Big data: managing the legal and regulatory risks
Too many organisations enter into the hype of big data without a comprehensive view of the legal and regulatory minefield they're about to navigate
Short of time?
In the rush to embrace the opportunities that big data brings, we must not forget history. One characteristic of the dotcom boom (and bust) was that many new Internet businesses did not address the basics of doing business. For example, many of them found too late to their cost that they had not secured their asset values through appropriate legal protection and intellectual property rights. After all, anyone can set up a website. That meant that funding from private equity and venture capital sources was hard to come by.
When adopting a new and potentially disruptive technology such as Big Data, just as with any new venture, all the risks need to be identified and managed. That includes securing asset values and addressing the other legal and regulatory risks. As the Information Commissioner recently observed, Big Data is 'not a game played by different rules' (The Information Commissioner’s Office, Big Data and Data Protection, 2014). Among other things, a failure to address legal and regulatory risk in relation to Big Data could result in a serious regulatory breach, attracting fines, reputational damage and loss of business. In this article we consider how to identify and manage such risks.
Big Data consists of large, complex data sets generated from sensors (for example, via the Internet of Things), Internet transactions, mobile payments, email, click streams and other digital interactions. Small and unconnected pieces of data generated from these sources, when amalgamated and subjected to powerful Big Data analytics, can reveal useful information about the user.
Why use big data?
Big Data analytics is predictive in character, allowing a business to interact with its customers as individuals, on a bespoke basis (reflecting customer preferences) through tailored advice, offers and related products, with the objectives of obtaining a market advantage and engendering customer loyalty. Beyond customer interactions, Big Data is used to make market predictions and will increasingly inform business strategy.
> See also: Is big data dead? The rise of smart data
In the technology arena, Big Data will spark economic activity as diverse as joint ventures and collaborations, monetising data sets (by licensing, including by data aggregators), software and app development, supply of hardware for processing capacity, consultancy services (for contextualising data and analytics), sourcing and outsourcing, supply of connectivity (communications and data carriage), and the provision of new infrastructure (such as data storage and management). In the public sector, Big Data will be used to implement public policy by delivering public sector efficiencies.
Controlling use of big data
Data privacy law is one area of law that any business is going to have to take very seriously indeed in relation to the use of Big Data. While these laws vary from country to country, in Europe there are certain commonalities. Big Data typically involves the reuse of data originally collected for another purpose. Among other things, such reuse would need to be 'not incompatible' with the original purpose for which the date was collected for reuse to be permissible. The Article 29 Working Party (consisting of the data privacy regulators across the EU) has set out a four stage test to determine when this requirement is met.
The four stage test includes a requirement that safeguards are put in place to ensure fair processing and to prevent undue impact on the relevant individual. This could include 'functional separation' (that is, anonymising / pseudonymising or aggregating the results).
Functional separation may be difficult to achieve in relation to Big Data (where the sheer volume of data may make identification possible when large data sets are brought together). On the other hand, reuse is more likely to be compatible with the original purpose if it is impossible to take decisions regarding any particular individual based on the reused data.
In many cases, the only way to overcome data privacy concerns in relation to Big Data will be by way of adequate consent notifications. To obtain effective consent in relation to Big Data analytics is not straightforward.
The possession of large data sets can confer market power and exclude other market entrants. Competition regulators (and competitors) aggrieved by lack of access to such data may attempt to deploy competition law to force such access. Aggregations of data sets by merger and acquisition activity may also attract the attention of competition regulators.
Tax laws may also have an impact on Big Data projects. For example, the OECD’s Centre for Tax Policy and Administration is currently considering a proposal (called Base Erosion and Profit Shifting) to control the way digital businesses structure their profit flows internationally to limit tax exposure.
Likewise, discrimination laws in the UK and across the EU may need to be considered. They may be relevant where, say, the outcome of Big Data analytics is to offer goods and services selectively in a way that is discriminatory.
How do you protect rights in big data?
Across the EU, the intellectual property right that could provide the most protection is the database protection regime. It has limitations, as do copyright and patents in relation to Big Data. The law of confidentiality may provide some protection, depending on the particular information and its source. As the law in this area may provide only limited protection, it may sometimes be necessary to return to the basics: ensure that any disclosure is coupled with adequate contractual confidentiality provisions limiting further use and disclosure.
Conversely it will be essential to check that the compilation of a Big Data data set has not infringed a third party’s intellectual property or contractual rights.
What are the other potential liabilities?
Among the potential liabilities that need to be addressed is the question of data reliability. Data sourced from publicly available sources, from another business, or collated by the business itself, may contain errors. Such errors may be processing errors or may arise at source (for example, from mistakes in field coding and other inputs). These errors may flow through to the outputs of the data analytics processes (such as trend analysis and predictions), upon which a business’s strategic and investment decisions may depend.
Data sets may have their origin in several different sources. So-called 'open data' is typically licensed on terms similar to those applicable to open source software. Such terms usually give little or no comfort in relation to the reliability (and non-infringing nature) of the licensed material.
Public providers of such data sets (such as local authorities or central government) are seldom willing to accept liability for losses arising from reliance on the data (particularly when the data are provided free or for a nominal charge).
Businesses who on-supply such data, or who provide services dependent on that data, could potentially face claims in contract, in tort (for example, for negligent misstatement) or for some other form of liability (this could include consumer claims based on statutory rights). They will need to ensure that they circumscribe their own liability on a back-to-back basis with their own supplier where possible, or insure against the risks.
What technical and organisational measures should be considered?
Interception, appropriation and corruption of data remain an issue for businesses possessing Big Data data sets, just as with any other data. The data privacy laws in many countries require that the data controller implements appropriate technical and organisational measures to safeguard the security of personal data. Such laws typically require the data controller to flow down these requirements in contractual relations with their suppliers. These requirements will apply to Big Data data sets held by businesses that contain personal data.
Businesses will also need to take into account the new EU Data Protection Regulation, which will require that technical and organisational measures ought to be provided for by design and default. Purely technical solutions, implemented in the absence of a more comprehensive approach to information governance, may not be adequate.
> See also: Big data: not a magic pill, but an antidote
Businesses whose business models depend on creating and exploiting Big Data will need to develop an approach to information governance that is capable of addressing the risks presented by unstructured Big Data data sets. Compliance with information retention requirements will need to be reconciled with the legal and commercial imperatives regularly to purge unwanted data as part of a business’s risk management strategy.
The need for expertise
A recent survey by Accenture (Big Success with Big Data Survey, April 2014) found that 41% of businesses reported a lack of appropriately skilled resources to implement a Big Data project. Such expertise will need to include a legal and regulatory compliance review. It is simply a case of taking steps to address these issues early on.
Sourced from Mike Rebeiro and Marcus Evans, Norton Rose Fulbright LLP