Data Privacy in the Context of AgTech, FinTech and Retail

So….What’s data?

What do we really mean when we say we need to protect data? What is data? How do you characterize it?

And is data capable of being owned?

Consumers and businesses need to consider what rights do they have to their data. Are they legal rights? Are they contractual rights? Do we have a legitimate claim? Do we have a contractual claim? And again, does anyone really own the data?

Also, if data in the possession of a business and is subject to some ransomware attacks, and it’s lost, would the business be considered the owner of the data? Would they be liable for the loss? and How?

Data Right in the Context of Copyright

Copyright is one form of Intellectual Property (IP) rights.

There are four forms of IP rights:

1. Patent rights or invention rights,
2. Trade secret rights,
3. Trademark rights, and
4. Copyrights

Data right doesn’t fit neatly into any of these rights

If we look at Patent and Copyright, Patent works on data or use it to create more data. Copyright is the format of the data (the creative formatting of the data), but data in it in itself is not creative. The factual piece of information that creates the data is not creative.

So the legal framework that exists in the United States (and many other countries) doesn’t treat data as a form of intellectual property.

So what’s the deal right now in Washington and Brussels (and other places) where we see Mark Zuckerberg and others being called on the carpet by Congress to answer on what’s happening with consumer data? Is that just grandstanding? Are these guys missing a key legal point that Facebook and others don’t own the data?….

I think a better way to frame what’s happening in U.S.Congress (and other Legislature Chambers around the world) with Google, Facebook, etc, in terms of the discussions that are occurring, are around ‘use rights,’ or privacy; i.e., the right to control the information, and restrict the use of the information… not whether a party has a legitimate legal claim or title to the information.

Privacy vs. Ownership

You might think that you have a privacy right to the information you posted on a public social media, but you put that information out to the public to see. You have a basis for prohibiting the use of this information; that’s a privacy notion that is different from the ownership concept, both from business and legal standpoints.

But Parties routinely enter into agreements concerning data ownership. Doesn’t that demonstrate ownership of the data? Not necessarily!

Keep reading…

Data and Contracting: The Color of Your Car

Parties agree to contract to just about anything within the law (of course if it’s not against the law… or against public policy).

You and I can enter into an agreement about information about the color of your car. The agreement specifies whether or not you own the information about the color of your car). You (say Dominic) and I can allocate ownership of the information about the color of your car between the two of us, but that doesn’t extend to Alice, Bob, and Chris…and would not place ‘restriction limitations’ on their use of the information around the color of your car.

So Chris can say that I know that Domenic Smith and Mark Castellani entered into an agreement that states that Mark owns all the information on Domenic’s car color, but that doesn’t place restrictions or prohibit Chris Hemsworth from using the data because he’s not a party to the agreement.

So there is a notion of ownership that exists between contracted parties, but beyond that, contracting does NOT protect data against parties that are not signatories to the agreement.

The legal backdrop is we dealing with traditional copyright, trademark, and patent law. There’s uncertainty on whether or not the data itself is even capable of being owned.

Restrictive Covenants in Privacy Policies

However, you and I can make agreements around that data that protect the use and potentially deny access to data. We call those restrictive covenants, which you see in commercial agreements.

Examples of these restrictive covenants are in ‘Terms of use,’ terms of service or privacy policy (your agreement with Google and Facebook you will see “Rights & Restrictions) are documented and if properly documented are binding on the parties. You scroll and most likely agree to waive any rights to any claims to any ownership rights that you might have to the data. You will see rights to use and restrictions on use.

Bailment and the Property/Contract Interface

When you take your car to a parking lot, you get a ticket (a bailment), and on the back of the ticket, you might see “we take no responsibility to your vehicle.”

However, in most U.S. States, no matter how big the letters are, that statement by the parking garage owner is NOT enforceable. The bailment does take/have a fiduciary responsibility to take care of your tangible property/car.

Data Protection: Is this a bailment?

When we go to Facebook, and we have our personal data there, can we say that Facebook is a bailer? That Facebook have to take care of our property/information?

Would common law bailment apply to entrusting other parties to keep your data safe?

You can argue that the EU’s GDPR, HIPPA, Graham Leach, or California CCPA are codified forms of bailment. However, in bailment, you have to be referring to tangible property. Your car is your personal property that’s tangible. But your data is not tangible personal property.

A print of a picture of you is tangible property that would be protected under property law, but the picture itself is not; that would be covered under IP law. That said, there are laws that grant exclusive use rights (or the right to exclude someone else) concerning a piece of data.

