Digital Transformation Monitor

Big data:a complex and evolvingregulatory framework

January 2017

Internal Market,Industry,Entrepreneurshipand SMEs

2

Figure 1: Enterprise view and intent on big data

Source: DNV G, April 2016L

Big data:a complex and evolving

regulatory framework

7

© Montri Nipitvittaya/Shutterstock.com

Given the rapid development of active technologies based on artificial intelligence and big data, the existence ofefficient and appropriate European standards and regulations is key to support the competitiveness of EU industriesand enterprises. Regulations at EU level must therefore allow for a swifter and flexible uptake of innovativetechnologies.

Big data: the result of continuedinvestments in data analyticstechnologies

The accumulation of data both inbusinesses and on the Web, along withthe growing number of open datainitiatives have enabled the emergenceof the concept of big data.

The Big data trend mainly constitutes theevolution of existing data analyticstechnologies. There is no clear differencebetween big data and traditionalanalytics. However, the following threecharacteristics are usually associatedwith the big data trend:

• Volume: the data generated are usuallyproduced in large volumes

• Velocity: data is generated at a highspeed pace

• Variety: the data generated usuallytakes various formats or typesincluding text, video, picture, sound orwebsites.

With the ever-increasing amount ofdigital connections, both in terms ofnumber of connections and time spent,the volume, velocity and variety of bigdata is only going to keep growing.

A rapidly growingBig data marketcoming with awide array ofregulatorychallenges

1Big data: numerous opportunities, newinvestment flows

Recent studies all indicate that the bigdata market is undergoing an upwardtrend which is not expected to slowdown in the near future. A joint surveyconducted by DNV GL and GfK Euriskoprovides an insightful glimpse into thebig data-related projects of differentorganizations (see figure 1). The studydoes not account for a representation ofbig data adoption across all enterprisesglobally however it demonstrates thatbig data is seen as an opportunity for52% of survey respondents (with lessthan 5% seeing it as a threat). Inaddition, it also shows that 51% of firmswith more than 1,000 employees plan toincrease their investments in big data inthe next two to three years (with 76% ofall organizations planning to increase ormaintain their big data investment).

U.S. giants, the big winners of the datamonetization trend

The adoption of big data is booming inthe advertising industry. Businessmodels based on big (mainly personal)data are developing rapidly throughoutthe world. The ecosystem ofinfrastructures and services enabling thetarget, collection, storage and processingof personal data is largely dominated byU.S. providers of OTT services, who havesucceeded in the monetization ofpersonal data. The personal data ofEuropean consumers are thereforelargely processed by these global marketplayers. Indeed, Google and Facebook arethe largest beneficiaries from ads; theirreliance on the use of personal data andthus advertising is evident, with Googleand Facebook producing 90% and 95%of their revenues respectively fromadvertising in 2015.

Q: Is your company considering big data more as an opportunity for or as a threat to your business?

Q: Is your company going to invest in big data in the next 2 to 3 years?

3

Big data: a complex and evolving regulatory framework

An evolvingregulatoryframework

2Moreover, consensus has not yet beenreached on the usage and exploitationrights attached to different types of data.Exclusive and non-exclusive approachesare central as they will determine theneed for complex fair pricing andoversight mechanisms.

A clear need for a common frameworkregulating the use of big data at EU level

A lack of common guidelines also resultsin data being recorded and saved indifferent taxonomies, formats, and typesdepending on the entity or the countryproducing it. This lack of guidelines andshared common taxonomies formetadata curation and integration limitsthe development of analytical platformsand the digital integration of data flows.

Most public and private data sources alsohave to face data quality challenges.Hence, increasing data quality is afundamental success factor for theuptake of big data.

Two set of actions linked to a better andclarified usage of data and to data qualityin order to reap the full benefit of bigdata should be undertaken:• EU guidelines for companies to make

the most of data

• Promotion and implementation ofdata quality standards

Security and privacy issues: a growingconcern

The adoption of Big data solutionsprovides many opportunities. Howeverthe increasing number of alarmingreports indicating significant databreaches and the leak of such data alsoraises many questions. For instance, themonetisation of personal data is key foradvertising businesses but a balanceneeds to be reached to ensure privacy,rights and the secure storage of data.

