This SCL event was hosted by Linklaters LLP and chaired by Richard Graham, Head of Digital within the Richemont Group’s Intellectual Property department. The speakers were Peter Church, a Senior Associate at Linklaters LLP, who addressed the regulatory issues surrounding Big Data; Stéphanie Patureau, an Associate at Linklaters LLP, who discussed the competition law side of Big Data; and Mark Deem, a litigation Partner at Edwards Wildman Palmer UK LLP, who warned the audience of the potential pitfalls of Big Data.
Richard Graham began by providing an introduction to Big Data as a concept. The term ‘Big Data’ characterised the ability to process mass volumes of data, both structured and unstructured. He highlighted a number of reasons as to why Big Data has become such an important development in the digital environment, including cheaper access to information technology, advancements offered by cloud computing and open source, developments in mobile and sensor technology, the growth of social media and the digitalisation of huge volumes of information. Richard emphasised that there were two important aspects of Big Data for digital businesses: (i) search algorithms; and (ii) consumer analytics. There was significant value in search engine optimisation and advertising, and he noted a number of recent high profile court cases which debated search engine algorithms. He also listed the vast array of types of data available for consumer analytics, ranging from social data to health and fitness data. From the perspective of the individual, he noted that ‘Big Data knows more about us than we do!’
Peter Church spoke about the regulatory framework governing Big Data. He discussed some of the key attributes of Big Data and their impact on the way it is regulated. One example is the concept of N=All and the shift from causation to correlation. Previously, a small sample of data would have been analysed to test a hypothesis. Big Data, by contrast, lets technology free on data about the entire population being studied, leaving computers to determine patterns and correlations between data sets. This potentially raises privacy issues, because it allows individual behaviour to be profiled, and accuracy issues, because the Big Data conclusions may be wrong. However, Peter also highlighted the value of Big Data – companies could self-reflect to improve their own operations, whilst externally, there was value in selling data to third parties. Peter moved on to provide a brief overview of the regulatory and legislative framework governing data processing. The key issue is that the data protection rules apply to Big Data in the same way as other processing. This includes the general processing requirements, for example, transparency and accuracy, which regulate data processing and the context specific requirements surrounding certain types of data, for example, sensitive data. He noted the differing outlooks of the Article 29 Working Party, at a European level, and the Information Commissioner’s Office on a UK level. Whilst the former focused on the principle of purpose limitation, the latter was concerned with what may be in the ‘reasonable expectation’ of the data subject. Peter also drew the audience’s attention to the draft Data Protection Regulation, which may be adopted in early 2015, and its role in protecting data subjects, for example, through the expansion of the concept of personal data and the moving towards a consent requirement for profiling.
Stéphanie Patureau presented on the competition law implications of Big Data. She discussed how Big Data could increasingly be seen as an asset, whether or not data was a company’s core business, and consequently was something that could impact competitive behaviour and market dynamics. She noted that there were four main tools open to EU competition authorities to deal with competitive behaviour surrounding Big Data: (i) Article 101 of the Treaty on the Functioning of the European Union (‘TFEU’) (and its national equivalent) relating to anti-competitive agreements and concerted practice; (ii) Article 102 of the TFEU (and its national equivalent) on the abuse of dominance; (iii) merger control legislation; and (iv) soft law. In relation to Article 102 TFEU, Stephanie highlighted that an undertaking may be deemed to be dominant over the data itself (although whether data may constitute a ‘market’ is the object of debate), or it may be dominant on a market using data. Abuse of that dominant position could emerge through various abuses, such as (i) a failure to grant access to data where such data could be considered indispensable for competitors to be able to effectively compete, and not easily replicable, and where there is no objective justification for refusing access; (ii) price discrimination or other types of targeting, enabled by data findings; or (iii) a unilateral decision to lower privacy standards. She also emphasised how data could confer market power, therefore increasingly becoming a non-price competition parameter, which as a result is being taken more seriously by competition authorities when assessing the competitive impact of mergers. Lastly, Stéphanie highlighted the power of certain competition authorities to launch market or sector investigations possibly resulting in remedies being imposed. She spoke about the OFT’s recent report on personalised pricing which highlights some of the possible concerns arising out of targeted pricing practices resulting from data sets analysis.
Mark Deem ended the formal presentations by emphasising that Big Data presented ‘bigger challenges’. He argued that, whilst Big Data offered a welcome ability to boost economic activity and harness the true value of data, it was necessary to understand the true nature of Big Data and ensure appropriate checks and balances were in place to minimise exposure to risk. Mark highlighted five categories of potential harm which, unless addressed, could pose a legal risk.
First, Mark emphasised the tension between the ever-increasing capture of data and certain outdated expectations of privacy. He explained that underlying data, for example metadata or geo-location data, had the potential to counteract and erode the traditional ways in which privacy has been assured. Secondly, Mark highlighted how the mass accumulation of non-personal information could lead to the discovery (or inference) and subsequent disclosure of personal data. Whereas privacy at its highest level was underwritten by the complementary concepts of control and consent, he questioned how individuals could genuinely consent to the disclosure of information which arose during a consumer analytics exercise whose outcome was necessarily uncertain. Where the aggregation and processing of data had the potential to infer or establish personal data, this could trigger data protection obligations and commercial and PR risks would follow. Thirdly, Mark underlined the threat posed by false conclusions being reached during or following a Big Data exercise, whether by the extrapolation of incorrect information or projections using statistically questionable datasets or algorithms. He cautioned against over-reliance on Big Data and noted the potential PR, economic or even political consequences of incorrect conclusions being drawn. Fourthly, Mark highlighted the risk of the re-identification of individuals, whose anonymity had been desired or required, citing the reveal of JK Rowling’s pseudonym Robert Galbraith as a recent example. Lastly, Mark discussed Big Data breaches, commenting that the huge variety and volume of data (as well as its potential value) could lead to breaches on a huge scale or indeed very targeted attacks on data centres which housed the Big Data activity.
Mark finished his presentation by exploring the legal response to these ‘bigger challenges’. He argued that it was essential to understand what Big Data was and what it was not; it was generally not a pure scientific exercise and should not be seen as such and any correlations made between data sets fell far short of establishing legal causation. Given the potential legal risks (and financial losses) involved, he argued the need for those engaging in Big Data projects to be able to attribute responsibility at each stage of the analytics being undertaken; to consider at an early stage whether legal jurisdiction could be established over those with such responsibility; and, if so, whether any rights could genuinely be enforced against them. As a final thought, Mark commented that Big Data was originally defined by reference to the relative concepts of volume, velocity and variety of data. In order to achieve a workable legal framework, he suggested that we need to be placing greater emphasis on the absolute concept of validity, both of the data and the processes being used.
The presentations were followed by a lively, interactive case study and question and answer session.
Annie Clarke is a Trainee Solicitor at Edwards Wildman Palmer UK LLP
