The challenges faced when data value comes not from its primary (purpose) use but from its secondary use
Thoughts from the ITechLaw 2013 World Technology Law Conference & Annual Meeting, Scottsdale, Arizona
Privacy and Big Data Panel Session: Thoughts regarding Big Data Privacy
Sometimes data is earmarked and collected with a particular purpose in mind. However, one of the many means of leveraging value from Big Data is to take data, and perhaps other amalgamated datasets harvested for other purposes, and to interrogate and analyse that data in a previously inconceivable way. Gaining insights from an existing asset. Mining untapped value. This is an example of the value offered by Big Data; the unrealised riches which so many at Board level are being sold.
Not all Big Data contains “personal data” but much will. We are all familiar with the many and varied regulatory controls and restrictions placed upon data controllers using personal data. One such restriction is known as the “purpose limitation principle”. Under the European Union’s Data Privacy Directive 95/46/EC (“DPD”) today there is a two-limbed purpose limitation set out in Article 6:
1) a requirement that data collection must be for specified, explicit and legitimate purposes; and then
2) an additional requirement that the data collected should not be further processed in a way which is incompatible with those original purposes.
This is currently the law and legal position which has been implemented across all Member States of the European Union (“EU”) as a result of the DPD, but not necessarily a concept typically dwelled on, nor always applied, by data controllers acting in the modern data-rich world. Yet, with recent guidance emerging from Europe, there is renewed focus on these provisions. Guidance has been provoked particularly as technology continues to challenge an increasingly dated regulatory framework.
With the advent of Big Data and the trend for data controllers to increasingly push the boundaries around the potential uses and exploitation of data, we are starting to see specific guidance around the application of EU privacy laws to Big Data. Earlier this month, this conundrum posed by Big Data, and the balance between the rights of the data subject and the new value extraction techniques businesses are gravitating towards, was emphasised by Working Party 29 (a group formed of the EU Member States’ Data Protection Commissioners) (“WP29”). WP29 addressed this specifically by publishing new recommendations in its Opinion 03/2013 on purpose limitation.
Where these recommendations challenge Big Data
The WP29 Opinion both highlights the restrictions imposed by the “purpose limitation principle” and offers some practical guidance in applying these principles to real world examples, including those real world challenges posed by Big Data. Undoubtedly its interpretations are probably narrower and more restrictive than any user of Big Data really hopes, but they do give a sense of the collective view of EU national privacy regulators. The limitation wording makes it clear that any processing must be “specified, explicit and legitimate”. In a sense, a combined test. The data subject should have been made specifically aware of the uses of their data. In addition, any further processing must be “compatible with the original purpose”. In assessing the second limb of the purpose limitation principle, WP29 recommended that any assessment of the compatibility of the further processing with the original purpose should take account of the following key factors:
• the relationship between the purposes for which the personal data have been collected and the purposes of further processing;
• the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use;
• the nature of the personal data and the impact of the further processing on the data subjects; and
• the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
WP29 goes on to state “[p]rocessing of personal data in a way incompatible with the purposes specified at collection is against the law and therefore prohibited”. Not only should there have been sufficient transparency to the data subject at the point the data was collected, but any subsequent uses must be sufficiently related to the original intended purpose. Or perhaps, just because you can, doesn’t mean you should! This potentially restricts the value which can be obtained as a result of some Big Data analysis. It illustrates why, before undertaking any Big Data project, any business should conduct a Big Data readiness assessment.
Of course this limitation is drafted to be technology process neutral and, as with many EU laws, has a broad impact on the use of personal information with different technologies and activities. It illustrates another hurdle imposed by the current regulatory framework and another hurdle to Big Data analysis. Big Data techniques can open new insights, but if the associated processing and analysis is so far removed from the original reason the personal data was collected, it may not be within the law. Equally, it is important to understand the make-up of the data being analysed.
In order to make a Big Data readiness assessment a business needs to understand the volume and content of the data. But in some instances that may be the point of the insight analysis.
A high regulatory hurdle for Big Data
From its recent proclamations, it is already clear that the WP29’s view is that the “purpose limitation” already limits the scope of what a data controller can do with personal data in the context of Big Data analysis activities where that data includes personal information. In the Opinion, the WP29 states “[w]ith all its potential for innovation, big data may also pose significant risks for the protection of personal data and the right to privacy”. For maximum flexibility around use, there must be a relationship between the purposes for which the personal data have been collected and the purposes of any future or further processing.
