Offering what perhaps are the obverse attractions of nano-technology, Big Data’s giga-analytics can produce macro-level pictures of trends, pathways, and patterns that might reveal pictures hitherto unseen even by the data owners. Such tele-analytics allow not only a better understanding of what may be happening here and now, but a reliable basis for predictions of what is to come.

Aside from the obvious attraction for commercial suppliers trying to understand, predict, and influence consumer behavior, Big Data analytics also holds out a phenomenological capability for law enforcement agencies in trying to understand, predict, and influence behaviors of offenders and potential offenders.

As Professor Akghar from CENTRIC² puts it, “When we look at ways to advance the use of data and analytics for public security and safety, the potential has never been greater. We now have the computing power to not only understand past events, but also to create new knowledge from billions of data points—quickly. In minutes, we can run analyses that used to take days” (Akhgar, 2014).

Take, for example, successful work in Greater Manchester ³ that has shown the power of having a range of agencies literally in the same room. Why not have the totality of their data virtually present in the same place, too? Because Big Data can be applied to mass datasets to reveal high-level trends and patterns, it might be thought that the extent to which it can assist in preventing and detecting criminality is limited. Not necessarily. As the Article 29 Working Party⁴ noted, not only can the awesome capability offered by Big Data be used to identify general trends and macro-correlations, it can also be processed—rapidly and almost effortlessly—to directly affect the individual.⁵

From a practical operation perspective, then, there is a vast potential for Big Data in law enforcement. From a legal perspective, the point at which Big Data focuses this astonishing power on individuality can become highly contentious. One such point is where it is used for law enforcement, whether that is in the context of criminological extrapolation or criminal suspect extradition.

The challenging question from a pragmatic law enforcement perspective is: If information is lawfully held within the databases of willing and socially responsible organizations that might help prevent people becoming victims of crime or bring perpetrators to justice, why would LEAs not only feel justified in accessing those data but obliged to do so?

Part of the answer is that the application of informatics within a law enforcement environment is arguably different from that of Big Data application in most other settings. There are several strands to the answer, first among which is the high level of legal regulation of this area. Yes, there are substantial and significant exceptions within most legal data frameworks to allow access by LEAs to data held by others, particularly when their principal purpose is to prevent or investigate crime or pursue the interests of national security, but they are not always that clear and seldom amount to a blank check. Before looking more closely at some of the components of the law enforcement dilemma, it is necessary to look at the broad components of the legal framework within which the pragmatic law enforcement activity takes place.

The second, less familiar system arises from the jurisprudence of the Court of Justice of the European Union (ECJ), which guarantees the protection of fundamental human rights within the EU. Respect of these rights is part of the core constitutional principles of the EU. Both systems are engaged by some activities around data capture, retention, and analysis, but a key distinction in relation to Big Data is that for most purposes, human rights protections treat the protection of personal data as a form of extension of the right to privacy.⁸ (Article 8 of the European Convention on Human Rights incorporates this in the respect for an individual’s private and family life, home, and correspondence.) Article 8 prohibits interference with the right to privacy, except where such interference is in accordance with the generally applicable departures from the Convention article necessary in a democratic society.⁹ The EU Charter of Fundamental Rights, however, specifically enshrines data protection as a fundamental right in itself (somewhat unhelpfully under Article 8). This is distinct from the protection of respect for private and family life (Article 7). The Charter also establishes the principle of purpose limitation, requiring personal data to be processed “fairly for specified purposes” and stipulating the need for a legitimate basis for any processing of such data.

Even the EU’s own legal framework for enshrining rights and freedoms for data subjects is not immune from challenge. For example, the ECJ found that the Data Retention Directive¹⁰ allowed the data retained under its aegis to be kept in a manner so as to allow the identity of the person with whom a subscriber or a registered user had communicated to be revealed as well as identify the time of the communication and the place in which that communication occurred.¹¹ The Directive sought to ensure that data were available to prevent, investigate, detect, and prosecute serious crimes, and that providers of publicly available electronic communications services or of public communications networks were obliged to reveal the relevant data. The ECJ held that those data might permit “very precise conclusions to be drawn concerning the private lives of the persons, whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.” The ECJ also held that the retention of data might have a chilling effect on the use of electronic communication covered by the Directive on the exercise of freedom of expression guaranteed by Article 11 of the Charter of Fundamental Rights.¹²

Then there is the indiscriminate—or at least non-discriminating—nature of Big Data analytics. The automation of processing is not just a strength; it is almost a sine qua non of Big Data use. The dilemma for agencies tasked with the exercise of discretionary powers is that the greater the automation, the less scope arguably there is for intervention by the controlling mind and the application of discretion (which, as once described by Lord Scarman,¹³ is the police officer’s daily task). Much has been written and said of the use of “non fault” or “without cause” powers by the police and the absence of Scarman’s “safeguard of reasonable suspicion” (see, e.g., Staniforth, 2013), and the general trend for law enforcement in the UK has been to move away from the blanket applications of powers.

