Big data and the Internet of Things (IoT) are keys to success for a large number of (if not all) companies, but exploiting them requires dealing with privacy and compliance issues.
We just ran our first Big Data Workshop, which was very well attended by banking and insurance companies as well as technology, telecom and consumables companies, showing that the topic of big data is relevant for companies active in a very broad range of industries. We made our presentation available here, and below is a short outline of the topics covered.
What is Big Data?
According to Gartner:
“Big data is high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery and process optimization”.
An interesting infographic from Bain & Company shows that financial services companies invested $ 6.4 bn in big data in 2015 and that there will be annual growth of 22% up to 2020, with companies that use big data being 5 times more likely to make decisions “much faster” than the competition.
However, the usage of big data can trigger some legal issues.
The fact that data is BIG doesn’t mean that it is privacy compliant
There is sometimes a general perception that large databases aggregating data are privacy compliant. However, if a large database is the result of the collection of personal data that is then aggregated and anonymised, we would still have a privacy breach at the time of the collection and initial processing of personal data. And the process of anonymisation would in any case require compliance with stringent restrictions.
The essence of big data is to collect as much data as possible, but this is just the opposite of the privacy principle according to which personal data shall be “not excessive” in relation to the purpose for which it is processed. And indeed, the comment that I usually have from some clients is that they collect more data than necessary since such data “might” become useful. This conduct would be a major privacy breach that, according to the latest version of the draft EU Privacy Regulation, will trigger fines up to € 1 million or 2% of a company’s global annual turnover (whichever is the greater).
The issue is whether such broad usage of personal data should be somehow restricted, or whether a new way of granting privacy consent should be identified, as occurred in Italy with reference to cookie regulations.
And in the Internet of Things?
As pointed out by European data protection regulators, the Internet of Things poses considerable privacy issues since sensors will be able to collect a much larger variety of personal data. However, as discussed during our workshop, restrictive European privacy regulations might lead to a competitive disadvantage for European companies against US companies, which might rely on more flexible privacy regulations recently reviewed by the FTC. This is one of the main points discussed with the Italian data protection authority as part of the consultation just launched on the Internet of Things, where an essential element of the debate is whether privacy by design might be the right solution to balance individuals’ interests with those of companies requiring data for their business.
But Big Data is not only about privacy…
Big Data poses considerable additional legal issues such as:
- Intellectual property compliance: big data databases might be protected in some countries under copyright laws and in Europe they are very likely to be protected under the database sui generis right. Their usage will require the consent of the IP rights owner;
- Confidentiality: big data might not only be protected under intellectual property laws, but might also represent confidential information of a company or even a trade secret;
- Contractual and licensing restrictions: confidentiality and IP related restrictions mentioned above imply that users of big data shall make sure that they have the right to use it and the license granted to them allows them to perform a specific type of data usage or communication of data to third parties;
- M&A transactions: the review of usage rights on big data and databases in general, and of their compliance with privacy laws, is becoming an essential part of M&A due diligence reviews. Big data and customers’ databases are exponentially recognised as a fundamental and valuable “asset” of a company. And indeed we closed one of the largest M&A deals in Italy last year where the usage of customers’ databases has been a fundamental element of the negotiation that led to long discussions aimed at ensuring privacy compliant solutions that were also business oriented;
- Big data liability: big data makes it possible to predict the behaviour of customers, market trends and inefficiencies of a company. But if such “predictions” are not translated into actions, companies might face liabilities towards their customers, since the damages suffered by them are likely to be considered “predictable” under local laws, and directors and managers might face internal liabilities towards shareholders. This requires putting in place adequate internal procedures ensuring that such issues are addressed in a timely manner and that actions are promptly taken, since “velocity” is one of the main features of big data.