But then U.S. courts do not view that someone who has your data (e.g., data around your pictures on Facebook) has the reasonable duty to return it…absent a contractual agreement of course!

No Expectations of Return

In a litigation context, courts have said that data is not personal property that is entitled or covered by a bailment claim.

The rationale here is although a cloud provider may be storing your data, there are no expectations (absent a contractual agreement) that they will give it back to you. They have to secure it, but they are not going to wrongfully withhold it or not give it back, and that’s the bailment claim under the common law requirement!

A case in point is the Target data breach

Unfortunately for some, the court dismissed the bailment claim in the Target data breach case. The court said the data is NOT personal property; it’s intangible property, and there were no expectations that it would physically be returned.

Of course, when you sign a contract (say with some ‘datacenter in the sky’ provider), you can add some lingo around expectations of return, etc. Again, like I mentioned above, that’s a notion of ownership that exists between contracted parties

So, when we say businesses (or more accurately the cybersecurity folks) are trying to protect data, we are effectively saying there is a property INTEREST, that we/they are trying to protect. BUT, the property interest only in the use of that data… and how it might be used for us, or against us.

3 Case Studies

How Data Right Issues have faired in the context of 1) Industrial Automation, 2) Retail, and 3) Financial Technology

Industrial Automation: Data Privacy in Agriculture Machinery

The takeaway point here is data privacy concerns are (yeah no shit) driven by economic incentives/impact

So more and more data is being generated by machines, sensors, and other devices, both on the job site and farms. Machinery and construction are more B2B than B2C, but the B’s tend to be fairly small in construction and the C’s in Agriculture are more protective than many demographic basis. A combination of a fragmented (but well lobbied end market base) brings these arguments to the forefront of the political world.

Most farmers believe that any data collected on a farm, or about their operations is private and “owned” by a grower.

There’s broad consensus amongst growers that Agriculture Machinary companies should not profit off of customer data, and fee-based programs have been largely underwhelming in what they’ve been able to collect so far.

Data privacy for machines isn’t limited to solely the cloud but also the actual machine

Similar to that in the context of consumer electronics, right to repair could complicate the data loop that drives aftermarket. The debate around right to repair is not new to OEM’s; it’s dating back to at least 2012.

With aftermarket at 2.5x that of the new equipment, and parts as much as 2 to 3 times more profitable than services, aftermarket is a large profit pool that’s worth protecting (from the OEMs’s point of view), which could be at risk as relevant privacy laws gain more traction.

OEM’s contend they have a right to protect their intellectual property and their customers. Consumers counter that purchased machine repairs are the owner’s discretion.

Push for right to repair legislation though, has largely stalled over the years; Agriculture companies are “improving” data transparency

There are currently several U.S. States with a pending bill advocating right to repair. Legislation in the favor of consumers have OEMs face more aftermarket competition (or a market opportunity for someone else).

But in a world increasingly worried about privacy of data, many OEM’s have taken steps to adhere to transparent data use standards — with the American Farm Bureau designating ~30 co’s as Ag Data Transparent, including John Deere, CNH Industrials, & AGCO.

The USDA could dive deeper into the arena of digital data collection in Agriculture

But the ‘private’ side will still set the tone. In the 2018 Senate bill, the USDA created a Data Warehouse for landgrant universities. The bill then adds that within 3 years (i.e., by 2021) farmers should have access to private confidential conservation data specific to each farm and profitability metrics. The bill however prohibits sales of individual producer data and should be released in aggregate only, but the bill does not porhibit mandatory anonymous collection of field data.

Again, the takeaway point here is data privacy concerns would have economic impact; in this case, unintended consequences to aftermarket!

Retail Troubles: Sale Of Goods By A Non-Owner

The point here is to maybe consider data rights in the context of whether someone (or some business) can sell something (data) that they might not own to begin with?!!

One growing trend in the ongoing retail bankruptcies is the tranfer of personally identifiable information. Some legislations may have led to bankruptcy cases of retail debtors to be more likely than not to end in liquidation sale (sale to another retailer) as opposed to restructuring and turnaround of the same retail entity, or sale to financial sponsors (the Private Equity guys).

Some background: Beside the widely discussed secular shift (yeah and that Jazz), retailers are also facing legislation driven existential risks… How?

1) A result of the 2005 Bankruptcy Abuse Prevention and Consumer Protection Act (BAPCPA) changes, troubled retail debtors now have to address their lease issues “very early” in the case, which means they would be making speculative, premature decisions as to which leases to assume or reject*.

