Data security and IP protection: lessons from Meta

In May this year, the European Data Protection Board fined Meta €1.2 billion and ordered the company to bring its transfers of user information into compliance with the General Data Protection Regulation (GDPR). The decision – involving the largest GDPR fine to date – shows the necessity of having strict data protection policies that conform with all relevant laws, especially if collection, storage and usage cross borders.

The fine concerned Facebook's copying of user records from the European Union to the United States, where it was saved and processed. Privacy groups had raised concerns that U.S. intelligence agencies could also access the information of non-citizens once it was relocated by social media companies, search engines and other major digital service providers.

"This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US," wrote Nick Clegg, President of Global Affairs at Meta, and Jennifer Newstead, its Chief Legal Officer, in a blog post. They also confirmed that the company will appeal the decision.

Meta argued that Facebook used standard contractual clauses (SCCs), like many other international companies, and that these were in line with the GDPR. Moreover, the social media giant noted that policymakers in the EU and the United States were working to implement the Data Privacy Framework (DPF) following an agreement between U.S. President Joe Biden and European Commission President Ursula von der Leyen last year.

The significance of data

Meta claims that all companies that move data between jurisdictions are in a similar position to Facebook. "The ability for data to be transferred across borders is fundamental to how the global open internet works. […] Thousands of businesses and other organisations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day," wrote Clegg and Newstead.

Data is a critical asset for many companies. It can include personal information on customers, staff or other stakeholders, financial and commercial statistics and business-critical knowledge. Digitalized intelligence has the potential to transform healthcare, enable more accurate forecasting and streamline business processes. In turn, this makes it essential to the development and training of machine-learning tools.

Perhaps drawing inspiration from Humby, in 2021, World Intellectual Property Organization (WIPO) Director General Daren Tang described data as the fuel of the future economy. But while the value of information as an intangible asset is increasingly recognized, its legal status remains complex. Depending on how it is created and kept, data may be guarded using established IP mechanisms such as trade secrets, database rights or copyrights. However, copyright protection may not be applicable in many cases as it requires human originality in the generative process.

The use of personal data in business also raises sensitive questions about transparency and fundamental rights, such as ownership and privacy. The GDPR was an attempt to address these issues and has been influential in Europe and beyond. But, as the Meta case shows, in today's global connected economy, enterprises need to understand how records are governed in every jurisdiction where they operate.

A data protection strategy

Given its sheer importance, every company, however big or small, should have policies and procedures covering how data is compiled, used, shared and secured. The risks of failing in this due diligence can include regulatory fines (as Meta has found) and jail sentences, loss of trade secrets, cyberattacks and damage to consumer trust.

Key security topics that all companies should consider include:

• Ownership and licensing: Do contracts with staff, customers and business partners clearly define what data is covered and to whom it belongs? Are these sufficiently flexible to accommodate future developments and innovation?
• Data mining: Where non-proprietary copyrighted data is used (for example, in training text- or image-based generative AIs), does permission from the rights holder(s) need to be obtained or does an exception apply? The law on this question varies between jurisdictions.
• Personal data: Special rules govern the storage and processing of personal information, including users' right to access it. It is, therefore, vital to identify what constitutes this type of data and ensure that processes are in place to manage requests in a timely and thorough way.
• Trade secrets and confidential information: Many valuable corporate assets exist as files that need to be kept safe from competitors. Departing employees pose a particular risk: There have been many high-profile cases where staff have been accused of taking confidential information with them to a new job. One of the most recent examples is the spat between X (formerly Twitter) and its new rival Threads (owned by Meta). Strong contracts, limits on access to sensitive files and enforceable termination procedures are needed to avoid problems arising.
• Transfer across borders: The Meta case highlighted the specific liabilities that arise when moving data between jurisdictions with different regulatory systems – an issue that potentially affects all international entities. On July 10 of this year, the European Commission adopted an adequacy decision for the EU-U.S. DPF after the United States introduced enhanced safeguards for personal data. This decision recognizes that GDPR stipulations are satisfied, allowing data to flow between the European Economic Area (EEA) and the United States without being subject to additional conditions or authorizations.

The price of failure

Crude, unrefined data is plentiful, but awareness of how to gather it responsibly and ethically is less common. In light of the potential commercial value of digital information, this gap must not grow too wide or businesses may unknowingly fall short in their duties of care. Consumer protection, corporate accountability and data security must all be active and recurring considerations, especially as the relevant law continues to evolve.

While many large companies have dedicated data compliance teams, in smaller businesses, these tasks may fall to people already performing onerous functions, including IP counsel or chief information officers. This presents the danger of overburdening those staff members who act as the lynchpin of innovation activities. Inundated with workflows, even the most astute IP manager or legal expert can misjudge regulatory obligations. Though fines on the scale of Meta's are reserved for only titanic data handlers, they are a sobering wake-up call to the possible consequences.

And the taste of success

Whatever their industry, enterprises must seek advice to ensure that all data matters are covered and the risks are properly managed. In upholding full compliance with national and international regulations, organizations reassure their clients that personal information is rightfully entrusted. It follows naturally that this confidence on the part of investors and customers is reflected positively in revenue streams, and if all data is processed and protected fittingly, additional income generation may become possible.

Just as oil can cause devastation if it is released carelessly, so too must a tight seal be kept on this precious intangible resource. Treated respectfully, businesses and the general public share the benefits of an interconnected, digital economy. The IP experts at Dennemeyer know this well and are always ready to help you get the most out of your data while keeping it safe.