Big data privacy and security issues are areas to watch for two reasons: 1) there are many unanswered legal questions, and 2) the law always lags technology.

Let’s first take a look at the data privacy issue from the perspective of the consumer.

The Fourth Amendment of the U.S. Constitution guarantees an individual’s right to privacy. This amendment specifically safeguards “the right of the people to be secure in their persons, houses, papers, and effects,” but it is only effective against government intrusions — meaning private companies that have your data are exempted. One must also have standing to claim protection under this amendment. In other words, to make a privacy violation claim, one must first demonstrate that there was a reasonable expectation of privacy.

Only U.S. governments and governmental agencies are subject to Fourth Amendment privacy protections. Also, any personal information that is in the public records (e.g., marriage records and real estate records) is freely available and is therefore not considered private. This means that a majority of consumers whose information is collected through system of record and big data systems like GPS data aggregation can do very little about that data.

Companies in privacy-sensitive industries like banking, insurance, and healthcare are keenly aware of the privacy issues; it is why these businesses (and their industry regulators) issue privacy policy statements to customers annually that state their data privacy policies, and what information the companies will choose to share (or not share) with others. When we get these privacy notifications, most people toss them, because we feel relatively secure that the company will do a good job with the data it collects on us.

But then there is the other side to the data issue: Some companies that gather vast repositories of data on their consumers repackage this data into a side business where the data is sold to others. This creates a new revenue stream for the business, with an implication that the company storing your private data owns that data and has a right to resell it.

“Data privacy is a very hard issue,” said Michael Morton, chief technology officer at Dell Boomi, a cloud integrator. “If I’m a consumer, I’ve read the company’s privacy statement and I’ve uploaded all of my data into an account at that company, but I don’t understand what they’re doing with my data. If the product from them I’m using has GPS, for example, and is also aggregating other information about me, what are they learning from my data?” An additional question is: Who else might these companies be selling this data to?

Selling the data is big business. Google and Facebook have business models that profit from user data, and in the UK, British ministers began looking at changes in 2014 that would allow HM Revenue & Customs to sell taxpayers’ data to third parties.

The unanswered legal questions are:

  1. Should you have ownership (and profit) rights in the information about you?
  2. Even if you don’t have ownership rights, should you have a voice in who the company you are doing business with sells your data to?

The way these legal answers are ultimately gained is through case law, which slowly evolves as lawsuits are litigated and decided.

Dell Boomi’s Morton mentioned that the problem is further muddled when companies begin to aggregate data into new and unique combinations.

“Let’s say I’m a vendor and I have a broad product line and my objective is to make my products better,” he said. “I can’t do this without aggregating data from other vendors’ equipment that interfaces with my own, so I acquire their data….You can see the cascading privacy and security problems for consumers as vendors exchange, mix and match data.”

In the face of these unresolved issues, here are three things consumers and businesses can do.

1: Businesses, continue issuing privacy policy statements that clearly tell your customers about the practices you will exercise with their data to eliminate any confusion about the matter.

2: Consumers, read the privacy policy statement from your vendor instead of just throwing it away. The statements might say that your vendors will be sharing your data with third parties, which you may or may not want it to do.

3: It is time-consuming, painful, and expensive to wait for the legal system to build up enough case law to establish data privacy precedents and guidelines. In addition, it’s important to consider that different countries use different legal systems. It would be far better if companies worldwide could agree to a set of privacy standards that would define the rules, much as they have in areas like communications/internet protocols and universal software interfaces.

Note: TechRepublic and ZDNet are CBS Interactive properties.