The Irish Government’s Action Plan for Jobs 2013 identified “big data” as one of the key areas where Ireland has distinct advantages compared to other countries. The Irish Government continues to invest heavily in research capabilities that service big data needs. Some examples of such research capabilities include:
Click here to view table.
The Irish Government has also recently announced a significant investment in a research programme in data analytics with the involvement of companies like eBay, Accenture, Dell, Fidelity Investments and Qumas. Organisations looking to benefit from the data they collect or generate need to be aware of the potential legal implications, particularly where that big data includes personal information (as it likely does in most big data circumstances).
If any organisation established in Ireland collects or stores “personal data”, it will be subject to the Data Protection Acts 1988 and 2003 (DPA), which transpose Directive 95/46/EC on data protection into Irish law. Personal data is any information from which a living individual can be identified, either directly or through use of the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
These regulatory requirements dictate that personal data should only be processed for specified and lawful purposes and that the processing must be adequate, relevant and not excessive. Some key issues an organisation engaged in data analytics should consider include:
- Who controls the data: An organisation would be a “data controller” if it (either alone or with others) determines the purposes for which and the manner in which any personal data is processed. The key obligations under the DPA relate to data controllers established in Ireland. A “data processor” would be a third party who processes data on behalf of a data controller (excluding employees who process data in the course of employment). If the data controller is using a third party to assist it in its analysis of the big data then it must have an appropriate written agreement in place with that third party (including where that third party is just obtaining, holding, retrieving or erasing that data).
- Registration with the Office of the Data Protection Commissioner (ODPC): Certain types of data controllers and data processors must register with the ODPC if they have a legal presence or use equipment that is located in Ireland. Generally, all data controllers and data processors must register unless they are exempt. To process without required registration is unlawful.
- Consent of the data subjects: While consent is not the only way to legitimately process personal data, it is commonly used to legitimise data processing. Recently, the Article 29 Working Group, which includes the various data protection regulators of the EU, said that consumers’ “specific, explicit consent” is almost always required if companies want to use their information in big data projects. It stated that “vague or general purposes” such as “improved user experience”, “marketing”, “IT security” or “future research” are not, on their own, sufficiently specific to gain consent.
- Appropriate security measures: Data controllers must ensure that security measures appropriate to the nature of the data are in place. Appropriate measures are those which provide a level of security appropriate to the harm that might result from any unauthorised or unlawful processing, or accidental or unlawful destruction or loss of data.
- Transfer of data: Under the DPA, the transfer of personal data to a country outside of the European Economic Area is generally prohibited, unless that country is approved and ensures an adequate level of protection for the privacy and fundamental rights and freedoms of the data subjects, or certain other conditions are met.
- Appropriate data protection policy: The collection and processing of “big data” raises questions as to whether the organisation has in place an appropriate and correct data protection policy. It is possible that some of the data may have been collected at a time and under a policy in which big data analysis was not contemplated. It may be appropriate to have a customised data protection policy in place for a particular big data project.
- De-identification of data: Under Irish data protection law it is possible for organisations to achieve legally permissible de-identification. However, any organisation relying on de-identification to circumvent privacy and data protection issues should proceed very carefully. Any data that is anonymised should exclude any possibility of individuals being identified in the future, even by combining anonymised data. If de-identification is not carried out properly, it may still be possible to re-identify individuals.
Data Ownership & Risk Allocation
Organisations should take care to check who owns the data they collect and analyse and whether there are any copyright or other intellectual property rights that may exist in that data. Appropriate agreements and licences should be in place with relevant third parties involved in the process of examining that data to avoid disputes over the ownership of the new output data that has been created. If an organisation is licensing the use of that output data to third parties, it should consider to what extent it can warrant that the information is accurate and look to limit its liability under appropriate limitation of liability provisions as allowed by Irish law.
Look to The Future for Data Analytics
The DPA was enacted before the rise of big data and does not necessarily address all of the concerns of individuals or provide clarification for businesses on the steps that need to be taken to balance the individual’s privacy against the clear business benefits of “big data”. The proposed new EU Data Protection Regulation is expected to be enacted within the next 24 months and means that the use of big data will be subject to a more harmonised regulatory regime in the EU. The current proposals would give Ireland the potential to operate as a “one stop shop” in terms of data protection regulation for organisations that have their main establishment here.