by V. Bentotahewa, C. Hewage and J. Williams
2 June 2020
Abstract- This paper investigates the challenges that the big data is faced with the increased enactment of data security and privacy regulations and laws across the world. Even well-established privacy regulations such as General Data Protection Regulation (GDPR) has recently came under scrutiny in the wake of big data. Data protection law has become not only a safety screen for protecting citizens and consumers data but also play part in international trade. The data protection regulations are established to ensure that information can be shared without causing any infringement on personal data and businesses. In generating big data, it is important to ensure that the information is securely collected, processed, transmitted, stored and accessed. However, given the enormous amount of big data generated everyday there is, particularly in terms of privacy, an apparent conflict between gathering and protecting big data. It is evident that data protection regulations are yet to be in full force in Asian region. The work on data protection is still lagging the ICT development in the region.
Keywords- Data protection, data security and privacy regulations and laws, Big Data, privacy
- INTRODUCTION
The European Union (EU) enacted the General Data Protection Regulation (GDPR) on 25 May 2018 [1]. It is a mutually agreed framework designed for the purpose of harmonising data privacy laws across Europe as well as for providing greater protection and rights to individuals. Likewise, Asian countries are also now showing signs of catching up aligning with the rest of world [22]. However, these developments are lagging the sharp increase of ICT penetration in the region [30]. For instance, South East Asia had the highest internet penetration rates. In China, the internet penetration amounted to only 58.4 percent [30]. However, South Asian countries such as Afghanistan and Pakistan had low internet penetration rates, mainly due to high internet fees for fixed broadband and mobile networks in these countries [30].
In modern digital age, data is collected using multiple sensors as well as through various applications that are designed to monitor and record user movements, communications and transactions. It is common practice for organisations to use systems to process and store what is known as big data. In professional literature, the definition of big data refers to, volume of data collected, the variety of sources, the speed of analysis and interpretation, that could be achieved through the analytical process [2].
- RESEARCH BACKGROUD
A. How big data is generated
As increasing dependency on digital technology is becoming a way of life, the use of video technology (CCTV) for surveillance operations to collect data of personal identities raises concerns. This method has become a common practice in gathering information about people, their movements at workplace as well as public places. The use of CCTV has grown globally for various purposes, for instance, in Australia uses this technology in public places for monitory purposes [3], and the same technology is used in Singapore for enforcement of traffic regulations and to prevent littering [4]. Philippine mandated the installation of CCTV cameras in hospitals under the Filipino Hospital CCTV Act of 2008, and established penalties for releasing any footages without a court order [29]. Thailand, in response to the bomb explosions in Bangkok during the 2007 New Year’s Eve celebrations, also gave the go ahead for the installation of more than 10,000 CCTV cameras for traffic monitoring and security purposes [29]. However, there are different legal constraints on video surveillance in worldwide. Britain and the United States have limited legal constraints, whilst Austria, Germany, Norway and Sweden, employers are obliged to seek consent from the workers for such purposes [5].
Wide ranging methods are used to gather personal information and behaviour patterns of employees. Most commonly use technology are phone tapping, accessing emails, and monitoring computer screens for surveillance operations. Added to that there are other methods in use such as remotely bugging conversations, analysing computer and keyboard usage, tracking devices to monitor personal movements. The use of smart ID badges to track an employee’s movement around a building is common practice particularly in sensitive areas. Range of other methods in the form of psychological tests, general intelligence tests, aptitude tests, performance tests, personality tests and lie detector tests are all electronically assessed.
In the motor industry advanced technology is widely used for broadcasting their location, speed, steering-wheel position, brake status, and a variety of other data that determine performance and safety of the car and the driver [6]. On the other hand, the automobile insurance companies gather location data using satellite (GPS) systems, using mobile phones to track the customer’s movements, and their driving habits are logged using telematics data from on-board IT systems [7]. Similarly, smart domestic sensors are being used to enhance responsiveness to domestic emergencies such as fire risks, flooding and theft. Health apps and wearable technologies (Fitbit) have inbuilt technical capacities to provide recorded data and information that are used for health purposes.
