Aggregate Data Clauses – Accept or Push Back?

Before reflexively rejecting a vendor/provider’s aggregate data clause, determine whether pushing back is really necessary.

More than ever before, data is the driver of business. Companies are inundated with new data on a daily basis, which creates a number of business challenges. One of the more prominent challenges of late has been how best to protect data within a company’s infrastructure from inadvertent and improper access and disclosure. Another important challenge is how best to “mine” data sets through data analytics, the quantitative and qualitative techniques businesses use to analyze data in order to develop business insights, conclusions, strategies, and market trend data in order to provide guidance on operational and strategic business decisions. “Aggregate data” is key to data analytics; companies take existing data, anonymize it by removing any personal or other information that can be used to identify the source of the data, and aggregate it with other anonymized data to create a new set of data on which data analytics can be performed.

The strength of the conclusions and insights learned through data analytics is directly proportional to the amount of source data used. Aggregate data comes from two primary sources: (1) internal data sets within the company’s possession or control, such as transactional data, customer data, server data, etc.; and (2) external data sets such as free online databases of government data (e.g., US Census data) and data available from data brokers who have compiled aggregate data sets for purchase and use by businesses.

To ensure businesses have the right to use customer data in their possession for data analytics purposes, SaaS, cloud, software, and other technology agreements often contain an aggregate data clause. This clause gives a vendor/provider the right to compile, collect, and use aggregate data from customer information for the vendor/provider’s own business purposes. Many vendors/providers work hard to craft an aggregate data clause that fairly and adequately protects their data sources. Before reflexively rejecting a vendor/provider’s aggregate data clause, consider the analysis and questions in this article to determine whether pushing back is really necessary to protect your company’s interests.

The vendor/provider’s perspective

Customers often push back on aggregate data clauses for a variety of reasons, such as “it’s our policy not to give this right,” “why should you benefit from our data?” and “how can you guarantee someone won’t be able to figure out it’s us?” On the other side, a vendor or provider may argue that the aggregate data clause is a “table stakes” provision in their agreement. Under this argument, analytical data is used to generate macro-level insights which benefit both the vendor/provider and its customers, and as long as it is used in a way that does not identify a specific customer or client there is no potential harm to the customer in allowing its use for data analytics. Additionally, many vendors argue that the systems used to anonymize and aggregate data do not allow for exceptions on a per-customer basis. Additionally, vendors/providers often share insights and other conclusions drawn from data analytics with their customers and clients, e.g., through client alerts, newsletters, conferences, etc., and therefore clients benefit from allowing their data to be used in the vendor/provider’s data analytics efforts. Data analytics are often a critical part of a vendor/provider’s business plans and operations, and access to client data for analytics purposes is baked into the cost of using the service.

Is the aggregate data clause well-drafted and balanced?

Many vendors/providers take the time to craft an aggregate data clause that is fair and does not overreach. As long as the vendor/provider has protected the customer’s rights and interests in the underlying customer data, the use of a customer’s data for analytics purposes may be perfectly acceptable as a part of the overall contractual bargain between the parties. A well-drafted clause usually contains the following core provisions:

  • Grant of rights – A right for the vendor/provider to compile, collect, copy, modify, publish and use anonymous and aggregate data generated from or based on customer’s data and/or customer’s use of its services, for analytical and other business purposes. This is the heart of the clause. This clause gives the vendor/provider the right to combine aggregate data from multiple internal and external data sources (other customers, public data, etc.).
  • Protection of source data – A commitment that the customer will not be identified as the source of the aggregate data. While this is really restating that the data will be “anonymous,” some customers may want a more express commitment that the aggregate data can’t be traced back to them. I’ll talk more about this later in this article.
  • Scope of usage right – Language making clear either that the vendor/provider will own the aggregate data it generates (giving it the right to use it beyond the end of the customer agreement), or that its aggregate data rights take precedence over obligations with respect to the return or destruction of customer data. The common vendor/provider reason for this is that aggregate data, which cannot be used to identify the customer, is separate and distinct from customer data which remains the property (and usually the Confidential Information) of the customer under the customer agreement. Additionally, the vendor/provider often has no way to later identify and remove the aggregate data given that it has been anonymized.

