Legal rights and duties in data

Data is increasingly central to many, if not most, sectors: businesses are focusing as never before on protecting and exploiting their own data, and getting access to others’ data that they need on the best terms. This increases pressure in the market place between the data customer/ buyer and the data vendor, and these pressures are starting to play themselves out in more open legal confrontation.


When we talk about legal rights in data what exactly do we mean? Data is funny stuff in legal terms: inert in and of itself – there’s an old case (Oxford v Moss [1979]) involving a sneak preview of an exam question which shows that data can’t be stolen in a criminal law sense – it’s helpful to speak of rights arising ‘in relation’ to data as this shows the type of rights there are in particular types of information.


Data/information may be a literary work and attract copyright protection; may have the attributes of a database to attract database right (and also, confusingly, database copyright); and/or may have the quality of confidentiality to enable enforcement as a confidence.

Each right – copyright, database right and confidentiality – is enforceable as an IP right against the world (as a right in rem1) in accordance with its own rules and requirements. This makes the data legal analysis multi-layered from the outset, as requirements differ widely from right to right. So copyright is a formal right protecting a particular expression: it does what it says on the tin, protecting against copying without permission, although of course the devil’s in the detail. Database right – the newest right dating from 1998 – has its own requirements but in a series of cases about football fixture lists in the mid-2000s2 has seen its importance sharply diminished. The UK rules on protection of confidentiality, oddly, emerge as one of the best sources of legal protection as they are likely to operate to provide a remedy in circumstances that are relevant to data and – unlike copyright and database right, which are formal remedies protecting how information is displayed – the law of confidence can protect the substance of the information itself.

The analytical complexity is compounded against the backdrop of increasingly global data businesses as IP rights are primarily national rights so the rules and requirements will vary not only from right to right but, for each right, from country to country.


The layered nature of the IP rights analysis in relation to data, together with the current unsettled and uncertain state of the law in the UK, means that data remains an area where ‘contract is king’ in the business world; and contracts of course confer enforceable rights (rights in personam) on the parties to them (subject to competition law and other statute and public policy rules that cannot be excluded) but not against the whole world (rights in rem). In a 2005 follow-on UK case from the football fixtures cases referred to above, the judge, Etherton J, made a powerful statement to the effect that a data supplier ‘has in the data a valuable commodity for which it is entitled to charge… irrespective of the extent of any [intellectual property] rights’3.

Generally in relation to data therefore, for IP rights (as rights in rem) the good news is that they can be enforced against the whole world but the bad news is that they confer rights of uncertain scope which are expensive to enforce; while for contract rights (as rights in personam) the good news is that they confer strong rights with the downside that this is only against the contracting parties themselves and not against the whole world.


Competition law protects against the abuse of a dominant position by a market-powerful organisation (at EU level, by Article 102 of the EU Treaty and at UK level, by Chapter II of the Competition Act 1998) and can also make anti-competitive agreements unlawful (by Article 101 and Chapter I). The way the legislation works can be complicated, but essentially it gives wide statutory powers to the regulators – DG Comp in Brussels and the Office of Fair Trading and Competition Commission in London – to gather evidence, conduct enquiries and impose fines for anti-competitive behaviour; and in certain circumstances can give directly enforceable rights to individuals and organisations who can prove they have suffered recoverable loss.

The extent to which competition law duties can circumscribe the exercise of IP and contractual data rights is a bit like the dilemma of ‘unstoppable force meets immovable object’: IP rights in particular confer rights which to a certain extent have characteristics of a monopoly, while competition law will intervene to stop a monopolist or a person who is market dominant from abusing that position.

The data world, particularly the financial market data space, is an increasingly intense battleground between competition and IP law, reflecting market place pressures between data buyers and vendors. In particular, debate rages about the extent to which the owner of an IP right can be compelled to grant a licence of it to a third party under Article 102. It is not the holding of the right that is at issue, rather the key question is at what point the exercise of an IP right is so harmful to consumer welfare that competition law should override it.

The S&P data licensing case (EFAMA v S&P [2003]) is a topical example of what’s at stake. It’s one of the latest in a series of competition challenges in recent years which have tested the ability of rights holders to refuse access to ‘essential’ data, and the terms (especially price) on which data should be licensed. Standard & Poor’s, the ratings, research, index, data and risk advisory services business of The McGraw-Hill Companies, Inc, was accused in 2008 of breaching its monopoly position as the US National Numbering Agency in how it licensed the use of numbers (called ISINs) that identify US securities to financial institutions (such as banks and investment funds) in order to facilitate clearing and settlement of trades in those securities.

The investigation was prompted by complaints filed in July 2008 by associations of financial market data users alleging that S&P had abused its dominant position under Article 102 by demanding ‘double dip’ licence fees both from financial data vendors and also directly from financial institutions which used ISINs.

In May 2011, DG Comp confirmed that S&P had offered to change its EU pricing policy by (i) charging direct users (information service providers and financial institutions) a maximum of $15,000 pa (adjustable annually in line with inflation) and (ii) abolishing charges to indirect users that source ISINs via information service providers to avoid the Article 102 breach allegations.

In today’s more straitened economic times, the tougher behaviours being shown by data buyers and vendors in the market place mean we’re likely to see more contractual, IP and competition law related disputes in our data-centric world.


  • The law on IP rights in data is evolving quickly at the moment and in an unstable state. Make sure you/your clients are protected by appropriate written contacts and/or polices;
  • In the contract:
  • make sure you and your clients have identified the information/data you are concerned with; and then
  • (where you are the user) set out in sufficient detail the rights you have over it – what you can do with it; or
  • (where you are the data owner or service provider) the limitations on use and what the user’s obligations are;
  • don’t forget the basics – price, service quality, time of delivery, etc and duration and exit; and
  • If you/your client has a degree of market power, you may need to consider whether competition law will operate to put legal constraints on what you might otherwise be free to do.