The big data regulation debate

Back in 2006, Sheffield mathematician Clive Humby declared “data is the new oil” after reaping the benefits of helping to set up a supermarket loyalty card scheme. This was the same year that Facebook went mainstream, accelerating the pace of data harvesting and spawning an entire industry devoted to the collection, analysis and monetisation of large sets of personal data. Although many concerns were raised over the following years regarding the potential dangers of the big data revolution which ensued, arguably it wasn’t until the Cambridge Analytica scandal broke in 2018 that the public – and their parliamentary representatives – began to grasp the true gravity of the situation.

From Big Brother to Cambridge Analytica

The exploitation of big data by business has been subject to relatively light touch regulation compared to the oversight of government surveillance. Existing Orwellian fears of democratic erosion were compounded by efforts of Edward Snowden in 2013 to expose the magnitude of digital state intrusion into personal lives. In contrast, Silicon Valley tech giants were given a free pass and were, until recently, seen more as benevolent disruptors, promoting business development and providing economic benefits for all and sundry, donning fluffy sounding taglines such as Google’s “Don’t be evil”.

But some of the problematic (and probably unintended) consequences of the initial embrace of big tech – and social media in particular – have gradually become increasingly apparent, including tax avoidance, information overload, damage to the hospitality sector, and online social harms. Furthermore, collaboration of the private sector with the state sector (eg Google’s DeepMind AI being unleashed on NHS patient data) has raised eyebrows.

….However, the real turning point came in the wake of a Channel 4 sting of now defunct political consulting firm Cambridge Analytica, building upon the work of investigative journalist Caroline Cadwaller. She had written an article almost a year earlier, in which she exposed the damage to democracy through the manipulation of voters via targeted advertising using the harvested Facebook data of up to 87 million people worldwide, orchestrated by Cambridge Analytica on behalf of political clients. Former Deputy Prime Minister Nick Clegg, now vice-president at Facebook, was later forced to argue that there had been no Russian interference with the Brexit vote as a result of the scandal, although there was broad consensus that it had certainly played some part in the election of Donald Trump to the White House.

Europe vs America vs China

Although the Data Protection Act 1998 (DPA) already provided certain rules pertaining to the use of big data sets, it was the introduction of the General Data Protection Regulation (GDPR) by the EU in 2018 which really set the gauntlet for big tech, providing teeth for regulating bodies such as the ICO by raising the maximum fines for data breaches to the greater of €20 million or 4 per cent of global annual turnover. The fine imposed on Facebook by the ICO for its role in Cambridge Analytica fiasco was limited to the DPA maximum of £500,000 because the breaches in question occurred before the GDPR came into effect, but more recent fines demonstrate that companies which fail to keep the personal data of European citizens safe will get more than just a slap on the wrist.

Meanwhile, privacy campaigner Max Schrems, who played a key part in replacing the Safe Harbor agreement with tighter data protection controls for the transatlantic flow of personal data in the form of Privacy Shield, continues to force EU regulators to keep a close eye on the exploitation of data by Silicon Valley. And, although not about data as such, the movement to prevent tax avoidance measures taken by big tech, seems to be driven primarily by European countries.

However, it would not be entirely accurate to frame this as simply a case of Europe trying to regulate American technology companies. Indeed a new data protection law has recently been passed in the heart of Silicon Valley: California Consumer Privacy Act 2018 AB 375 (CCPA), which has been dubbed as GDPR-lite. Another bill making its way through the Californian legislature (AB 1215) prohibits the use of facial recognition software in body cameras by law enforcement, which would build upon an existing ban on facial recognition in San Francisco.

At the other end of the spectrum, China is not only promoting large-scale deployment of automated facial recognition in public spaces, but is also developing a “social credit” system which is a sort of mashup of credit scores, criminal records and everything in between, giving each citizen a certain number of points which can either help or hinder them as they go about their daily lives.

What does the future hold?

Debates around the regulation of big data, and of the internet as a whole (including concepts such as net neutrality), look set to rumble on for many years to come. For better or worse, the original anarchic founding principles of the internet seem to be increasingly becoming a relic of the past. In the Wild West of the 19th century, sheriffs were required to instigate law and order as more land was claimed and gold, and later oil, was extracted; as the surveillance capitalists of the 21st century tap into the wells of data, it turns out that properly regulating the internet landscape is just as crucial.

But the globalised nature of the internet and data flows means that an international consensus on regulation will probably eventually need to be reached, as can be seen with the current negotiations on taxation of big tech. Although nations can and do place restrictions on content (eg the Great Firewall of China), tech companies and governments need to reach agreements to prevent internet commerce from being stifled – in that sense, it’s a bit like Brexit!

However, one more point worth making is that companies don’t always need to use data; although it’s a very valuable resource, many internet businesses can still make a profit without collecting any personal data. Some content providers (eg Netflix) use subscription models instead of advertising – and although they still often collect data to “improve services” and customise content, it is unlikely that they would collapse if they simply turned off the data tap.

Further reading

BBC: What kind of internet do you want?

Financial Times, Nick Clegg: Governments and tech companies can build a better internet (paywalled)

Financial Times, Shoshana Zuboff: Facebook, Google and a dark age of surveillance capitalism (paywalled)

Shoshana Zuboff website

Wikipedia: Surveillance capitalism

Alex Heshmaty is a legal copywriter and journalist with a particular interest in legal technology. He runs Legal Words, a copywriting agency in Bristol. Email alex@legalwords.co.uk. Twitter @alexheshmaty.

Image cc by Thought Catalog on Flickr.