I.P., or not I.P.? Data rights in the energy & resources sector

What you need to know

• Data is an increasingly valuable resource for businesses in, and servicing, the energy and resources sector. However, data is often not protected by traditional categories of intellectual property rights.
• Contractual arrangements are critical for dealing with and extracting value from data, but must be carefully structured, and exist alongside confidentiality and intellectual property provisions.
• There are also important data security and privacy considerations, including in particular obligations under applicable regimes such as the Privacy Act, SOCI Act and the Consumer Data Right regime. These will impact the scope of obligations for the management of use and data in any contractual provisions.

What you need to do

• Be mindful of the limitations of your IP clauses. Data may not be protected by IP rights. As a result, your IP clause must deal with data in a consistent way, but will not provide complete protection for data.
• If valuable data will be created or shared, ensure the contract specifically deals who "owns" the data, who has access to the data, and what the data can be used for. Consider if the access and usage rights granted are sufficient for your intended operations.
• Don't leave value on the table. Access to data is valuable and you should extract fair value for granting that access.
• Equally, don't create risk. Vague or ambiguous data rights may present freedom to operate challenges in future, slow down subsequent development, or create an obstacle for future M&A.

What is the issue?

Data is increasingly valuable. Businesses in the energy and resources sector collect significant volumes of data. For example, data collected by sensors on equipment can be used to optimise operations, minimise maintenance and other costs and even guide decision making about future projects or technology innovations. In some cases, data is an essential requirement to develop a valuable technology (e.g., an optimisation algorithm based on machine learning analysis of a sufficiently large and robust data set) or progress a project.

Data often needs to be shared. With the ongoing digitisation and automation of the energy & resources sector, it is increasingly common (and often desirable) for businesses to share operational data with customers and partners.

The energy and resources sector also makes significant use of external contractors who may require access to data in order to perform their services. We discussed some tips and tricks for managing external contractors in our earlier article here.

Data is rarely protected by intellectual property rights. The automatic protection from other categories of IP such as copyright will often not apply to data. As a result, to protect the integrity and commercial value of operational data, it is important to establish contractual boundaries around who can access the data and what the data can be used for. Despite this, we often see contracts that are silent on data, or inconsistent in the treatment of data across the clauses dealing with data, IP and confidential information.

Don't forget privacy, data protection and other regulatory requirements. Data in the energy and resources sector may be subject to a number of legal and regulatory requirements, including relating to privacy, consumer data rights, security of critical infrastructure and other energy specific laws. This article focuses on technical and operational data collected by businesses in the energy and resources sector, and it is beyond the scope of the article to address privacy, consumer data rights, security of critical infrastructure and other energy specific laws in detail. You should keep the broader legal and regulatory requirements in mind when considering how to manage data in your contracts.

What do we mean by data?

We often deal with (and define separately in contracts):

• Raw Data: being the data generated in the course of the relevant activity, such as data from the use or operation of any software or equipment; and
• Processed Data: being the data which is created by applying any process (e.g., an algorithm, filter or any logical process) to Raw Data.

As an example, a company seeking to develop a wind farm may erect a number of meteorological masts to measure wind and other conditions on a site. The data logged by those sensors (e.g., wind speed over time) will be Raw Data. That Raw Data may then be combined with other Raw Data (e.g., geographical data) and processed to generate enriched data, which will be Processed Data.

Defining separate categories of data can help overcome impasses that may arise when negotiating data ownership and use rights. For example, a supplier that maintains a database with data from multiple projects may be concerned that granting rights over that a database will be inconsistent with its own data policies and obligations to third parties. By contrast, the supplier may have no concern granting broad rights over the specific Raw Data from the project. As another example, a supplier who is providing data processing may want to rely on (anonymised and aggregated) Processed Data to improve its services, but may be able to accept limited rights to the underlying Raw Data.

Why isn't data protected by IP rights?

Data cannot be protected by patents (which are not available for facts or discoveries), designs (which protect appearance), trade marks (which protect badges of origin), circuit layouts or, unsurprisingly, plant breeder's rights.

This leaves copyright and confidentiality. Copyright only protects particular categories of work or other subject matter. In addition, copyright protection requires a human author (which is why AI-generated content lacks copyright protection). In the context of data, this means:

• Raw Data collected with no human input will not be protected; and
• Processed Data or other outputs which are compiled by automated processes will generally not be protected.

Even when copyright protection arises, it only protects the particular expression, and does not protect the underlying facts. Other jurisdictions, such as the UK, have established a "database right", which is separate to copyright. Australia does not have a separate database right, and copyright protection will only arise if the database satisfies the requirements for a compilation, including that some (human) intellectual effort was directed towards the selection, arrangement and presentation of information, and that this was not dictated by the nature of the data.

As a result, data and databases will often not attract any meaningful copyright protection.

However, we note there can be some variation in the way these requirements are applied, and IP can still be relevant. For example, copyright was held to subsist in tables of part details that were regularly maintained by employees in TS & B Retail Systems Pty Ltd v 3Fold Resources Pty Ltd (No 3) (2007) 158 FCR 444 at 466 [82]-[84] (Finkelstein J). This emphasises that your IP clauses should still deal with IP rights (if any) subsisting in data, even though this is unlikely to provide complete protection for all data under an agreement.

