TABLE OF CONTENTS

INTRODUCTION – DATA PROTECTION AND INTELLECTUAL PROPERTY....................3

HOW BIG DATA AFFECTS INTELLECTUAL PROPERTY.....................................................4

Patent Strategy.............................................................................................................................5

Ownership of Data.......................................................................................................................6

Copyright.....................................................................................................................................6

Trade Secrets...............................................................................................................................7

GDPR AND CCPA..........................................................................................................................8

General Data Protection Regulation (GDPR)..............................................................................8

California Consumer Privacy Act (CCPA)..................................................................................9

Impact of GDPR and CCPA on IP............................................................................................10

Domain Names......................................................................................................................10

Direct Dealings with Data Subjects.......................................................................................10

INDIAN SCENARIO – THE PDP BILL......................................................................................12

Background................................................................................................................................12

Need for a Data Protection Law................................................................................................12

The Personal Data Protection Bill, 2019...................................................................................13

CONCLUSION..............................................................................................................................14

REFERENCES..............................................................................................................................15

2
 INTRODUCTION – DATA PROTECTION AND INTELLECTUAL PROPERTY
Data collection is without a doubt the most important and pervasive phenomenon in the age of
technology. Government bodies, educational institutes, hospitals and businesses are constantly
engaged in collecting data from individuals for various reasons, and sometimes, for no apparent
reason at all. This data needs to be very well protected
The rise of technology has made data collection and processing extremely easy which in turn
makes it convenient for organizations of all kinds to function optimally. As a result, personal
data such as address, phone number, medical record, travel plans etc. of majority of the world
population can be easily accessed/ tampered with in the absence of a stringent data protection
legislation. Data protection, as the name suggests, refers to the strategic framework for protection
of sensitive data. Data privacy ensures that sensitive data is accessible only to the authorized
parties and a strong data protection mechanism in turn strengthens data privacy, prevents data
loss and reduces damage in case of breach.
Data sharing is no longer optional for the public – it is quintessential to conducting any
transaction online. In the absence of data protection laws people live in a constant state of worry
about their data. If a proper legislation is not brought about soon the government might as well
be forcing people to give up their right to privacy. Therefore, the need for a well-coded
legislation for data protection is the most pressing need in India and many other nations.
The impact of the growing digital transformation on the global IP landscape is not very clear yet
and our understanding of it is preliminary, to say the least. There is no doubt however, that it will
have a profound bearing on administration of IP systems and IP policy. Majority of the IP laws at
present had been laid down during the industrial revolution to accommodate the tremendous
growth in production. In my opinion, a technological revolution is soon to bring an overhaul to
the existing system. The question then becomes if the existing system provides enough
incentives to promote innovation in the digital age and how much will we need to adapt our
existing laws.
At present, there is no reason to say that the classical IP system is out-of-date but the data-driven
digital technology is clearly the dominant factor in economic production and distribution within
the digital economy. How effective the classical IP system will be in addressing all of the issues

3
arising from the data-driven technologies that dominate in the digital economy remains unclear.
Undoubtedly, these will pose significant challenges for IP policymakers.
Under the classical IP system, any non-public data that an economic agent has taken reasonable
steps to keep confidential, and which have perceived economic value, may constitute a trade
secret. Within the digital economy, trade secrets have become a dominant means of protecting
unpublished data of economic significance. But do trade secrets adequately protect such data?
Trade secrets are not a property right in the classical sense, they are relational rights in the sense
that individuals do not have the right to intrude on or abuse another’s trade secret. For example,
if a company gives data to a sub-contractor for a specific purpose, the subcontractor cannot use
them in any other way. Policymakers will need to examine whether trade secrets adequately
address or regulate all of the issues that may arise in relation to data protection in the digital
economy.