The WP29 Opinion goes deeper and classifies two Big Data analysis situations. Their thinking is that “[i]n order to identify what safeguards are necessary, it may be helpful to make a distinction between two different scenarios”.
(1) Data processed “to detect trends and correlations in the information”. WP29 sees more scope for flexibility in this scenario: it emphasises a need for “functional separation” to provide an assurance in relation to the segregated processing and confidentiality of that data. This does not necessarily require the explicit consent of the data subject but “data controllers need to guarantee the confidentiality and security of the data, and take all necessary technical and organisational measures to ensure functional separation”; and
(2) In the second scenario, the organisations are interested in actual individuals. This is when the processing of Big Data directly affects individuals and an “organisation specifically wants to analyse or predict the personal preferences, behaviour and attitudes of individual customers, which will subsequently inform ‘measures or decisions’ that are taken with regard to those customers”. In this case specific opt-in consent would almost always be required from the data subject. As ever, such consent should be “free, specific, informed and unambiguous”. Otherwise further use cannot be considered compatible.
The challenges posed when the true variety, volume and velocity of unstructured Big Data is involved are obvious. Particularly when Big Data analysis was never even contemplated when the original data collection took place. Therefore, to maximise freedoms to use and exploit data “specified, explicit and legitimate” notices to data subjects are required. The requirement for specific opt-in consent is a high one and WP29 state “[i]mportantly, such consent should be required, for example, for tracking and profiling for purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research”. From this statement, it is quite clear that a data controller has less flexibility undertaking a Big Data project.
It is better to be transparent with a clear statement of intent around the potential uses of a data subject’s personal data. Statements of intent need to be clearer. All very well for new data collection activities but, where a data subject has not been given explicit and specified insight into the potential uses of their data, then there are no legitimate grounds for its use.
Insight into future hurdles
Going further, with its eyes on the future General Data Protection Regulation, currently under discussion in draft form, WP29 makes recommendations on how these purpose limitation principles could be strengthened. WP29 states that it sees “the history of the purpose limitation concept, both in the EU and beyond … shows that purpose specification and compatible use are essential principles in the system of data protection”. It draws from principles of the Organisation for Economic Co-operation and Development in the argument to assert that this is not just a European concern. That’s one, perhaps inevitable, direction for Europe – tougher limitations.
But should the regulatory framework still be emphasising data minimisation and purpose limitation in an age of Big Data? The individual’s rights seem to trump all, but what if the use of their data has social and global economic benefits which may outweigh these individual rights of privacy? Is specific opt-in always the right approach? Opt-out would be a logistical nightmare to manage across huge datasets, so should there be more emphasis on processing in a secured and controlled way and the means by which information is protected and ultimately used? Perhaps current thinking is outmoded if we are really going to reap the value of Big Data?
Big Data presents more challenges than the “purpose limitation” alone
The purpose limitation principle is just one hurdle in the realm of data privacy compliance and of course, in the context of a large Big Data project, privacy laws should be considered and complied with in the round with intellectual property rights, confidentiality obligations and other contractual restrictions which may or may not be imposed.
WP29 recognise some of the other privacy challenges in their Opinion, which goes on to state that despite its potential for innovation, Big Data may also pose significant risks for the protection of personal data and the right to privacy. In particular, for WP29, Big Data raises concerns about:
• the sheer scale of data collection, tracking and profiling, also taking into account the variety and detail of the data collected and the fact that data are often combined from many different sources;
• the security of data, with levels of protection shown to be lagging behind the expansion in volume;
• transparency: unless they are provided with sufficient information, individuals will be subject to decisions that they do not understand and have no control over;
• inaccuracy, discrimination, exclusion and economic imbalance (as will be discussed further below); and
• increased possibilities of government surveillance.
Coupled with the fact that much Big Data analysis relies on the power of cloud computing and the expertise or services of third party processors, there’s plenty to think about in the new world of Big Data. Whether we’re in danger of stifling innovation and economic value by being too restrictive in the EU about how we can go about leveraging data for business purposes is open for debate.
Technology always has means to make things work in the end.