Contractual mechanisms

To properly protect and deal with data, businesses must rely on contractual arrangements and confidentiality.

Can data be owned?

As data does not typically fall into a category of intellectual property rights protected by intellectual property laws, data is not "property" in the usual sense. However, if data is kept confidential it is effectively "owned" by the person who controls (1) access to it, and (2) the grant of permissions to use it.

Confidential information can also be transferred (giving the recipient the right to enforce confidentiality), which is effectively assignment of that "ownership": see, e.g., Elecon Australia Pty Ltd v PIV Drives GmBH (2010) 93 IPR 174 at [35] (Emmett, Perram and Yates JJ).

Best practice drafting.

Businesses can protect data and create certainty of use rights through the data rights clause in their contracts. Because there are often no default protections provided by copyright (or any other category of IP rights), the contractual framework must establish all features of the data "ownership" and use rights.

In this context, contracts involving data should generally address:

• Ownership. Which party "owns" (i.e. controls) the data that is generated under the agreement? That party will generally enjoy the broadest rights to use the data.
  
  Be careful to ensure this is not contradicted by the IP clauses, noting the definitions of Intellectual Property and Project IP / Developed IP, will often (and generally should) also capture any IP rights in data (if any).
• Confidentiality. To maintain protection (and exclusivity), data must be kept confidential and only disclosed to persons who are also bound by appropriate confidentiality obligations. This may be achieved through the definition of Confidential Information and generic confidentiality clauses, although these must be carefully drafted to work alongside the data access and use provisions (e.g., where a party has been granted rights to use data for specific purposes, this should be a permitted disclosure to the extent confidential information subsists in that data). Confidential information that is reflected in the data, and the data itself, can both be treated as confidential.
  
  If confidentiality is lost, it generally cannot be rectified.

• Access rights. The data "owner" should have clear rights to access the data, typically including any database in which it is contained, as well as related works such as documentation or records related to the data (e.g., access logs), and typically any derivative works (e.g., Processed Data). We note the data owner may not always be the party maintaining the database.
  
  As a corollary, the party that does maintain the relevant database should be obliged to prevent unauthorised access, and maintain the security of the data and any databases, documentation or other records containing that data. You should also consider any access limitations as necessary to ensure there is no unauthorised access in breach of applicable privacy or data protection regimes.

• Use rights. To maintain control of the data, prescribe the use rights of any recipients of the data. These use rights are often drafted in the language of a licence and include limitations familiar to IP clauses such as limitations to a particular purpose (e.g., only for a particular site, or to enjoy the benefit of services, or as necessary for the party to perform its obligations), territory and/or time (e.g., for the term of the agreement).
  
  There may also be an intersection between various legislative regimes that govern the relevant data, as further described below. Any access rights should not exceed what is permitted by law.

In particular, consider the value of any data use rights that are being granted, and ensure you extract appropriate value for them. An OEM or other METS firm may derive significant value from access to operational data, and use it to improve their products or services. The principal can justifiably seek some value for those data use rights, or alternatively seek to restrict the OEM or other METS firm from supplying those improved products or services to competitors of the principal. Another option to consider is to provide access to aggregated and anonymised data to reduce the risk of recipients gaining inappropriate insight into your business or operations.

If drafted correctly, the data clause will create a defined asset, provide certainty for use rights (and assist future freedom to operate considerations or even M&A), and reduce the risks of unauthorised use or disclosure of the data.

Privacy and data protection considerations

You must consider the interaction of any privacy or data protection regimes that apply to operational data in the energy and resources sector as part of any data clause.

This may require an interdisciplinary effort, to ensure data security and privacy concerns are dealt with consistently with intellectual property concerns, and access and usage rights do not exceed the scope of a party's legislative obligations. In the energy and resources sector, consideration must be given to any obligations held by parties at law, in particular under:

• the Privacy Act 1988 (Cth) (Privacy Act), and the Australian privacy principles to the extent personal information is contained within the data;
• the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), to the extent the data is business-critical data, protected information, or otherwise relates to the operation of a critical infrastructure asset; and
• the Consumer Data Right regime, to the extent that the relevant data is also "CDR data" for the purposes of the regime.

Each of the Privacy Act and SOCI Act have been subject to recent consideration and reforms, and it remains to be seen how regulators may look to implement and enforce these changes. Further information about these reforms can be found in our article exploring the change in privacy regulation and SOCI reforms.

Key take aways

Data can be an enormously valuable resource, and critical for important projects. However, data is often not protected by traditional categories of IP. As a result, businesses must ensure their contractual mechanisms deal with data in a robust way, and create the "ownership" and use rights, and protections, that are required.

If businesses fail to deal with data properly in their contracts, they may find themselves paying to access and use data they could have secured earlier, lacking exclusivity over technology that would provide a competitive advantage, or unable to demonstrate ownership of a key asset (e.g., for the purposes of any collaboration or M&A). By contrast, with appropriate drafting, businesses can extract appropriate value from their data, and de-risk its use in future.

Authors: Nina Fitzgerald, Partner; Emma Butler, Partner, Tim Rankin, Senior Associate; David Baldi, Senior Associate, Melissa Ho, Associate and Erin Kirker, Associate.