Data compliance: The legal and regulatory risks of big data analytics

Big data technology and services are expected to grow worldwide to US$16.9 billion in 2015, at a compound annual growth rate of 40 per cent, according to the European Commission.¹ For both law firms and general counsel, big data analytics can be leveraged far beyond maximising cost efficiencies or determining how to price particular matters. Used correctly, data analytics can change how legal services are delivered in future by giving businesses direct access to relevant legal knowledge and advice. The lawyer's traditional role as knowledge broker could consequently come under threat.

In deploying big data analytics, law firms and general counsel must remember that, as the Information Commissioner recently observed, big data is "not a game played by different rules".² A failure to address legal and regulatory risk in relation to big data could result in a serious regulatory breach for a law firm or a business. In this article, we consider how to manage such risks.

Value of big data

Big data consists of large, complex data sets generated from sensors (for example, via the internet of things), internet transactions, mobile payments, email, click streams and other digital interactions.

Small and unconnected pieces of data generated from these sources, when amalgamated and subjected to powerful analytics, can reveal valuable information about the user (or a market as a whole) by identifying trends and making predictions. At its heart, big data analytics allows the user to make targeted predictions through an analysis of past data trends. In that way, it is not that different from the role of lawyers.

The provision of certain types of legal services is about using data (explicit knowledge, including case law, precedents, regulatory decisions and official guidance, as well as personal or embedded knowledge, such as how to present a party's argument or case in the most compelling way) to make predictions about outcomes. That data is held in the hands of lawyers or is at least accessible by them.

Much of a lawyer's role is about making predictions. However, lawyers cannot store in their heads the sheer volume of data that an unstructured big data data-set contains; so much of our predictive analysis is based upon small data sets. What if big data data-sets could be used by law firms and general counsel, in combination with the variables of the particular case or project, to make predictions or to, say, prescribe the outcomes that must be satisfied in relation to the rollout of a particular product or service offering across multiple jurisdictions? How would that affect the risk profile of a law firm or the role of the legal function within a business?

The question is not simply academic. There are already tools that rely on big data analytics or large data sets for use by lawyers. Lex Machina, KMS Technology and Judicta are recent examples. While human judgement cannot be supplanted by machines, nonetheless big data analytics can reveal patterns and trends which are not apparent to the fallible human brain. It may therefore only be a matter of time before the use of such technologies becomes commonplace within law firms and in-house legal departments.

Big data analytics will have a transformative effect on the practice of law. In addition to its potential as a useful analytics tool for both law firms and businesses, big data is likely to be the genesis for economic activity from which both will benefit. The emergence of big data technologies may support workstreams as diverse as M&A, joint ventures and collaborations, the monetisation of software and app development, consultancy services, sourcing and outsourcing, supply of connectivity and the provision of new infrastructure (such as data storage and management). In the public sector, big data will be used to implement public policy by delivering public sector efficiencies.

Both law firms and general counsel will, therefore, have a very real interest in understanding the risk profile of a big data project and in developing an appreciation of the potential commercial applications.

Securing data

Data privacy is one area of law that any law firm or general counsel is going to have to take very seriously in relation to the use of big data. While this will not be an issue where the data to be processed is not personal (for example, a law firm's data about corporate clients involving no information about an individual), law firms have other regulatory responsibilities in relation to such data, even when it involves no personal information.

While data privacy laws vary from country to country, in Europe there are certain common features. Big data typically involves the reuse of data originally collected for another purpose. Among other things, such reuse would need to be "not incompatible" with the original purpose for which the date was collected for reuse to be permissible. The Article 29 Working Party (consisting of the data privacy regulators across the EU) has set out a four-stage test to determine whether this requirement is met.

The four-stage test includes a requirement that safeguards are put in place to ensure fair processing and to prevent undue impact on the relevant individual. This could include anonymising/ pseudonymising the base data or aggregating the results.

Anonymisation may be difficult to achieve in relation to big data, as the
sheer volume of data may make identification possible when large data
sets are brought together. On the other hand, reuse is more likely to be compatible with the original purpose if it is impossible to take decisions regarding any particular individual based on the reused data
(known as functional separation).

In many cases, the only way to overcome data privacy concerns in relation to big data will be by way of adequate consent notifications. Obtaining effective consent in relation to big data analytics is not straightforward.

The possession of large data sets
can confer market power and exclude other market entrants. In relation to businesses, competition regulators concerned about
(or competitors aggrieved by) lack
of access to such data may attempt to deploy competition law to force such access. Aggregations of data sets as a result of merger and acquisition activity may also attract the attention
of competition regulators.

