In this concluding article of our series on "Big Data & Issues & Opportunities", we want to start looking beyond the issues and opportunities that were identified in the 17 articles that make up the series. In this context we invite you, reader, to share your view of these issues and opportunities by participating in the survey available here.
Over the course of 17 articles, we have presented a summary of the findings from our research conducted in the LeMO Project concerning legal, ethical and social challenges and opportunities pertaining to big data. Where relevant, the articles have been illustrated with examples from the transport sector, which is the focus of the LeMO Project. These findings had also been published in two reports, namely the 'Report on Legal Issues' and the 'Report on Ethical and Social Issues'. Both are available online at www.lemo-h2020.eu/deliverables/.
Key questions raised and addressed throughout the series included questions such as:
- "do the privacy concepts of the GDPR fit with big data?";
- "can anonymisation techniques be applied while keeping an acceptable level of predictability and utility of big data analytics?";
- "is the current legal framework in relation to data ownership satisfactory ?";
- "what are the main areas in which competition law may have an impact on the use of big data?"; and also
- "can social differences in access to technology and education or skills lead to data-driven discrimination?".
Through the numerous questions raised and addressed throughout the series, various legal, ethical and social issues and opportunities were identified in relation to big data. The table below offers a succinct summary of the various topics covered by each article.
- General overview (link): In addition to introducing the series, this article provides some background information with respect to big data in the transport sector, useful to bear in mind while reading the other articles.
- Privacy and data protection (link): The second article focuses on some of the key privacy and data protection aspects in a big data context, showing how certain principles and requirements can be difficult to fit with some of the main characteristics of big data analytics. The article demonstrates that finding a balance between the various interests at stake is of paramount importance. In light hereof, it is essential to keep in mind that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. Any guidance or administrative/judicial decision should carefully take into account all interests at stake as failing to do so would necessarily impede the development of disruptive technologies and prohibit the emergence of a true data economy.
- Anonymisation / pseudonymisation (link): This article looks into the impact of anonymisation and pseudonymisation in a personal data protection context, and the possible use of anonymisation and pseudonymisation techniques as a way to protect non-personal data. Anonymisation and pseudonymisation techniques generally provide fertile ground for opportunities with respect to big data applications. Nevertheless, account must be taken of the challenges that may arise in this respect. Most importantly, a balance will need to be struck between, on the one hand, the aspired level of anonymisation (and its legal consequences) and, on the other hand, the desired level of predictability and utility of the big data analytics.
- (Cyber-)security (link): Considering the increasingly devastating impact that cyber-threats and attacks may have on society, issues related to cyber-security have become increasingly important in recent years. The requirement to put in place security measures is imposed in various legislations at EU and national level, including key instruments like the General Data Protection Regulation (GDPR) and Directive 2016/1148 on security of network and information systems (the NIS Directive). Such legislations however remain rather general and vague as to which specific measures are deemed appropriate. In order to comply with the relevant requirements, organisations generally need to rely on security experts and take into account the evolving guidance documents published by authorities such as ENISA (the European Union Agency for Network and Information Security). Also, relying on certification mechanisms, seals, marks and codes of conduct will enable companies to comply with their legal obligations in terms of security and demonstrate their compliance.
- Breach-related obligations (link): In recent years, the EU has made significant progress in terms of cybersecurity and related incident notification requirements, with notable developments including the Cyber Security Strategy and the NIS Directive. It follows that organisations facing a security incident may need to notify such incident to one or more national competent authorities. The requirement to inform authorities will however depend on certain criteria laid down in the applicable legislations, as clarified by the guidance documents published at EU and national level. Accordingly, the various actors of the data value chain need to implement measures, procedures and policies in order to abide by the strict notification requirements and be prepared to provide the necessary information to the competent authorities, all within the imposed deadlines.