Gathering and storing some specific data on individuals bring obvious benefits in many areas. Aviation industry including airlines generate and hold vast amounts of data on passenger’s personal preferences and travel habits at all stages of their journey [7]. Although the airlines do take measures to protect such personal data, they are under obligation to share the passenger information with security organisations to combat terrorism and serious crimes, but there are inherent risks of compromising such data held by the airlines. The long-term retention, sharing and use of this data for those purposes without adequate safeguards has been controversial and, has attracted criticism from privacy groups and security experts [7].
Video and audio data generate a range of signals; for example, to detect Parkinson’s disease voice recordings are used and smartwatches are used to measure heartrate [8]. Research has shown it may even be possible to extract conversations from video recorded images of vibrations on surrounding materials, or to determine the occupancy of a room based on Wi-Fi signal strength [8].
The urgency of the need to manage and find cures for the Covid-19 has also made it necessary to collect data in volumes. A number of countries are developing contact tracing apps as a digital tool to diagnose the presence of the virus and to prevent it from spreading thereby mitigating the risk of worsening of the pandemic. For an example China is using Covid-19 tracking apps which generally work by assigning a colour code (green, yellow or red) using an algorithmic assessment of the user’s travel history and health status [27]. The Hong Kong government operates a mobile app that uses geofencing technology to track and monitor quarantined person’s movement to ensure he remains in the location [27]. The Japanese government has also developed a Bluetooth technology integrated contact tracing app [27]. The contact tracing app developed by the Government of India processes users’ travel history, symptoms, and location data to calculate the risk they are exposed to contracting the coronavirus, but that approach has come under widespread criticism from the public [28]. The government has made the app mandatory for public and, according to the reports those caught without the app could face fines of $13 or a six months jail sentence [28]. This mandatory requirement leaves people with no choice and unwilling or willingly are obliged to participate in gathering of data in large volumes. That make the case for implication for violations of individual privacy rights.
These contact-tracing apps do generate large amount of big data. The impact of contact tracing apps cannot be taken in isolation, and the focus should also be on the impact of facial recognition cameras, wearable bands and police surveillance drones. For instance, the Chinese authorities have been using street cameras with facial recognition system to apprehend, shame, and fine citizens venturing outside without face masks [9] and even used similar tools and even to identify and quarantine individuals who appeared to be carrying the virus [9]. The reports also claim that the UK has also used drones to track people who were ignoring Covid-19 social distancing rules [10]. Whatever and whoever using such mechanisms will be infringing on public privacy in one way or another.
Online sales outlets such as e-Bay uses consumer shopping history to promote their own brands of products. In a different context, social media platforms such as Facebook collects information on subscriber habits and preferences in using its services, content types, the devices used, language and time zones. According to the reports, by 31 January 2020, the Population in Asia using Facebook has reached 867,984,000, and it is a significant number when compared to the rest of the world [25]. Retailers do use information on consumer shopping habits and social interactions for direct marketing and to promote alternative products to the consumer. For instance, Uber tracks its drivers to make their service effective and to provide a rapid response to public needs. However, this data could also be used to monitor driver behaviour, road traffic breaches and productivity estimation [11].
The Section 5(1)(b) of the GDPR article sets out the fundamental notion that personal data must be collected for a specific, explicit and legitimate purpose [12] but with the Big data purpose is not clearly defined. As you have observed from above examples, big data is generated using different devices, and it is impossible to give a legitimate reason for collecting data. Also the GDPR specified that the collected data should be limited to what is necessary [12], but in practice such limitations are very difficult to enforce.
B. Application of Data security and privacy regulations and laws
Most western countries have established special privacy protection agencies for the purpose of protecting citizen’s privacy and personal information. In the region of Europe, the European Union has created a legal framework in the form GDPR, key focus of which is to ensure the privacy rights of individuals are protected. But it is worth mentioning that the GDPR does not replace personal data breach notification requirements that organisations may be subjected to, under other legislation [13].
Regardless of technology used in processing big data and the storing in an IT system, the GDPR provides protection to personal data [14]. In all cases personal data is subject to protection requirements set out in the GDPR. However, if personal data can be truly anonymised then the anonymised data is not subject to the GDPR [15].
