The recent revelation that Zhenhua Data, a Chinese firm based in Shenzhen, harvested the personal information of 2.4m global citizens has brought the dangers of big data analytics into sharp focus again.
I say “again” because the Facebook/Cambridge Analytica incident previously exposed how the personal data of up to 87m Facebook users could be collected after just 270,000 people used a Facebook app titled “Your Digital Life”, which then gave it access to the users’ friends’ wider network. That meant only a fraction had consented to that access, and the app breached Facebook’s own terms of service when it passed the data to Cambridge Analytica, which then used that data for what it termed psychographic analysis, despite the majority of data subjects neither consenting to nor being aware of that use of their data.
In the case of Zhenhua Data, the data was acquired without any apparent attempt to obtain any consents. The ensuing public concern flowed not just from the scale of the constructed database and the sophistication of collection methods, but also from the purpose behind it. Whilst a significant proportion of the information was from open public sources, such as social media, that proportion was put to purposes that were never expressly consented to and, for many, never envisaged.
It does not follow that those who use social media or open source platforms wish their information to be made public or used as intelligence or influence tools by unknown parties in unknown locations. Agglomerated data, where vast amounts of personal information are amassed, can be applied to all manner of nefarious applications such as disinformation campaigns, the exertion of political influence, bribery and propaganda. Agglomeration is a data game changer; it reveals behaviour patterns and provides insights that were not previously visible. In the wrong hands, it can be an instrument of hybrid warfare.
The question that should spring to mind is ‘how can this still happen?’ The General Data Protection Regulations 2018 (GDPR) expressly safeguard the personal information of Europeans (this includes the UK) and are extra-territorial in that they can apply to non-EU organisations, such as those in China or elsewhere, by virtue of targeting criteria. A key targeting criterion is where the processing of personal information is related to monitoring the data subjects’ behaviour in the EU. On any view, monitoring seems to be precisely what took place here. And yet, despite regulations prohibiting such behaviour, there are no signs of active enforcement.
The impotence of our regulators when it comes to global enforcement of our individual data rights is a problem that must now be addressed. Laws that are not enforced are worthless, and those that are enforced selectively will appear unjust. In Europe, the individual is supposedly paramount as regards the ownership of their personal information. It is time that those we trust to guard our information step up and take action when entities, whether within or without the EU, infringe our rights.