Interference by a member state with an individual’s rights under the European Convention must be “necessary in a democratic society” and have a legitimate aim to answer a “pressing social need,” but even then an identified interference must be proportionate and remains subject to review by the Court (Coster v. United Kingdom, 2001; 33 EHRR 479).¹⁴ Whereas the relationship between accuracy and reliability is clearly important in any form of data analysis, when the analysis is used at the level of the individual, biometrics, demographics, and social epidemiology take on a different legal quality. Almost by definition, Big Data deals with the supra-personal, the yotta-aggregation of data that is unconcerned with the binary constructs of personal identity and individuality.

However, the Working Party puts it thus: “The type of analytics application used can lead to results that are inaccurate, discriminatory or otherwise illegitimate. In particular, an algorithm might spot a correlation, and then draw a statistical inference that is, when applied to inform marketing or other decisions, unfair and discriminatory. This may perpetuate existing prejudices and stereotypes, and aggravate the problems of social exclusion and stratification.”¹⁵

Just how little information Big Data needs to pinpoint an individual can be seen in Tene’s (2010) graphic citing of research that has shown how “a mere three pieces of information—ZIP code, birth date, and gender—are sufficient to uniquely identify 87 per cent of the US population.”

Purpose limitation, which has parallels in other jurisdictions (such as Article 6 of Law n. 121/1981 in Italy; see Chapter 16 for more information), has two components. First is purpose specification, which means that the collection of certain types of data such as “personal data”¹⁷ must be for a “specified, explicit, and legitimate” purpose. The second element of purpose specification is “compatible use.” This means that the data must not be further processed (see below) in a way that is incompatible with those purposes.

Arguably, the whole concept of Big Data analytics is predicated on some further perhaps even ulterior processing of data collected as a separate set or for a different, more specific purpose. The subsequent use of data represents a key barrier to lawful processing because of the requirement for compatibility. That is not to say that there can be no further processing, but such processing as there is will generally need to be compatible with the original lawful purpose or be exempt from that compatibility requirement. Even the recycling of personal data that has already been made publicly available remains subject to the relevant data protection laws.

An important aspect of the further processing issue is the nature of the relationship between the controller and the data subject; in general terms, compatibility assessments should be more stringent if the data subject has not been given sufficient—or any—freedom of choice.

Exemptions for processing personal data within the UK are widely drafted and include purposes such as the administration of justice, statutory functions, and public interest provisions, which cover the work of a whole range of public bodies. However, the number of community outcomes for which the police alone are responsible is vanishingly small and (certainly in the UK) almost every activity that keeps people safe and thriving is the product of collaborative enterprise and partnership. This level of engrenage is not specifically reflected by the law regarding data protection and processing. There are restrictions on data sharing, particularly when the organizations involved are in different jurisdictions. Then there are limitations on the aggregation and analysis of huge datasets generally, which can present barriers to the proper activities of LEAs and problems regarding reliability of extrapolation, interpolation, and identification. Public bodies such as police forces have no general power to share data and must do so only when they are able to indicate a power (expressed or implied) that permits them to do so.¹⁸

A key challenge of Big Data for law enforcement therefore arises from the almost total reliance on partnerships within the British neighborhood policing model, which makes sectoral and functional separation (i.e., separation into public health, education, research) all but impossible. The best one can hope for is to identify the legitimate outcomes toward which the law enforcement partnership is working, understand the key elements of the relevant data protection framework applicable to that setting, and aim for compliance.

The relevant legislative frameworks, however, presuppose a “neat dichotomy” (Tene, 2010), whereas the increasingly collaborative manner in which businesses operate precludes a neat dichotomy between controllers and processors. Many decisions involving personal data have become a joint exercise between customers and layers upon layers of service providers. With the rise of cloud computing and the proliferation of online and mobile apps, not only the identity but also the location of data controllers have become indeterminate (Tene, 2010).