1.02 billion

Number of data recordslost or stolen in:

707.5 million

2014:

2015:

The privacy paradox: an increasing useof Internet services despite theincreasing distrust in Internet services

Various surveys have shown that thegeneral public is losing confidence intheir ability to gain control over theirown personal data. A 2014 study by PewResearch found that 91% of respondentsbelieved they had lost control over theirpersonal data collection and use, and88% also believed it was very difficult toremove inaccurate data aboutthemselves. Yet, as the figure belowdemonstrates, despite the lack of trustin Internet services, the population isstill using them. Ultimately, onlineservices have become such an integralpart of our daily lives that even lowlevels of trust level cannot prevent theiruse. Stakeholders thus face thechallenges when trying to regainconsumer confidence in these services.

Figure 2: Comparison between theuse and trust levels of diverse onlineservices: (2015 survey)

Source: IDATE

Figure 3: World’s largest security breaches, Oct 2016

Source: Information is Beautiful

A fragmented and heterogenousregulatory framework

A patchwork of 28 different laws andheterogeneous sets of rules define dataprotection across EU member states.This leads not only to unequal protectionrights for citizens, but also representssignificant administrative burdens forbusiness, including the uptake of bigdata. Common and harmonized guide-lines on data usage, rights and qualityare crucial for an effective and sustainedEU-wide uptake of big data and thedigital transformation of industry andbusinesses.

The agreement on the Commission’s EUdata protection reform announced on 15December 2015 now opens thediscussion on national implementationrules. Currently, each country’s nationaldata protection agency is set to definehow they will implement the newregulation into their national frameworkwhich will likely increase the risk of EUdiscontinuity and problems of crossborder data exchanges

4

Big data: a complex and evolving regulatory framework

Figure 4: Google (above) and Facebook (below) advertising revenue and itsratio over total revenue, 2009-2015 (Million EUR; %)

Source: IDATE DigiWorld, State of OTT markets worldwide, July 2016

EU guidelines for companies to make themost of data

The development of common guidelinesis an essential prerequisite for theuptake of big data. Companies andindustry players must be provided withthe certainty that they can safely andsecurely generate value from datawithout breaching data protection lawsor stepping beyond the boundaries ofpublic acceptance. Without clearguidelines EU companies will both facechallenges to use data as a businessdriver and expose themselves to risks.This will severely hinder the EU’scompetitiveness, innovation drive andeconomic growth.

Appointing a Chief Data Officer permember state to oversee theimplementation of open data initiativeswould be a further step in the rightdirection. An independent advisory panelmade up of national chief data officerscould forge consensus around a cohesivevision and strategy for capturing thefull benefits of data-driven innovationin Europe, guaranteeing similar and fairmarket conditions for all market playerswhile protecting consumers, workersand business investment.

In the healthcare industry, thedevelopment of multipurpose EUconsent templates should be promotedto enable the creation of pan-Europeandata sets and to encourage the use andexchange of Electronic Health records(EHR).

Promote data quality

Promotion and implementation of dataquality standards is a strong enablingfactor across industries as quality islinked to credibility and trustworthiness.A new generation of common curationmethodologies and technologies forcomplex usages such as clinical trials,antifraud or energy savings has to berapidly promoted.

Expected impact:

Pan-European guidelines on data usageand quality will further support theDigital Single Market by ensuring aharmonised European framework. Dataaccessibility is the primary enabler ofdata aggregation. In order for companiesto gather and use data they mustovercome the current barriers linked tothe lack of clear consent and exploitationguidelines.

In this sense, the origin, rights andconsent attached to different types ofdata must be well defined. Otherwise,SMEs will have to depend on datagathered outside the EU and face highercosts for obtaining data.

A clear definition of data usage andrights will boost the potential of pan-European Data Lakes. A data lake is asubject-specific repository for largequantities and varieties of data, bothstructured and unstructured. The datalake accepts input from various sourcesand can preserve both the original datafidelity and the lineage of datatransformations. The lakes could helpresolve the issue of accessibility and dataintegration for European businesses andcitizens in different industries andapplication areas.

This would enable stakeholders alongthe value chain in different industries toexchange data within a specific protocolin a rapid and secure manner. Ensuringhigh quality data will bring morecompetitiveness to SMEs. For example, inthe healthcare industry, so far, onlyestablished players have the resources toclean the data and offer datasets ofsufficient quality for clinical trials.

