Machine learning, artificial intelligence and other big data analytics tools are delivering business value by producing valuable insights and augmenting human skills in judgmentbased functions. In the proptech arena, this trend is fueled by new innovations, the exponential growth in data collection, and the price performance of data storage and analytics. Technology is driving this growth in ways that were previously only contemplated in the movies and our imagination.

Meanwhile, the legal constructs that had governed relationships between contracting parties need to be evaluated and updated to account for the changing landscape brought about by data analytics. One key fact is that big data analytics systems "learn" instead of being programmed, and it is often difficult or even impossible to understand or limit how they use inputs or to know why they arrive at the insights they deliver. Another key fact is that the data and the insights produced may not be protected by intellectual property laws and must therefore be protected in different ways than traditional outputs.

Proptech (also known as Commercial Real Estate Tech/CRETech) may seem like just the latest buzzword. However, we believe that proptech is growing rapidly and is poised to disrupt the global real estate industry. With the value of all global property pegged at roughly $217 trillion,1 both tech startups and established companies are trying to reap benefits by reducing inefficiencies in workflow and by bringing new innovations and technologies to the market.

What is the constant and key concept that runs through each of the associated proptech tools, software, platforms and devices?

DATA, and lots of it. Companies are capturing increasing amounts of data, and they are realizing that there is a tremendous value to be gained by analyzing and using that data. The question is not only what to do with it, but what are you permitted to do with it?

Before diving into a series of DOs and DON'Ts about managing your data and data licenses, it's helpful to understand the various possibilities and value that companies can extract from the data that they have access to. Data analytics is a process of inspecting and analyzing data with the goal of discovering useful information in order to draw conclusions about the information. 2 Data analytics is often grouped into four key categories: 3

1. Descriptive: What is happening? Descriptive analytics focuses on describing metrics and measures within a collection of historical data. It is useful for showing patterns that may offer insights into a business. As basic examples, a real estate broker may track and provide a report on how many visits a particular residential real estate listing received in a prior week or month; a facilities management (FM) provider may have a dashboard that provides access to a regular report of how many work orders are initiated or are outstanding in a given month for a portfolio of properties; and an Internetconnected thermostat may provide a report of an HVAC system's use over the past 10 days.

2. Diagnostic: Why is it happening? Diagnostic analytics examines historical data to find out dependencies and to identify root causes of certain results. For example, the real estate broker may learn that a particular residential real estate listing that received a high volume of visits is located close to a school that was recently ranked as top-tier; the FM provider may learn that the majority of work orders were for snow-related services for the properties in the northern part of the country that had experienced a snowstorm; and the property owner may learn that his or her HVAC usage increased by 50 percent compared to the prior week, coinciding with a scorching heat wave that just came through the area.

3. Predictive: What is likely to happen? Predictive analytics uses the findings of descriptive and diagnostic analytics to help identify trends and forecast future results. For example, the real estate broker may see a pattern evolving and predict that other residential real estate listings within the same school district will also receive greater levels of interest; the FM provider may predict that other properties that experience a snowstorm will also receive an increase in work orders for snow-related services; and the AI operating the thermostat may notify the owner that, because of a future heat wave that has been forecast for the area, his or her HVAC usage will increase compared to the normal usage.

4. Prescriptive: What do I need to do? Prescriptive analytics focuses on what steps should be taken in order to eliminate a potential problem or take 3 Mayer Brown | 9 Dos and Don'ts for Big Data Analytics in Proptech advantage of a particular trend. The real estate broker of the example above may recommend to its other clients with homes for sale within the same school district that they consider higher listing prices; the FM provider may order additional snow-removal equipment/supplies for properties that are in areas that often experience snowstorms; and the property owner, when facing a future heat wave, may conduct preventative maintenance (e.g., check for air leaks, clean AC filter) and identify other areas where energy consumption can be reduced.

What to do—and not do—to reduce legal risks in big data analytics?

While leveraging data analytics to translate data into clear and meaningful insights to achieve a competitive edge, companies need to consider the underlying rights and risks associated with this technology and the information it produces. The risks include inadvertent loss of rights in data, violation of the rights of data providers, overdependence on third-party data analytics providers, and failure to adequately monitor and protect data that has been shared with other parties.

  1. Do review data license clauses carefully and understand their potential impacts. For this purpose, think of any agreement where one company accesses the data of another company as a data license, whether styled as such or not. For example, if you contract for an FM service provider to manage your commercial real estate, the FM provider will require access to and use rights for certain data from you in order to manage your properties (e.g., location of properties, maintenance and vendor agreements for each property, tenant information, entry and exit times for employees who scan badges). Thus, there will be a data license.

    Your FM provider (and its data scientists) may be in a position to market and sell insights derived from access to property and leasing terms and associated data from multiple commercial real estate owners. Your FM provider also may be able to sell, for its own benefit, logs of entry/exit times (and other personal information) of tenant employees in one of your buildings to local lunch providers.

    In addition, providing access to data without contractual restrictions may be equivalent to an unlimited license. Outsourcers, cloud providers and other third-party contractors often push to include in their contracts broad express rights to use customer data as well as any data or insights derived from such customer data.