HOW BIG DATA AFFECTS INTELLECTUAL PROPERTY

Data is a very wide concept. Everything created digitally is covered. From every document on
your desktop to any picture posted by any user of social media. But it's much more than that. It
also means that, e.g. all the 150 million sensors of the Large Hadron Collider in Geneva,
delivering data 40 million times per second, are included in the concept of data. If all of that data
was recorded, it would exceed 500 Exabyte per day - 200 times more than the world creation of
data per day according to IBM. The implication is that there are enormous potential amounts of
data that will be created and processed, once our computing and communication capability allow
for it1. But "data" means more than that. It also includes everything created by any kind of
sensor, but also by any camera, the input of any user, any person operating a computing device
(PC, mobile, tablet, etc). Any project, any plan, any invention, any communication is also
included. It simply means that the faster the amount of “data” grows, the useful or sensitive data,
i.e., data that needs to be protected and brought under privacy laws increases just as much.
In this paper I will look at how Big Data 2 will impact IP Strategy from four angles. These five
are 1) patent strategy 2) ownership of data 3) copyright and 4) trade secrets/know-how.

1
According to EMC, by 2020 the world will generate 50 times the information it generated in 2011.
http://www.emc.com/leadership/programs/digital-universe.htm
2
http://www.ibmbigdatahub.com/sites/default/files/infographic file/4-Vs-of-big-data.ipg

4
PATENT STRATEGY
Patent strategies can be quite different from one industry to another. However, there are some
common elements to consider, and they can be summed up in two observations. The
observations are that both obtaining and using patents will become much harder. As a
consequence, the business value of patents is likely to drop significantly. The observation is
straightforward, but very important: if the amount of available information doubles every 18
months, the amount of prior art also doubles every 18 months. If the amount of existing
information grows exponentially, this means that in principle, the rejection rate of patents must
also grow exponentially, to the point where it will reach 100%. What causes problems in this
field is that granting of patents does not occur very fast – the number of patents granted
worldwide has grown from slightly less than 400,000 to more than 900,000 in 2010 3 – and will
fail miserably in comparison to the rise in information that will soon form part of prior art. So,
unless the granting of patents also grows exponentially, the area of technology that is patentable
will shrink accordingly4.
One of the key reasons why the impact of the Big Data explosion of accessible information is not
very visible at the moment in the way patents are being granted, is because the patent offices
don't actually look at prior art in a way that takes into account the exponential growth of non-
patented technology information. It is not clear to me whether patent offices realize the
exponentially growing insignificance of their traditional data-approach. Once they do, though,
they only have two options. The first is to reject most, and eventually almost all, patent
applications. The second option is to ignore reality, and grant patents on non-novel inventions.
However, this will (and arguably, already does) create huge problems in enforcing or using
patents, as explained further below. Since patent is not a guaranteed right and can be challenged
and revoked at any moment, even if patent is granted the likelihood of it being either revoked
later on or being infringed will increase rapidly. Once the infringer is brought in court all they
need to do is reference prior art and the patent will stand threatened.

OWNERSHIP OF DATA
Data is a non-rivalrous commodity. That means that one person's use of data does not necessarily
prohibit or reduce the value of use of that data by another person, or by another 10,000 persons.
3
Source: httn://www.wino.int/instats/en/statistics/patents/
4
http://www.mckinsey.com/insights/business technologv/oven data unlocking innovationand performance with
liquid information

5
Data ownership is an interesting, and developing area of law. In most countries, it is theoretically
possible to "own" data under the law. The legal principle applied will differ, but is typically
based on some kind of protection of the effort to create or gather the data, and will allow to block
or charge for access or use of such data. Data serves as more useful when it is opened up to
public for use and can potentially create innumerable business opportunities. However, with the
rise in data protection and importance of data privacy, it is anyone’s gamble whether data should
be protected strictly or whether it should be allowed to create business opportunities.
One example is the way algorithms work for online shopping and streaming websites. Using
consumer data allows such companies to deliver the best product in the most efficient manner. In
the past also data has been subjected to various researches which have led to breakthrough
inventions by understanding how consumer behavior works. Data sharing could be stifling for
business, economy and invention if seen from this perspective.

