THE DATA PROTECTION PARADIGM for THE TORT OF PRIVACY IN THE AGE OF BIG DATA

• Citation: (2015) 27 SAcLJ 789
• Author: Hannan LIM Yee Fen BSc, LLB, LLM(Hons)(University of Sydney);, Advocate and Solicitor(Singapore);; Associate Professor of Business Law, Nanyang Technological University, Singapore.
• Date: 01 December 2015
• Published date: 01 December 2015

It will be argued in this article that the legal scholarship on the common law tort of privacy in the US and some Commonwealth countries have not produced any meaningful concept of privacy appropriate for the age of big data. Due to the nature of digital information, a better paradigm for protection can be found in the European Union data protection regime. This article will also evaluate the Singapore Personal Data Protection Act (Act 26 of 2012) in this regard.

1 As legal scholar Raymond Wacks has commented, “the discourse on ‘privacy’ is anything but coherent”.1 Furthermore, “the voluminous literature on the subject has failed to produce a lucid or consistent meaning of a concept”.2 Indeed, Wacks has aptly summed up the current legal landscape. The impetus and framework focus of this article is big data and how big data forces a rethink of the traditional discourse on the common law tort of privacy. The generally accepted concepts of privacy as it is known at common law in the US and in some of the major Commonwealth countries will be considered. These will show the challenges of legal scholars and courts trying to grapple with a massive tort that seems to have no conceivable boundaries. This will be followed by a comparison with the key features of the 1995 European Union (“EU”) Data Protection Directive (“Data Protection Directive” or “the Directive”).3 It will attempt to show that the Directive covers many of the areas that common law privacy has been grappling with; it also provides a workable and sensible blueprint for a restructuring of privacy law in the age of big data. It is the unifying legislation that can more appropriately deal with privacy encroachments than the current

jurisprudence. Finally, the article will consider the position in Singapore.

2 It should be highlighted at the outset that in the age of big data, consideration of privacy is not merely academic, nor does it only have a place in high theory. The issues at stake here are associated with the facilitation of cybercrime and criminal activities in the physical world. In order to elucidate this, this article will begin by examining what exactly big data is and its potential contribution to criminal activities.

I. Big data

3 With endless and rapid advancements in technology, the law must adapt to new possibilities made available by innovation. In this regard, the privacy of individuals has been at stake since the advent of computers and computing networks, especially the Internet, but never before has the privacy of individuals been at greater risk than now with the rise of big data.

4 Data has always been collected even well before the invention of the computer and digital technology but computer hardware and software technologies and computer networks, and the increasing power and speed of all of these, have given unprecedented opportunities for data to be combined, matched, analysed, used and disclosed in ways unimaginable. There has also been an exponential growth in the volume of data collected, much greater data storage capacity and the increased ability to connect previously discrete data networks.

5 There is no precise definition of “big data” but it generally refers to the collection and analysis of unusually large datasets. The data is both structured and unstructured data generated from diverse sources in real time, in volumes too large for traditional technologies to capture, manage and process in a timely manner.4 The datasets typically come from a variety of industries and settings, and the sources are often consumer and social media related with tracking technologies allowing the datasets to be combined and often matched. Some of the sources include websites, blogs, news feeds, social media, and public and private databases.5

6 Jules Berman describes big data as being characterised by “the three Vs”. First, there must be volume, meaning large amounts of

data. Secondly, there must be variety, meaning that “the data comes in different forms, including traditional databases, images, documents, and complex records”.6 Lastly, there must be velocity, which means:7

… the content of the data is constantly changing, through the absorption of complementary data collections, through the introduction of previously archived data or legacy collections, and from streamed data arriving from multiple sources.

