Data has never been as big a priority in the EU as today. Earlier this month, the European Commission and data industry launched a EUR 2.5 billion partnership to be “at the forefront of the global data race”. In the new European Commission, Giovanni Buttarelli looks likely to be the next European Data Protection Supervisor and will have to seek an accord on a major overhaul of the Data Protection Regulation in 2015, potentially implementing large punitive fines (up to EUR 100 million or 5% of turnover) for those companies and bodies that do not conform to the new EU-wide laws, writes Rachel De Souza.
With the emergence of increasingly sophisticated technology, the ability to capture – and make use of – data available from the internet and mobile technology is rising. ‘Big Data’ involves using vast amounts of data, often an individual’s personal data, from a variety of sources. Big Data analysis demonstrates patterns of behaviour to provide insights and inform the development of new products and services.
Both the public and private sectors are expected to benefit from the development of Big Data. Big Data can provide analysis as soon as it is recorded. For example, this could include ‘real time’ data on private purchases and transactions or provide up-to-date information to public bodies to assist with fraud identification. In recognition of the potential benefits of Big Data, the European Commission and Europe’s data industry are to invest €2.5 billion in a public-private partnership. According to the European Commission, the new platform will “offer secure environments for experimenting with both private and open data”.
As the volume and variety of data for analysis increases, concerns over regulation have become a central topic for data protection authorities in Europe. Although not all Big Data analysis involves personal data, a large part of Big Data operations often rely on the extensive processing of such data.
Within the European Union, the processing of personal data within Big Data strategies is governed by the EU legal framework that provides individuals with specific rights, which are arguably often incompatible with Big Data operations. For example, the Directive requires that data controllers collect personal data only for “specified, explicit and legitimate purposes” and require that personal data must be “adequate, relevant and not excessive” in relation to the purposes for which they are collected and/or further processed. However, Big Data analytics usually involves collecting the maximum amount of data from the largest number of data sources, and then repurposing such data for other uses.
The Commission will have many of these inconsistencies to deal with when they review the Data Protection Regulation next year, the draft Regulation first being introduced back in 2012. One of the key changes under the proposed regulation is the stricter conditions for the use of data for profiling purposes, where profiling is broadly defined to cover many Big Data projects. Under the current regulation, notices about profiling must be highly visible and individuals must have the opportunity to object. Profiling based solely on sensitive data is prohibited. Profiling based on pseudonymous data will be acceptable, provided the data cannot be linked to a specific individual.
Another significant change is that data processors will, for the first time, become directly subject to certain data protection obligations by law. The Regulation will also apply to controllers and processors with no physical presence in the EU. Therefore, if, for example, personal data of EU citizens was held on servers of a Canadian company which had no establishment in the EU, the processing of that personal data in Canada will fall under the remit of the Regulation.
Although no agreement has yet been reached on the final text of the Regulation, it is likely that the sphere of Big Data will see an increase in regulation and the need to balance the privacy interests of individuals with the needs of business’ will become greater. As the Great Race on data magnifies globally, the increasing pull on countries and regions to set security and privacy restrictions on Big Data will be counterbalanced with the increasingly global IT infrastructure.
Rachel De Souza is Associate in Data Protection and Privacy at Squire Patton Boggs.