COPYRIGHT
Copyright is a remarkably inept system for the Information Society. Its nominal goal is to reward
authors and other creators. In real life, it mainly benefits content distributors. Originally,
copyright was typically granted for the expression of creative activity: writing a book or a blog,
creating or playing music, making a film, etc. However, copyright also applies to software code,
based on the observation that code is like language, and therefore subject to copyright. As such,
copyright covers the code, but not the software functionality expressed through the code.
However, copyright does not protect a particular text based on the message but on how it is
written and if only one possible formulation is there copyright will not apply. This automatically
brings majority of Big Data outside of the copyright perspective. However, it is still possible for
circumvent the existing requirements of copyright and try to register data under copyright law.
Another large subset of Big Data is, in theory, covered by copyright, but in practice, the
copyright approach does not work. This subset relates to all user generated data. Any picture,
video or other creation posted by any social media user online is, in theory, covered by
copyright. But that copyright is never actually used. More importantly, the value of all that user
generated content lies in using it in ways that copyright is structurally unable of handling. User
generated content, in order to have value, must be freely available to copy and paste, tag, adapt,
create derivatives of, and, fundamentally, share without limitation. It is the opposite of what
copyright tries to achieve (a system of limited and controlled distribution and copying).

6
Therefore, in time the existing copyright law will also need to be overhauled to adapt to the data
revolution.

TRADE SECRETS
Secrecy and know-how protection can be a very valuable asset of businesses. The most classic
example is of course the secret formula of Coca-Cola. It's not actually protected by a formal
Intellectual Property Right (anyone is free to copy cooking recipes), but it has significant
business value, and it is protected by other legal instruments. Typically, contract law, with
confidentiality agreements, will play a big role in protecting business secrets and know-how, and
most legal systems allow businesses to bring legal claims against competitors, business partners
or employees who disclose or use secret information in unauthorized ways. Businesses that open
up their data are more likely to retrieve value from those data, and those that do, will retrieve
more value from the data that is most open and accessible. These developments will change
habits within businesses, which will be pushed by market forces and the need to be more
efficient, to open up more and more data sets and data sources. Inevitably, this will clash with
strategies to keep information secret.
From an IP Strategy point of view, this means that understanding and selecting those intangible
assets that have more value as a secret than as an open, accessible intangible asset will become
more difficult, but, arguably, also more important. On the other hand, businesses that reject the
knee-jerk reaction to keep as much as possible hidden or secret, may find that they evolve faster
and generate more new business opportunities. It is not a coincidence that Open Innovation has
become such a tremendous success. Big Data is likely to reinforce that evolution.

7
 GDPR AND CCPA

GENERAL DATA PROTECTION REGULATION (GDPR)5

In January 2012, the European Commission set out plans for data protection reform across the
European Union in order to make Europe 'fit for the digital age'. GDPR is an EU framework and
is the most significant part of this reform that came into force across the European Union on 25
May 2018. It applies to organizations in all member-states and has implications for businesses
and individuals across Europe, and beyond. GDPR was designed to give its citizens more
control over their personal data. It aims to simplify the regulatory environment for business so
both citizens and businesses in the European Union can fully benefit from the digital economy.
The reforms are designed to bring laws and obligations - including those around personal data,
privacy and consent - across Europe up to speed for the internet-connected age.
Information is likely to get lost, stolen or otherwise released into the hands of people who misuse
it resulting in data breach. GDPR sets terms that make it mandatory for data collecting
organizations to ensure that the data is collected legally and well-protected. The obligation to
protect data falls on such organizations failing which they face penalty. GDPR applies to any
organization that collects and stores data of the citizens of Europe even if it operates from out of
Europe. That ultimately means that almost every major corporation in the world needs a GDPR
compliance strategy6.
The legislation differentiates between types of data handlers, one type being “controllers” and
the other type being “processors”7. GDPR ultimately places legal obligations on a processor to
maintain records of personal data and how it is processed, providing a much higher level of legal
liability should the organization be breached. Controllers are also forced to ensure that all
contracts with processors are in compliance with GDPR. A controller is a "person, public
authority, agency or other body which, alone or jointly with others, determines the purposes and
means of processing of personal data", while the processor is a "person, public authority, agency
or other body which processes personal data on behalf of the controller".

