Big Data is the new black. This ‘phenomenon’, which has seen businesses around the globe boost their economic activity from harnessing the commercial value of their data, has now even grabbed the attention of governments on both sides of the Atlantic.
In March 2014, the UK government announced the formation of the Alan Turing Institute for Big Data. The eponymous Institute, which bears the name of one of the key individuals who used technology to break Nazi ciphers during the Second World War, has been given a specific remit to invest money in the exploration of Big Data and how it can be used for the greater good.
More recently in the US, on 1 May 2014, the Executive Office of the President published a report on ‘Big Data: Seizing Opportunities, Preserving Values’, following an investigation as to how Big Data could transform the way we live and work and how the public and private sectors can maximise the benefits of Big Data while minimising its risks.
Without doubt, these developments are both welcomed. However, unless the technological advances, which are being embraced by businesses and now encouraged by governments, are accompanied by wholesale reconsideration of the accompanying legal framework for the treatment of data, Big Data represents something of a legal time bomb for its key proponents and individual alike.
The concept has the potential to deliver significant developments in the scientific arena and an enhanced consumer experience in other sectors. In engineering and manufacturing, Big Data is used to predict maintenance issues, enhance manufacturing quality and manage costs. In healthcare, the aggregation of data facilitates the prediction and more rapid reaction to critical clinical events for the benefit of the patient. In retail, data analytics are used to improve the accuracy of stock forecasts and to predict changes in demand. In financial services, real time Big Data allows financial institutions to make more advised trading and risk decisions. In the entertainment arena, Big Data is credited with the decision of Netflix to commit at least £50m to commissioning the remake of the 1990s BBC production, House of Cards, with a Hollywood cast, for a new audience: a determining factor being detailed analysis of the viewing preferences of subscribers to the platform.
The legal framework, which is being used to ‘regulate’ and ‘police’ the Big Data arena, however, is woefully inadequate – being based almost exclusively on concepts of privacy from the 1990s or before and with little recognition given to the defining nature of Big Data: the so-called ‘three Vs’ of volume, variety and velocity.
The volume of data being created is unprecedented. It was estimated that 4 zettabytes of data was generated globally in 2013 and, with the cost of data storage falling and extremely little data being properly destroyed on an annual basis, the volume of data available globally will continue to increase, challenging linguists to come up with new approved prefixes to accurately describe the sheer scale of it.
This data is being produced by an ever wider variety of sources. More and more devices are being created with an ability to connect to connect to a network and, increasingly, with each other, as the so-called Internet of Things becomes a reality.
And all this is being done with tremendous velocity – it is estimated that 90 percent of the entire data created in the world ever has been created in the last 24 months. Further, the Big Data market is expected to grow to $16.9bn in 2015.
By contrast, the primary tool used to deal with issues of Big Data from a legal perspective, the notion of privacy, looks outdated, two-dimensional and too narrow in its application.
At its highest level, privacy is underwritten by the complementary concepts of consent and control: if data is personal to me, I should be able to control the use of that information, by requiring any third party to seek my consent before using it. For those who seek to use that data without having obtained my consent – and, by consent, we are generally referring to consent freely given – legal consequences will follow. This is logical and workable where data can be readily identified as personal data/information or even sensitive personal data/health information.
The challenge presented by Big Data, however, is that the technology is enabling an ever-growing global database of non-personal data (over which the ‘owner’ has no control and in respect of which no consent need properly be sought prior to use) to be aggregated in such a manner and to such a degree that it could create personal data/information (even of a sensitive nature) further down the line.
For the Big Data technologists and users, what does this mean? What legal risks are posed if they seek to use this data? For the individual, is it really acceptable that technology can be deployed to enable the triangulation of non-personal data in a manner which has little or no regard to the personal or sensitive nature of the information created?
It was precisely this type of technology which enabled a US retailer to recognise that one of its teenage customers was pregnant, before even her father knew: by analysing its database, a data analyst for US retailer Target was able to identify a number of key products which allowed him not only to assign a pregnancy prediction score to a shopper, but to predict the likely due-date with a very high degree of accuracy. Armed with this information, the retailer was able to provide the customer with coupons which were timed to meet anticipated demands throughout the remainder of the pregnancy.
Irrespective of whether this is great customer service or an entirely inappropriate use of the technology, this scenario is set to repeat itself across sectors with ever more alarming results, as information we would easily accept as being personal is no longer within the control of its rightful owner, but simply a by-product of a technological process, over which no proper consent has been (or, arguably, could be) given. How long before incorrect personal data is produced with very real consequences for those involved?
Against this background, it is to be hoped that the efforts of the UK and US governments to maximise the benefits and minimise the risks of Big Data will extend to encouraging a new legal framework to be developed in line with the technology. In this regard, real effort needs to be invested to ensure that we look to the end product of the Big Data process – what is actually being produced and what impact might that have – so that businesses are not inadvertently caught out for breaches of old data privacy laws and personal rights are not simply ignored. Put simply, in addition to consent, greater focus is necessary on the new ‘V’ of Big Data: veracity.
Alan Turing committed suicide in 1954; his death attributed to poisoning following a conviction for acts of homosexuality, which were criminal offences at the time. Given that a person’s sexuality is, in any major jurisdiction, sensitive personal information, it would be deeply unfortunate if the institute which now bears his name did not work to ensure that privacy is not undermined by the creation of personal information as a technological by-product, with little or no regard to the rights of the individual, and limited protections for the innocent third party seeking to commercialise data for the greater good.
Mark Deem is a litigation partner at Edwards Wildman Palmer. He can be contacted on +44 (0)20 7556 4425 or by email: firstname.lastname@example.org.
© Financier Worldwide
Edwards Wildman Palmer