Big Data – Navigating Privacy and Data Protection
By Luc Delany
23 Jan 2015 - Big Data

Like any technology trend, Big Data comes with a number of unanswered questions and therefore faces a number of policy issues in 2015 and beyond. The major concerns are data protection, privacy infringements, data security breaches, the intersection of Big Data and the Internet of Things, and job losses due to increased automation. With ever more data being generated, collected, harvested and processed, issues around data privacy and protection will only grow.

Big data is defined as an all-encompassing term for any collection of data sets that are too large or too complex to process using traditional data processing applications. We can already see how the growing interest in big data is encouraging companies to increase their holdings of information, as it could prove valuable. Big data essentially provides companies with business intelligence. They then have the ability to better understand the consumer but also the inefficiencies in their business. In an incredibly saturated marketplace, big data can provide solutions to overtake the competition.

The principle of existing law in Europe is that personal information can only be processed if the subject has given permission, and used in a way that consumers can anticipate. It should also be accurate, up-to-date and not kept for any longer than necessary. The storing of big data contradicts this entirely. Companies are using personal information in a way that would not have been anticipated and more is likely to be out of date the longer it is held. This is a breach of the existing law.

Good governance and regulation of big data can improve data quality and the reliability of results. However, Governments need to ensure that legal requirements regarding data privacy are met and greater emphasis should be placed on encouraging public interest in, and involvement with, big data projects.

The increased uptake of big data analytics by businesses has led to a need for regulators to provide greater oversight. The rate of innovation in how businesses use big data will make it difficult for regulation to stay current. To add to the complications, the regulation of personal data use varies between countries. For now, the best course may lie in encouraging self-certification, self-regulation and transparency by businesses.

Europe’s advisory body on data protection and privacy, the Article 29 Working Party, has said there are legal and ethical questions about how big data fits within the law. The collection of masses of information could lead to a legal mess for companies in the EU that suffer a serious data breach. A new EU General Data Protection Regulation is currently being debated and UK businesses will be affected by it. Companies will have to disclose every data breach, whether it is major or minor, to the regulator within 72 hours of discovery. For breaches resulting from extreme negligence the fines can go up to 5 per cent of global annual turnover. The regulator will also keep a register of disclosures that is available to the general public and companies will have to notify all affected individuals about a breach if it can have a significant impact on them. The EU General Data Protection Regulation is expected to come into force in 2017.

The Information Commissioner’s Office (ICO), the UK’s independent authority for upholding information rights, is encouraging businesses to act within the law by providing guidance to the business community when violations occur. The ICO released its first data guidance guide in July 2014 and the report acknowledged that, while many big data projects do not use personal information, many gather data on people from social media or consumer loyalty schemes. It has led the ICO to urge companies to be open and clear on how they gather and use data. How companies comply with this is extremely important to the future of big data. If the public begin to question who is gathering their personal data, for what purpose and how it is secured, it will become harder for organisations to gather the big data they desire.

The EU Data Protection Directive prohibits personal data transfer to non-EU countries that do not meet EU privacy standards, and while Australia and Canada have similar regulations in place, the USA has no specific federal DPA or privacy act. It does have several privacy laws specific to particular sectors or industries, but at the current speed at which big data is harvested and analysed this may not be enough. To enable US companies to comply with the EU Directive, a ‘safe harbour’ framework has been developed. This allows an organisation that self-certifies compliance with this framework to meet EU standards. The ICO is also working with the US Federal Trade Commission to increase cross-border enforcement.

It will be interesting to see how the new Republican-controlled Congress will respond to President Obama’s call for increased cyber security, data privacy and protection in light of the recent Sony and Target hackings. While top-down regulation may comfort some, self-regulation, especially at a time when big data has yet to reach its potential, is the quickest, most flexible and most effective guidance to pursue at this point in time. Needless to say, whatever Governments decide to engage with, the longer they wait, the more unmanageable big data will become.
