The use of big data has come under the spotlight amid concerns that individuals’ private information is being misappropriated on a commercial scale. Elisabeth Jeffries assesses the business implications as the EU prepares to update its data protection legislation.

It was intended as an open, free and benign service connecting people across the planet. But today the web seems to be trapping terabytes of innocently supplied data for more pernicious purposes.

Alongside the spiders of Google and Facebook at its centre, some claim, lie a number of national intelligence agencies that are sifting through all the material gathered in order to spy on the populace.

Public opinion about the internet is changing. The early signs of trouble came last year when CNIL, France’s information security commission, told Google that it was checking whether the company was complying with French data protection law – a warning it later claimed that Google had ignored.

Then Facebook’s “like” button, enthusiastically clicked by millions of users, was unmasked as a covert source of targeted advertising; Barclays announced that it was going to sell data on clients’ spending habits to other companies; and the US National Security Agency was caught spying on European institutions.

All of a sudden, the internet is threatening to mutate from 21st-century pleasure dome into a house of horrors.

A cluster of new technologies has enabled this explosion in the volume of information being captured.

Microchips the size of a fingernail, now containing several billion transistors (raising memory capacity), have driven the development of smartphones and other mobile devices, while the 3G wireless telephony standard has given millions of people high-bandwidth access to the internet on these devices.

“The growth we have seen in smartphones and their applications has depended partly on wireless broadband systems such as 3G. Five years ago there wasn’t much mobile web access, so you couldn’t access apps on your phone,” says Anna-Verena Naether, public affairs manager at ICT trade association Digital Europe.

Other electronic advances have slashed connection costs, while cloud computing is expected to transform business communications.

Developments in satellite navigation technology have also improved mapping and tracking. The esoteric nature of this high-tech industry has inevitably fuelled privacy concerns.

Many consumers are clueless about data storage, yet they are hooked into networks for many everyday transactions while being bombarded with demands for more and more information.

They must rely on trust and, for many younger people, opting out means social exclusion. Meanwhile, the speed, frequency and complexity of transactions mean that the data trail has become a labyrinth.

On the face of it, then, the ICT industry appears to be out of control.

Naether explains: “Let’s say that you’re a consumer giving your details to an insurance company. You have no idea what is going on. You don’t know or care whom the firm is using to process the data, as long as this information is not made public or used inappropriately. But the processor may be another company. IBM, for example, is subcontracted by many businesses for this purpose.”

Boundaries have shifted. In the present climate there is little hope of restricting the amount of material held by commercial interests.

Technically, consumers still own the data they supply online. The question is: who is using it and how?

“Imagine that you buy a phone from Nokia,” Naether says.

“The company gives you a phone number and a code, and it could use these to make a link with your activities online. Nokia doesn’t own that data, but you’re giving the company the right to use it.”

The task of minimising the amount of information harvested is widely seen as problematic, according to Eduardo Ustaran, a partner specialising in data protection at law firm Fisher Field Waterhouse.

“It’s very difficult to say that a company has too much data,” he says. “But there should be an obligation stating that the greater amount of information a company has, the greater its responsibility to keep this safe.”

At the start of this year the European Commission drafted a new set of rules for its planned General Data Protection Regulation.

Scheduled for adoption early in 2014 – updating a directive that was first enacted in 1995 – this reform is intended to empower consumers.

One of the objectives of the exercise is to ensure that neither a data controller (the insurance company, say) nor a data processor (IBM, for instance) is exempt from their responsibilities in using the information.

“At the moment, a data controller will outline in a contract what a data processor should do to store and defend the material, for example. Clear distinctions are made between their obligations,” Naether says.

“But the new data protection regime will require both processor and controller to share liability.”

This may appear to be a more complex arrangement. But it could protect consumers better in the event that cloud computing becomes the norm, which would increase the amount of data transferred among companies still further.

In this way a data controller could not avoid taking some responsibility for any mishandling of information committed by a processor.

Affirming up
A key objective of the EU reforms is to ensure that consumers do have control over the information they provide.

