We truly live in an information society, or perhaps more accurately, a data society. Every day, huge amounts of data are processed. Take Facebook for instance. Facebook users generate a mind boggling 500 terabytes of data…each day! These data include some 2.7 billion ‘likes’, 300 million uploaded pictures and 2.5 billion status updates. Another example is Walmart, which processes over a million customer transactions… every hour. And it is not just people that generate a lot of data. Objects are also starting to generate data. The Hollandse Brug (a bridge near Almere) for instance, generates 5 gigabytes of data about itself every single day using a network of 150 sensors.
The creation of huge data sets and the ability to make sense of them using new technologies and software frameworks such as ‘Hadoop’, present huge opportunities and benefits for our society. But the development of what is now colloquially called ‘Big Data’ also raises new questions and societal issues.
One of the most important issues in the context of Big Data is that of privacy. Big data enables both public and private parties to know an awful lot about individuals. Acxiom for instance, processes 50 trillion consumer transactions a year, creating a database with over 1,500 data points on 500 million consumers worldwide. This information could be abused for purposes such as (price) discrimination or the manipulation of consumers. Furthermore, if these data are leaked additional risks such identity theft or reputational damage may arise.
Given the fact that privacy issues in the context of Big Data are so serious, we need a solid legal framework for the protection of privacy. ‘Big Data’ needs ‘Big Privacy’ so to speak.
In Europe, the processing of personal data is governed by the Data Protection Directive (95/46/EC). However, this Directive is for the most part based on a Council of Europe convention from 1981, which has its origins in principles developed in the early seventies, a time when Big Data did not exist.
The result is that Big Data issues are not properly addressed by current legislation, leading to legal uncertainty for organisations wanting to use Big Data, and possible risks for consumers. The good news is that the EU is currently in the process of replacing the Data Protection Directive with a general Regulation on Data Protection. The bad news is that the Regulation does not fundamentally alter the central concepts set out by the Data Protection Directive.
If we want to avoid the possible risks associated with Big Data, we need to look beyond the current legal framework and come up with new ideas on how we wish to govern privacy and data protection in the future.