The legalities of big data and data analytics

By Matthew Hunter March 19, 2015

Data is a business asset, like money, IP, stock, property or employees
As with such assets, there are legal rights, obligations, regulations and limits

The legalities of big data and data analytics SOCIETY is producing and collecting more and more data. The analysis of that data can provide significant commercial benefits.

So what are the legal issues if you want to analyse data? There are two: First, you should check that the data is yours to analyse or that you have a contractual right to analyse it. Second, you should consider if there are any laws or regulations (e.g. privacy laws) that limit or impose requirements on the analysis you want to carry out.

What is ‘big data’?

In short, we are really talking about analysing data, lots of data. Thanks to more powerful (and cheaper) technology, organisations can more easily collect and process large amounts of data. The Internet of Things, social media, mobile and e-commerce all provide more data and more opportunities for analysis.

Conclusions from the analysis of this data can create efficiencies, improve customer experience, and save money and time, all of which ultimately drive business success.

So it is no surprise that everyone is talking about big data and data analytics: Startups, multinationals, service providers, banks, retailers, governments, healthcare organisations and education establishments, the list goes on.

Within these organisations, it is not just IT teams that are talking about big data and data analytics, it is also human resources, finance, marketing, sales, operations, management, and research and development.

Why should you think about the legal issues?

Data is a business asset, like money, IP (intellectual property), stock, property or employees. In dealing with any of these assets, there are legal rights, obligations, regulations and limits.

If you get it wrong, there are consequences. We are talking about security breaches, cyber-attacks, the loss of IP, regulatory investigations, regulatory fines (which can be substantial), claims for damages by third parties, even criminal charges, and, possibly worst of all, the loss of reputation, goodwill and trust of your customers and employees.

This is not meant to scare you. These consequences can be avoided. Organisations should analyse data for their benefit!

Here we will consider the legal issues and, most importantly, how to address them (and avoid the consequences).

How should you address the legal issues?

It is hard to avoid getting legal now but I have tried to keep this as clear as possible. If you are analysing data, you should always talk with your legal team.

Broadly speaking, there are two questions to ask: First, do you have the right to analyse the data in question? Second, are there any laws or regulations that limit or impose requirements on the analysis you want to carry out?

If the answer to the first question is yes, you must still consider the second question. The two questions are equally important.

Question 1: Do you have the right to analyse the data?

If you collected the data, then there is a good chance it is yours to analyse (subject, of course, to the answer to the second question).

What if a third party collected the data on your behalf or shares it with you as part of their relationship with you (e.g. a business partner, a customer or a supplier)? Can you analyse this data?

You need to check that you have the right to analyse the data. This should be dealt with in your contract with the third party, which should set out the things you can and/ or cannot do with the data.

If you have the right to analyse the data, then you are okay; but if the contract forbids it, then you will need to renegotiate the terms (otherwise you will be in breach of contract if you do analyse the data).

What if the contract is silent on this issue, or what if you do not have a contract at all?

This is often the case (e.g. if the contract was signed before data analytics was contemplated). The best advice is to discuss the point with the third party and amend (or write) the contract accordingly.

Alternatively, you could take the risk and analyse the data without raising the point with the third party. The risk is that there will be a dispute, which can be expensive, time consuming and, ultimately, detrimental to business relations.

Also, it is hard to be certain you would win the dispute; data analytics is on the increase but the law in this area is still playing catch-up and does not always provide clear answers.

You should also check the confidentiality clauses in your contracts. This could be an issue if you intend to disclose the data to a third party in order to carry out the data analysis (e.g. an analytics service provider).

The data is likely to be subject to an obligation of confidentiality, which, generally, means that you cannot disclose the data to third parties.

What about publicly available data – is this a free for all? No. Publicly available data is often still subject to terms of use.

Twitter data is a good example of this. You should check the terms of use of Twitter before you use its data for analytics purposes.

The same applies for any publicly available data. You should check the terms of use, the basis on which the data is made publicly available. There are often limits or controls on what you can and cannot do with the data.

If you have the right to analyse the data, you still need to answer the second question.

Question 2: Are there laws or regulations that limit or impose requirements on the analysis you want to carry out?

Data, and there are lots of different kinds of it, is increasingly being regulated.

In my previous article, I wrote about the rise of privacy laws in Asia (and that is true for the rest of the world too). These laws protect data about individuals (commonly known as ‘personal data’) and place limitations on what organisations can and cannot do with personal data.

These laws are here to stay and are likely to become more prevalent in the future.

So – and this first point should be obvious – if the data you are analysing includes personal data (that means data about individuals e.g. names, e-mail addresses, addresses, telephone numbers, shopping habits, spending habits, social status, hobbies and the list goes on), then your data analytics must comply with privacy laws.

Three examples:

If you are looking into how often the tyres on your fleet of trucks needs to be replaced, then you do not need to worry about privacy laws.
Do the privacy laws apply if the personal data is anonymised? Technically, no. If the data is anonymised in such a way that the relevant individuals cannot be identified, then the rules do not apply. However, the risk is always that the data can be or will be de-anonymised. There are lots of examples of that happening and sometimes third parties have been able to do so. The burden of compliance with privacy laws is not high. The safest approach is to comply and always think about the security risks if you anonymise the data.
If you are looking at optimising your sales and marketing strategies, based on the analysis of the behaviour of your customers, then you will need to consider these laws. Privacy laws, inevitably, impact a lot of data analytics.

In brief, compliance with privacy laws means you must: (i) Explain to individuals what you are doing with their data; (ii) Get their consent; (iii) Not use the data for other purposes, without obtaining further consent; (iv) Keep the data secure (this requirement is critical and the regulators are focusing their attention here); (v) Keep the data accurate and up to date; (vi) Provide individuals with access to their data; (vii) Protect the data if it is transferred to another country; and (viii) Only keep the data for as long as is necessary for the relevant purposes.

These requirements are commonplace in privacy laws around the world. But the burden of compliance should not be too high. None of these requirements should come as a surprise and they should just represent good business practice to most organisations.

There are other laws and regulations relevant to other kinds of data. These are often sector-specific.

For example, financial services institutions, education establishments, healthcare organisations, the public sector, and telecommunications companies must all comply with their sector-specific regulations.

These regulations often impose requirements on what can and cannot be done with data and what measures should be taken (e.g. security and business continuity requirements) when handling data.

Any data analytics project should consider these requirements as well. The requirements do not usually prevent data analytics, rather they usually impose standards and controls on how the data should be treated.

Conclusion

Organisations should analyse data for their benefit. You should be able to avoid the negative consequences of getting it wrong if you address the legal issues raised above.

Do not be discouraged! Remember that many organisations have been analysing data for a long time – just think about how long you have been using loyalty cards.

Matthew Hunter is an international commercial lawyer at Olswang Asia LLP. His focus areas are cloud, data, e-commerce and e-payments, franchising, IoT, licensing, procurement, sourcing and technology. You can contact him at [email protected],@matthew1hunter or linkedin.com/in/matthew1hunter