Tax laws may also have an impact on big data projects for businesses. For example, the OECD is currently considering a proposal to control the way digital businesses structure their profit flows internationally to limit tax exposure.³ The UK Chancellor's Autumn Statement 2014 pre-empted this by proposing a new 'diverted profits tax' (a so-called Google tax) that aims to counter arrangements used by some multinationals to "divert" taxable profits from the UK. Because the legislation is drafted very widely, it may be particularly relevant for businesses engaged in big data analytics. It will tax profits diverted from the UK in this way at
a rate of 25 per cent from 1 April 2015.

Likewise, discrimination laws in the UK and across the EU may need to be considered. They may be relevant where the outcome of big data analytics is to offer goods and services selectively in a way that is discriminatory. This is as much an issue for law firms (for example, those
that focus on a particular section of the buying public, such as consumers) as it
is for businesses.

IP rights

Across the EU, the intellectual property right that could provide the most protection is the database protection regime. It has limitations, as do copyright and patents in relation to big data. The law of confidentiality may also provide some protection, depending on the particular information and its source.

As the law in this area may provide only limited protection, a return to
the basics may be required: in other words, ensuring that any disclosure is coupled with adequate contractual confidentiality provisions limiting further use and disclosure.

Conversely, it will be essential to check that the compilation of a big data data-set has not infringed a third party's intellectual property or contractual rights.

Safeguarding data

Interception, appropriation and corruption of data remain an issue for law firms and businesses possessing big data data-sets, just as with any other data. The data privacy laws in many countries require that the data controller implements appropriate technical and organisational measures to safeguard the security of personal data.

Such laws typically require the data controller to flow down these requirements in contractual relations with their suppliers. These requirements will apply to big data data-sets held by law firms and businesses that contain personal data.

Law firms and businesses alike will
also need to take into account the new EU Data Protection Regulation, which will require that technical and organisational measures are provided for by design and default. Purely technical solutions, implemented in the absence of a more comprehensive approach to information governance, may not be adequate.

In addition, law firms have their own regulators which impose strict confidentiality obligations on them in relation to client data, and such requirements will need to be complied
with in relation to big data projects that use client data.

Law firms and businesses whose business models come to depend on creating and exploiting big data will need to develop an approach to information governance that is capable of addressing the risks presented by unstructured big data data-sets. Compliance with information retention requirements (including those imposed by regulators)
will need to be reconciled with the legal and commercial imperatives to regularly purge unwanted data as part of a wider risk management strategy.

Data reliability

Among the potential liabilities that need to be addressed is the question of data reliability. Data sourced from publicly-available sources, from another business or collated by the law firm or business itself may contain errors.

Such errors may be processing errors or may arise at source (for example, from mistakes in field coding and other inputs). These errors may flow through to the outputs of the data analytics processes (such as trend analysis and predictions), upon which a law firm's or business's strategic and investment decisions
may depend.

Data sets may have their origin in several different sources. 'Open data' is typically licensed on terms similar to those applicable to open-source software. Such terms usually give little or no comfort in relation to the reliability (and non-infringing nature) of the licensed material.

Public providers of such data sets (such as local authorities or central government) are seldom willing to accept liability for losses arising from reliance on the data (particularly when the data is provided free or for a nominal charge).

Businesses which on-supply such data, or provide services dependent on that data, could potentially face claims in contract, in tort (for example, for negligent misstatement) or for some other form of liability (this could include consumer claims based on statutory rights). They will need to ensure that they circumscribe their own liability on a back-to-back basis with their own supplier where possible, or insure against the risks.

Need for expertise

A recent survey found that 41 per cent
of businesses have a lack of appropriately-skilled resources to implement a big data project.⁴ There is no reason to suppose that law firms or in-house legal departments will be in any better position. Such expertise will need to include a legal and regulatory compliance review. It is simply a case of taking steps to address these issues early on.

Mike Rebeiro and Marcus Evans are partners specialising in technology and innovation at Norton Rose Fulbright
(https://nortonrosefulbright.com)

Endnotes

1. See Towards a Thriving Data-driven Economy, European Commission,
   July 2014

2. See Big Data and Data Protection, Information Commissioner's Office,
   July 2014

3. See the Base Erosion and Profit Shifting Project, OECD Centre
   for Tax Policy and Administration

4. See Big Success with Big Data, Accenture, April 2014