- Supply of digital content and services (link): This article looks into the possible provision of personal data by a consumer in order to receive digital content. It assesses how this practice is dealt with in the recently adopted Digital Content Directive (EU) 2019/770 and looks into its interaction with the applicable data protection legislation, and in particular the GDPR. As demonstrated through this article, legalising this economic reality generates practical and legal concerns. Accordingly, clarifications and guidelines are necessary to allow a greater degree of predictability for digital market actors and to ensure the usefulness of big data.
- Free flow of data (link): Free flow of data represents an ideal scenario in which no (legal) barriers to cross-border data flows remain. Efforts have been taken at EU level with the adoption of the Regulation on the free flow of non-personal data. A number of uncertainties remain, including a difficult interaction with the GDPR. Still, the Regulation remains an important step in the elimination of restrictions to cross-border data flows and their negative impact on business. Companies expect cost reductions to be the main benefit of eliminating data localisation requirements. Furthermore, start-ups in the European transport sector and in the EU in general increasingly rely on competitive cloud services for their products or services. Prohibiting localisation restrictions would therefore increase competitiveness of the EU cloud services market. This in turn could allow start-ups to go to market quicker, to increase their pace of innovation and would also support scalability and achieve economies of scale.
- Liability (link): The EU institutions have been engaged in ongoing work regarding extra-contractual and statutory liability in the context of disruptive technologies. On such basis, it will be possible to determine whether regulatory intervention is required. In all likelihood, intervention should take place in two phases. In the short- and mid-term, non-regulatory intervention, such as the creation of model contract clauses or the identification of appropriate safety standards, should be pursued. In the long term, regulatory intervention should be considered in the form of sector-specific legislation on minimum liabilities to be borne by certain service providers in certain sectors, a general revision of liability law, and/or legislation on insurance-related obligations. Nonetheless, this article has shown that the current status of contractual liability rules, which may differ across the EU, is likely to limit the uptake of new technologies, including big data in the transport sector.
- Intellectual property rights (link): This ninth article examined the aspects related to copyright, database rights and trade secrets and in particular to what extent such protection mechanisms can apply to (big) data. In this respect, it cannot be excluded that different actors in the big data analytics lifecycle will try to claim intellectual property rights or protection under trade secrets in (parts) of datasets intended to be used. These actors may try to exercise the exclusive rights linked to the intellectual property right concerned or keep the information secret. Any unreasonable exercise of rights may stifle data sharing and thus innovation through big data, including in the transport sector. This is however mainly due to the inherent nature and purpose of intellectual property rights and trade secrets protection, which may at the same time provide an incentive for stakeholders to engage in data sharing for big data purposes.
- Open data (link): The 'big data' required to feed big data analytics tools typically emanates from a variety of sources. One such source is the public sector, which has been opening up certain of its datasets to the public. The EU institutions have taken both legislative and non-legislative measures to encourage the uptake of open data, most notably through Directive 2003/98/EC on the re-use of public sector information (the PSI Directive), which attempts to remove barriers to the re-use of public sector information throughout the EU. Still, open data regimes also encounter a number of challenges – on a technical, economic and legal level – that cannot be ignored. The proposal for a recast of the PSI Directive aims to address some of these concerns. A major change concerns the expansion of the Directive’s scope to include public undertakings. While information sharing has not been made mandatory for public undertakings (yet), the new regime constitutes a significant development for the transport sector, where services are often provided by public undertakings.
- Data sharing obligations (link): This article addresses those legal instruments that impose specific data sharing obligations on private undertakings and therefore affect a company's control of, access to, or use of data. Such legislations are usually sector-focused and provide for an array of rights and obligations in relation to specific types of data in particular circumstances. The article offers a succinct examination of those pieces of legislation imposing data sharing obligations that are most relevant to the transport sector, showing that data sharing obligations are increasingly adopted in the context of Intelligent Transport Systems. The EU should however carefully consider whether the imposition of such general data sharing obligations is in each case equally necessary.
