First published in the Oath, Issue 39, March 2015
Joby Beretta, Head of TMT-Middle East, considers some of the key legal issues arising from the proliferation of Big Data and questions whether the current GCC legislative framework is ready for these challenges.
What is Big Data?
Most of us have heard the phrase ‘Big Data’ but many may struggle to define it. One of the most often quoted definitions is Gartner’s: “Big data is high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery and process optimisation”. Gartner’s three ‘V’s definition of Big Data (Volume, Velocity and Variety) is often now supplemented by another ‘V’ – Veracity.
Before we assess the fundamental regulatory challenges posed by Big Data, and the applicable regulatory framework in the GCC, let’s consider what is at the core of each of these components in turn:
Most of us are used to dealing with data in Kilobytes (1000 bytes) such as emails, have songs on our iPads in Megabytes (1000² B), upload videos to YouTube in Gigabytes (1000³ B) and our new laptops may even have reached the geek-level of Terabytes of storage (1000⁴ B). Although there is no minimum volume that constitutes ‘Big Data’, its capacity extends into the realms of Petabytes (1000⁵ B), Exabytes (1000⁶ B) and beyond. To put it into context, eBay apparently uses some 7.5 Petabytes of data just to compute its consumer recommendations.
The speed of both the transfer and analysis of data is another feature of Big Data. Stock exchanges for example can capture and process Terabytes of trade information during each trading session, but it is the ability to process and analyse this data in real time that is a fundamental part of Big Data.
Another key element of Big Data is the ability to analyse a wide variety of data such as video, Tweets, information from public databases etc. Today, there are numerous technical sensors around our Smart Cities collecting and transferring data such as our smart phones transferring our GPS location data, SALIK reporting our progress along Sheikh Zayed Road, etc. Big Data has the power to consolidate and process all this discrete information into one very valuable, insightful repository.
The final ‘V’, veracity or accuracy of the data, is key to the ability of Big Data to make enhanced decisions and gain insights. Poor data quality costs the US economy around USD3.1 trillion a year.
What are the key legal challenges?
Various legal challenges arise from Big Data including document retention, data security, national security, consumer protection, spam, cyber security and data protection. Here we will focus on the latter two fundamental challenges – cyber security and data protection.
The region has witnessed a number of high-profile cyber-attacks such as the attack on a major Saudi oil and gas company in August 2012 in which it was reported that 30,000 computers were compromised. This was followed in the same year by an attack on two Middle East banks where USD45 million was reportedly withdrawn from cash machines in 27 countries. As the value of Big Data increases it becomes a bigger target for hackers and cyber criminals. Every player in the Big Data ecosystem clearly needs to be concerned with cyber security.
Here in the UAE, the Government reinforced its commitment to fight cyber crimes in 2012 with the enactment of the Cyber Crimes Law and the establishment of the National E-Security Authority. The UAE Cyber Crimes Law is robust with a wide range of offences relevant to Big Data including:
- hacking and phishing;
- disclosure of e-information without permission;
- eavesdropping, intercepting communications etc.; and
- threatening state security.
Penalties under the law can be up to AED3 million and imprisonment of up to 10 years, and courts have wide powers to confiscate devices and IT systems and shut down illegal websites. In addition, the TRA established the UAE Computer Emergency Response Team (aeCERT).
With the recent enactment of laws in Qatar and Bahrain, all of the GCC countries apart from Kuwait now have specific cyber crimes laws in place as follows:
- Oman: Cyber Crime Law (Royal Decree No. 12/2011);
- KSA: Arab Cybercrime Agreement (No. 126 of 2012);
- Qatar: Cyber Crime Law (No. 14 of 2014) plus Qatar Computer Emergency Response Team (Q-CERT); and
- Bahrain: Cyber Crimes Law (No. 60 of 2014).
In Kuwait we understand the authorities are considering draft laws and, in the interim, are taking action against cyber crimes under existing penal laws. These national laws are in addition to the pan-GCC initiatives such as the Arab States Convention on Combating Information Technology Offences, the GCC Common Cyber Crimes law¹ and GCC-CERT.
The current cyber crime laws across the GCC, combined with active enforcement by the courts and administrative bodies, should therefore be sufficient to handle Big Data.
Data protection / privacy
Another challenge of Big Data is privacy concerns. Big Data collects more data about us, our personal choices and buying habits, and can target advertising specifically for our current location. A further complication is that in the Big Data world data is combined using mining techniques and analytics; therefore we may not know, at the time of providing our consent, exactly what use will be made of the data in the future.
In the UAE, there is no general data protection law but pockets do exist in Dubai International Financial Centre (DIFC) and in Dubai Healthcare City (DHC) and concepts of data privacy are enshrined in a patchwork of UAE laws². The protection in the current legislation is, however, more concentrated on unauthorised access or disclosure of confidential information. There currently is, for example, no express legal obligation to provide end-users with the right to opt-out from marketing material, no general prohibition on SPAM³ and no express restriction on transfer of personal data outside of the UAE⁴.
Similar to the UAE, the other GCC countries have general rights of privacy enshrined across various laws⁵ rather than specific data protection laws (apart from the Qatar Financial Centre (QFC)). Most GCC countries also have specific privacy regulations relating to certain sectors such as telecoms⁶ and healthcare⁷.
In the absence of general data protection laws that apply across all sectors, end users need reassurance that their privacy concerns will be addressed.
Although this could obviously be achieved by specific legislation, an alternative (or perhaps an interim measure) is for companies utilising Big Data to achieve this by complying with privacy policies in line with best industry practice. A good reference point for such policies is the Madrid Resolution principles on data privacy⁸ but there are also various other international bodies which have standards which could be incorporated⁹.
Another option is to voluntarily benchmark the data protection policies to data protection laws which are already applicable to other group companies (e.g. a Saudi bank with a subsidiary in DIFC may opt to comply with DIFC data protection laws across its entire group) and/or consider adopting data transfer agreements similar to those used in Europe.
Companies in the GCC can embrace Big Data with the confidence that adequate cyber crime laws are already in place. In the absence of generic data protection laws GCC companies should, however, consider playing an active role in dealing with privacy concerns to facilitate the full potential of Big Data.