5
Commission Regulation 2016/679, (2016) O.J. (L 119) 1
6
GDPR Is an Evolution in Data Protection, Not a Burdensome Revolution, Info. Commissioner’s Off. (Aug. 25,
2017), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/08/blog-gdpr-is-an-evolution-in-data-
protection-not-a-burdensome-revolution/.
7
GDPR, supra, Article 4

8
The types of data considered personal under the existing legislation include name, address, and
photos. GDPR extends the definition of personal data so that something like an IP address can be
personal data. It also includes sensitive personal data such as genetic data, and biometric data
which could be processed to uniquely identify an individual8.

CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

The California Consumer Privacy Act (CCPA) is the first big state-wide privacy legislation in
the US. It entered into force on January 1, 2020 in the US after the European GDPR reshaped
how data privacy law looks in May 2018. The CCPA changes the way Californians can handle
their own data, as it empowers them with new rights to request businesses to disclose or delete
the data they have already collected, or to opt out completely of third-party data sales. The
CCPA requirements create new obligations for commercial entities doing business in California.
Whether a particular business falls under the CCPA’s obligations depends on a set of definitions.
CCPA applies to any for-profit businesses in the world that sells the personal information of
more than 50,000 California residents annually, or has an annual gross revenue exceeding $25
million, or derives more than 50 percent of its annual revenue from selling the personal
information of California residents. Sale of PI is defined in the CCPA as “selling, renting,
releasing, disclosing, disseminating, making available, transferring, or otherwise communicating
orally, in writing, or by electronic or other means, a consumer’s personal information by the
business to another business or a third party for monetary or other valuable consideration.”
The California Consumer Privacy Act (CCPA) is a law that allows any California consumer to
demand to see all the information a company has saved on them, as well as a full list of all the
third parties that data is shared with. In addition, the California law allows consumers to sue
companies if the privacy guidelines are violated, even if there is no breach.
If a company shares common branding (i.e. shared name, service mark or trademark) with
another business that is liable under the CCPA, the company will be subject to CCPA
compliance too. Under the CCPA, California residents (“consumers”) are empowered with the
right to opt out of having their data sold to third parties, the right to request disclosure of data
already collected, and the right to request deletion of data collected. Additionally, California
residents have the right to be notified and the right to equal services and price (i.e. cannot be

8
European Data Prot. Bd., Statement of the EDPB on the Revision of the ePrivacy Regulation and Its Impact on the
Protection of Individuals with Regard to the Privacy and Confidentiality of their Communications (May 25, 2018)

9
discriminated against based on their choice to exercise their rights). Failure to comply with the
CCPA can result in fines for businesses of $7,500 per violation and $750 per affected user in
civil damages for businesses. The power to enforce the CCPA lies with the office of the Attorney
General of California.

IMPACT OF GDPR AND CCPA ON IP

Domain Names – The Internet Corporation for Assigned Names and Numbers (ICANN) requires
a network of directories and databases of domain name registrants to be maintained in the form
of the WHOIS system. Until recently, a lot of personal data was freely searchable on WHOIS.
However, having the personal data of individual registrants publicly searchable online creates a
tension with the data protection principles under the GDPR. In the run up to the implementation
of the GDPR in May 2018, there was heated debate by users and maintainers of the WHOIS
system over the question of how to strike the right balance. On the one hand, individual domain
name registrants have a legitimate expectation of privacy, but on the other hand intellectual
property rights owners should be able to obtain information about ownership of domains to
support infringement claims, and others may also have legitimate reasons for wanting to discover
the details of the registrants of domain name addresses.
In the United Kingdom and elsewhere, the main domain registrars have reacted by choosing to
restrict public access to individual domain name owners’ details without the owner’s express
consent. Instead, anyone seeking that information will now need to demonstrate a “legitimate
interest” in accessing that individual’s personal data before the registrar can determine whether it
is appropriate to comply9.

