“Data is everywhere. The amount of data on the global level is growing by 50 percent annually. 90 [percent] of the world’s data has been generated within the past two years alone,” explains the International Working Group on Data Protection in Telecommunications in its Opinion of May 6, 2014, titled “Working Paper on Big Data and Privacy: Privacy principles under pressure in the age of Big Data analytics”. The Working Group, founded in 1983, has adopted numerous recommendations and, since the beginning of the 90s, has focused on the protection of privacy on the Internet. Its members include representatives from data protection authorities and other bodies of national public administrations, international organizations and scientists from all over the world.
Big Data is a hot topic on both sides of the Atlantic, not only for the press (see Privacy Weekend: Provocative Articles We’re Reading Now), but also for regulators (see, for instance, the FTC Big Data & Discrimination Workshop, the European Commission’s recent Communication “Towards a thriving data-driven economy”, the PCAST’s Big Data report and the White House Big Data Report). The aforementioned Working Paper adds to the chorus of concerns that have been raised in relation to Big Data and Privacy, but concludes on a positive note: “It is possible to make use of this type of [Big Data] analysis without infringing on key privacy principles.”
The Working Paper:
- outlines the Big Data value chain, which includes data collection, storage and aggregation, correlation and analysis, as well as usage;
- highlights the privacy challenges associated with Big Data; and
- provides a number of recommendations on how Big Data may be used in ways that will respect privacy.
The Privacy Implications of Big Data
The Working Group outlines key privacy challenges posed by the use of Big Data, including:
- Use of data for new purposes: The reuse of data for purposes other than originally intended puts the principle of purpose limitation under pressure (see also Article 29 Working Party Releases New Opinion on Purpose Limitation, April 15, 2013). Enterprises must ensure that the analysis is compatible with the original purpose for collecting data, taking into consideration the natural expectation of the individuals concerned, explains the Working Group.
- Data maximization: “In essence, Big Data is the very antithesis of the privacy principles of relevance and data minimisation.” In the Working Group’s view, it will become more difficult to enforce the obligation to erase data, as private companies and public authorities may want to keep data which may prove valuable at some point in time.
- Lack of transparency: The Working Group identifies a lack of openness which also makes it difficult for individuals to exercise their right of access.
In addition, the Working Party considers a number of other privacy implications, some of which are considered to go beyond mere privacy concerns, such as the fact that the compilation of data may uncover sensitive information; the risk of re-identification; security implications; risks related to the use of incorrect data; power imbalance; data determinism and discrimination; a chilling effect on citizens and society at large; and the creation of echo chambers or filter bubbles.
The Working Group lays out an array of recommendations regarding how Big Data may be used in ways that will respect the privacy of each individual, in particular:
- Consent: The Working Group stresses the importance of meaningful consent in connection with the use of personal data for analysis and profiling purposes. Whilst it acknowledges that processing may also be possible without consent “within carefully balanced limits”, the Working Group highlights the particular challenges associated with the use of the ‘legitimate interest’ criterion as an alternative legal ground for data processing for Big Data purposes.
- Anonymization: The risk of re-identification has been a theme throughout the Working Paper. The Working Group distinguishes anonymous data from pseudonymized data – only the former fall outside the scope of data protection legislation. Anonymization, which is increasingly challenging, may help alleviate or eliminate the privacy risks, provided it is engineered appropriately (in this respect, see the Article 29 Data Protection Working Party’s Opinion 05/2014 on Anonymisation Techniques).
- Transparency: The Working Group supports greater transparency and control from collection to the use of data. Each individual should have access to his or her profile, including information on which algorithms have been used, and information should be provided in a clear and understandable format. The Working Group is also supportive of the idea of data portability, which has been put forward by the European Commission in its proposal for a General Data Protection Regulation. Individuals should receive all data about themselves in a user-friendly, portable and machine-readable format where appropriate. The Working Paper also promotes enhanced knowledge and awareness, for instance, through training and courses taught at universities and colleges.
- Privacy by Design and Accountability: The use of Big Data technologies should be based on the seven principles of Privacy by Design. Privacy Impact Assessments are mentioned as a helpful tool. Moreover, data controllers need to demonstrate that they are being accountable. They should conduct regular controls to ensure that decisions resulting from the profiling are responsible, fair, ethical and compatible with the purpose for which the profiles are being used.