This is challenging enough when the LEAs and partners are within EU members states. When non-member states are involved—as occurs in many cases particularly involving serious organized crime—there is an additional requirement of “adequacy of protection.” It is a key principle of the relevant legislation in member states that personal data must not be transferred outside the European Economic Area (EU member states and Norway, Iceland, and Lichtenstein) unless there is an ensured adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Some key features of Big Data, such as behavioral targeting, have a different cachet in LEA settings, and the history of data processing within UK policing has not been without its difficulties. There have been various legal challenges to the use and retention of personal data by the police: for example, S & Marper v. United Kingdom (2008) ECHR 1581 (police retention of DNA samples of individuals arrested, but who are later acquitted or have the charges against them dropped, was a violation of right to privacy) and R (on the application of GC & C) v. The Commissioner of Police of the Metropolis (2011) UKSC 21 (successful challenge of a policy of the Association of Chief Police Officers allowing indefinite retention of biometric samples, DNA and fingerprints for an indefinite period save in exceptional circumstances).

Police monitoring of public protests has produced a series of legal challenges for which LEAs have not always managed to achieve the fine balance between the obligations of the state to ensure the security and safety of its citizens and its duty to ensure the protection of their human rights and fundamental freedoms (see The Queen (on the application of Catt) v. The Association of Chief Police Officers of England, Wales and Northern Ireland and The Commissioner of Police for the Metropolis (2013) EWCA Civ 192). The Catt case involved a lawful demonstration and the indefinite retention of data about the applicant on the National Domestic Extremism Database. The case shows that even where the relevant event takes place in public, the recording and retention of personal data about individuals involved can be an unlawful interference with the right to respect for private life under Article 8 of the European Convention of Human Rights.

Aside from the litigious challenges over operational retention and use of personal data, the police have also experienced the ignominy of having their official recognition removed by the Office for National Statistics because their data processing approaches for recording crime were found to be unreliable. The police found themselves the subject of a Parliamentary report called “Caught red handed: Why we cannot count on police recorded crime statistics,” published by the Public Administration Select Committee,¹⁹ whose chair, Bernard Jenkin, MP, said in the press release accompanying the report: “Poor data integrity reflects the poor quality of leadership within the police. Their compliance with the core values of policing, including accountability, honesty and integrity, will determine whether the proper quality of Police Recorded Crime data can be restored.”²⁰ Shortcomings in data quality and reliability in the LEA context are not just about compliance and can have real and immediate detrimental impacts on and within the criminal justice process.²¹

The Public Administration Committee’s report was followed by a report of HM Inspector of Constabulary on the reliability of crime recording data created and maintained by the police forces of England and Wales.²² The interim report published on May 1, 2014, which drew upon several previous reports, referred to the Inspectorate’s “serious concerns” in the integrity of police crime recording data.

Conversely, the failings of the police in England and Wales to retain relevant data in a searchable and shareable way, so as to enable the tracking of dangerous offenders such as Ian Huntley,²³ were widely reported and criticized in the Bichard Report,²⁴ which led to wholesale changes in the police approach to operational information technology capabilities.

The corrosive effect of such cases and the media’s reporting of them can be expected to damage public trust and confidence in the police and to affect the legitimacy they need to operate. When taken against the wider international context of “data-gate” and the Snowden revelations²⁵ of how governments have been using Big Data analytics and high-tech information and communications technology monitoring capabilities, this reduced trust and confidence represents a serious impediment to even the lawful and compliant use of Big Data by LEAs in the future particularly as we move into an era of “omniveillance” (Blackman, 2008).

When it comes to Big Data, the higher the stakes, the greater the challenges for LEAs that risk being condemned for not using all available data to prevent terrorist atrocities or cyber-enabled criminality and damned if they do so to the detriment of individual rights and freedoms.

As Polonetsky and Tene (2013) put it: “The NSA revelations crystallized privacy advocates’ concerns of sleepwalking into a surveillance society’ even as decision-makers remain loath to curb government powers for fear of terrorist or cybersecurity attacks.”

One thing seems certain: The continued expansion of Big Data capability will inflate the correlative dilemmas it presents to our LEAs.

The resolution of the dilemmas of Big Data for LEAs—and by extension, for their partners in key areas such as safeguarding, fraud prevention, and the proper establishment of the rule of law in cyberspace—will be as much a challenge for the law as the technology. The dilemmas for LEAs are but one example of how our legal systems and principles need to catch up with the practices of their citizens’ lives. It will need a new breed, a form of lex veneficus,²⁶ perhaps, to work alongside the technical wizards who have set the height of the Big Data bar.