By Zack Bloom
Introduction:
When one thinks of “assets”, the first things that typically come to mind are tangible items like cash, real estate, cars, or expensive jewelry. Yet perhaps there is one asset that is more powerful and critical then all these combined: data. We live in a data-driven age where everything from the ads we see to the medical decisions we make are driven by vast amounts of data. However, the data that is driving these enormous industries is not usually very complex – in most cases the collected data is very basic information about a particular individual, such as demographics, geographic location, and web surfing habits. Thus information about one’s simple existence and everyday activities can be extremely desirable and sought after by companies and firms around the world.
A new way in which individuals are beginning to take back the power in the widespread collection of their personal data is through the pooling together of data from large groups of people. Essentially groups of consenting volunteers would aggregate either their personal data statistics such as age, sex, and habits or their stored data such as their web-browsing history or their medical records. The group would then self-govern what entities they want to provide the data to and how they would like the data to be used. These new pooling activities are also called “people-powered data collaboratives”[1], “consumer-driven health data commons”[2], and “data cooperatives”[3]. For simplicity, this piece will refer to these groups as simply as “data sharing groups”. While still in their genesis and mainly theoretical, it is easy to see a future where individuals can “invest” their data into a data sharing group through which a promoter negotiates the sale of the group’s data to different buyers and disperses the revenue pro-rata to all individuals in the group. If this were to happen, concerns over privacy and abuse of these groups would lead to an immediate need for a well-thought-out regulatory regime. While a new regime suited for this unique model may be the best outcome, perhaps these data sharing groups may already fall under existing regulations. In particular, would it be possible for data sharing groups to be covered by federal securities law? To fall under securities law, these data sharing groups would have to qualify as investment contracts under the test laid out in SEC v. W.J. Howey Co[4]. This piece is intended to serve as a preliminary look at whether these data sharing groups would qualify as investment contracts under the Howey Test.
Understanding Data Sharing Groups:
It is first important to understand the theoretical conception behind these data sharing groups. These groups have been described as “self-governing communities of individuals, empowered by access to their own data, who come together in a shared effort to create high-valued collective data resources”[5]. In most circumstances, these groups would be pools of individuals with some sort of commonality such as adults with diabetes or individuals that are all avid skiers. These individuals would “employ processes of collective self-governance to make decisions about how the resulting data resources…can be used”[6] such as who they would like to sell their aggregated data to or the specific ways in which they would like it to be used. While these groups could be self-governing, they likely need an experienced promoter who has the skills and relationships necessary to leverage this vast pool of data and maximize the potential sale of it. To solve this dilemma, it has been proposed that these data sharing groups function as “intermediary fiduciaries” who would negotiate with potential buyers to establish the sale price, access, and other key terms[7].
Why Applying Securities Law to Data Sharing Groups Matters:
Following from the theory that data sharing groups require a promoter in order to maximize the benefit of joining a group, it is easy to see a future in which promoters seek “investment” into their specific data sharing group. If the “shares” offered by these promoters in return for joining the data sharing group were to be considered securities, they would be subject to current securities regulation such as the Securities Act of 1933 and the Securities Exchange Act of 1934. Most importantly, the offering of “shares” in these groups by promoters would be subject to the restrictions in Section 5 of the Securities Act of 1933 which requires that all issuers must register securities with the SEC unless they qualify for an exemption[8]. Such regulation would dramatically increase the transaction costs for data sharing groups as they would be required to issue a registration statement, abide by gun-jumping rules, and follow the applicable disclosure requirements. If securities laws were applicable, data sharing groups would also be subject to Rule 10b-5 antifraud liability which would allow investors in data sharing groups to sue the promoter for any misrepresentations related to how they use data, breaches, and other potential fraud[9].
Applying the Howey Test to Data Sharing Groups:
Although there are variety of ways in which something can be considered a “security”, data sharing groups would likely have to be deemed investment contracts under the Howey Test to be subject to securities law. An investment contract is essentially a catch-all provision in the Securities Act of 1933, intended to capture different investment schemes that would not be covered by typical securities definitions such as stocks and bonds. As laid out in Howey, an investment contract means “a contract, transaction or scheme whereby a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party”[10].
The threshold requirement for an investment contract is that it be a “contract, transaction or scheme”[11]. Looking at data sharing groups, this threshold requirement would likely be met under most circumstances. It is likely that “investing” in a data sharing group would require the individual to sign some sort of data transfer or use agreement and potentially a quasi-investor rights agreement laying out what the member is entitled to receive from a sale of their data.
(a) Person Invests Money
It is hard to say whether the “person invests money” element of the Howey Test would be met for the typical data sharing group. While the test does not require the investment of literal cash[12], it does require that an individual give up “tangible and definite consideration in return for a separable financial interest”[13]. Even though individual would be receiving a “separable financial interest” in the form of a share, it is unclear whether personal data would be considered “tangible and definite consideration”[14]. Personal data is certainly a valuable asset as it can be used to further research, maximize marketing strategies, or even create new products. Accordingly, it may be argued that personal data is in fact something of value and thus valid consideration. However, the term “tangible” may favor the argument that personal data is an “investment of money” as you cannot physically touch it.
