Series of seminars on Data Management: Security and legal aspects of working with company data, presented by Vojtěch Chloupek of Bird & Bird and Stanislav Bednář of BERNARD LEGAL, and Solutions for cost-effective and flexible company data management, presented by Dalibor Kačmář of Microsoft and Miloš Mastník of T-Mobile.
“Big Data” are the buzzwords; analysing them in order to target your marketing and steer your business through the current uneasy times is sexy, particularly in the eyes of many enlightened managers. And there is nothing to be afraid of when you examine petabytes of data from multiple sources, right?
Well, it depends. As usual, the annoying lawyers will try to rain on the managers’ parade. Or, to be more exact, they will try to tell them what obstacles to look for and how to avoid them if possible.
Without having the ambition to describe all legal aspects of Big Data, I would just like to remind you that some of the Big Data can include personal data (“Big Personal Data”). The current Czech-EU legislation is quite stringent in this respect and it will soon get even juicier with the new EU regulation on the horizon. Among other changes, this new regulation may introduce fines of up to 5% OF THE ANNUAL WORLDWIDE TURNOVER for those bad companies who disobey. And that could kill some of the companies, particularly those with big sales and low margins. By the way, the Czech AmCham tried to influence the lawmakers by taking a clear position in respect of some of the most troubling parts of the draft regulation: http://www.amcham.cz/activities-schedule/detail/157923
My simple advice would be: unless you have to, do not analyse Big Personal Data and do not even let anybody else do it for you.
If you have to analyse Big Personal Data or just want to do so, try to anonymise or pseudonymise them first, if possible. After all, if you want to examine the shopping patterns of your customers (for example by analysing cookies at your website) you may not really need to know their exact names and addresses. The only (major) problem with anonymisation is that, at least from some perspective, it is not possible nowadays: if you employ the latest state-of-the-art software, superfast computers and all available information sources (from the Internet and commercial databases), you will likely attribute most of the allegedly “anonymised” data to specific people.
Examples: (a) already back in 2000, 87% of all U.S. citizens could be identified based on only their birthdate, gender and zip code, (b) in 2006 AOL released “anonymised” data about its customers, later found out that many of them could be identified based on just the pattern of their searches, and subsequently settled with these angry customers to the tune of USD 6 million, (c) Edward Snowden might also be able to give us a couple of examples of what can be done with Big Data if there is a will. To summarise, if the Czech and European data protection watchdogs decide to interpret the term “personal data” in such a broad manner, then Big Personal Data could arise everywhere around your company and even within.
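The re-identification risk described above can be measured before a data set is shared. The following is an added example, not part of the original article: it pseudonymises the name with a keyed hash and then counts how many records are still unique on birthdate, gender and zip code, before and after coarsening those fields. The records, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Alice Novak", "birthdate": "1980-03-14", "gender": "F", "zip": "11000"},
    {"name": "Bob Svoboda", "birthdate": "1980-07-02", "gender": "M", "zip": "11000"},
    {"name": "Carl Dvorak", "birthdate": "1980-11-23", "gender": "M", "zip": "11001"},
    {"name": "Dana Cerna", "birthdate": "1980-05-30", "gender": "F", "zip": "11002"},
    {"name": "Emil Kral", "birthdate": "1975-01-09", "gender": "M", "zip": "60200"},
    {"name": "Filip Marek", "birthdate": "1980-09-17", "gender": "M", "zip": "11005"},
]
QUASI = ("birthdate", "gender", "zip")  # quasi-identifiers named in example (a)

def pseudonymise(record, key):
    """Replace the direct identifier with a keyed hash; quasi-identifiers stay."""
    out = dict(record)
    name = out.pop("name")
    out["pid"] = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:16]
    return out

def generalise(record):
    """Coarsen quasi-identifiers: birth year only, first three zip digits."""
    out = dict(record)
    out["birthdate"] = record["birthdate"][:4]
    out["zip"] = record["zip"][:3] + "**"
    return out

def class_sizes(records):
    """Size of each group sharing one quasi-identifier combination."""
    return Counter(tuple(r[q] for q in QUASI) for r in records)

def k_anonymity(records):
    """Smallest group size; k == 1 means at least one person is unique."""
    return min(class_sizes(records).values())

def unique_fraction(records):
    """Share of records that are alone in their quasi-identifier group."""
    sizes = class_sizes(records)
    return sum(sizes[tuple(r[q] for q in QUASI)] == 1 for r in records) / len(records)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: kept secret and apart from the data
    pseudo = [pseudonymise(r, key) for r in RECORDS]
    coarse = [generalise(r) for r in pseudo]
    print("pseudonymised only:", k_anonymity(pseudo), unique_fraction(pseudo))
    print("after generalising:", k_anonymity(coarse), unique_fraction(coarse))
```

Hashing the name leaves every record unique on the three remaining fields; coarsening them merges most records into groups, but the one outlier is still alone in its group and would need suppression or further generalisation.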
Therefore, the safest solution would be to assume that at least part of your Big Data is personal and comply with the relevant rules and regulations. For example, you should be transparent with the people whose data you are processing (obligation to inform them), you should ask for their consent, you should deploy adequate security measures, you should not transport the data outside the EU (or let the providers of your cloud services do so) without taking care of the legal side, etc. In some cases, these obligations do not apply, for example if the analysis of the Big Personal Data is necessary for you to fulfil the customer contracts. However, this might require consulting someone specialised in this area to take you on the magical boat of Big Personal Data compliance.
BIG DATA & LEGAL ISSUES
In order to fully maximize the value and commercial potential of Big Data, businesses need to understand the variety of associated legal issues. They also need to be aware that not all of these legal issues must necessarily be seen as pure risks, although it is true that, for example, the tightening of privacy regulations around the world makes compliance harder and harder. Regulations governing fairly new topics such as data security and security breaches, as well as those in classic areas like antitrust, will need to be taken into account. But, regardless of burdensome regulation, if appropriate processes are applied, they will surely be helpful in building the company's image and reputation as a good "Big Data" citizen and make it stand out among competitors. Law will also be a very useful and quite indispensable tool in data-heavy transactions as they advance in the near future, be it database licensing and transfers or M&A and finance deals in which data will be a central asset.
WHO OWNS DATA?
One of the possible forms of legal protection for Big Data is the sui generis database right. Where an investment is made into systematically or methodically arranging data (which could include Big Data), a database right might exist which provides legal protection for those who have made that investment to prevent third parties from commercially exploiting and transacting with the Big Data. However, most legal systems (especially in Continental Europe) do not recognize the concept of ownership of data/information. Contrary to common language, in the legal sense data as such cannot be owned by a particular person. For the vast majority of dealings with data, the contractual set-up will be extremely important, including a precise definition of the data/database involved, specific warranties and carefully crafted termination and exit provisions.
BIG DATA & INNOVATION
Big Data is likely to boost innovation throughout software companies, service providers, internet-based businesses, all the way up to large holders of Big Data. All these will have imminent interest in protecting their key assets – people and intellectual property. As far as intellectual property is concerned, the number of patents relating to Big Data has rocketed in the last two years and the trend is likely to continue. In-depth understanding of the benefits of patents for computer-implemented inventions ("software patents"), as well as copyright protection of software and databases, is therefore key.
BIG DATA & SECURITY BREACH
A number of European jurisdictions have implemented or will soon implement (including the Czech Republic) regulations requiring remedial action in case of security breaches, to an extent following the regulations on security breaches as enacted in the United States. A completely new European Cybersecurity Directive is in the pipeline as well as the new Czech Cybersecurity Act. Dealing with security breaches typically includes not only understanding the relevant law and regulation, but also coordinated project management. Already before a security breach occurs, strategic decisions must be adopted with respect to balancing risk and leveraging the regulatory constraints in data processing agreements and other service arrangements with an explicit exposure to data security breaches.
BIG DATA & ANTITRUST
To the extent companies hold Big Data that are indispensable for the implementation of certain business models, they may be confronted with requests to grant third party access to their data. Refusing third party access to such data or discriminating among licensees of such data may constitute an illegal abuse of the Big Data holder’s dominant position and could result in civil litigation and significant fines. The increased interest among competition authorities in data-heavy industries is evident in both the EU and the US. Remedies that have typically been mentioned as those that might be imposed on businesses include FRAND licences (i.e. licensing on fair, reasonable and non-discriminatory terms), data minimisation, portability and restrictions on retention.