Many countries across the globe are yet to adopt data protection laws or finalise existing draft legislation, and in doing so these countries are expected to follow GDPR framework as a template in developing their cyber legislations [16].
The Personal Data Protection Bill of 2018 (PDPB) of India is reported to have been inspired by the General Data Protection Regulations of the European Union (GDPR) [23]. Even though the PDPB is modelled on the GDPR, significant differences have been noted. For an example, PDPB does not give Indians the “right to be forgotten” which requires entities to completely delete shared data, and the PDPB instead allows individuals to restrict companies from using their data [23]. Another difference is its approaches to data localization. Just as in China, Russia, and Saudi Arabia, PDPB requires companies to localize data [23]. The localisation means that citizen’s information is restricted from leaving home country for processing, storage and collection, whereas in the GDPR data can be shared with adequate protections [23].
On the contrary, the PDPB mirrors GDPR on enforceable penalties, just as in the GDPR, the draft bill provides differing ranges of penalties. For an example, some violations carry a maximum penalty of either $727,450 or to 2% of the global turnover of a company in the previous year, whichever is the highest [23].
Sri Lanka’s Personal Data Protection Bill is another that was inspired by GDPR, and it covers both the public and private sectors. According to the Bill, public sector authorities may only process personal data within the country, unless the Data Protection Authority (DPA) and any relevant supervisory body classifies the data as permitted to be shared overseas [22]. But in contrast the same data localisation requirement does not apply to the private sector. The private sector may transfer personal data to a third country on ministerial advice [22]. This is an indication of apparent loophole in the rules of protecting personal privacy. There is should be non-selective consistency in the application of data protection regulations, whether data is being collected by the public or private sector, and same data protection rules should apply in relation to people’s privacy.
In 2019, the National Legislative Assembly of Thailand approved and endorsed the Thailand Personal Data Protection Act (PDPA) and due to come into effect in 2020 [26]. The PDPA mirrors GDPR in the broad definition of personal data, and it specifies the requirement to establish a legal basis for collection and use of personal data, extraterritorial applicability, and potentially harsh penalties for non-compliance [26]. However, as the reports show, the penalties for non-compliance are more complicated than GDPR. Administrative fines are approximately 140,000 Euro and there is potential for criminal penalties that can be levied in the form of imprisonment for up to one year [26].
Personal Information Protection Act of South Korea has been effective since September of 2011 and included provisions similar to GDPR, including requirements for gaining consent, the scope of applicable data, appointment of a Chief Privacy Officer, and limitation and justification of data retention periods [26].
However, copying data protection clauses from other countries has raised concerns as cloning of such laws may come into conflict with national law enforcement mechanisms, and even be affected by different cultural norms.
Some also argue that the GDPR would not create more harmonisation but rather create even more national differences than today [17]. The GDPR has set standards that no data controller will be able to ignore it, and other governments will be under pressure to raise their data protection standards in order to allow their economies access the digital single market of the European Union. The effects of this can be seen already today, where some countries like Japan intends to introduce similar provisions to the GDPR [17], and UK businesses are doing their best to make sure the GDPR applies to its full extent in post Brexit Britain, and UK remains committed to the privacy principles enshrined in the EU Regulation. The UK Government has also pledged to introduce a new ‘digital charter’ with the aim of ensuring UK remains the safest place to use online facilities [18].
- DISCUSSION
A. Challenges and obstacles to application of data security and privacy regulations and law to Big data
Even though there is a considerable development in data security and privacy regulations and laws, these regulations and laws face many challenges in the digital age, and the emergence of Big Data is perhaps considered to be the greatest. In the big data era, the public enjoys many benefits that internet technology offers to them. But at the same time, they also do face potential breeches of on privacy laws affecting personal data. Failure to protect user accounts and personal data will directly threaten the privacy of users and the security of data.