2) A result of the 2017 ‘Tax Cuts and Jobs Act’, companies including retailers which previously benefitted from unrestricted interest deductions, now face a cap of 30% of their 12-month earnings before interest, taxes, depreciation, and amortization (EBITDA)**. After 2021, the 30% cap will be limited to earnings before interest and tax.The deductibility cap will cause distress to highly leveraged retailers (and likely discourage leveraged buyouts), pushing troubled retailers to sell to strategics (i.e., other retailers).

Data rights in this Context

Section 363(b)(1)of the U.S. Bankruptcy Code provides that if the debtor (e.g., troubled retailer) has a privacy policy in effec t(at the time of the bankruptcy filing) prohibiting the transfer of personally identifiable information, the information cannot be sold in bankruptcy unless ‘additional requirements’ are satisfied.

However, the court can approve the sale at a hearing after finding that the sale (of the information) would not violate applicable non-bankruptcy law.

Retail debtors usually address rights of consumers through first day motions to maintain reward programs and other customer-loyalty programs.

But again, there is a legal argument to be made that retailers did not own the data to begin with to have the right to sell it…right?!

3) FinTech: Data Rights of Use vs. Data Ownership

Takeaway point: Because ownership of data is an amorphous concept, better to consider rights of use vs. ownership.

Also, AFTER you done reading this article, if you are interested, please check out Visa’s acquisition of Plaid throws up data reuse concerns …

What is data in the context of a transaction?

Usually, information obtained at the point of sale include reference data describing transaction amount, time, place, payment methods, date, pending status, and category code. Importantly data obtained in payment transaction can include information generated during authorization and settlement, but it does NOT include Cardholder Data.

That said, what constitutes Data is again a moving target, at best. Data in a payment system morphs as it passes from transaction participants through the payment ecosystem.

Though the only thing for sure is consumers have privacy rights as relates to their personal information and should be able to grant other parties the right to use it.

In the Payments Ecosystem…

1. Issuers may have the greatest claim to the right of use of TRANSACTION Data. Issuers (Banks, American Express, etc.) have a relationship with the customer and authorize the payment transaction.
2. However, Card Brands (e.g., AMEX, Visa, MasterCard) might be arguably the “most significant” influencers on data use rights, since they are the closest to policing the ecosystem and the transactions.

But again contracts are bilateral…

Many different contractual relationships touch the transaction. So upstream and downstream participants may place restrictions on the use of data that must flow through them parties involved in the transaction lifecycle.

1. Payment System Facilitators (e.g., Stripe, Square, PayPal, Adyen): Have information on multiple Cardholders, Issuers, and Merchants. A payment system would have contractual data-sharing relationships with the Merchant, and the Customer.
2. Merchants: Have information on multiple Cardholders, Issuers, and Payment System Facilitations. A Merchant would have contractual data-sharing relationships with the Payment System Facilitator and the Processor.
3. Acquirers: Have information on multiple Cardholders, Merchants, and Payment System Facilitations. An Acquirer would have contractual data-sharing relationships with the Card Brand and the Processor.
4. Card Brands: Have information on multiple Acquirers and everything they have. A Card Brand would have contractual data-sharing relationships with the Issuer and the Acquirer.
5. Issuers: Have all information up and downstream. An Issuer would have contractual data-sharing relationships with the Customer and the Card Brand.

• * Prior to the APCPA, a debtor tenant (the retailer) could routinely seek multiple extensions of the deadline to assume or reject a non-residential real property lease. This left landlords in a state of limbo while retail debtors evaluated their options — including, for example, assuming and assigning below market leases to the detriment of landlords. As amended, section 365(d)(4) now provides debtors with an initial 120 day period to assume or reject leases, with the ability to seek an additional 90 days by motion.
• ** A repeal of the deduction for corporate interest expense, which is intended to accomplish three goals (in my view). First, the tax code has for many years incentivized debt over equity, and some including lawmakers view this as distortionary and would like to treat the two equally. Second, the change is intended to complement the full expensing of capital investment that has also been proposed. Expensing capex without repealing interest deductibility would result in a negative effective marginal tax rate on debt-financed investment and a significant revenue loss. Third, the shift to full expensing of capex and non-deductibility of interest expense is related to the shift to a destination-based tax, as it disregards financing costs while taking into account the full cost of domestic cash outlays. Together with aspects of the destination-based tax, these changes are intended to move the U.S. away from a corporate income tax and toward a VAT-style tax, more formally known as a ‘cash flow tax.’