DATA PROTECTION IN THE BIG DATA ERA: THE CHALLENGE IS LAUNCHED
In the early 1990s, the fast development of computers with processors capable of delivering better performance and increased storage capacity contributed to the onset of the so-called “information economy”. Rewards of the information society are easily found through smartphones, computers and information technology systems increasingly present in small, medium and large-size companies (MAYER-SCHÖNBERGER; CUKIER, 2013, p.4). The Big Data represents a relatively recent data revolution, which has its magnitude confirmed by the numbers linked to it, is rapidly growing exponentially around the world, with huge consequences for society, regardless of social class, and which is characterized by the collection and processing of a large volume of data and obtaining information at a speed almost impossible to imagine (BAGNOLI, 2016, p. 7). Therefore, to deal with Big Data is to face an informational flood.
The term ‘Big Data’ refers to datasets of which size is beyond the ability of a traditional database tool to capture, store, manage, and analyze, representing the next boundary for innovation, competition, and productivity. Volume (large volume), velocity (fast generation and processing of data), variety (data and sources), value (intangible heritage), veracity (accuracy) and validation (understanding and compliance), or the “6V’s”, are virtuous characteristics linked to Big Data (BAGNOLI, 2017, p.397) and that composes its concept.
The data collection ubiquity present in today’s Society, made possible by the constant use of Internet-connected devices, the lower storage costs, the increasing power of capture and the capacity of computers, motivates the increasingly wide exploitation of the benefits provided by Big Data. The different media and equipment connected to the Internet is such that the term “Internet of Things” (IoT) has been replaced by “Internet of Everything” (IoE). By the year 2020, it is estimated that by 2020 there will be 30 billion equipment units permanently connected to the Internet, and another 200 billion equipment units intermittently connected, each of them producing data (MENDES, 2017, p.22), of which procedure of information extraction relevant to the world business or the State would be the purpose of processes of identification, organization, deletion, selection, understanding, mining, interpretation and storage of collected data.
There are two core characteristics inherent to Big Data that bring great challenges to their legitimate exploitation. The first one is that Big Data analysis often reveals the possibility of using the data collected for a purpose different from that initially proposed. The second is related to the volume of data collected, which are often not much better and more valuable than those traditionally found in structured databases (KALYVAS; OVERLY, 2015, p.33). Therefore, there are economic and social impacts of Big Data, since it enables unprecedented predictions about private life and displaces or strengthens the power of those who hold information (HIJMANS, 2016, p. 98). Such characteristics challenge principles to be observed in the processing of personal data and the right to privacy, which end up imposing limits on the exploitation of Big Data due to its intimate capacity to interfere in the establishment of fundamental individual rights.
The General Data Protection Regulation (GDPR), which has been in force in the European Community since May 25, 2018, includes in its Article 5, six basic principles for personal data processing, which are translated into: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity and Confidentiality. Among other important issues, the principle of purpose set out in the General Data Protection Regulation (GDPR) Article 5.1 (b), suggests that personal data must be “recogidos com fines determinados, explícitos y legítimos, y no serán tratados ulteriormente de maneira incompatible com dichos fines.”
This is one of the big barriers to be faced when it comes to Big Data. This is because many of the tools used in Big Data are exactly based on the gathering and binding of collected data of the most different forms, origins, moments, contexts and for different purposes, that are often not even known at the moment of the data collection. Not infrequently, the purpose or even usefulness of the data is known only after its collection and treatment, making the compliance to such principles a rather difficult task to complete, and perhaps adverse to the very essence of Big Data.
In Brazil, Law 13.709 of August 14, 2018, also known as the General Data Protection Law (LGPD), counted on contributions from the academic community, civil society and representatives of the private sector for its development. The LGPD, recently promulgated by the President of the Republic, although some provisions in the original text were decided against, changes the legal and economic scenario of the country in a significant way. As in the case of the European legislation, the LGPD imposes a series of obligations and rules to be met by those who wish to explore activities related to the collection and processing of personal data. The LGPD contains very similar provisions to those laid down in the European legislation, including the principles to be observed in the activities of processing personal data, that are: Purpose; Adequacy; Need;
Free Access; Data Quality; Transparency; Security; Prevention; Non-Discrimination; Responsibility and Accountability.
Keeping a certain similarity with Article 83 of the GDPR, the Brazilian law, in its Article 52, provides a list of penalties for infringements to the regulation, the possibility of applying a simple or daily fine of up to 2% of the legal entity governed by private law billing, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limiting it, in the total, to BRL 50,000,000.00 per infringement, in addition to other penalties such as the publication of the infringement and block or deletion of the personal data. The LGPD also establishes parameters and criteria for the application of sanctions, which should be proportional to the seriousness of the infringement. These criteria and parameters consist of the analysis of the seriousness and nature of the infringements and personal rights affected; on good faith, economic condition and the advantage received or intended by the offender and the degree of the damage caused. In addition, the recidivism and cooperation of the offender; the repeated and demonstrated adoption of security mechanisms and procedures capable of minimizing the damage; the existence of compliance policies and the prompt adoption of corrective measures regarding the incident occurred, are issues to be observed for the application of the probable penalties resulting from incidents involving personal data in Brazil.
The enactment of the Brazilian General Data Protection Law inserts the country in the list of those which have adequate protection of personal data, although it is still necessary to overcome a period of 18 months of vacancy of the law, from its official publication for its effectiveness, provided for February 2020. It must be remembered, also, that the norms provided for in the Brazilian Constitution, particularly regarding the fundamental individual rights, including privacy, in the consumer legislation (e.g., Law 8.078/90, Law 12.414/2011), in the legislation that regulates the Internet (e.g., Law 12.965/2014, Decree 8.771/2016) also ensure certain limits and the respect for the fundamental rights and guarantees of the personal data holders, and shall therefore be fully respected.
Following a worldwide trend, the regulation of the activities of personal data processing in Brazil will bring greater security to the market, nevertheless requiring a complete adjustment to the LGPD by the economic agents interested in the advantages obtained through the treatment of personal data and in many of business models that integrate what has been called the 4th Industrial Revolution. This processing of personal data, incidentally, can only be carried out in the cases provided for in Article 7 of the LGPD, which includes consent, compliance with legal obligations, studies, regular exercise of rights, protection of life and credit, health protection, the legitimate interest of the controller and for specific issues, in the case of public administration.
In this way, with no questions as to the advantages provided by Big Data and the processing of personal data to economic agents for market action and to the State for the better development of public policies, regarding the protection of personal data in Brazil, it is necessary to wait and prepare for the effectiveness of the General Data Protection Law, from which activities involving the processing and exploitation of personal data shall be guided.