Tech & Sourcing @ Morgan Lewis


Building on our introductory discussion of data analytics and use restrictions from last week, in this post, we describe in more detail some potential restrictions, under applicable law and contracts, of a company’s ability to use data for analysis purposes.

  • Third-Party Terms. If a company plans to use data owned or sublicensed by a third party, or jointly owned by the company and a third party, for analysis purposes, the applicable license, services, or other agreement should be reviewed because it may control the company’s use rights with respect to the data. The company should confirm that it has the necessary rights to use the data and, if applicable, whether the third party that owns or licenses the data has the right to grant such a license. If the company’s right to use the data is unclear in any way, it should obtain consents to such use from the owning or controlling party or parties. Companies should also consider seeking from the third party that owns or licenses the data an indemnity against third-party claims that arise from any failure to have such necessary rights to use the data.
  • Applicable Laws. Particularly with respect to personal information, some states and countries have enacted laws that regulate companies’ data use. Perhaps the best known example is the European Union, which imposes the following central requirements with respect to individuals’ data:
    • Personal data must be collected only for “specified, explicit, and legitimate” purposes.
    • Personal data must not be further processed in a way that is “incompatible” with such specified purposes.
    The nuances of both of these central principles have been a matter of significant interpretation and fact-specific analysis. However, the key concern for data analytics is that, as the relationship between the purpose of the analysis and the purpose for which the data was originally disclosed becomes more tenuous, the less likely the processing will be permitted under the law.
  • Privacy Policies. When data is collected and gathered by a company from end users (whether directly or via a business partner), there may still be restrictions on the company’s use rights. One principal restriction may apply by virtue of the company’s (or the applicable business partner’s) published privacy policy that was in effect at the time the data was collected.

    If, for example, a company’s privacy policy states that the data disclosed by end users will be used only for processing their transactions, then the company may not be able to use that data for analysis purposes (and such a prohibited use would risk the Federal Trade Commission taking an enforcement action based on such use as a deceptive act and practice).

    As a result of this issue, forward-thinking companies are crafting their privacy policies carefully to preserve future flexibility in the ability to analyze, disclose, and combine data with other sources. In our next and final post in this series, we will take a look at some sample privacy policy language that is designed to achieve this goal.