wsf-f - Fotolia
At the end of September 2016, the European data protection supervisor, Giovanni Buttarelli, called on regulators across Europe to take more interest in big data.
He called for a joined-up regulatory regime for big data, including a co-ordinated approach from regulators dealing with data protection, competition policy and consumer protection. It is fair to say, however, that big data is already on the radar of regulators, which have been quick to realise the potential harm created by a few big players with large pots of data.
When it comes to big data awareness, Europe’s regulators have led the way. For example, the Norwegian Data Protection Authority, Datatilsynet, issued a report on compliance issues connected with big data as far back as September 2013. In the US, the executive office of the president issued its report in May 2014.
We have already had one European data protection supervisor (EDPS) opinion on big data, and we have seen big data cases reach the courts in the UK, such as the Vidal-Hall litigation against Google. Google was also the subject of regulatory activity in Spain, France and the Netherlands over its collection of data from various Google properties, including YouTube, in one pot to assist in targeted advertising.
There is also a sign of the multi-faceted approach to regulation in the recent Bundeskartellamt investigation into Facebook, where German authorities are looking at whether the access Facebook has to large pots of data creates a competition law issue. According to an official of the agency, Facebook is a cause for concern as around 28 million Germans are on the site, which amounts to 35% of the country’s population.
Aside from the increased willingness of regulators to look at big data issues, we are also seeing more litigation brought by private individuals concerned about the data others hold on them. For example, we have had a raft of right to be forgotten litigation in Europe, Russia and Japan. We can expect more of the same when the right to be forgotten is strengthened by the new European General Data Protection Regulation (GDPR) in May 2018.
Big data issues are also likely to come before the European Court in the next two years, with the next instalment of Max Schrems’s litigation against Facebook, a civil class action where he claims 25,000 plaintiffs have already signed up, with another 75,000 on a waiting list.
The litigation we’ve already seen shows a real challenge for big data. Organisations want to collect huge amounts of data to tailor their services to individuals and offer them what they want. There are still legal and security implications in all of this. Take the case of Uber, for example. The company collects large amounts of data from its users, including a precise location and direction of travel to enable a car the user has ordered to reach them. However, it also collects data such as the amount of battery power the user has left to help it determine the price.
The important factor from a data protection point of view is to make sure all of this is disclosed and the user consents. There are obvious security concerns about holding this level of data, especially when coupled with the fact Uber also holds financial data. Uber has also been on the regulators’ radar having settled a case with the New York authorities earlier in 2016, after a 14-month investigation into its data handling practices.
So what should those using big data be doing? First, they have to plan properly and have a targeted data acquisition strategy, rather than simply grabbing data because they can. They need to carry out a data protection impact assessment, which will be mandatory from 2016 under GDPR and might already be required in some countries. They will have to make sure they are observing data protection legislation, and only collecting the disclosed data they need. They will also have to build a cyber security game plan around this data to make sure it is protected.
Despite what some regulators might want, there is no chance of the big data genie going back into the bottle. We are, however, likely to see far higher regulatory activity and litigation when people do not get the balance right.