Report from GDR Connect: an IP lawyer’s perspective on data management, protection and exploitation


Held online between 21 – 25 June 2021, GDR Connect took a holistic look at effective strategies for managing, protecting, and exploiting data in the ever-evolving global landscape. Over the course of five expert panels, the event gave a fascinating insight into AI ethics and regulation, navigating the global data landscape, managing supply chain risk, protecting new data generation, and capitalising on new opportunities in data. While data privacy issues were well covered, the novel feature of GDR Connect was a broader approach covering the full spectrum of issues that form part of the emerging field of data law.

Bird & Bird’s Toby Bond attended and provides a report and further discussion from the perspective of an IP lawyer working with clients on data issues. You can also read Toby’s report from GDR’s 2020 Data Business Congress here.

Balancing transparent explainable AI with IP rights in AI models

A recurring theme across several sessions was the ethical issues associated with AI. From an IP perspective, something to note is that a focus on the ethical use of AI systems is driving a desire to make decisions taken by AI systems more transparent and explainable. This has been driven in part by concerns about AI bias. It is also being driven by regulatory requirements. For example, Article 15 of the EU’s General Data Protection Regulation (GDPR) requires those making automated decisions using personal data to be able to provide “meaningful information about the logic involved”.

An important consideration for IP holders is whether a drive for explainability creates a conflict with the protection of IP subsisting in AI systems. One of the most effective tools to protect AI models from use by competitors is maintaining their secrecy and protecting them as a trade secret. If explaining the decisions taken by a model requires it to be disclosed, it’s easy to see why IP lawyers responsible for protecting a business’s technology would be resistant.

Whether an IP vs explainability tension will apply in every situation will depend on the specifics of a particular AI solution, the data it uses, and the decisions it takes. Under current regulation, express explainability obligations will only apply in certain situations. In others, there will be no obligation to explain why an AI system took a particular decision. The level of explanation required will also be an important factor. An individual refused an insurance policy based on an automated decision-making process is unlikely to want a detailed technical explanation of an AI model, or find it meaningful. Explaining the decision-making process in terms that are meaningful for a human may not require a disclosure which would prejudice protection of the model as a trade secret.

Potentially more challenging are situations where regulatory compliance requires a detailed technical explanation of the model and the process used to develop, test, train, and validate it. The EU’s recent proposal for regulating AI systems (see our report here) includes several obligations relating to transparency and the provision of information to users of “high risk” AI systems and making technical documentation available to national authorities on request. While the proposal includes provisions indicating that intellectual property rights should be respected, it remains to be seen how this potential tension between IP rights and transparency will play out.

Data rights are a core part of a data strategy

Several sessions discussed what it takes for an organisation to develop a successful data strategy. While the number of major organisations with a Chief Data Officer has increased from around 12% in 2012 to 68% in 2020, not every organisation is clear on their role, responsibilities, and mandate. For example, there has been a tendency to conflate roles intended to focus on an overall data strategy for the business with roles focused on compliance and security, such as Data Protection Officers and Chief Information Officers. This creates challenges for Chief Data Officers seeking to become agents of data-driven innovation within an organisation.

One area in which Chief Data Officers can succeed is assessing the data a business holds, identifying silos where data is locked away within a specific part of the business, and building bridges to other areas of the business that can benefit from this data. By building bridges, Chief Data Officers can unlock the full potential of that data for the organisation. From an IP perspective, building bridges requires careful consideration of the third-party rights which may subsist in data held by a particular silo. If the data was received under licence for a particular purpose, reusing it elsewhere in the business for a different purpose could potentially breach the licence terms or give rise to a claim for IP infringement. Even where there are no express contractual terms covering the data, IP rights and obligations of confidence can still impose restrictions on its reuse. The legal issues are often also compounded by a lack of clarity surrounding the origin of certain data sets, the extent to which original data is retained in processed data sets, and the combination of data sets from multiple sources.

None of these challenges are insurmountable but they do need to be carefully navigated. A key role of a Chief Data Officer is therefore to develop the right business process and legal support to ensure that, as much as possible, data is being collected, stored, labelled, and tracked in a way which will facilitate its future reuse across different areas of the business.

When developing a data strategy, a Chief Data Officer also needs to keep in mind potential regulatory developments which can affect the use of IP rights to control access, use and dissemination of data. On this front, the EU’s forthcoming proposals for a Data Act, which will look at the application of the EU’s Database Directive and Trade Secrets Directive in the context of data access and reuse, are something to keep an eye on. The draft proposals are expected in Q4 2021, although the Commission’s Inception Impact Assessment already gives a flavour of the types of measures currently under consideration (read our summary and commentary here).

Overcoming barriers to open data

Moving beyond internal data use, an area receiving increasing attention is “open data”, which is freely available to anyone to access, use and share. One of the lessons learnt from the success of the open source software community is that value can be created by sharing code rather than keeping it locked up. Open data presents a similar opportunity as, in some situations, making data more widely available may be a better way of unlocking its value than locking it up. Open data has also been proposed as a route to reducing bias in AI systems by facilitating easy access to diverse datasets.

While open source data initiatives have been developing in relation to public sector information, industry norms and the mechanisms for deploying open data on a B2B basis are still developing in many sectors, leading to uncertainty around the opportunities and risks of open data.

Developing an open data policy requires careful thought about the high-level strategic issues associated with open data. A key question is whether using open data brings value to the organisation in the long term. However, a good open data policy will also consider the operational issues which need to be navigated to achieve a strategic vision. These fall into two categories: outbound open data and inbound open data.

Good management of outbound open data considers which data sets held by an organisation are suitable to be licensed under open data licence terms as they are, which data sets could be opened up if they were modified in some way, and which data sets can never be opened up. A key issue here will be identifying and managing any third-party rights which are associated with the data sets. These will include IP and contractual obligations which apply to the data set and data subject rights where the data set contains personally identifiable information. Developing a robust procedure for assessing third-party rights before opening up a data set will substantially reduce the risk of incurring legal liability. Outbound open data management will also involve finding the right technical and legal mechanism for making the data available to third parties.

Good inbound open data management requires a robust procedure for assessing the licensing terms associated with the data set and ensuring they are consistent with the immediate proposed use of the data and the way the data may be used by the organisation in future. It also requires a strong business process to ensure the organisation can keep track of the open data it holds and where it is being used within the organisation.