Direct Dealings with Data Subjects – The GDPR also empowers data subjects directly with
greater control over the personal data that businesses hold on them; for example, the right of
access under Article 15 entitles individual data subjects to obtain on request a copy of all the
personal data a data controller has collected about them. In the United Kingdom, there has been
recent media coverage regarding a data subject access request (DSAR) made to Tinder by a
journalist writing for the Guardian, which returned a staggering 800 pages of data she had herself
provided in the course of subscribing to and using the matchmaking service. However, what her
DSAR did not reveal was the detail of how Tinder was using all that information to personalize

9
See ICANN Temporary Specification for gTLD Registration Data app. A, § 4.1 (2018

10
her user experience and identify potential matches. When she requested this information,
Tinder’s response was reportedly that its “matching tools are a core part of our technology and
intellectual property, and we are ultimately unable to share information about these proprietary
tools10.”
Data subjects are entitled to receive their personal data in a structured, commonly used, and
machine readable format on request. However, as above for DSARs, it is conceivable that the
compilation and organization of data presented in that format could attract copyright protection
or form part of the business’s confidential know-how, which it would clearly not want disclosed
to competitors. In fact, the scope of this right is limited by GDPR Article 20 to personal data
which that data subject has himself or herself provided to the data controller. It does not
therefore include the controller’s (possibly more valuable) inferred and derived data or any
know-how or intellectual property that the controller has used to process the raw data supplied
by the data subject, but it may be difficult in practice to separate the two.

10
Judith Duportail, I Asked Tinder for My Data. It Sent Me 800 Pages of My Deepest, Darkest Secrets, Guardian,
Sept. 26, 2017

11
 INDIAN SCENARIO – THE PDP BILL

BACKGROUND
Right to privacy is a fundamental right under Article 21 of the Constitution of India, which lays
down our fundamental rights. This was affirmed by a nine-judge bench of the Supreme Court in
Justice K.S. Puttaswamy vs Union of India11 in its historic judgment dated 24th August 2017
wherein they declared ‘the right to privacy’ as an integral part of Part III of the Constitution of
Constitution of India. It was important to establish right to privacy as a fundamental right
because of the rocky history of judicial interpretation on the matter. It had been recognized as a
right but not as a fundamental right before the Puttaswamy case wherein the broad interpretation
by the Supreme Court led to a stream of initiatives by the government towards Personal Data
Protection laws.

NEED FOR A DATA PROTECTION LAW

India does not have a stand-alone personal data protection law to protect personal data and
information shared or received in a verbal or written or electronic form. Though, protections are
available, they are contained in a mix of statutes, rules and guidelines.
The most prominent provisions are contained in the Information Technology Act, 2000 (as
amended by the Information Technology Amendment Act, 2008) read with the Information
Technology12 rules (SPDI Rules). It is the primary law in India dealing with cybercrime and
electronic commerce. SPDI Rules, as the name suggests, only cover data and information which
is exchanged in an electronic form and not those received through non-electronic communication
form.
When this IT Act, 2000 came into force on October 17, 2000, all the laws and procedures in
reference to the given Act lacked the protection and provisions required to protect one’s sensitive
personal information provided electronically. This eventually led to the introduction of the IT
Bill13 in the Indian Parliament which then led to an amendment in the act 14. It inserted sections
42A and 72A which lay down the liability on the part of the body corporates dealing with
11
(2017) 10 SCC 1
12
Information Technology [Reasonable Security Practices And Procedures And Sensitive Personal Data Or
Information] Rules, 2011 (SPDI Rules)
13
Information Technology (Amendment) Bill, 2006
14
Information Technology (Amendment) Act, 2008

12
sensitive data in case of negligence and the punishment for the same. However, the scope and
coverage of the IT Act and Rules are limited. Majority of the provisions only apply to ‘sensitive
personal data and information’ collected through ‘computer resource’. The provisions are
restricted to corporate entities undertaking the automated processing of data and consumers are
only able to take enforcement action in relation to a small subset of the provisions. There is no
provision which was the major concern and reason for the government entities dealing in data in
India.