Things to watch for

When reviewing an aggregate data clause, keep the following in mind:

Protection of the company’s identity. While language ensuring that a customer is not identified as the source of aggregate data works for many customers, it may not be sufficient for all. Saying a customer is not identified as the source of aggregate data (i.e., the vendor/provider will not disclose its data sources) is not the same as saying that the customer is not identifiable as the source. Consider a customer with significant market share in a given industry, or which is one of the largest customers of a vendor/provider. While the vendor/provider may not disclose its data sources (so the customer is not identified), third parties may still be able to deduce the source of the data if one company’s data forms the majority of the data set. Customers that are significant market players, or which are/may be one of a vendor’s larger clients, may want to ensure the aggregate data clause ensures the customer is not identified or identifiable as the source of the data, which puts the onus on the vendor/provider to ensure the customer’s identity is neither disclosed nor able to be deduced.

Ownership of aggregate data vs. underlying data. As long as the customer is comfortable that aggregate data generated from customer data or system usage cannot be used to identify or re-identify the customer, a customer may not have an issue with a vendor/provider treating aggregate data as separate and distinct from the customer’s data. Vendors/providers view their aggregate data set as their proprietary information and key to their data analytics efforts. However, a well-drafted aggregate data clause should not give the vendor/provider any rights to the underlying data other than to use it to generate aggregate data and data analytics.

Scope of aggregate data usage rights. There are two ways customer data can be used for analytics purposes – (1) to generate anonymized, aggregate data which is then used for data analytics purposes; or (2) to run data analytics on customer data, aggregate the results with analytics on other customer data, and ensure the resulting insights and conclusions are anonymized. Customers may be more comfortable with (1) than (2), but as long as the vendor/provider is complying with its confidentiality and security obligations under the vendor/provider agreement both data analytics approaches may be acceptable. With respect to (2), customers may want to ask whether the vendor/provider uses a third party for data analytics purposes, and if so determine whether they want to ensure the third-party provider is contractually obligated to maintain the confidentiality and security of customer data and if the vendor/provider will accept responsibility for any failure by the third party to maintain such confidentiality and security.

Use of Aggregate Data. Some customers may be uncomfortable with the idea that their data may be used indirectly through data analytics to provide a benefit to their competitors. It’s important to remember that data analytics is at a base level a community-based approach – if the whole community (e.g., all customers) allows its data be used for analytics, the insights and conclusions drawn will benefit the entire community. If this is a concern, talk to your vendor/provider about it to see how they plan to use information learned through analytics on aggregate data.

Duration of aggregate data clause usage rights. Almost every vendor/provider agreement requires that the rights to use and process customer data ends when the agreement terminates or expires. However, vendors/providers want their rights to use aggregate data to survive the termination or expiration of the agreement. A customer’s instinct may be to push back on the duration of aggregate data usage rights, arguing that the right to use aggregate data generated from the customer data should be coterminous with the customer agreement. However, if the data has truly been anonymized and aggregated, there is likely no way for a vendor/provider to reverse engineer which aggregate data came from which customer’s data. This is why many vendors/providers cannot agree to language requiring them to cease using aggregate data generated from a customer’s source data at the end of the customer relationship. One approach customers can consider is to ask vendors/providers when they consider aggregate data to be “stale” and at what point they cease using aged aggregate data, and whether they can agree to state that contractually.

Positioning an objection to the aggregate data clause. As noted earlier, the right to use data for analytics purposes is considered to be a cost of using a vendor/provider’s software or service and a “table stakes” provision for the vendor/provider, and the ability to use data for analytics purposes is already baked into the cost of the software or service. Some customers may feel this is not sufficient consideration for the right to use their data for analytics purposes. If that is the case, customers may want to consider whether to leverage an objection to the aggregate data clause as a “red herring” to obtain other concessions in the agreement (e.g., a price discount, a “give” on another contract term, or an additional service or add-on provided at no additional charge).

