"Industry 4.0" or the fourth industrial revolution is a development made possible by big data. It is about using technology to gather and to analyse data from every stage of the manufacturing and distribution process – and beyond - to improve efficiency, to drive down costs and to create new business and service models covering the entire lifecycle of a product. For example, data gathered from cars in day to day use, and subjected to sophisticated predictive analytics, can produce rich and increasingly detailed data about the likelihood of repair, maintenance or replacement needs as components wear out.

However, as EU Commissioner Margrethe Vestagar said in a speech given on 29 September 2016:

"The future of big data is not just about technology. It's about things like data protection, consumer rights and competition. Things that give people confidence that big data won't harm them."

Commissioner Vestagar's speech highlighted several crucial points at which technology has raced ahead of law and regulation, requiring governments and regulatory authorities to adapt existing rules or rapidly to develop new legislative tools to ensure that technological change does not come at the price of diminished protection for consumers or market entrants. She observed:

"Of course, the competition rules weren't written with big data in mind. But the issues that concern us haven't changed. We’re not here to get in the way of innovative ideas. If companies need to collect large sets of data, or share data with their rivals to build better products, we don't object to that. As long as they don't hurt consumers in the process, by undermining competition"

Big data has to be big

Law and regulation is not necessarily engaged just because data is held in large volumes. The whole point of big data is that is has to be big. Using advanced analytics tools, it is possible to find patterns in a large set of data that you just wouldn't see in smaller or isolated data sets.

Law and regulation step in when there is a risk that the measures taken to arrive at large enough data sets creates a risk that personal data might be abused, or that data will be used in ways that inhibit competition.

Data pooling – whose risk?

For manufacturers, combining data into a single, big pool has the potential to create insights that could not be obtained from data relating just to one operation. For example, motor manufacturers might combine data to improve the performance and interaction of connected vehicles and roadside infrastructure such as traffic lights or road tolling systems. It might also help to teach self-driving cars to operate independently and with enhanced safety – a particularly significant issue in light of the fatal accident on 7 May 2016 involving a Tesla Model S in autopilot mode.

The risks are not just for consumers and end-users. Companies entering into data pooling arrangements must ensure that they do not give away business-critical information, allowing others to coordinate their actions rather than competing to cut prices and improve their products. Disclosure of too much information relevant to market strategies, pricing, product development and innovation could potentially stifle improvement or create a drift towards cartel behaviour.

To address those concerns, Commissioner Vestagar suggested a number of ways in which data might be shared in a way that manages and mitigates those risks. She suggested:

  • Companies might send their data to a third-party platform, and get back aggregate data with no indication of which company it comes from, or
  • Companies might limit the type of information they share. So, car companies might decide not to share information that would tell rivals too much about their technology.

Both suggestions make sense, but in each case avoiding the risk of unlawful behaviour and regulatory intervention requires a very clear-eyed view of the corporate governance issues, compliance measures and contractual issues involved.

Using a third party platform to aggregate and analyse data potentially introduces risks as well as benefits. Relevant questions include the location of the processing activities carried out by the third party, and the enforceability of any contractual rights and remedies against that platform.

Legal and regulatory regimes governing data transfers and data processing are becoming at once more stringent and less consistent. The EU is moving rapidly towards the May 2018 compliance deadline for the General Data Protection Regulation (GDPR). Data transfers between EU member states and the US may now be covered either by the Privacy Shield arrangements approved in July 2016, or by model clauses. However, both are currently subject to legal challenge. Meanwhile, the 12 signatories to the Trans-Pacific Partnership (TPP) trade deal are edging towards its ratification, though much depends on the outcome of the US Presidential election in November 2016. If ratified by a sufficient majority of signatories (which, in practice, means the USA and Japan) the TPP will create radically different rules in relation to data localisation and transfers than those under the GDPR. That would require extremely close analysis and mapping of data flows and precise information concerning the jurisdictions in which data is controlled, processed or accessed to avoid falling foul of – potentially – several regulatory regimes.

It is also essential to pay close attention to the contractual terms binding any third party platform – including the governing law and jurisdiction applicable to the platform's terms and conditions. The globalisation of data means that there is no necessary geographical connection between the source of data and the location of data processing or storage. UK manufacturers signing up to data analytics services might easily find that the relationship is governed by the laws of an unfamiliar jurisdiction, or that enforcement of obligations would be uncertain, costly and extremely time-consuming.

On that point, perhaps the worst possible outcome occurs where the contract does not specify the governing law or the jurisdiction applicable to the contract. That creates a risk of parallel or competing litigation in different jurisdictions, with neither court or tribunal having the power to stop the other set of proceedings. That risk was exemplified in Conductive Inkjet v Unipixel [2013] EWHC 2968, where the parties were eventually driven to an out-of-court settlement because courts in the US and UK had each decided that they could not strike out the parties' claim in the other jurisdiction.

It is also worth bearing in mind that the third party platform has its own commercial concerns and objectives. Data is valuable, and the ability to aggregate, analyse and gain insights from multiple data sets is the key to finding or creating value in the digital economy. Manufacturers might do well to consider the balance between the price of the services offered by such platforms, and the value of the data that is being provided to them. Consumers have (arguably) shown themselves to be extremely relaxed about providing rich personal data in return for easy internet search facilities, games or entertainment. It does not follow that businesses should be similarly relaxed about parting with or sharing data that can be the key to competitiveness and success.