Big Data Masterclass
This SCL event was hosted by Linklaters LLP and chaired by Richard Graham, Head of Digital within the Richemont Group’s Intellectual Property department. The speakers were Peter Church, a Senior Associate at Linklaters LLP, who addressed the regulatory issues surrounding Big Data; Stéphanie Patureau, an Associate at Linklaters LLP, who discussed the competition law side of Big Data; and Mark Deem, a litigation Partner at Edwards Wildman Palmer UK LLP, who warned the audience of the potential pitfalls of Big Data.
Richard Graham began by providing an introduction to Big Data as a concept. The term ‘Big Data’ characterised the ability to process mass volumes of data, both structured and unstructured. He highlighted a number of reasons why Big Data has become such an important development in the digital environment, including cheaper access to information technology, advancements offered by cloud computing and open source, developments in mobile and sensor technology, the growth of social media and the digitalisation of huge volumes of information. Richard emphasised that there were two important aspects of Big Data for digital businesses: (i) search algorithms; and (ii) consumer analytics. There was significant value in search engine optimisation and advertising, and he noted a number of recent high-profile court cases which debated search engine algorithms. He also listed the vast array of types of data available for consumer analytics, ranging from social data to health and fitness data. From the perspective of the individual, he noted that ‘Big Data knows more about us than we do!’
Peter Church spoke about the regulatory framework governing Big Data. He discussed some of the key attributes of Big Data and their impact on the way it is regulated. One example is the concept of N=All and the shift from causation to correlation. Previously, a small sample of data would have been analysed to test a hypothesis. Big Data, by contrast, lets technology loose on data about the entire population being studied, leaving computers to determine patterns and correlations between data sets. This potentially raises privacy issues, because it allows individual behaviour to be profiled, and accuracy issues, because the Big Data conclusions may be wrong. However, Peter also highlighted the value of Big Data – companies could self-reflect to improve their own operations, whilst externally, there was value in selling data to third parties. Peter moved on to provide a brief overview of the regulatory and legislative framework governing data processing. The key issue is that the data protection rules apply to Big Data in the same way as to other processing. This includes the general processing requirements which regulate data processing, for example, transparency and accuracy, and the context-specific requirements surrounding certain types of data, for example, sensitive data. He noted the differing outlooks of the Article 29 Working Party, at a European level, and the Information Commissioner’s Office, at a UK level. Whilst the former focused on the principle of purpose limitation, the latter was concerned with what may be within the ‘reasonable expectation’ of the data subject. Peter also drew the audience’s attention to the draft Data Protection Regulation, which may be adopted in early 2015, and its role in protecting data subjects, for example, through the expansion of the concept of personal data and the move towards a consent requirement for profiling.
Stéphanie Patureau presented on the competition law implications of Big Data. She discussed how Big Data could increasingly be seen as an asset, whether or not data was a company’s core business, and consequently was something that could impact competitive behaviour and market dynamics. She noted that there were four main tools open to EU competition authorities to deal with competitive behaviour surrounding Big Data: (i) Article 101 of the Treaty on the Functioning of the European Union (‘TFEU’) (and its national equivalents) relating to anti-competitive agreements and concerted practices; (ii) Article 102 of the TFEU (and its national equivalents) on the abuse of dominance; (iii) merger control legislation; and (iv) soft law. In relation to Article 102 TFEU, Stéphanie highlighted that an undertaking may be deemed to be dominant over the data itself (although whether data may constitute a ‘market’ is a matter of debate), or it may be dominant on a market using data. Abuse of that dominant position could take various forms, such as (i) a failure to grant access to data where such data could be considered indispensable for competitors to be able to compete effectively, and not easily replicable, and where there is no objective justification for refusing access; (ii) price discrimination or other types of targeting, enabled by data findings; or (iii) a unilateral decision to lower privacy standards. She also emphasised how data could confer market power, therefore increasingly becoming a non-price competition parameter, which as a result is being taken more seriously by competition authorities when assessing the competitive impact of mergers. Lastly, Stéphanie highlighted the power of certain competition authorities to launch market or sector investigations, possibly resulting in remedies being imposed.
