To complement our previous considerations about the civil-law status of data, we should analyse the possibility of using data to create security interests in business transactions. The increasing economic value of data inspires a search for effective ways to collateralise these assets.
To better illustrate this point, let us use a visual example. Imagine a server owned by company X. Various data are stored on the server, including data collected by X for the purpose of training an advanced algorithm used for medical diagnostics. The market value of the data stored on the server exceeds many times over the value of the server itself.
X provided its creditor, company Y, with security in the form of a registered pledge on the movables of X. X did not fulfil its obligations towards Y, and therefore Y enforced its security and took ownership of the server storing the data. The value of the server alone is insufficient to satisfy all of Y’s claims against X, while the value of the data stored on the server exceeds X’s debt to Y. What is the effect of Y’s taking ownership of the server?
It all depends on the type of data
As in the case of other issues considered in our series on the data economy, the type of data saved on the server will also be vital here. The importance of dividing data into different layers is also very clear in this case.
The physical layer of data is the medium on which data are stored. In this case, it is the server. The current law in Poland provides for a clear procedure for dealing with collateral in the form of movable property. Therefore, in principle, in this case it will not be difficult to determine how to deal with the server. For the purposes of this article, let’s assume that enforcement of the pledge created by Y on the server proceeds in such a way that the server is taken over by Y. How does this affect the data stored on the server? Do they also become Y’s “property”?
Distinguishing between layers of data (discussed in the article “Different layers of data”) makes us aware that the legal status of particular layers may vary and should be analysed separately in relation to each layer. Ownership of the data medium does not automatically translate into ownership of the data stored on the server (i.e. data in the semantic and syntactic layers). In particular, these data will not constitute a component of the server (they do not meet the conditions for being regarded as components within the meaning of Art. 47 of the Civil Code), nor will they be benefits accruing from ownership of the server.
The legal status of data will depend on their nature. The data might be subject to rights of an absolute nature (e.g. intellectual property rights). If such rights belong to third parties, they will be excluded from enforcement by Y. If they belong to X, whether Y can enforce those rights will be determined by whether the security established by Y also covers those rights.
If the data are the subject of separate rights, a disposition of only the physical layer of the data, i.e. the server itself, will not lead to a disposition of other property rights, the physical elements of which are recorded on the server. Such a situation would arise particularly if data stored on the server could be regarded as the subject of an intellectual property right (such as copyright—we discuss in more detail whether this is possible at all in the article “Data and copyright”) or the producer’s right to the database. They constitute separate and transferable property rights. Any of these rights could be disposed of regardless of the medium on which they are stored.
We can imagine transferring these rights as collateral or encumbering them with an ordinary pledge or a registered pledge. We cannot exclude a situation where both the server and data stored on it are jointly pledged. This may take place in the case of establishing a registered pledge on a set of things and rights constituting an economic whole, but in such a case, the registered pledge agreement should specify which components are included in the encumbered set.
As in other cases, the most practical problems will arise in relation to “uncategorised data,” i.e. data not subject to absolute property rights. (The Polish legal system assumes that the catalogue of absolute rights is closed and cannot be freely shaped by the parties, as we discuss further in the article “Who owns data?”) If the data are not subject to any relative rights either, their status is unclear in the context of enforcement.
By acquiring the server with stored uncategorised data, Y acquires actual control over the server without formally infringing anyone’s property rights. The fact that data are not granted the nature of an absolute right means that X, which collected the data, has no claim for release of the data, or that Y ceases to use or enjoy the data. Thus, in principle, Y is free to dispose of the data (subject to potential limitations arising e.g. from the data’s status as trade secrets or personal data). For example, it can commercialise data placed on the server.
In the case in question, the server, a movable item, was the subject of security and enforcement. The uncategorised data on the server as such could not be covered by the security or seizure, as they do not constitute a component part of the server and, lacking the status of an absolute property right, it is difficult to subject them to execution or an encumbrance in rem. As a result, further questions arise: Can X “clean up” the server before releasing it to its new owner, Y? It appears that without any additional agreement between the parties, Y has no claim to the server with specific data on it. It can only claim the machine itself.
