketing of which “significantly benefits” from trade secrets unlawfully acquired, used or disclosed. Therefore, if a company’s (direct or indirect) employees or consultants have access to another company’s trade secrets, there is a significant risk of the company’s products or processes being contaminated as “infringing goods” even if the company does not itself use another company’s trade secrets. That imposes new requirements on a company in terms of its data management.
Creating and controlling personal data
While the distinction between IP and data is clear, it is much more difficult to clearly distinguish between non-personal data and personal data. Under the GDPR, any information related to a natural person (“Data Subject”) that can be used to directly or indirectly identify the person constitutes personal data. Consequently, data that might naturally appear to be “machine-data” can actually constitute personal data if it can be traced back to a person operating the machine.
The distinction is, however, of substantial importance, since personal data ceases to be an asset that can be used in the event of a breach of the GDPR. Any use of personal data in breach of the GDPR exposes a company to liability for both damages and penalties. Equally, protection of personal data is about so much more than compliance with legislation. It is also about creating confidence among customers and business partners that the services provided are secure and beneficial. Our views on this issue can be found here.