The General Data Protection Regulation (GDPR), which was approved at the political level last week, heralds a new era of data protection in the EU and beyond. The GDPR imposes numerous new obligations on companies both within and outside the EU, strengthens the rights of individuals and foresees stiff
Earlier this week, U.S. Federal Trade Commission (FTC) Chairwoman Edith Ramirez gave the keynote address at a technology conference, in which she focused on the privacy challenges of so-called “big data.” Her remarks provide some guidance about what the FTC considers “best practices” in terms of deploying big data analytics without raising privacy concerns.
- Data minimization and sound retention limits. The Chairwoman urged companies to “[a]void the indiscriminate collection of personal information” and suggested that it is not appropriate for companies to “[k]eep data on the off-chance that it might prove useful.” She also suggested that retention limits are appropriate, noting that “old data is of little value.”
- De-identification. She noted that stripping out unique identifiers to render data anonymous can be an effective risk-mitigation technique. She cited the FTC’s 2012 Privacy Report as describing “an approach to de-identification that seeks to balance the benefits of de-identification with the risks that anonymous data will be re-identified.”
- Choice. She called on companies to “focus on consumer choice at the time of collection.” She noted that when consumers decide to share personal data with a business, that consent “is generally limited to the transaction at hand.” She added: “Rarely, if ever, are consumers given a say about the aggregation of their personal data or secondary uses that are not even contemplated when their data is first collected.” Chairwoman Ramirez did not expand on what she believes companies should do to give consumers more of a “say” with respect to the aggregation and secondary uses of their data.