Data Protection Regulations: A Blessing or Curse? (Part 1)

The magnitude of personal information that individuals make available, either knowingly or unknowingly, is growing at an exponential rate. The term big data was coined to describe the large volume, high velocity and wide variety of both structured and unstructured data that is processed on a daily basis.[1]

Over the years, companies and governments have stored information about their clients, employees and citizens – giving rise to a number of security and privacy concerns. Personal data held by organisations is legally protected as it may become subject to misuse and unauthorised access by third parties, which can lead to issues such as fraud and identity theft.

The purpose of data protection regulation is to ensure that individuals are aware not only that their personal data is being collected, processed and stored, but also of its high value. These sets of laws strive to prevent privacy violations through regulatory frameworks that securely monitor how personal data is processed by placing responsibilities on data controllers, who determine its end purpose. By setting high standards of regulation, these policies also seek to ensure “the free flow of personal data,” which is ultimately beneficial to the organisations that comply.[2]

Companies & Personal Data

According to Article 2 of the European Union’s (EU) Directive 95/46/EC, personal data is defined as “any information relating to an identified or identifiable natural person.”[3] This can include name, address, email, phone number, bank account or credit card information, as well as more sensitive personal data such as health records, religious views and political affiliations. Similarly, in the United States, the Department of Labour defines personal data or personal identifiable information (PII) as “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”[4]

Companies collect a wide variety of personal data to gain a holistic understanding of current and prospective clients. Volunteered data includes information shared by an individual via social media platforms; observed data includes information collected by monitoring an individual’s actions via location services on handheld devices; and inferred data describes the conclusions derived by analysing both volunteered and observed data.[5]

Some of the most influential companies – Google, Facebook, Snapchat, Uber and Amazon – consider personal data a valuable “asset” to their business processes.[6] They use the information to gain a better understanding of their audience, allowing them to create effective business and marketing strategies for prospective customers. In addition, companies can offer more personalised services to their existing customers by analysing not only their previous purchases but also their feedback and activity on social media platforms. By exploiting big data, companies can innovate and create new products and services.

Unfortunately, this data-driven mindset has created an imperative that drives corporations and governments alike “to create surveillance technologies that infiltrate all aspects of life and society” in order to extract data and discover underlying patterns.[7] Therefore, the question remains: to what extent can companies and governments continue to collect personal data without violating an individual’s right to privacy?


The following article is the first of a two-part series focused on data protection, written by Yancho Yanchev and Stanley Rowe of Cubism Law's European Practice Group.