    Thus, it is important to understand and, where appropriate, limit the rights to use data that you provide, especially if you have limited rights to use such data. In addition, if there is value to be derived from your data (even at an aggregated level), then you have an opportunity to craft a business deal that reflects a sharing of that value.
  2. Do consider the purpose of the data collection, including uses that may not be imminent at the time the data is gathered, and obtain appropriate consents and licenses. The best chance to obtain an adequately broad consent and license is at the start—for example, when you negotiate the lease with a tenant or first obtain the data from an individual. The FM provider in the example above would likely advocate for a broad data license right so that it can use the aggregated property management data to develop market information analyses and products that it can then sell for a profit. 4 Mayer Brown | 9 Dos and Don'ts for Big Data Analytics in Proptech However, those purposes might not have come up during your lease negotiations with your tenants or in developing the applicable policies because, perhaps, this opportunity had not been identified. If you permit the FM provider to use data obtained from you for this purpose, then make sure that (i) you can grant the FM provider the right to use your data in such manner (perhaps by modifying the restrictions in the licenses under which you obtained such data, for example, in tenant leases) and (ii) the business deal adequately compensates you for the data access that you give to the FM provider.
  3. Do know where data is coming from and what rights, licenses and consents you have. Data often comes from multiple sources and is stored in multiple databases spanning the entire enterprise. Due to the volume of such data feeds and data stores, tracking and understanding your rights to the underlying data can become quite complicated (e.g., consider a commercial real estate owner, its FM provider, its tenants, its tenants' employees and their personal information (including CCTV and other security information)). Best practice is to implement a process that categorizes the data depending on its sensitivity (e.g., personal information, data subject to HIPAA (in the United States), sensitive pricing information) and tracks the data as it is used and shared within and outside of the organization.
  4. Don't exceed those rights, licenses and consents. While this principle is easily stated, it may be challenging to implement across a large organization, where many different personnel have access to the data. It is important for a company (and its personnel) to understand where data is coming from, the rights the company has to such data and where the data may ultimately flow. Continuing with the example above, consider a situation where you have only a limited right to use certain data from tenants but inadvertently grant a broad license to the FM provider to use and process all of the data obtained from tenants (e.g., including entry/exit logs and home addresses) when such information is not required). In such a scenario, tenant employees may be concerned because the FM provider's access to the data increases the risk of inadvertent access or a security breach. With that additional information, a thief or home intruder may be able to learn patterns of when tenant employees will not be at their homes. Therefore, best practice is to (1) implement a process for tracking your data rights, licenses and consents that is linked to the data categories you're monitoring (as suggested in item #3 above) and (2) confirm before using or granting access to data in new ways that you have obtained all required rights, licenses and consents.
  5. Do monitor evolving data laws and regulations, including those relating to privacy, cybersecurity, import/export, e-discovery and records retention, in your industry and geographies and for the types of data that you gather, store or use. Data privacy is an evolving bundle of issues that impacts all types of businesses and industries. A company cannot simply implement "reasonable" steps to be in complete compliance. There are state, federal and international laws with specific requirements. For example, a commercial real estate company with a tenant's employees' information (e.g., names and photos for ID badges) will need to be aware of the applicable data privacy laws.
  6. Don't assume that having a consent, license or absence of regulation means that you can ignore reasonable expectations and potential ethical obligations. Personal and ethical sensitivities are evolving quickly. The market appears to punish perceived abuses, even if permitted under all applicable privacy laws. Data giants such as social media and search providers are the focus of most current regulatory attention, but it's easy to imagine a future where, for example, building owners are held to account for knowing too much about visitors and profiting too freely from that information. Building owners could also become particularly vulnerable because there has not been a practical way for them to obtain the broad consents that social media companies obtain in their terms of use published online.
  7. Don't expect the digital business team or the data scientists to spot the legal issues in big data analytics. Digital business teams are focused on the business opportunities, and data scientists are focused on new ways to derive insights from accessible data. They aren't trained, naturally inclined or motivated to ask whether all of the necessary rights, licenses and consents are in place. Running a digital business and data science are novel and complex activities at this point and have not been wellintegrated with compliance and licensing functions at most companies.
  8. Do ensure that you are flowing down to your contractors and other licensees, and that they are flowing down to their subcontractors and sublicensees, any applicable data restrictions. Just as it's important that you know your obligations with respect to data, it is also important to ensure that others who obtain data directly or indirectly through you are subject to terms consistent with those rights and obligations. Take the example of the company with commercial real estate and the FM provider: While the rights that the FM provider has with respect to data from the company may be expressly stated in their contract, the commercial real estate company should also require that any data restrictions be flowed down to any subcontractors that the FM provider may use to perform its obligations.
  9. Do document and implement rules, processes, procedures and a strong governance mechanism to govern and secure your data. It is in both the sharing party's and the receiving party's interests to implement a strong governance process that addresses and protects the rights to use shared data and helps regulate the use of that data. The sharing party should consider requiring the receiving party to notify and train its employees on the contractual restrictions regarding the use of shared data.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.