7 Vast amounts of data are being created and collected everyday by the interactions of billions of people using computers, mobile phones and other electronic devices. Online or mobile financial transactions, social media traffic and global positioning system co-ordinates now generate over 2.5 quintillion bytes of big data every day.8 Even the humble cash card and In-Vehicle Units used in Singapore-registered cars are amassing data every day and, within the next few years, these In-Vehicle Units can be used to track the whereabouts of cars at all times.9

8 When all such large datasets are collected and combined, big data reveals information about individuals that simply was not knowable in previous generations. It reveals who a person talks to, what is said, where he goes, where he works, who he works for, who his family members are, where he eats, what he eats, what he purchases and so on. It gives insight into likes and dislikes, hobbies, financial statuses, employment, and even criminal histories. Most activities involving electronic equipment can be traced and tracked. The metadata from mobile phones, for example, can reveal the location and time of a call, text message, or e-mail.10 Location data can be then used to identify where a person sleeps, where he works, whether he is in fact working at the office as he claims or on the golf course, who he drinks beer with, what medical professionals he visits and what political or religious gatherings he attends. Since 2010, in addition to metadata, Apple iPhones have also been collecting data through Siri, the talking, question-answering application. Apple has been feeding it data since 2010, and now, with people supplying millions of questions each day,

Siri has been learning and it is becoming an increasingly adept personal assistant, and even a “friend” for those who are autistic.11

9 The advances of facial recognition software and biometric identification technologies have made it even easier to collect information about individuals. Facial recognition software can identify a person by comparing the person's face to a database of stored faces.12 As sources of photographs proliferate, especially on social networking sites such as Facebook, the utility and ease of the technology will expand more rapidly. Biometric identification technologies essentially utilise individuals’ biological characteristics to identify them, so they rely on features such as irises, tattoos, scars, shape of people's ears and the gait they may have.13 Like facial recognition software, once a scan is done, comparison is made with a database of stored biometric data.14 Once a person is identified, other information about him can be added to give a fairly comprehensive profile of that person.

10 A recent invention that is a rising cause for privacy concerns is the domestic drone, or unmanned air vehicle. Hobbyists can purchase drones relatively easily as they are now widely available and affordable. Drones can fly at high altitudes, be fitted with high-power zoom lenses with recording facilities, and also have night vision.15 Thus, drones have the capacity to fly outside the window of an apartment on the 26th floor looking in at unsuspecting residents in various states of undress.16

11 In short, big data can create a revealing profile of the person one is. Personal information is extremely valuable, and has become even more so in the era of big data.17 This information can, of course, be used commercially by firms for strategic or marketing purposes. Indeed, companies like Facebook have, as their business model, the acquisition and sale of personal data. Some have bluntly asserted that Facebook's users are really Facebook's product because Facebook sells information

about its users to advertisers.18 Further, with Facebook's acquisition of the instant messaging application company WhatsApp in 2014, Facebook can easily build almost perfect profiles of individuals without recourse to external sources of data.

12 A much greater risk of big data is when vast amounts of personal information fall into the hands of criminals. Unlike physical property, once personal information has been disseminated, it cannot be “recovered” or taken back. This in particular poses long-lasting privacy implications because some kinds of personal information cannot be changed, like one's height, date of birth or irises. Much damage can result from the criminal misuse of personal information, in terms of personal bodily harm, monetary loss, and even psychological harm. It is all these harms that are at the centre of privacy in the 21st century. Personal information and profiles can be used for impersonation, fraud and identity theft which are largely monetary harms. They can also be used to harm the physical, psychological and emotional well-being of individuals if the personal information is used to, for example, stalk a victim or to bully or harass a victim. In effect, having intimate and vast knowledge about an individual gives the perpetrator control and power over the victim as he knows the victim's every move and his every like and dislike.

II. In the beginning: The Warren and Brandeis conception of privacy

13 A precise definition of privacy is elusive as the concept encompasses various different meanings. The concept has been the subject of much academic discussion and writing since the influential article by Samuel D Warren and Louis D Brandeis was published in 1890.19 The article was reportedly inspired by the rise of newspapers, photography and other technologies with the potential to publicise...