Another question will arise if Y physically controls the server itself (e.g. when it was stored by that company or a third party who released the server to Y without interfering with its contents). Does Y have an obligation to delete the data? Can it use them itself, and should the benefits obtained from this use reduce X’s debt?
Since X does not have exclusive rights to uncategorised data, it will be very difficult, if not impossible, to demand that the new owner of the server delete the data or not use them. The issue of reducing X’s debt by the value of the data stored on the server is not much easier. In the case of a registered pledge, the method of reducing the secured claim in a situation where the pledgee resorts to extrajudicial enforcement is regulated by the law and the pledge agreement. The secured receivable is reduced by the value of the repossessed object determined in accordance with the pledge agreement. This may be a specified amount or value indicated by an appraiser (or as otherwise agreed by the parties).
Depending on how the takeover value is settled, the value of data stored on the server may reduce the secured claim (and, if it exceeds it, even lead to an obligation by the pledgee to turn over the surplus in cash), but only if the value of data is included in the valuation of the server itself (by a third party or by the parties themselves). However, one can imagine that in the absence of specific provisions, the server will be seized by the pledgee for the value of the medium itself, which is well below the value of the data stored on it. In such a situation, the outstanding amount of the secured claim will be reduced only by the value of the server.
Court rulings indicating the need to determine the value of the object acquired at its market value may provide guidance on how to behave in such a situation. If we assume that the server owner will be able to use data stored on it (and, for example, make it available to third parties for a fee), the market value of the server itself may also include the value of the data. However, this will not be a decisive argument, as it is possible to find judgments approving the seizure of objects at amounts stipulated by the parties unconnected with the real market value of the seized object.
It is no secret that life and economic development often outpace legal solutions. The discussion above shows that also in the case of uncategorised data, the existing legal instruments lead to conclusions that can be difficult to accept. It seems doubtful whether the legitimate interests of market participants are adequately protected. So what can entities holding uncategorised data do to increase legal certainty surrounding their significant assets?
First of all, it is worth considering whether the collected data can be covered by protection appropriate to known absolute property rights. In the absence of such possibilities, support should be sought in relative property rights, i.e. contractual rights. While such protection is less effective and operates in principle against the counterparty, it will allow the party to maintain control over the fate of the data in certain situations.
Referring to the example we discussed, it may be pointed out that the regulation of rights and obligations of companies X and Y in relation to data stored on the servers constituting collateral can be very helpful in a situation where it is necessary to enforce the established security interests. Finally, it should not be forgotten that a lot of uncategorised data can benefit from protection under trade secrecy rules, as long as the entity entitled to use the data has taken appropriate measures to keep them confidential. Obtaining or using data constituting a trade secret without the consent of the person entitled to the information is considered an act of unfair competition. This instrument can allow X in our example to demand, among other things, that Y remove data from the server it has taken over, and that Y or another entity not use the information.
If these security measures fail and the creditor does in fact gain control over data and the server, and the value of the seizure does not reflect the true value of the data, then X may seek protection under the law of unjust enrichment. Reliance on Art. 5 of the Civil Code, prohibiting the abuse of subjective rights—in this case rights arising from a pledge— does not seem to be excluded either. However, while claims of unjust enrichment may ultimately lead to a reduction in the value of the debt, the defence against abuse of a right, however complicated to apply in such a case, seems to justify a demand that the creditor stop using the data, and possibly return them.
It should be noted by the way that each of the potentially available protective measures will bring with it a number of further legal issues arising from past practice, the legal doctrine, or the unusual factual situation in which it would be applied. Therefore, it should be considered whether economic relations in the 21st century and the dynamic development in the field of digital technologies already sufficiently justifies taking legislative steps to create new legal institutions, or adapt existing ones, to clarify the legal status of uncategorised data.
Krzysztof Wojdyło, Daniel Smarduch