At present, many organisations believe that once information is processed anonymously the identifiers will be hidden, and then the information will be released but the reality is that the protection of privacy cannot be effectively achieved through anonymous protection only. Another concern is the ability of criminals to intentionally fabricate and forge data in big data. The wrong data will inevitably lead to erroneous results. Some people may make up data to create data illusions that are beneficial to them, leading people to make wrong judgments. For example, some websites contain false comments and ratings, and users can easily be lured into buying these goods and services based on the faked comments and ratings. The impact of false information is difficult to measure against the popularity of internet technology and the use of information security technology to screen these data is also very difficult.
The technological advancement highlights the difficulties in sustaining data security and privacy policies inspired by GDPR in its entirety, and right to be forgotten is one such area of concern. This is particularly relevant in circumstances in which an individual from the Euro zone having a rare disease faced with the option to removing personal files containing genetic variance, and if that person happened to be the only known person with that variance, and access to medical records were denied, that would be an obstacle to medical investigation into the disease. Furthermore, with the increase use of blockchain based technologies in public and private domains [20][21], implementation of certain clauses such as right to be forgotten will be challenging due to the tamper proof nature of the technology.
The biggest challenge for big data from a security point of view is the protection of individual privacy. Big data often contains huge amounts of personal identifiable information, that makes privacy of users a huge concern. Given the large amount of data stored, breaches affecting big data would have devastating consequences, that would be more serious than the data already exposed as a result of the security breach. The outcome of such a scenario would potentially affect much larger number of people, with detrimental consequences and legal repercussions.
There is an obviously visible conflict between the data minimization principle and the practices of Big Data analysis. Under the Big Data concept firms do provide a clear incentive to collect and retain as much data as they can for as long as possible. In theory, more data will provide greater knowledge and greater benefit to the organisations and the society in general. Therefore, enforcing the data minimizations will limit the success to Big Data. According to the GDPR data minimization could be achieved by pseudonymization [2]. On the contrary one can argue that removing identifiers to achieve pseudonymization could potentially undermine the quality of the results derived, as the data would be purposefully altered.
Given the number of difficulties in carrying out Big Data analysis, there could be a potential migration of local entrepreneurs to other countries where they would have flexibility to pursue their objectives without obstacles in the use of Big Data. In circumstances where local residents look for foreign companies to obtain their services, protection of privacy could become vulnerable, and is like to be compromised.
- CONCLUSION
The primary focus of data security and privacy regulations and laws is on protecting the rights of individuals to privacy without compromising their personal data stored by state institutions and other organisations including commercial and utility companies. The Big data as it is known allows masses of personal information about day to day lifestyles of individuals to be gathered for a variety of reasons, and what is allowed is set out in data protection laws, within security and restriction parameters to provide greater protection and rights to individuals. It is however worth considering whether big data serves its purpose in its entirety or whether it is used to pry into peoples’ behaviour in living their lives in a liberal environment. So, the question is whether it is all necessary?
Justification for gathering mass amount of information about individuals has arisen as a result of evolving advances in communication technology used by billions of people around the globe. In such an environment, safeguarding personal identities has become virtually impossible, against ever increasing threats from unauthorised access by hackers and clandestine activities of various groups such as commercial enterprises. On the one hand big data acquisition a storage poses a significant threat to individuals, and on the flipside, it helps make important decisions for prevention of terrorism, and monitoring health and medical needs, banking habits, behaviour and movements of people in all aspects of their lives; also most importantly to safeguard against fraudulent activities including unauthorised access to personal bank accounts. It is a fact of life that we are all under surveillance whether in our homes or outside, and equally whether we use our own transport or public transport systems. In all cases our movements and behaviour in public places are being monitored and recorded for variety of reasons, including personal safety, prevention of crime and vandalism.
Against that background, it is crucially important to strike a balance between privacy of individuals and security of the state as well as the organisations. Is the adaptation of data protection laws the best way to achieve that balance, and if so does it fit the purpose? The researcher believes that it does to a great extent. For that reason, many Asian countries are in the process of reviewing their current data protection laws with a view to update their own laws in line with GDPR. That will enable them to keep up with global developments in privacy protection and will reduce the risk in sharing big data amongst countries. It will also help strengthening trust and confident amongst people in sharing personal data.
