By Patrick Van Eecke & Mathieu Le Boudec
Last week, a resolution on big data was adopted under the auspices of the 36th International Conference of Data Protection and Privacy Commissioners (hereafter: “ICDPPC”). After earlier guiding documents released this year by, among others, the Executive Office of the President of the United States, the Information Commissioner’s Office (UK), the Working Party 29 and the European Data Protection Supervisor, this resolution is yet another confirmation of the attention big data gets from regulators worldwide.
During the yearly conference national, regional and local data protection authorities gather to discuss privacy-related concerns and challenges with legal experts but also with actors from the economy, the industry or civil society. Some sessions are accessible for everybody, others are reserved to data protection authorities only. These closed sessions result in the adoption of resolutions on topical issues which reflect the point of view of the “community of data protection authorities”.
This year one of these topical subjects was big data, i.e. the ability to store and analyse massive amounts of data. The notion is often described by referring to the 3 V’s:
- Volume (very large datasets are used);
- Variety (data from different sources are often combined); and
- Velocity (both in terms of collection and processing of the data).
According to the ICDPPC, big data entails a new way of looking at data, to a large extent involves the reuse of data and its value may lie in its ability to make predictions. The ICDPPC also notes that use of big data is expected to bring substantial benefits for society.
However, the ICDPPC points out that when personal information is implicated, big data raises some important issues with regard to privacy, protection against discriminatory outcomes and the right to equal treatment. Notably, big data seems to challenge some key privacy protection principles such as the principle of purpose limitation according to which personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes or data minimisation, i.e. the data collected should not be excessive in relation to the purpose and not be retained longer than necessary.
In its September 2014 Statement on big data the Working Party 29, a European advisory body on data protection legislation and composed of members of the EU national data protection authorities, confirmed that the EU legal framework for data protection is applicable to the processing of personal data in big data operations. Whilst acknowledging that the application in practice of key data protection principles such as data minimisation and purpose limitation might require some innovative thinking, the Working Party 29 stated not to believe that a substantial review of these principles, as asserted by some stakeholders, is necessary to enable big data operations to take place.
The resolution of the ICDPPC holds a comparable view stating that “the protection provided by these privacy principles is more important than ever at a time when an increasing amount of information is collected about us. The principles provide the foundation for safeguards against extensive profiling in an ever increasing array of new contexts. A watering down of key privacy principles, in combination with more extensive use of Big Data, is likely to have adverse consequences for the protection of privacy and other fundamental rights.”
The legal concerns relating to profiling seem to be a recurring theme for the ICDPPC taking into account its Uruguay Declaration on Profiling (2012) and its Warsaw Resolution on Profiling (2013).
In concrete terms, the Mauritius resolution on big data from last week calls upon all parties making use of big data:
- To respect the principle of purpose specification.
- To limit the amount of data collected and stored to the level that is necessary for the intended lawful purposes.
- To obtain, where appropriate, a valid consent from the data subjects in connection with use of personal data for analysis and profiling purposes.
- To be transparent about which data is collected, how the data is processed, for which purposes it will be used and whether or not the data will be distributed to third parties.
- To give individuals appropriate access to the data collected about them and also access to information and decisions made about them. Individuals should also be informed of the sources of the various personal data and, where appropriate, be entitled to correct their information, and to be given effective tools to control their information.
- To give individuals access, where appropriate, to information about the key inputs and the decision-making criteria (algorithms) that have been used as a basis for development of the profile. Such information should be presented in a clear and understandable format.
- To carry out a privacy impact assessment, especially where the big data analytics involves novel or unexpected uses of personal data.
- To develop and use Big Data technologies according to the principles of Privacy by Design
- To consider where anonymous data will improve privacy protection.
- To exercise great care, and act in compliance with applicable data protection legislation, when sharing or publishing pseudonymised, or otherwise indirectly identifiable, data sets. If the data contains sufficient detail that is, may be linked to other data sets or, contains personal data, access should be limited and carefully controlled.
- To demonstrate that decisions around the use of Big Data are fair, transparent and accountable. In connection with the use of data for profiling purposes, both profiles and the underlying algorithms require continuous assessment. Injustice for individuals due to fully automated false positive or false negative results should be avoided and a manual assessment of outcomes with significant effects to individuals should always be available.
We will of course further inform you about any new regulatory initiatives relating to big data.