The GDPR view on use of aggregate data

The European Union’s new General Data Protection Regulation (GDPR), which becomes effective on May 25, 2018, makes a significant change to the ability to use personal data of EU data subjects for analytics purposes. Under the GDPR, a blanket consent for data processing purposes is no longer permitted – consent to use data must be specific and unambiguous. Unfortunately, this directly conflicts with data analytics, as the ways a data set will be analyzed may not be fully known at the time consent is obtained, and there is no right to “grandfather in” existing aggregate data sets. Simply saying the data will be used for analytics purposes is not specific enough.

Fortunately, the GDPR provides a mechanism for the continued use of aggregate data for analytics purposes without the need to obtain prior data subject consent – Pseudonymization and Data Protection by Default. Pseudonymization and data protection principles should be applied at the earliest possible point following acquisition of the data, and vendors/providers must affirmatively take data protection steps to make use of personal data

  • Pseudonymization – Pseudonymization is a method to separate data from the ability to link that data to an individual. This is a step beyond standard tokenization using static, or persistent, identifiers which can be used to re-link the data with the data source.
  • Data Protection by Default – This is a very stringent implementation of the “privacy by design” concept. Data protection should be enabled by default (e.g., an option in an app to share data with a third party should default to off).

 

Data analytics is an important part of every company’s “big data” strategy.  Well-crafted aggregate data clauses give vendors and providers the ability to leverage as much data as possible for analytics purposes while protecting their customers.  While there are reasons to push back on aggregate data clauses, they should not result in a negotiation impasse. Work with your vendors and providers to come up with language that works for both parties.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He is a corporate generalist who specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

Paralegal vs. Legal Assistant vs. Junior Attorney – Know the Differences and Pick the Right Professional Before Hiring or Contracting

It’s a good sign when the volume of legal work at a company increases to the point where another legal resource is needed, either permanently or temporarily. Most often a company will look for a generalist resource, such as a paralegal, a legal assistant, or a junior attorney, to handle a variety of tasks and free up time for senior attorneys and other specialists to focus on other work. However, many companies post a new position or reach out to a placement firm for a temporary resource without first thinking through which type of legal professional is best suited for the needs of the organization.

Paralegals and legal assistants are non-attorney legal professionals that can perform substantive legal work under the supervision of an attorney, and often form an integral part of an in-house legal department or law firm.  There are advantages and disadvantages to adding a paralegal, legal assistant, or junior attorney. Thinking through whether a paralegal, legal assistant, or junior attorney is the best role for your company’s needs can help maximize productivity for the person filling the role, and help ensure that the person is capable and ready for the work he or she will be tasked to perform. Just as important, understanding what attorney and non-attorney legal professionals can’t do, and how they should be classified from an employee perspective, can help protect your company (and any existing in-house attorneys) from ethical or business issues.

I’ll conclude with a note about contract managers, another role used by some companies to manage transactional work.

Differences at a Glance

At a high level, here are the differences between paralegals, legal assistants and junior attorneys:

Diving In

Let’s look at each of these roles in a little more detail.

Paralegals

Paralegals are non-attorney legal professionals with education, a certification, work experience, or other training which allows them to perform substantive legal work under an attorney’s guidance and supervision. Paralegal as a profession first appeared in the 1960s. Paralegals support the substantive work of attorneys by allowing attorneys to delegate work to them that attorneys would otherwise need to perform directly. Paralegals can play a critical role within legal departments given the breadth of work they can perform. Unless it involves the unauthorized practice of law (which I’ll address later in the article), paralegals can be delegated almost any project that an attorney would normally perform, as long as the paralegal is qualified to do it or willing to learn and the paralegal is supervised by an attorney. Paralegals at smaller departments may also handle administrative tasks for the legal team. There are a number of certification programs for paralegals, such as the National Federation of Paralegal Association (NFPA)’s Paralegal CORE Competency Exam (PCCE) and Paralegal Advanced Competency Exam (PACE) and the National Association of Legal Assistants (NALA)’s Certified Paralegal (CP) and Advanced Paralegal Certification (APC) credentials. There are also paralegal associate degree, bachelor degree, and master’s degree programs.