REFFERENCES
[1] J.P Albrecht, ‘How the GDPR Will Change the World’, European Data Protection Law Review, Volume (2-Issue 3), 2016 [Online]. P.287-289. Available at: DOI https://doi.org/10.21552/EDPL/2016/3/4 (Accessed: 13 February 2020)
[2] T. Z. Zarsky, Incompatible: The GDPR in the Age of Big Data. PDF [Online]. P.999. 2017 Available at: https://scholarship.shu.edu/cgi/viewcontent.cgi?article=1606&context=shlr (Accessed: 3 April 2020)
[3] D. Wilson, and A. Sutton ‘Watched Over or Over-watched? Open Street CCTV in Australia’, The Australian and New Zealand journal of criminology, Volume (37-Number 2) [Online]. P.211-230, 2004. Available at: https://core.ac.uk/download/pdf/141439629.pdf (Accessed: 15 March 2020)
[4] A. Rengel, Privacy in the 21st Century. Google book [Online]. P.57, 2013. Available at: https://books.google.co.uk/books?id=6dLeAQAAQBAJ&printsec=frontcover&dq=privacy+in+21+cene (Accessed: 28 January 2020)
[5] W.A. Ascher, The Frog Principle: The Loss of Freedom in America. Google book. [Online]. P.239, 2005. Available at: https://books.google.co.uk/books?id=6CXmZX0izuMC&printsec=frontcover&dq=the+frog+principles:+the+loss+of+freedom&hl=en&sa=X&ved=0ahU (Accessed 3 January 2020)
[6] B.A. Safari, Intangible privacy rights: How Europe’s GDPR will set a new global standard for personal data protection. PDF 2017 [Online]. P. 844. Available at: https://scholarship.shu.edu/cgi/viewcontent.cgi?article=1600&context=shlr (Accessed: 24v March 2020)
[7] R. Kemp, ‘Big data and data protection’, Kemp IT Law, Volume (1. 0) 2014 [Online] P.5-6 Available at: file:///C:/Users/sm77809/Downloads/Big-Data-and-Data-Protection-White-Paper-v1_1-November-2014.pdf (Accessed: 16 March 2020)
[8] M. Altman, et al. ‘Practical approaches to big data privacy over time’, International Data Privacy Law, Volume (8, Issue 1) [Online] P.29–51, 2018, Available at: https://doi.org/10.1093/idpl/ipx027 (Accessed: 15 February 2020)
[9] R. D’amore, Yes, this drone is speaking to you’: How China is reportedly enforcing coronavirus rules 2020 [Online]. https://globalnews.ca/news/6535353/china-coronavirus-drones-quarantine/ (Accessed: 2 May 2020)
[10] A. Gordon, Now COUNCILS use talking DRONES to spy on people ‘ignoring coronavirus isolation advice’ – and order them back inside with loudspeakers 2020 [Online]. Available at: https://www.dailymail.co.uk/news/article-8159665/COUNCILS-use-talking-DRONES-spy-people-ignoring-coronavirus-isolation-advice.html (Accessed: 19 May 2020)
[11] R. Koch, The EU’s GDPR only applies to personal data, which is any piece of information that relates to an identifiable person. It’s crucial for any business with EU consumers to understand this concept for GDPR compliance. [Online]. Available at: https://gdpr.eu/eu-gdpr-personal-data/ (Accessed 28 March 2020)
[12] Information Commissioner’s Office. Guide to the General Data Protection Regulation (GDPR). PDF [Online]. P.22-30. Available at: https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf (Accessed: 3 January 2020)
[13] The ‘security principle’ under GDPR and personal data breaches [Online]. Available at: https://www.walkermorris.co.uk/publications/our-series-of-guides-to-the-eu-general-data-protection-regulation-round-up-of-the-latest-guidance-on-gdpr-2/the-security-principle-under-gdpr-and-personal-data-breaches/ (Accessed: 15 March 2020)
[14] European Commission. (No date) What is personal data? [Online] Available at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en (Accessed 26 April 2020)
[15] Information Commissioner’s Office. (No date) What is personal data? [Online] Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/ (Accessed: 16 March 2020)
