Consider the Ramifications Before Agreeing to Data Aggregation Terms
The age of “Big Data” is upon us. Big data is essentially a catch-phrase used to describe massive amounts of data (in one or more types or forms, and of varying variety, complexity and velocity) that are so large as to be difficult to process or use efficiently. The concept of big data is relevant for many emerging areas of business. And many companies are making big profits by taming “the beast” that is big data for private companies and government actors (e.g., Palantir Technologies, Inc. and SAS Institute, Inc.). These “Big Data Solutions” companies are using advanced technologies and techniques to capture, store, manage and, most importantly, analyze big data. After all, big data is essentially dumb data if it cannot be used efficiently. The potential in this arena is “big” and getting bigger.
Generally, law doesn’t move as fast as technology. Almost every state has data breach laws and certain privacy laws. But many private actors are not recognizing the future potential issues that may arise when dealing with concepts like big data and the aggregation of data that could become big data (especially when reviewing certain contractual issues). For example, many new agreements seek the right to aggregate data in connection with service offerings. Service providers may want this right for various (and sometimes unknown) reasons, including but not limited to determining market value for products and services, demonstrating service levels, creating a profitable movie or television product, enhancing or improving services or service offerings, etc.
If your business entity is considering engaging a vendor who wants to aggregate data, consider covering the following, at a minimum:
- Is it legal? Do HIPAA, Gramm-Leach-Bliley, and other federal and state laws allow for such aggregation? Is the data or agreement subject to EU data protection laws or the laws of other foreign nations/countries?
- Does the data have to be de-identified? And if so, how? What process will the vendor use to de-identify the data? What happens if the data is not de-identified properly or becomes identifiable in the future?
- What is the aggregated data being used for? Is the aggregated data being shared, sold and resold? Does the vendor have existing relationships with data brokers? Can the data be utilized by your competitors (or by the vendor in the future) to beat your company in the marketplace?
- What data is being aggregated? Is all of your data provided to the vendor and allowed to be aggregated? Or does the agreement limit aggregation rights to defined and particular type(s) of data?
- Do you also get to see and use the aggregated data in exchange for agreeing to allow the aggregation to occur? Do your competitors get to see the aggregated data?
- Who owns the data in its aggregated form? Does the agreement clearly determine ownership of data even if the data has been de-identified and aggregated in various new forms? Are any rights being waived if the data is aggregated by the vendor? How can ownership be determined if the data is being aggregated with data from other customers of the vendor (including your competitors)?
- Do you have the authority to let the vendor aggregate the data? Do you own all of the data the vendor will be aggregating? Do you have certain obligations to third parties regarding the subject data? Is some of the data subject to confidentiality obligations or certain laws that restrict use or disclosure of the data? Does the contemplated aggregation “flow down” your obligations to the vendor or subcontractor?
- What happens when the vendor uses a subcontractor for aggregation? Is the subcontractor bound by the agreement between you and the vendor?
- How is the data being aggregated? Is it being aggregated in a commercially reasonable manner? Where will the aggregated data be stored? The cloud? Some place that subjects the customer to compliance with United States export regulations and laws?
- How is the aggregated data being protected? Does the vendor have reasonable security in place to protect the data?
- Will the aggregator indemnify you? What happens if, during the process of aggregation or after, your data is hacked while in the vendor’s possession? What happens if some of the data is confidential and the vendor accidentally discloses the data to a third party?
Make no mistake, data is a valuable commodity. Unless the business owner feels comfortable and is benefiting from the data aggregation being performed, agreeing to allow a vendor to broadly aggregate data is generally not desirable. A business should think long and hard about a seemingly innocuous data aggregation provision before signing an agreement that allows for aggregation of its data.