If a company needs a legal professional with the training, experience and ability to perform substantive legal work under the supervision of one of the company’s attorneys, and does not need an attorney for the role to provide legal advice/counsel or to represent the company, a paralegal may be a good option. For example, a paralegal may be best suited to help with a document review project, to draft and negotiate standard agreements, or to research a specific question or new law.

Legal Assistants

Legal assistants also perform substantive legal work under an attorney’s guidance and supervision. Legal assistants may be tasked with administrative activities such as filing, maintaining the legal calendar of important deadlines (e.g., trademark renewal deadlines), and managing legal department bills and expense reporting. Legal assistants may aspire to grow into a paralegal role. If a company needs a non-attorney legal professional who does not possess the training, education and experience of a paralegal but who has the ability to perform both substantive and administrative legal work under the supervision of an attorney, a legal assistant may be a good option. For example, a legal assistant may be best suited to help a small legal department which has administrative needs as well as other substantive work.

Many non-attorney legal professionals within corporations prefer the title “Paralegal” to “Legal Assistant,” as it is often perceived as a more professional and senior position than that of a legal assistant. Some in-house legal departments will use the title “Junior Paralegal” for a legal assistant who does not yet have the necessary experience, education, certification or training to be a full paralegal, but where the person or the company wants the individual contributor to have a paralegal title.

Paralegals and Legal Assistants as Non-Exempt Personnel

One very important note for US employers – the US Department of Labor (DOL) has stated that paralegals and legal assistants should be classified as non-exempt personnel in most circumstances. Under 29 CFR Part 541.301(e)(7), the Department of Labor stated that “paralegals and legal assistants generally do not qualify as exempt learned professionals because an advanced specialized academic degree is not a standard prerequisite for entry into the field.” The DOL has issued opinion letters, such as FLSA2005-54 and FLSA2006-27, supporting this position. However, do not interpret this as meaning that paralegals and legal assistants are not professionals – they are (just not from a Fair Labor Standards Act perspective according to the DOL). It’s also important to note that the DOJ’s webpage on the Overtime Final Rule added a note in January 2018 stating that the DOL is “undertaking rulemaking” to revise the Overtime Final Rule, so employers with paralegals and legal professionals should watch this carefully.

Why Paralegals and Legal Assistants are Different

Many view paralegals and legal assistants as interchangeable titles and roles. For example, the American Bar Association uses the same definition for both paralegals and legal assistants. Both paralegals and legal assistants can perform substantive legal work under an attorney’s supervision. However, I think it’s more accurate to view them as two different points on the spectrum of non-attorney legal professionals. Here are some of the key differences I see between the roles:

  • Paralegals often perform (and expect to be tasked with) more and higher-level substantive work than legal assistants.
  • Legal assistants are more likely to be tasked with administrative legal responsibilities than paralegals in the same department.
  • Paralegals are more likely to have completed a certification, education, or other training programs demonstrating a higher level of skill and experience to provide supporting substantive legal work, and are required to maintain paralegal certifications through continuing paralegal education.
  • Paralegals, especially those with a certification, tend to expect a higher compensation rate/salary than non-certified paralegals or legal assistants.