THE PERSONAL DATA PROTECTION BILL, 2019

After the Supreme Court’s landmark judgment in the Justice KS Puttaswamy case, a 10 member
committee was formed lead by retired Supreme Court judge B.N. Srikrishna for making
recommendations for a draft Bill on protection of personal data. After working on it for a year,
the committee submitted its report titled “A Free and Fair Digital Economy: Protecting Privacy,
Empowering Indians” along with the draft bill on personal data protection. The revised Personal
Data Protection Bill, 2019 (Bill), was introduced by Mr. Ravi Shankar Prasad, Minister for
Electronics and Information Technology, in the Lok Sabha on December 11, 2019. The Joint
Committee of Parliament (JCP) deliberating on India’s Personal Data Protection (PDP) bill was
given its fifth extension to submit its report on the bill in July and is now expected to submit the
report in the first week of the Winter Session.

13
 CONCLUSION
That traditional view of data and its use is based on making data and information artificially
scarce, and trying to charge for it. Intellectual Property Rights are the most obvious ways of
making non-rivalrous commodities such as ideas, technology and data artificially scarce. Yet, as
an inescapable consequence of the exponential growth of Big Data, that approach is now at risk
of causing more damage to businesses, rather than providing benefits. Big Data is like a river
system. The value of Big Data is not in its many sources, but in gaining access to the flow, and
using it for the strategic purposes of your business.
A traditional IP Strategy, focusing on ownership, is in our analogy akin to focusing on claiming
land a couple of miles from the river. It is looking in the wrong direction, and misses most of the
value of Big Data. While some ownership of a bit of river banks (the algorithms) may have
value, our Big Data River is more complex than a simple estuary it is like the Delta of the Nile -
overflowing regularly, where riverbanks and plots of land all of a sudden disappear or get
flooded. And a new Delta comes into existence every 18 months. Therefore, as a conclusion, IP
Strategies around Big Data should focus on the instruments to access and use the flow of data,
rather than using outdated models of artificial scarcity that will be overtaken by the exponential
growth of Big Data

14
 REFERENCES

(2017) 10 SCC 1............................................................................................................................12

Commission Regulation 2016/679, (2016) O.J. (L 119) 1..............................................................8
European Data Prot. Bd., Statement of the EDPB on the Revision of the ePrivacy Regulation and
Its Impact on the Protection of Individuals with Regard to the Privacy and Confidentiality of
their Communications (May 25, 2018)........................................................................................9
GDPR Is an Evolution in Data Protection, Not a Burdensome Revolution, Info. Commissioner’s
Off. (Aug. 25, 2017),
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/08/blog-gdpr-is-an-
evolution-in-data-protection-not-a-burdensome-revolution/.......................................................8
GDPR, supra, Article 4....................................................................................................................8
http://www.emc.com/leadership/programs/digital-universe.htm....................................................4
http://www.ibmbigdatahub.com/sites/default/files/infographic file/4-Vs-of-big-data.ipg..............4
http://www.mckinsey.com/insights/business technologv/oven data unlocking innovationand
performance with liquid information...........................................................................................5
Information Technology (Amendment) Act, 2008........................................................................12
Information Technology (Amendment) Bill, 2006........................................................................12
Information Technology [Reasonable Security Practices And Procedures And Sensitive Personal
Data Or Information] Rules, 2011 (SPDI Rules).......................................................................12
Judith Duportail, I Asked Tinder for My Data. It Sent Me 800 Pages of My Deepest, Darkest
Secrets, Guardian, Sept. 26, 2017..............................................................................................11
See ICANN Temporary Specification for gTLD Registration Data app. A, § 4.1 (2018.............10
Source: httn://www.wino.int/instats/en/statistics/patents/...............................................................5

15
16