She spoke about the OFT’s recent report on personalised pricing, which highlights some of the possible concerns arising out of targeted pricing practices based on the analysis of data sets.
Mark Deem ended the formal presentations by emphasising that Big Data presented ‘bigger challenges’. He argued that, whilst Big Data offered a welcome ability to boost economic activity and harness the true value of data, it was necessary to understand the true nature of Big Data and ensure appropriate checks and balances were in place to minimise exposure to risk. Mark highlighted five categories of potential harm which, unless addressed, could pose a legal risk.
First, Mark emphasised the tension between the ever-increasing capture of data and certain outdated expectations of privacy. He explained that underlying data, for example metadata or geo-location data, had the potential to counteract and erode the traditional ways in which privacy has been assured. Secondly, Mark highlighted how the mass accumulation of non-personal information could lead to the discovery (or inference) and subsequent disclosure of personal data. Whereas privacy at its highest level was underwritten by the complementary concepts of control and consent, he questioned how individuals could genuinely consent to the disclosure of information which arose during a consumer analytics exercise whose outcome was necessarily uncertain. Where the aggregation and processing of data had the potential to infer or establish personal data, this could trigger data protection obligations, and commercial and PR risks would follow. Thirdly, Mark underlined the threat posed by false conclusions being reached during or following a Big Data exercise, whether through the extrapolation of incorrect information or through projections using statistically questionable data sets or algorithms. He cautioned against over-reliance on Big Data and noted the potential PR, economic or even political consequences of incorrect conclusions being drawn. Fourthly, Mark highlighted the risk of the re-identification of individuals whose anonymity had been desired or required, citing the unmasking of JK Rowling as the author behind the pseudonym Robert Galbraith as a recent example. Lastly, Mark discussed Big Data breaches, commenting that the huge variety and volume of data (as well as its potential value) could lead to breaches on a huge scale or indeed very targeted attacks on the data centres which housed the Big Data activity.
Mark finished his presentation by exploring the legal response to these ‘bigger challenges’. He argued that it was essential to understand what Big Data was and what it was not: it was generally not a pure scientific exercise and should not be seen as such, and any correlations made between data sets fell far short of establishing legal causation. Given the potential legal risks (and financial losses) involved, he argued the need for those engaging in Big Data projects to be able to attribute responsibility at each stage of the analytics being undertaken; to consider at an early stage whether legal jurisdiction could be established over those with such responsibility; and, if so, whether any rights could genuinely be enforced against them. As a final thought, Mark commented that Big Data was originally defined by reference to the relative concepts of volume, velocity and variety of data. In order to achieve a workable legal framework, he suggested that we need to place greater emphasis on the absolute concept of validity, both of the data and of the processes being used.
The presentations were followed by a lively, interactive case study and question and answer session.
Foundations Module 6: Cloud Computing
This SCL event, the sixth in the series ‘Foundations of IT Law’, was hosted by Hunton & Williams and focused on the cloud. Bridget Treacy chaired the event and began by challenging participants to consider what is genuinely new, and what is not new, in a cloud context. She introduced the speakers: Dr Sam De Silva of Pennington Manches LLP, who discussed the cloud from the customer’s perspective; Samantha Hardaway, Associate General Counsel for EMEA Cloud Legal at Oracle, who discussed the cloud from the vendor’s perspective; and Wim Nauwelaerts, a partner in Hunton & Williams’ Brussels office, who discussed the data protection issues raised in a cloud context.
Dr Sam De Silva focused on the differences between the cloud and traditional IT outsourcing. Sam began by highlighting the diverse range of cloud offerings available and how they may be categorised. The defining characteristics of the cloud are that it is on demand, elastic, and customers pay only for the computing resources that are actually used.