What Paralegals and Legal Assistants Can’t Do

Paralegals and legal assistants can do many things, but cannot provide legal advice or opinions, sign documents or pleadings, engage in other prohibited tasks such as establishing attorney-client relationships, or engage in the unauthorized practice of law. This is a critically important point – paralegals cannot, and should not be permitted to, perform substantive legal work except under an attorney’s supervision, and should not do anything (directly or indirectly) that could be considered the unauthorized practice of law. For in-house paralegals, this can be very tricky as others will undoubtedly come to the paralegal asking for an opinion or advice.  Rank-and-file employees often feel anyone in Legal should be able to give them an answer on a legal question. It’s up to the paralegal to let them know that they need to defer to the attorney on legal advice or opinions, and to ensure their work is being supervised by an attorney. The voluntary codes of paralegal ethics, such as the NALA Code of Ethics and Professional Responsibility and the NFPA Model Code of Ethics and Professional Responsibility and Guidelines for Enforcement, clearly state that paralegals cannot engage in the unauthorized practice of law, perform duties that only attorneys can perform, or take actions that only an attorney can take.

In Minnesota, like most US states, the unauthorized practice of law is illegal. Minn. Stat. § 481.02 prohibits a non-attorney from acting as an attorney or giving legal advice or services. In many states, the unauthorized practice of law is a felony. An attorney responsible for supervising the work of a paralegal or legal assistant who engages in the unauthorized practice of law will also find themselves in violation of Rule 5.5 of the Minnesota Rules of Professional Conduct which prohibits attorneys from assisting others from the unauthorized practice of law.

This is one of the reasons why the first in-house legal hire at most companies is an attorney. It is generally not recommended that a company’s first legal hire be a paralegal or legal assistant, as many of the substantive legal tasks to be performed by the first legal hire at a company require legal supervision, and outside counsel may not be willing to supervise the work of a non-attorney employed by the corporation due to ethical concerns. An attorney who fails to properly supervise the work of non-attorney legal professionals reporting to that attorney is putting his or her legal reputation, license to practice law, and company at risk.

Junior Attorneys

As licensed attorneys, junior attorneys offer a company the ability to do more than paralegals or legal assistants. Not only can they perform substantive work, but they can provide legal advice and opinions, represent the company in court, and otherwise engage in the practice of law. However, junior attorneys are usually considerably more expensive than either paralegals or legal assistants. If a company is hiring its first legal professional and does not need a more senior attorney as its first attorney (e.g., the company has a strong relationship with outside counsel that is acting in a quasi-General Counsel capacity), or needs a legal professional who can perform substantive legal work, provide legal advice and counsel and represent the company, and the company can afford the higher compensation an attorney typically requires, a junior attorney may be a good option.

Contract Managers

There is one other role used by some companies with respect to contracts – the contract manager. A contract manager is a person who is tasked with negotiating, administering and interpreting a company’s contracts (both standard and non-standard). Contract managers can be non-attorneys, or non-practicing attorneys. Contract managers often act in a project manager role to help ensure a company is meeting its requirements with respect to deliverables and other contractual obligations under its agreements. Like paralegals, there are professional associations governing contract managers, including the International Association for Contract & Commercial Management (IACCM) and the National Contract Management Association (NCMA), as well as contract manager certification programs including the NCMA’s Certified Federal Contract Manager (CFCM), Certified Commercial Contract Manager (CCCM), and Certified Professional Contract Manager (CPCM) designations which require a certain amount of continuing education. In some cases, a company’s procurement department will have contract managers who negotiate procurement and other agreements to take load off of the company’s legal team. Some companies choose to establish an in-house legal function by hiring a contract manager as their first legal professional.

Like other non-attorneys in the United States, contract managers cannot provide legal advice or opinions. However, it is an unsettled question whether a contract manager who does not have a legal degree and negotiates agreements, including risk management terms, on behalf of a company without attorney supervision is engaging in the unauthorized practice of law. Companies should consider whether to ensure contract managers are part of the Legal department and are supervised by attorneys just as paralegals must be, or alternatively require candidates for a contract manager position to hold a JD degree – the attorney would be acting not as an attorney for the corporation but in a “quasi-legal” role, and would remain subject to the Model Rules of Professional Responsibility governing attorneys, which would help avoid issues regarding the unauthorized practice of law.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He is a corporate generalist who specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.