- Data ownership (link): If the numerous stakeholders in the (big) data analytics lifecycle cannot rely on any of the other exclusive rights discussed in this article series, they increasingly try to claim "ownership" in (parts of) the datasets used in the analytics. No specific ownership right subsists in data and the existing data-related rights do not respond sufficiently or adequately to the needs of the actors in the data value cycle. Up until today, the only imaginable solution is capturing the possible relationships between the various actors in contractual arrangements. Nevertheless, we found that filling the data ownership gap with contractual arrangements is far from ideal.
- Data sharing agreements (link): A critical analysis is made of the current-day common practice to use data sharing agreements to govern the access to and/or exchange of data between stakeholders in a big data analytics lifecycle. It is unclear, however, whether such practice enables covering all possible situations with the necessary and satisfactory legal certainty. Indeed, data sharing agreements entail numerous limitations in the absence of a comprehensive legal framework regulating numerous rights (e.g. ownership, access or exploitation rights) attached to data, the way in which such rights can be exercised, and by whom. While guidance has been issued by the European Commission recently, a more solid and legally secure solution might be desirable.
- Competition (link): The final article addressing legal issues and/or opportunities in the context of big data in transport focuses on the impact of big data on different aspects of EU competition law and seeks to create more clarity on when and how the so-called ownership or (mis)use of (big) data can give rise to competition law issues. As such, big data aggregation in the transport sector can give rise to a variety of competition law issues that suggest that certain aspects of competition law may not be fit for purpose. Abuse of dominance, merger control and anticompetitive behaviour have all seen challenges in the face of big data, AI and digitisation. The recent public consultation on shaping competition policy in the age of digitisation has yielded some interesting insights on how to mould competition law to address these topical issues.
- Trust, surveillance and free will (link): Moving away from legal issues and opportunities and into ethical and social aspects, the first ethical and social concepts examined in the context of big data and transport are those of trust, surveillance and free will. One of the main dimensions of big data, describing consistency and trustworthiness, is veracity. In this respect, big data may present challenges in relation to its quality (e.g. heterogeneous and unstructured data). It can however also be used for trust assessment, including through so-called reputation systems. In relation to surveillance, two main issues arise, namely risks of asymmetries in the control over information on the one hand and privacy risks on the other hand. With respect to supporting free will of humans, increasing accessibility and personalisation for passengers can provide benefits to people in the form of more personalised or affordable services. Organisations use certain types of data like journey data to ensure a better understanding and serving of people's needs.
- Discrimination (link): (Data-driven) discrimination is a particular social and ethical issue that may materialise in a big data context and is therefore addressed in a separate article. Big data analytics can be a tool to make existing discriminatory decisions visible, hence this social issue may be resolved by personalised services (as “positive discrimination”) based on big data analytics. In spite of this opportunity, there are still biases because of the inherent characteristics of big data (e.g., heterogeneity, data size and quality, noise, etc.).
- Transparency, consent, control and personal data ownership (link): Privacy is probably the most recurrent topic in the debate on ethical issues surrounding big data, which is not illogical given that the concepts of big data and privacy are prima facie mutually inconsistent. Indeed, the analysis of extremely large datasets may include personal data, and the more personal information included in the analytics, the more it might interfere with the privacy of the individuals concerned. In this context, the question of ownership over personal data is among others raised, as individuals tend to have a sense of ownership over their personal data. While a claim of ownership by a data subject in its personal data would be hard to sustain (given that legally no specific ownership rights subsist in data), this does not mean that data subjects have to give up all control over their personal data, particularly with the advent of the GDPR.
Over the past few months, we have provided critical analyses of these 16 different legal, ethical and social aspects in relation to big data and transport, and have shared with you the issues and opportunities we identified in our research in the context of the LeMO Project. The time has now come to reverse the roles. We are interested in knowing your views and experiences with these or other issues and opportunities in relation to big data, whether in the transport sector or in another sector. We therefore invite you to participate in our brief survey (to be found here), in which you can answer key questions and offer views and insights on each of the legal, ethical and social aspects covered in our articles. Your answers will be used in the context of the LeMO Project and could potentially influence the future legal and policy framework surrounding big data in the EU.
We thank you in advance for your participation.