By now, you’ve probably come into contact with big data in some way, whether this be through personalized recommendations on Netflix or insurers that use the technique to reduce car insurance premiums. So far, there is not widespread concern that these data acquisition systems could be abused.
That lack of concern is partially based on ignorance, of course: most people remain blissfully unaware of just how much data is being collected on their online habits. In other cases, consumers exhibit a touching (and somewhat naive) confidence in their governments to protect them from tech companies misusing this data.
Unfortunately, governments have not been that effective in addressing the privacy concerns of big data and, in fact, appear keen to use big data systems themselves for some pretty dubious purposes. In reality, we are quickly reaching the point where the scale of big data collection and processing is beyond the ability of governments to regulate it.
In this article, we’ll look at recent government attempts to regulate big data, and explain why they will become increasingly inadequate in the coming decade.
First, let’s give credit where credit is due. Governments in the West appear keen to regulate data, and some administrations have passed fairly strict provisions to do so. At this point, it’s obligatory to mention Europe’s GDPR, invariably described as the “Gold Standard” when it comes to protecting consumers’ privacy rights. This regulation is now also being imitated by many other executives, including a sizable number of US states.
Unfortunately, many of these regulations are based on an outdated assessment of the power and reach of data acquisition systems. You only need to look at the dates when the existing data legislation was passed to see this: at the moment the US largely relies on the HIPAA (1996), the Children’s Online Privacy Protection Act (1998) and the Computer Fraud and Abuse Act (1986), all of which are now tasked with regulating technologies that simply didn’t exist then.
In addition, none of these regulations cover big data specifically. Rather, they are built to control small-scale data acquisition systems. “In the United States, there are no laws that currently regulate Big Data specifically,” writes Jacqueline Klosek, a lawyer with Goodwin Proctor, a law firm that specializes in high-tech issues. “Rather, companies seeking to participate in Big Data operations must ensure that their proposed activities comply with privacy laws that are applicable to the data involved in their operations, as well as the companies’ own privacy policies and all applicable contractual requirements.”
But it gets worse. Given the international reach of big data collection systems, it’s difficult to believe that regulations passed in any one territory can adequately control them. In a world where 50.7% of global internet population is based in Asia, much of the data that organizations are working with has been collected from citizens in countries that have little (or no) data privacy legislation. In fact, in Asia governments seem to be moving in the opposite direction: toward a form of “surveillance capitalism” in which governments rely on big data to manage their populations.
As a result of all of these factors, the world of big data is already largely unregulated. Some governments have realized this, notably state-level legislatures in the USA, but in reality things are about to get a lot worse. In the next decade, governments might lose the ability to meaningfully control the way in which data is collected and processed.
This is due to a number of reasons. One is simply the scale and complexity of big data flows today. The number of companies who make their money largely from selling consumer data has risen rapidly in the last decade, and many of them are based outside the West, partially in order to avoid data regulations.
A second issue is that of data theft. Cyberattacks have been on the rise for much of the past decade, and many analysts feel that the hackers are winning the cyberwar. The prevalence of unauthorized data breaches means that, even where organizations are following government-mandated data privacy guidelines, the data they hold are still regularly leaked on public channels.
The third problem is inherent to the paradigm that underpins existing data regulation. Even Europe’s GDPR is based on the assumption that the data firms collect can be effectively anonymised before it is processed or sold. A growing body of research, however, suggests that the sheer number of data points now available for most individuals means that their data can never really be anonymous. By cross-referencing data collected from various sources, those wishing to misuse it can now reveal the identities of the individuals it was collected from, completely undermining the requirement for anonymity in much existing privacy legislation.
The Bottom Line
These problems are not ones with easy solutions. However, it is clear that governments still need to do more to regulate big data. While it may be impossible to stop every cyberattack, and to regulate small companies who are based outside their jurisdiction, it is possible to further regulate the tech giants who still dominate data acquisition. In practice, this means that the US government needs to take further steps to control and limit the activities of the Big Five tech companies (Facebook, Amazon, Apple, Netflix, Google) that are based in the US.
The fact that big data is increasingly hard to regulate doesn’t mean we shouldn’t try.