Big brother could get in the way

Who gets to see our data is a sensitive issue which could inflict serious financial and reputational damage on businesses, writes Brid-Aine Parnell

Public outrage at the NSA’s access to metadata from calls and internet communications couldn’t have come at a worse time for businesses that are just beginning to monetise their data by selling it to third parties. Thanks to the American security agency’s snooping, the legal and security issue of handling big data is suddenly a hot topic.

Metadata, the anonymised end-result of analysed big data, is big business, matching customers to behaviours, spending patterns and lifestyles in a way that will help companies to target potential sales as they never have before. At the same time, governments are struggling to legislate for a fast-changing data world, and businesses have their hands full complying with laws and standards, keeping customers happy and keeping data secure.

For some businesses, the cloud and managed hosting environments for their big data represent an unnecessary security risk. Irfan Khan, senior vice president and general manager of SAP’s global big data organisation, says: “The lack of control over hosted environments, regulatory and compliance requirements for specific industries, such as financial services, as well as differences in privacy laws at national and regional levels, are all significant barriers for many organisations.”

However, DMH Stallard partner Frank Jennings disagrees. “We have to remember that data protection laws are technology-agnostic. The existing laws weren’t written, and the future laws will not be written, with technology in mind. It’s all about the data. It doesn’t matter how you process it, where you store it; it doesn’t matter what technology you use, the law still applies to that data,” he says. “It’s just that cloud has some interesting issues.”

Things get interesting in cloud storage and, to a lesser extent, in managed hosting, when data moves out of the geographic region it started in and comes under another country’s jurisdiction. The current legislative landscape is fragmented, with countries in the European Union, states in the US and countries in other regions all working off their own data protection laws.

But the EU is hoping to harmonise the legislation of all 28 of its member states, including the UK. Justice commissioner Viviane Reding has a draft Data Protection Bill which will form the basis for the reforms. The bill isn’t expected to become law until 2015 at the earliest, but it’s now, when the horse trading is still going on in Brussels, that companies are preparing.

In some ways, the proposed legislation could make life easier, since it aims to focus on the person the information came from, not where it’s going.

“As the law changes, what the EU effectively is seeking to do is to export its data protection laws across the world. As long as there’s an EU citizen involved in the process, then data has got to be protected to European standards,” Mr Jennings says.

The EU is also considering putting some of the responsibility on the data processor – the cloud or service provider – as well as the data controller – the company.

“In the coming EU data protection reform, data processors may, under certain circumstances, also be held liable for non-compliance with the data protection legislation; potentially they may be liable in the same manner as data controllers are,” says Didier Wallaert, a lead lawyer for DLA Piper in Brussels.

That shift in responsibility is likely to alter contracts between companies and data processors, something Mr Jennings is already seeing in his work.

“The business will always be responsible for their data so they need to make sure that when they’re contracting with the cloud provider or the analytics provider that they’re putting in place protections in the contract,” he says.

“The legislation talks about ‘adequate technical and organisational measures’, so they need to make sure that they’re putting in place obligations on these suppliers to make sure they keep the data safe and secure.”

And no matter how the new legislation shapes up, there will always be wiggle room for intelligence agencies to gather the information they need, Mr Jennings predicts.

“The NSA and GCHQ will always be able to snoop on data, that’s not going to change under the new EU data protection regulation unless Angela Merkel is managing to tighten things up. But I still think we’ll end up with exemptions for national security,” he says.