On November 19, 2015, the European Data Protection Supervisor (“EDPS”) published an Opinion entitled Meeting the Challenges of Big Data: A Call for Transparency, User Control, Data Protection by Design and Accountability. Focusing on these issues, the report lays down the foundation for a new approach to how big data should be managed in order to create an environment of effective and fair data protection. The report focuses on key areas for the improvement of big data in the realm of individual protection, including analytics, transparency, user control, data sharing, data protection, privacy by design, and accountability.
With regulators worldwide looking at the issue (including the Office of the Privacy Commissioner of Canada), this report is likely to signal possible directions for other regulators.
What is “Big Data” and “Big Data Analytics”?
The EDPS defines big data as “the practice of combining huge volumes of diversely sourced information and analyzing them, using more sophisticated data to inform decisions.”
Concerns related to big data analytics are based in the collection of the information itself and the potential impact on the rights and freedoms of individuals, especially the right to privacy. Key issues in this section of the report include discussion on the current lack of transparency, informational imbalance, the failure to address issues that compromise or risk the core principles of data protection, and the potential for unfair and discriminatory conclusions. The EDPS sees big data as inextricably linked to the development of the unique individual personality of a functioning and contributing member of society, and describes concerns about the potential for big data to force individuals to conform to perceived social norms.
Disclosure of the decision-making processes and logic utilized in order to draw conclusions from large pools of data was a key item repeated throughout the report. The importance of allowing individuals the opportunity to understand, assess, and consider their data is a consistent theme of the report. Additionally, the ability to rectify incorrect criteria or foundational factors is seen as integral to the future of big data protection and development. Protecting trade secrets and business confidentiality is insufficient as a reason for negating the right to privacy and the need for data protection. Individuals need not only to be informed of how their data will be used, but disclosure mechanisms need to progress in such a way that they are clear, plain, easily accessible, and completely intelligible to the recipient.
User Control and Data Sharing
The EDPS wants the consent process redesigned from the bare minimum requirements to a system that is clearly and consistently relayed through logical and easily navigated opt-out systems. Users should be able to access and understand the data, analytics, and conclusions drawn in order for basic requirements of fairness to be met. This would include not only access to data and data sharing, but also data portability and personal data spaces where individuals would have the ability to choose their service provider, engage with third parties for further analysis, and manage, transfer, modify, delete, and process their own information for their own purposes.
Data Protection and Privacy By Design
The EDPS sees a future where privacy and data protection should become a fundamental and foundational part of the construction of information and communication technologies. Engineering with privacy and user control in mind would occur not only in the technologies themselves, but also as a core component of organizational arrangements and business practices.
The EDPS notes that internal mechanisms and controls should be utilized in a manner that encourages regular verification as the norm for practical and accountable practices in both privacy and processing. The process is described as complex, with the need for a comprehensive system, and accountability approaches should be handled by a multidisciplinary group complemented by an ethics board that would make recommendations and decisions about deployment.
The EDPS report is forward-looking, with the goal of encouraging the simultaneous growth of innovation along with the protection of fundamental rights. The long-term goal is a reform package that would create principles applicable to organizations targeting individuals located in the EU. The report is ambitious and, viewed from the perspective of business, likely overreaching. While the report addresses the key issues that any company exploring big data analytics should consider, the conclusions about the best manner in which to address these issues would be, in many cases, challenging for business to implement.