(b) In a Common Enterprise
Data sharing groups would likely meet the “in a common enterprise” element of the Howey Test, fitting under either the broad or narrow vertical commonality category[15]. Broad vertical commonality requires “the well-being of all investors be dependent upon the promoter’s expertise”[16] while narrow vertical commonality requires “investors’ fortunes be interwoven with and dependent upon the efforts and success of those seeking the investment or of third parties”[17]. Data sharing groups likely fit under either of these requirements as members are collectively dependent on the expertise of the promoter in negotiating the block sale of their data and their fortunes depend on the promotor’s success in doing so.
(c) Led to Expect Profits
Whether data sharing groups meet the “is led to expect profits” element of the Howey Test is a fact-dependent inquiry and would require information about the circumstances behind why individuals are “investing” in a specific group. To meet this element, individuals must be attracted to the group solely for the prospects of return on investment and can’t be motivated by a desire to use or consume whatever they are receiving in return[18]. While it would be easy to argue that individuals joined a data sharing group that is selling personal data to a consumer products corporation for the prospect of return, it is more difficult in a situation where individuals are joining in part to further medical research through use of their data.
(d) Solely From the Efforts of the Third Party
Data sharing groups would also likely meet the “solely from the efforts of the third party” element of the Test. “[S]olely” is not intended to be interpreted restrictively and instead courts should look to the economic realities of the situation[19]. The economic reality of data sharing groups would likely show dependency of the individuals on the entrepreneurial and managerial skills of the promoter as they are unlikely to have the connections and skills necessary to negotiate the sale of their data themselves. There is also little to no investor effort in data sharing groups as they are simply permitting the promoter to sell their personal data.
(e) Existence of Alternative Regulatory Regime
While not an element of the Howey Test, courts have stated the existence of alternative regulatory regimes may show Congress did not intend for the SEC to regulate a certain activity[20]. In the case of data sharing groups, there are certainly some existing regulations. The most famous example would be the Health Insurance Portability and Accountability Act of 1996 (HIPAA) which provides safeguards to protect the privacy of health data and limit its use[21]. It may be that courts would see the existence of HIPAA as clear evidence that Congress did not intend for the SEC to regulate data sharing groups. However, it may be argued that HIPAA is intended to regulate the collection of data while securities law would regulate the ability of parties to sell other peoples’ personal data.
Conclusion:
It is unclear whether data sharing groups would pass as investment contracts under the Howey Test. On one side, these groups would clearly depend on a promoter’s expertise and connections to sell the group’s data at the highest price. However, the existence of alternative regulatory regimes such as HIPAA and uncertainty surrounding whether personal data would be deemed definite consideration sways against considering data sharing groups investment contracts. Regardless, this preliminary glance at whether securities law could apply to these types of groups highlights the potential uses of collective data and the need for regulation to manage the prospective problems that may come with them.
[1] See Barbara J. Evans & Harlan M. Krumholz, People-Powered Data Collaboratives: Fueling Data Science with the Health-Related Experiences of Individuals, 26(2) J. Am. Med. Informatics Ass’n., 159 (2019).
[2] See Barbara J. Evans, Barbarians at the Gate: Consumer-Driven Health Data Commons and the Transformation of Citizen Science, 42 Am. J. L. & Med., 651 (2016).
[3] See Katharine Miller, Radical Proposal: Data Cooperatives Could Give Us More Power Over Our Data, Stan. Univ. Inst. for Hum. Centered AI (Oct. 20, 2021), https://hai.stanford.edu/news/radical-proposal-data-cooperatives-could-give-us-more-power-over-our-data.
[4] See S.E.C. v. W.J. Howey Co., 328 U.S. 293 (1946).
[5] Evans, supra note 2, at 653.
[6] Id. at 654.
[7] Miller, supra note 3.
[8] See 15 U.S.C. § 77e (1933).
[9] See 17 C.F.R. § 240.10b-5 (1934).
[10] W.J. Howey Co., 328 U.S. at 299.
[11] Id.
[12] Uselton v. Com. Lovelace Motor Freight, Inc., 940 F.2d 564, 574 (10th Cir. 1991).
[13] Int’l Bhd. Of Teamsters, Chauffeurs, Warehouseman & Helpers of Am. v. Daniel, 439 U.S. 551, 560 (1979).
[14] Id.
[15] See S.E.C. v. SG Ltd., 265 F.3d 42, 49 (1st Cir. 2001).
[16] Id.
[17] Id.
[18] United Hous. Found., Inc. v. Forman, 421 U.S. 837, 852-853 (1975).
[19] S.E.C. v. Mut. Benefits Corp., 408 F.3d 737, 747 (11th Cir. 2005).
[20] Daniel, 439 U.S. at 569.
[21] See generally Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-9 (1996).