Promoting data quality and curationstandards will offer SMEs the chance tocompete with larger players and bringnew innovations to the market. © wk1003mike/Shutterstock.com

5

Big data: a complex and evolving regulatory framework

❶ Ensure smooth transposition of the GDPR into EU Member States

❷ Strengthen initiatives to regain consumer trust on personal data

❸ Set in motion a plan to consider a global regulation framework

Moving Forward

3

The Privacy Shield;Replacing the Safe Harbour

Scheduled for review:

Summer 2017

Stronger obligations on theU.S. to protect Europeans’personal data

Adopted by the EC:

June 2016

General Data Protection Regulation

In the context of the new General DataProtection Regulation, it is necessary toclosely follow its implementation andinterpretation by Member States.National barriers may be set, shouldMember States differ in theirunderstanding of the regulation. Thiswould be a major setback to the uptakeof Big Data.

In the case of autonomous car, a mean oftransport that requires to go throughborders, a common rules ofunderstanding must be shared by allMember States to ensure sufficientcommon standards.

Similarly, in the healthcare industry, thesocietal challenge need cross-bordercollaboration to share patient and cohortdata, R&D progress or clinical trials.Clarification of article 83 may be needed,as well as specific rules tailored to thecharacteristics of the healthcare andpharma industry. The implementation ofthe GDPR on file and data exchange musttherefore be closely monitored at EUlevel to enable the creation of a true pan-European data field

The GDPR and implications for the SafeHarbour agreement

The extraterritorial scope of GDPRimplies that U.S. providers will have toapply European data protection ruleswhenever they use European consumers’personal information.

Source: European Commission

Territorial scope The obligations apply to all providers operating in Europe.

If they don't have a legal presence, they must have a dedicated andfinancially sound representative in Europe.

Profiling and bigdata

Personal data must be collected with a clear initial goal and only forthis purpose.

The directive regulates the use and reuse of non-sensitive personaldata.

Pseudonymised data is also personal data.

For the user

(the 'data subject')

Implementation of the right to be forgotten has been furtherreinforced.

User's access to their file, including:

- duration of data retention

- details of the data recipients outside the EU

- details of applicable regulations

Big data: explain the logic, meaning and consequences of the decisionstaken by the processing when it is automated (profiling) and itspurpose is not obvious.

Data portability: users must be able to request their data and have itprovided in a usable format

Figure 5: Key changes in the European legal framework for the GDPR

Regulations as the key to pave the wayfor more innovative solutions

The lack of clear regulations andlegislations at EU level is without a doubta barrier to growth.

This lack of an appropriate frameworkleads to the lack of trust of Europeancitizens in big data solutions andtherefore prevents its further adoption.The question of trust is a centralchallenge to all the stakeholdersinvolved in the industry and is crucial forthe effective development and uptake ofBig Data.

As the backbone and underlying elementat all stages of digital development, trustin the use and management of data needsto be built in and reinforced among allstakeholders and industry players. Thecreation of a common Europeanframework regulating the use of big datawould certainly constitute a big stephelping to buld trust and accelerate theuptake of the Bif data trend.

Figure 6: The European Commission sets out the Privacy Shield framework

GDPR – General DataProtection Regulation

To be imposed by:

May 2018

An EU wide Directive fit forthe digital age

This led the European Commission toquestion whether the Safe Harbourprovided adequate protection for EUcitizens. In October 2015 the finalljudgment of the Court of Justice of theEuropean Union (CJEU) ruled invalid theSafe Harbour data protection agreementbetween Europe and the United States.

About the Digital Transformation MonitorThe Digital Transformation Monitor aims to foster the knowledge base on the state of play and evolution of digital transformation inEurope. The site provides a monitoring mechanism to examine key trends in digital transformation. It offers a unique insight intostatistics and initiatives to support digital transformation, as well as reports on key industrial and technological opportunities,challenges and policy initiatives related to digital transformation.

Web page: https://ec.europa.eu/growth/tools-databases/dem/

This report was prepared for the European Commission, Directorate-General Internal Market, Industry, Entrepreneurship and SMEs;Directorate F: Innovation and Advanced Manufacturing; Unit F/3 KETs, Digital Manufacturing and Interoperability by the consortiumcomposed of PwC, CARSA, IDATE and ESN, under the contract Digital Entrepreneurship Monitor (EASME/COSME/2014/004)

Authors: Vincent Bonneau & Soichi Nakajima, IDATE; Laurent Probst, Bertrand Pedersen & Olivia-Kelly Lonkeu, PwC

DISCLAIMER – The information and views set out in this publication are those of the author(s) and should not be considered as theofficial opinions or statements of the European Commission. The Commission does not guarantee the accuracy of the data included inthis publication. Neither the Commission nor any person acting on the Commission’s behalf may be held responsible for the use whichmight be made of the information contained in this publication. © 2017 – European Union. All rights reserved.