Legal Implications For Big Data: Ask An Expert

Thadeus Suzenski

This “Ask an Expert” interview is with Joshua Sun, assistant general counsel, SAP Global Legal, whose practice focuses on product development, new business models, and technology partnering initiatives. He is based in the SAP Palo Alto, California office.

What is your involvement with machine learning and artificial intelligence?

I’ve recently started advising the machine learning teams at SAP. I’ve been actively involved in learning this side of the business and how they consume data. My role has primarily been to advise the teams on using data in a manner that is compliant with regulatory laws and helping them to think through the variety of options in utilizing data.

How do you see the market shift going forward?

Currently, many of the machine-learning initiatives involve training machines to perform basic human functions such as seeing, listening, or sorting. We’re training these machines to learn to recognize images or text much in the same way a human might be able to do. We’re also training machines to understand text or natural language.

Once a machine begins to recognize relevant information, the machine can then start to process the information in basic ways, such as sorting and classifying data, which saves time and effort. As we advance from the basic building blocks, machines will be able to perform more sophisticated tasks, learn to perform tasks more efficiently, or provide insights from rapid analysis of large data sets that humans might have missed.

What hurdles do you foresee from a software/implementation standpoint?

As my involvement is less technical and more legal, the obstacles I see tend to be related to obtaining the rights to use data. There is a tremendous demand to find data sources to train and improve our machine learning software, and it is often difficult to keep up with the demand for data. Machine learning requires the use of many types of data—both structured and unstructured.

There are two basic considerations before we can use data for machine learning: (1) obtaining the right to use data; and (2) complying with data protection laws. (I tend to focus on how to obtain the right to use data, while the Data Protection and Privacy team advises on data protection regulations.)

There are many options for obtaining the right to use data. For example:

  • We may be able to purchase a license to use data.
  • We may be able to use publicly available data or open-source data sets.
  • In some cases, we may have the right to use data on our systems for machine learning.
  • Or we may be able to partner with our customers on machine learning projects.

Data protection laws are fixed and non-negotiable, so we work with the teams to figure out whether they really need to use regulated data and whether there are other options. If they need to use regulated data, we advise them on ways to use data in compliance with laws.

What is the most exciting part of AI?

The ability of machine learning to perform many of the basic, mundane tasks that people do and free them to do more interesting activities is undoubtedly one of the most exciting. This also happens to be one of the areas of AI that we believe will come to fruition soon, with wide-ranging impacts and opportunities.

Are there any major regulatory/legal issues on the horizon that you expect to impact the industry?

The European Commission put forth the General Data Protection Regulation (GDPR) in 2012 and approved it in 2016 as a replacement for the Data Protection Directive 95/46/EC. It will come into force in the spring of 2018. In the United States, the Federal Trade Commission has from time to time provided guidance on proper practices for collecting, using, and protecting the privacy of consumers, although much of the focus is on proper disclosure, keeping promises, and maintaining adequate security.

How have current regulations struggled to keep up with the expansion of the industry?

There are a host of issues. One is that every country has different laws, and there isn’t uniformity across geographic regions. As an international company operating globally, for example, SAP needs to comply with a wide variety of regulations. What is regulated and how it is regulated differs from country to country, so we often must find common denominators when we create policies.

Another issue is determining where people are located and whose laws apply. When the EU first passed Data Protection Directive 95/46/EC in 1995, the world was a very different place. With the Internet and cloud services, particularly when those technologies are used by multinational companies, data flows across geographic regions, and you wind up having to navigate many layers of regulation. Rules tend to be broad and can sometimes create obligations that are not necessarily more protective of individuals.

There may be ways to balance protection of individuals while allowing data to be used for productive purposes. For example, the new GDPR introduces the concept of “pseudonymization”—a process rendering data neither anonymous nor directly identifying—as a method of complying with the GDPR’s data security requirements. It also relaxes some requirements when personal data is pseudonymized.

Approaches like this may be helpful to evolving regulation to meet the demands of our changing business landscape.




About Thadeus Suzenski

Thadeus Suzenski is Senior Legal Counsel for SAP SE and is a member of both the Pennsylvania and New Jersey Bar. While his current position predominately involves both drafting and negotiating software services transactions, he also manages field-marketing legal issues and assists with pre-litigation for regulated industries. In addition to his legal functions, Thadeus is charged with writing about Artificial Intelligence & Machine Learning for the company’s Digitalist Magazine. Previous positions at SAP include roles in both Business Operations and Project Management.