To this end, stronger definitions of consent have been recommended. Under the current system, consent is not always required.

None is needed for the processing of personal data for direct marketing purposes, for instance, although the individual does have the right to object to this.

“Under the new regulations proposed by the European Commission, whenever consent is required to process data, it has to be explicit,” says Mina Andreeva, spokeswoman for Viviane Reding, European commissioner for justice, fundamental rights and citizenship.

“The commission’s reasoning behind this is simple: saying yes is not the same thing as saying nothing.”

This principle has been contentious, with some lobbyists arguing that consent is implied when many smartphone applications are downloaded.

For example, if someone purchases and uses a satellite navigation app, it’s logical to assume that they are in effect consenting to having their movements tracked.

According to Andreeva, the tracking of a person’s location via their smartphone can be considered as the processing of that individual’s data.

“The proposed regulation makes it clear that this is covered by the new rules and limited to the extent necessary,” she says.

Data protection by design and by default are to become essential principles in EU data protection legislation, requiring safeguards to be built into products and services from the earliest stage of development, and privacy default settings to be the norm.

Ustaran dismisses some aspects of the new regulations as naive.

“The EU law is very strict in an old-fashioned way,” he says.

“The idea that people are in control of their data and consent to its use is wishful thinking now. The law should be geared to preventing harm rather than focusing on consent. The reality is that there’s no choice.”

He points out that companies set the terms of which data is requested or how many cookies are dropped on to a user’s web browser – and that there is little discussion with the consumer at that point.

“The law should focus on not letting companies abuse the information so that it has a negative impact on you,” he states.

The forthcoming regulations will apply to any company operating in the EU, no matter where in the world it’s based.

Another of the European Commission’s key objectives here is to harmonise the regime across the single market, since not all member states currently define consent in the same way.

The unbounded nature of the internet and data traffic has led to international conflicts concerning information security, of course, with US companies operating in the EU claiming to be governed by a different system.

But there are shared principles across much of the world – with the most notable exception of China – when it comes to notice, choice, purpose specification, data minimisation and data protection.

“In the US, personal information is an asset – one can extract economic value from it and it can be exploited. In the EU, personal information is a human right that has to be protected.

That means the US legal approach is to ask: ‘What is the financial damage?’

The EU approach, on the other hand, is to consider the impact on an individual’s privacy,” Ustaran explains.

For instance, using credit card data in the US to target consumers may be acceptable, while in the EU this practice would be treated as using information outside its primary purpose.

Giving the gamers away
Cases of high-profile security breaches abound. Last year, for example, professional networking site LinkedIn was hacked by Russian cyber-criminals.

The year before, Sony PlayStation servers were stripped of passwords, user names and credit card details. As cloud computing and smarter applications develop, companies should start considering the risk of facing class actions from customers claiming that their details have not been properly safeguarded.

The new EU legislation proposes raising the maximum penalty for a company’s failure to protect customer data adequately from €600,000 to up to 2 per cent of its annual worldwide turnover.

Ustaran believes that there “isn’t much risk of a class action at the moment, mainly because in order to sue someone you’ll need to claim that you have suffered a financial loss and it’s difficult to quantify the value of privacy.

The law should recognise non-financial damage as something to sue for – annoyance in the case of spam, for example.”

Christopher Wolf, partner at US law firm Hogan Lovells, also doubts that legal action against companies for harvesting excessive amounts of data could be successful at present.

“Given the many appropriate contexts for having information, and the presumption that information may be exchanged freely as part of freedom of expression, it would be very hard to enforce such a right,” he says.

With the goalposts constantly shifting as internet technology advances apace, new legislation could become outdated very quickly.

For the moment, EU consumers are promised a few concessions, such as the right to be forgotten and the right to move data. Under the forthcoming rules, they will be able to ask for their data to be deleted immediately, while they will also be allowed to insist that data they provide to one company is removed and transferred to a competitor.

Meanwhile, the European Commission has reversed the burden of proof: in future, companies will have to demonstrate that the data they hold is still needed, rather than the individual proving the reverse.

Photo: Gallery Stock