Sam then explained the key differences between the cloud and traditional IT outsourcing. Typically, cloud offerings are standardised and there is little scope for customisation beyond the configuration of basic parameters. Cloud vendors are usually not obliged to provide updates or improvements to software. Because cloud offerings tend to be standardised, there is less opportunity to negotiate contractual terms. However, cloud vendors are often more flexible about the length of the contract. Traditional outsourcing arrangements are typically for a term of five years or more, whereas cloud offerings are usually shorter, with some vendors offering as little as 30 days’ notice.
Sam went on to explain that the cloud requires a different negotiating approach to traditional outsourcing. Cloud vendors are unlikely to agree to a number of clauses that would be found in traditional outsourcing contracts, for example, audit rights and benchmarking. Consequently, customers should focus on risk evaluation and selecting a provider that meets the business’ needs, rather than seeking to negotiate particular contractual provisions.
Samantha Hardaway talked about the cloud from the vendor’s perspective. She began by explaining the main drivers for the adoption of cloud technology: globalisation, the need to increase productivity and cut costs, and the recent explosion of big data. Samantha then explained that cloud terms are often not found in a single document, as they would be in traditional outsourcing agreements. For example, SLAs, change management and other key provisions are likely to be found in separate documents, increasingly online. A contract that appears to be two pages long may, in fact, amount to 50 or 60 pages once hyperlinked documents are included.
Samantha provided an overview of key contractual provisions that are likely to be relevant. Cloud providers will not grant IP rights in cloud software to customers. Providers may also request IP rights over certain customer data stored on the cloud. This is typically in respect of aggregated customer data only, which the provider may wish to analyse to improve the service offering. Samantha explained that cloud agreements are usually for a fixed term, typically around three years, and are subject to auto renewal. Due to the nature of the cloud, providers will often, particularly for simpler services, allow the customer to terminate for convenience. In many cases, however, customers will incur early termination costs.
Providers usually require the right to suspend the provision of services. Most commonly, services may be suspended for non-payment by the customer, but other suspension rights are also usual, for example where customer data stored in the cloud is found to be illegal or to infringe third-party IP rights, or where suspension is necessary due to a risk to the service, for example an attack by hackers. A waiver of indirect or consequential damages, together with a cap on damages calculated as a ratio of fees paid, is typical.
Wim Nauwelaerts discussed European data protection law and its implications for the cloud. Wim began by explaining the complicating factors relevant to the cloud. Firstly, there is often a contractual imbalance between the customer and the provider, allowing cloud providers to dictate terms to the customer. Secondly, due to the nature of the cloud, it is often difficult or impossible to determine the physical location of data stored in the cloud.
European data protection law is likely to apply if either the customer or the vendor is established in an EEA jurisdiction. Even where this is not the case, EU data protection law may still apply if the vendor makes use of equipment located in an EEA country for processing data.
Wim explained that it is often difficult to comply with the main data protection principles in a cloud context, for example, to ensure that data are adequate, relevant and not excessive, and that cloud customers know of all subcontractors that participate in the cloud service and all locations in which data may be stored or processed. The key data protection obligations lie with the customer, who may have too little bargaining power to insist on contractual changes. Further, personal data transferred outside the EEA must meet the EU adequacy requirement. Some cloud providers may be Safe Harbor certified. While the Safe Harbor remains an approved legal basis for data transfers from the EU to the US, its long-term future has been called into question by the Article 29 Working Party. Standard contractual clauses may also be used, but may be difficult to implement or unsuitable, for example, where an EU-based service provider makes use of non-EU sub-processors.
Finally, Wim discussed the proposed EU General Data Protection Regulation. In particular, the Regulation is likely to impose obligations upon cloud providers that currently apply only to customers. It is as yet unclear how this will impact the cloud industry, but in any event cloud providers are likely to face increased compliance hurdles.
Annie Clarke is a Trainee Solicitor at Edwards Wildman Palmer UK LLP.
James Henderson is an associate in the Privacy and CyberSecurity Team at Hunton & Williams.