Jocelyn S Paulley
Partner
Co-Head of the Retail Sector (UK)
Co-lead of Data Protection and Cyber Security sector (UK)
Article
11
As with any commercial relationship, an agreement between two or more businesses to share data has the potential to go wrong. One party might infringe the other's rights over the data or breach the terms and conditions of its use; data might be lost, stolen or otherwise misused; the use of shared data might breach data protection rules; or the exchange of commercially sensitive information could raise competition concerns.
It is therefore essential that parties entering a business-to-business (B2B) data sharing initiative make sure that their legal rights and responsibilities are defined and protected. B2B data sharing is a relatively new field, however, and – unlike the use of personal data – there are few laws that explicitly govern the subject matter of "data".
Instead, data sharing organisations need to create a legal framework that protects their interests. Broadly speaking, there are two approaches to doing this: contractual agreements between the parties or the creation of a new corporate entity.
"It's important to have a company or contracts governing data sharing and stewardship, so that you can identify the risks and responsibilities and decide how to deal with them," explains Jocelyn Paulley, partner at Gowling WLG and co-lead of the firm's Data Protection and Cyber Security practice. "Contracts involve negotiating everything item by item, whereas if you establish a corporate structure, the detail is set out in its articles of association."
Determining the right legal structure for a B2B data sharing initiative is "a multifaceted issue," says Paulley. She advises businesses to be clear about a project's objectives and key priorities, which will determine the right model and legal protections.
"It's about understanding the different parameters and variables and determining which ones are important," Paulley explains. Businesses often need considerable advice on building the right legal structure, as it has implications for finance, commercial principles and resourcing, technical considerations, and risks around managing and protecting shared data, she adds.
To some degree, the right legal structure for a B2B data sharing initiative will be determined by how the data is shared. This, in turn, will reflect what it is trying to achieve. "Form should follow function," says Jack Hardinges, head of programmes at the Open Data Institute, an independent non-profit that advises organisations on how to share data effectively.
The best structure for any data sharing agreement will be determined by its context, the type and sensitivity of data involved, and the timescale of the project, Hardinges adds. "We ask those we work with to start by considering the purpose of a new data sharing initiative, and the form tends to follow."
Two common structures for B2B data sharing, Hardinges explains, are the pooled model, in which organisations combine their data in a common repository, and the federated model, where all parties retain their data and share access with other parties as needed.
The advantage of the federated model is that participants retain control over their data assets. They can decide how their data is accessed – whether it can be extracted, copied for processing or is available on a read-only basis. They can track when their data is accessed and by whom. And they can limit access to datasets or revoke it at the end of the arrangement.
Examples of federated data structures include data exchanges, in which all signatories are bound by agreed terms and each source retains its own data and grants access rights to the others; and data marketplaces, where each source retains its own data and shares it via an intermediary.
Thanks to recent technology innovations, federated data models are emerging that allow participants to extract insight from data without directly accessing it at all, which is particularly useful as a way to preserve privacy. One such platform is OpenSAFELY, which allows researchers to conduct queries across health records without directly accessing them.
Federated models are typically protected by contracts, as the relationship between parties is usually short term and transactional. To justify the risk and expense involved and the expectations of the parties who are committing to sharing their data, these contracts should determine how the data can be used and how it will generate revenue.
One drawback of the federated model of data sharing is that it may limit the scope of data processing and analysis. When data from multiple sources needs to be deeply integrated and extensively processed, the pooled data model might be more appropriate.
Parties that pool their data can do so through contractual agreements. But, given the longer-term commitment that pooling data requires, they may instead choose to establish a new entity to determine the rights and responsibilities of participants. "We need to build organisations and structures that are persistent in order to facilitate impactful data sharing," Hardinges argues.
These entities can take many forms. Options include a data trust, which – like a financial trust – manages data in the interests of its beneficiaries; a cooperative, where the data is used to benefit its members; a community interest company that focuses on social enterprise; a joint venture; or a charitable company.
Establishing a new entity requires more resources than contractual agreements. However, for organisations making a long-term commitment to B2B data sharing, it offers the opportunity to develop the rights and responsibilities of participants collectively over time, and to invest in something that could grow in value.
In practice, a given data sharing initiative might combine both pooled and federated data models, and use corporate as well as contractual measures.
In order to commercialise the data it collects on vehicle use in the UK, trade body the Society of Motor Manufacturers and Traders (SMMT) set up SMMT Data Intelligence, a spin-off company that operates a data exchange. "It is a straightforward business model built around the common need for a reliable source of accurate data," explains Seftton Samuels, general counsel of the SMMT and managing director of SMMT Data Intelligence.
SMMT Data Intelligence gathers information from third parties, blends it with data from government and licenses the combined data to industry stakeholders (including insurers, finance companies, manufactures and dealerships).
Although a new entity was created, SMMT Data Intelligence relies on contracts that were already in place with government and industry partners in order to share and process data. "We needed to ensure that in our gathering, management and [granting] subsequent access to that data, we reflect any controls and provisions in the existing contracts," Samuels explains.
Establishing the right legal structure for B2B data sharing is essential. But organisations also need to implement that structure effectively and be prepared for the risk of legal claims between parties, says Helen Davenport, commercial litigation partner at Gowling WLG and co-lead of the firm's Data Protection and Cyber Security practice.
For example, parties to a data sharing agreement should not grant access to data until all contracts are signed, she advises. "Even if you've made an informed decision about which legal structure to adopt, you could still create legal risks and potential claims by not implementing it properly or parties not abiding by contractual commitments given."
If a dispute arises with another party to a data sharing agreement, it is important for companies need to "identify their objectives early, understand what potential claims they might have going forward with the benefit of legal advice and have a clear litigation strategy," says Davenport.
"Practically speaking, it is always prudent to maximise the availability of legal privilege that will protect documents from being disclosable to other parties in the event of litigation; ensure you retain the evidence that you think will help you bring or defend any claim; and [line up] people who can provide support your case, if required," she explains.
Businesses should also be aware that the legal structures surrounding B2B data sharing are still a work in progress, and innovative organisations are exploring novel structures to facilitate their initiatives. Hardinges highlights the growing interest in trusts, cooperatives and community interest companies as legal vehicles for data sharing.
As this suggests, there is scope for innovative companies – and government – to experiment with legal and technological structures for data sharing and even to invent new ones. However, Hardinges' advice to companies looking to leverage shared data is to "start small, with an eye on the future". A small project still needs legal certainty, which can be scaled up if necessary.
Want to learn more about B2B data sharing? Read the other articles in our Data Unlocked series:
If you have any questions relating to this article, or data sharing in general, please contact Emma Carr or Jocelyn Paulley.
You can also sign up to our mailing list to receive future data-related articles.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.