[16] Consumers International (No date) The state of data protection rules around the world A briefing for consumer organisations. PDF [Online]. Available at: https://www.consumersinternational.org/media/155133/gdpr-briefing.pdf (Accessed: 13 April 2020)
[17] J.P. Albrecht, How the GDPR Will Change the World. PDF [Online]. P.287-289 2016. Available at: https://edpl.lexxion.eu/data/article/10073/pdf/edpl_2016_03-005.pdf (Accessed: 25 March 2020)
[18] Government of United Kingdom. The Queen’s speech 2017. PDF [Online] P. 59-60, 2017. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/620838/Queens_speech_2017_background_notes.pdf (Accessed: 05 January 2020)
[19] V. Bentotahewa, and C. Hewage, Challenges and Obstacles to Application of GDPR to Big Data. 2020 [Online] Available at https://www.infosecurity-magazine.com/next-gen-infosec/challenges-gdpr-big-data/ (Accessed: 20 May 2020)
[20] A. Shahaab, R. Maude, C. Hewage, and I. Khan (2020) ‘Managing Gender Change Information on Immutable Blockchain in Context of GDPR’. The Journal of The British Blockchain Association, Volume (3- Issue 1) [Online]. P.1-8 Available at: https://jbba.scholasticahq.com/article/11592-managing-gender-change-information-on-immutable-blockchain-in-context-of-gdpr (Accessed 23 March 2020)
[21] I. Khan, A. Shahaab, B. Langley and C. Hewage ‘Applicability and Appropriateness of Distributed Ledgers ‘Consensus Protocols in Public and Private Sectors: A Systematic Review IEEE Access’. IEEE, Volume (7) [Online]. P. 1-15 Available at: https://ieeexplore.ieee.org/document/8672572 (Accessed: 15 January 2020)
[22] G. Greenleaf, Advances in South Asian Data Privacy Laws: Sri Lanka, Pakistan and Nepal. Privacy Laws & Business International Report 2019 [Online] P. 22-25. Available at SSRN: https://ssrn.com/abstract=3549055
[23] D.D. Panakal, India Shakes International Data Market 2019 [Online]. Available at: https://www.natlawreview.com/article/india-shakes-international-data-market (Accessed: 13 February 2020)
[24] N.S. Dutta, New era of data protection regulation in South Asia 2019 [Online]. Available at: https://www.ikigailaw.com/new-era-of-data-protection-regulation-in-south-asia/#acceptLicense (Accessed: 24 April 2020)
[25] “Internet World Stats” [Online]. Available at: https://www.internetworldstats.com/asia.htm (Accessed: 3 May 2020)
[26] D. Simmons, 6 Countries with GDPR-like Data Privacy Laws, 2019 [Online]. Available at: https://insights.comforte.com/6-countries-with-gdpr-like-data-privacy-laws (Accessed: 15 April 2020)
[27] J. Utzerath, R. Bird, G. Cheng, and J. Ohara, Contact tracing apps in China, Hong Kong, Singapore, Japan, and South Korea [Online]. Available at: https://digital.freshfields.com/post/102g5my/contact-tracing-apps-in-china-hong-kong-singapore-japan-and-south-korea (Accessed: 12 May 2020)
[28] R. Agrawal, The Pandemic Is Enabling Big Brother- India’s new contact tracing app leads to concerns over privacy, security, and surveillance, 2020 Available at: https://foreignpolicy.com/2020/05/07/india-coronavirus-pandemic-big-brother-contact-tracing-mobile-app/ (Accessed: 20 May 2020)
[29] “A New Dawn: Privacy in Asia”. PDF [Online]. P. 10-13, 2012. Available at: https://privacyinternational.org/sites/default/files/2017-12/A%20New%20Dawn_Privacy%20in%20Asia.pdf (Accessed 10 January 2020)
[30] Asia: Internet penetration by country 2019 |Statista [Online]. Available at: https://www.statista.com/statistics/281668/internet-penetration-in-southeast-asian-countries/ (Accessed: 28 May 2020)