Promoters, distributors, fulfilment houses, agencies… As more businesses become involved in the marketing and selling process, just who owns customer data is becoming an increasingly live issue.
Topic: Direct Marketing
Adam Haines, Osborne Clarke
Most people would take exception to being 'owned' or even having their information regarded as someone else's asset. The commercial reality is that the customer and information pertaining to the customer is extremely valuable as it is the key to controlling the customer relationship. When a customer buys a CD from a branded website, a car from a distributor or subscribes to a telephone company, there is a good chance that more than one company will be involved in the supply chain. It is in these circumstances that the issue of customer ownership arises due to the value of the information.
Can Customer Data be 'Owned'?
In many commercial contracts a party will often assert its ownership of intellectual property in the customer data. This is quite often a contentious issue at the negotiation stage but it is worth noting that sometimes the customer data will not qualify for protection at all and therefore no one will 'own' rights to it. According to UK law, there are really only two forms of intellectual property rights which may apply to customer data, namely copyright and database rights.
The Copyright, Designs and Patents Act 1988 ("CDPA") affords copyright protection to, amongst other things, original literary works. This protection is subject to various qualification requirements and assuming these are met, the customer data needs to fall within the scope of a 'literary work'. This is defined as 'any work, other than a dramatic or musical work, which is written'. This is defined to include 'a table or compilation other than a database' and 'a database'. Individual customer records will not attract copyright protection as copyright works cannot be insubstantial and so copyright protection is limited to a collection of customer records which could take the form of a database (a collection of independent works, data or other materials which are systematically arranged and individually accessible by electronic or other means) or a table.
What usually prevents customer data from being afforded copyright protection is the requirement of originality, which does not require literary merit but does require original literary expression. A database of customer information will be original if 'by reason of the selection or arrangement of the contents of the database the database constitutes the author's own intellectual creation'. The problem is that the customer data will usually be automatically alphabetically arranged by customer name. Case law provides some clarification on this point – a table comprising commonplace information involving no skill in its arrangement was held not to be original (Cramp v Smythson) whereas the compilation of a table involving "skill and labour, possibly only labour" was held to be original (Express Newspapers v Liverpool Daily Post and Echo). Customer account information will almost certainly fall within the scope of the Cramp case. The Express case is important because a subset of the database may be protected where the author used skill to select the customers comprising the subset.
There is no requirement of originality for a database to be protected by database rights under the Copyright and Rights in Databases Regulations 1997 ("Database Regulations"). This protects databases (as defined in the CDPA) 'if there has been a substantial investment in obtaining, verifying or presenting the contents of the database'. The Database Regulations do not define 'substantial' but do define 'investment' to include investments of "financial, human or technical resources". The maker of the database (who is first owner save where he is an employee) is defined as 'the person who takes the initiative in obtaining, verifying and presenting the contents of a database and assumes the risk of investing in that obtaining, verification or presentation'.
To the extent that customer information forms part of a protected database, the customer data can be considered 'owned', either by one company or jointly owned by two or more companies. Although ownership is better than nothing, it does not automatically mean that the owner has unfettered rights to commercially exploit the customer information as use of customer information. Furthermore, joint ownership means that neither party can exploit the jointly-owned database without the consent of the other and this is very important if the partnership between two companies in the supply chain comes to an acrimonious end.
Data Protection Implications
The Data Protection Act 1998 ("DPA") will have a more significant impact on use of customer data than the intellectual property rights outlined above, as the customer data will be personal data relating to a living individual, the processing of which will be strictly controlled by the DPA. The exception to this is where customer data has been aggregated and anonymised and cannot be referenced back to the individual customers. Whether a party acts as data controller or data processor, it will have to notify the Information Office prior to processing the customer data and must provide the customer with certain information prior to, or at the time that, the customer data is collected (including the identity of the data controller and the purposes for which the data controller will use the customer's personal data).
The data controller must also process the customer's personal data in accordance with eight principles set out in the DPA. The first, and arguably the most important, is the requirement of fair and lawful processing. The data controller must provide the customer with certain information (outlined above) and this is usually done within the privacy policy on the website through which the customer data is collected. Where customer data is collected over the telephone, it is important to ensure that call centre scripts ensure the disclosure of this information to the customer. Fair and lawful processing also requires the customer to have given his informed consent to the processing and in the case of sensitive data (for example a medical advice centre or health-related website) the customer must give explicit consent. It is advisable to obtain explicit (i.e. 'opt-in') consent (where the customer positively indicates consent by checking a tick-box) even though the law does not state that 'opt-in' consent is a requirement.
In addition, Members of the European Parliament have recently, and controversially, approved an early draft of a Privacy in Electronic Communications Directive which will require all businesses that send unsolicited commercial emails to ask all customers for permission before they send marketing material to them by email. It may be some time before this Directive is adopted and then implemented in the UK; however, businesses can begin to prepare for changes in the law by obtaining express consent to their use of unsolicited commercial emails now. This avoids the need to re-contact existing customers in the future when this law is introduced.
The second principle of the DPA provides that customer data must only be obtained for specified and lawful purposes. This requires businesses to notify each customer, and the Information Commissioner, of the purposes for which they intend to process the customer's personal data. The former notification can be done by way of a privacy policy and the latter by way of a formal notification to the Office of the Information Commissioner. Additionally, customer data must be kept accurate and up to date (third principle) and must be adequate and not excessive (fourth principle), which prohibits companies from collecting as much customer information as possible on the basis that it might be useful in the future. Many companies inadvertently breach the fifth principle by keeping customer data for longer than is necessary, simply because it is easier and cheaper to leave obsolete data on a hard disk than to periodically review and delete it. The customer data must be processed in accordance with the data subject's rights (which include the right to be supplied with a copy of the customer data and the right to prevent processing likely to cause damage). The data controller must implement appropriate technical and organisational measures to prevent loss, damage or unauthorised access to customer data (seventh principle) and is prohibited from transferring customer data outside the EEA to countries which do not have an adequate level of protection for the rights of data subjects. On this last point, only Hungary and Switzerland have an adequate level of protection at the moment, although the Canadian Personal Information Protection and Electronic Documents Act will mean that Canada will also have an adequate level of protection from 2004.
The US does not have an adequate level of protection but a "safe harbour" arrangement has been developed by the European Commission and the US Department of Commerce in order to provide a streamlined means by which US organisations can comply with the Data Protection Directive and EU organisations are then aware that a particular US organisation provides adequate privacy protection.
Most issues relating to ownership and use of customer data can be addressed in the contract between the companies in the supply chain and this will usually involve each party giving warranties and indemnities in relation to compliance with data protection law. Other issues are not so easily covered. An example of this is the usual contractual disclaimer in relation to loss or inaccuracy of data (which will cover customer data) and the extent to which this can be reconciled with the third principle regarding the accuracy of personal data and the seventh principle requiring appropriate technical and organisational measures to be taken against loss or damage to personal data.
What is clear is that ownership of the customer data should be taken with a pinch of salt – the customer data may not be capable of being owned, and if jointly owned cannot be used without the consent of each owner. Even then, such use is subject to all of the constraints set out in the Data Protection Act. Save in limited exceptions, the customer will always be able to determine what use (if any) is made of his personal data.
So who owns the customer data?
The customer does.