Is Big Data too big to manage from a privacy perspective?

By 2003 we were creating as much information every two days as we had from the dawn of civilization until 2003, and today we create even more. On any given day we create 2.5 quintillion bytes of data – so much that 90% of the data in the world today has been created in the last two years alone. This data comes from everywhere and relates to everything and the power of Big Data allows you to analyse it. However, the sheer power of Big Data may be what puts obstacles in its own way.

What is Big Data?

Big Data refers to large volumes of high velocity, complex and variable data that requires advanced techniques and technologies to enable the automated analysis and eventually use of the data. The data is collected both from traditional and digital sources inside and outside companies e.g. through public databases, purchasing data and statistics, social network interactions, web surfing, time and location data, and from countless more sources.

Big Data does not simply mean the vast amounts of input data but also inherently refers to the tools to manage and analyse it and the output of the analysis. Such tools are becoming more and more accessible as the required software, process power and data storage are becoming
cheaper and cheaper. This gives ordinary companies the possibility of tapping into that reserve of knowledge and applying it to their own company specific environments in order to further their business interest and to gain a better understanding of their business, customers, and the
marketplace. What will distinguish successful companies is the ability to analyse the data and put it in the right business context, e.g. by understanding its customers and the marketplace.

For companies not able to administer Big Data themselves, an industry of service providers offering Big Data services has sprouted up making Big Data available for any big or small company. Big Data has already been shown to aid companies in several different areas including healthcare,
mobile communications, smart grid, traffic management, fraud detection, marketing and retail, both on- and offline.

Anonymised data or personal data

To get the best out of Big Data, you need to collect as much data as you can, keep it as long as possible, and use it for as many different purposes as you can. Big Data creates a problem here because what is not said in the definition is that a lot of the data directly relates to individual people and their behaviour, i.e. the information in Big Data is often personal data in disguise.

Considering the obligations that come with processing of personal data, Big Data is often only interested in using anonymised data as the processing of anonymised data is not subject to personal data protection legislation. However, it has been shown that the great powers of Big Data may be its Achilles’ heel as anonymised data easily can be de-anonymised with few extra data.

In 2006, Netflix released over 100 million movie ratings made by 500,000 subscribers to their online DVD rental service. Netflix had anonymised the data set by removing any personal details to protect its customers’ privacy. Despite this, researchers could shortly afterwards announce
that they were able to de-anonymise the data by comparing the Netflix data against publicly available ratings on the Internet Movie Database (IMDB). (1)

Under our current legislation, any anonymised data which is possible to de-anonymise and reconnect to an individual e.g. by the availability of the original record or other information, will still be considered to be personal data (the original record does not have to be available for the processor, it is sufficient that the reconnection is possible). Put briefly, even though data may seem anonymised it might not be in a world of Big Data.

Hence, based on the Netflix-problem, companies cannot feel safe and disregard personal data protection based on the presumption that the data is anonymised which will have a major impact Big Data in general and specifically on so called “profiling”(2) which utilizes Big Data to predict
customer behaviour in order to render a company’s actions more effective. Instead, companies that wish to strengthen their business by using Big Data will need to take a more pre-emptive and structured approach and exert themselves to handle any data referring to, or produced by, individuals in accordance with personal data legislation.

Legal landscape for Big Data

The processing of personal data by Swedish entities, or for entities established in Sweden, is regulated by the Personal Data Act which is based on principles contrary to Big Data. Put simply, the current legislation does not take the latest technological development into consideration. For the market to be able to make the most of this new tool, we would need new legislation in the area. Fortunately, European data protection legislation is in the process of being updated as the future of privacy is about to be harmonized within the European Union.(3) However, what is less uplifting, strictly from a Big Data perspective, is that the current version of the regulation goes the other way and makes Big Data even more problematic. This paired with the fact that the new regulation proposes heavier sanctions, further emphasises the need for companies to review their processing of data.

Conclusion

In essence, we have a new analytics tool that promises to be of great help on all different markets, but which is also hard to fit into the personal data legislation both of today and of tomorrow. Should, however, companies choose to tap into the new possibilities of Big Data it is advisable to structure any processing of data with personal data protection in mind to avoid investments being squandered.

(1) http://news.cnet.com/8301-13739_3-9826608-46.html
(2) Profiling is defined in the Regulation as “any form of automated processing of personal data intended to evaluate certain personal aspects
relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location,
health, personal preferences, reliability or behaviour;”
(3) Regulation of the European Parliament and the Council concerning the protection of natural persons in connection with personal data
processing and with regard to the free movement of such data (the ”Regulation”) dated 25 January 2012, COM (2012) 11 final.