Data Protection Report - Norton Rose Fulbright

How do you balance sharing and protecting your business’ data? Unlike tangible assets, which can be protected primarily through physical means, intangible assets such as data require additional considerations. One key strategy to protect your business’ data is to characterize, and protect, that data as intellectual property.

Data as IP


Original compilations of data are protected by copyright, but whether a compilation of data is “original” is a highly contextual and factual determination. For example, the Federal Court of Appeal recently stated that the well-known “Multiple Listing Service” (MLS) system used for collecting and distributing real estate information merely includes a specific compilation of data from real estate listings and thus amounts to a “mechanical exercise” which cannot be protected as a compilation under the Copyright Act.[1] Original compilations are often those where some degree of skill and judgement is involved when compiling the data in question, as opposed to merely re-arranging the data chronologically, for example. Copyright holders also hold “moral rights” in such works which protect the author’s association with a creative work and allow the author to preserve its integrity and intent, though such rights, unlike copyright, can only be waived and are not assignable.

Canadian copyright owners enjoy the sole right to produce and reproduce data subject to copyright protection. They can also create derivative works from such data (i.e. derivative data). As we will address further below, particular care should be taken when dealing with derivative data, as derivative data opens the door for both value creation and destruction.

Copyright protection last up to 50 years following the death of the author, though that may be extended to 70 years in the next year or so.

Trade secrets

Data can also be protected by being characterized as a trade secret. To be considered a trade secret, the data in question must: 1) have commercial value; 2) be secret; and 3) be subject to reasonable measures ensuring the data’s secrecy. The protections for trade secrets, which include additional civil and criminal remedies, last indefinitely, so long as the trade secret remains secret. Businesses should be particularly careful in publishing or otherwise disclosing datasets, as the trade secret protection may potentially no longer be claimed.


Typically, data is not protected through patents since patents can only apply to an actual “invention”. In some fringe cases, however, patents have been awarded to methods pertaining to compilations of data. For example, a US patent was awarded in respect of how a compilation of data was physically stored, since the way it was stored allowed the stored data to be accessed much quicker. Canadian patents last up to 20 years.

Protecting shared data

The most common form of ensuring your intellectual property rights embodied in your sensitive data are protected in a commercial context remains through the creation of “data rights” within the context of commercial agreements (contracts) with third-parties. For example, data licenses allow businesses to share sensitive data with other parties while retaining a comfortable level of control. When licensing your business’ data, consider addressing the following:

  1. where can the data be used;
  2. who owns the data;
  3. what can the data (not) be used for;
  4. who else can use the data;
  5. can the data be modified;
  6. whether there are any confidentiality and data security obligations;
  7. representations or warranties made in respect of the data (e.g. the data is free from viruses, reasonable efforts were made to ensure accuracy of data, etc.);
  8. how and in what form will the data be delivered; and
  9. how is derivative data treated.

However, data licensing raises several unique issues with respect to data ownership and scope of use as well as the treatment of novel, derived or usage data and intellectual property rights that can come into existence through an arrangement or application of such data, which can’t always be reliably anticipated and fully covered in such an agreement. Further complexities may arise when a data recipient co-mingles the licensed data with its own (or data from third-parties) to form new IP and structures in which case the weight of the licensed data into the resulting asset is not always clear.

Derivative data

It is important to clearly define what is and is not derivative data, as well as determining who owns, and who has rights to, the derivative data. This is because derivative data by its definition contains some resemblance to that data it was derived from: your business data. An ill-considered derivative data provision could erode your business’ rights or control over its data by allowing another party to have exclusive rights and controls over a similar, and potentially better, set of data. For example, if broad derivative use rights are granted, you may inadvertently give away to a third-party the right to use your data as a launching pad for further innovation which that party can then claim rights to, eroding your own IP portfolio growth in the process.

In the next publication, we will further discuss and provide practical considerations that all businesses transacting with data should know when entering into agreements with third-parties with respect to such derived and derivative data, including important privacy and cyber-security concerns.

[1] Toronto Real Estate Board v. Commissioner of Competition, 2017 FCA 236