In this seventeenth article in our series on "Big Data & Issues & Opportunities" (see our previous article here), we look into the social and ethical aspects of privacy, with a particular focus on transparency, consent and control, and personal data ownership in a big data context. This article further elaborates, from an ethical perspective, the second and twelfth articles of our series. Where relevant, illustrations from the transport sector will be provided.

Privacy is probably the most recurrent topic in the debate on ethical issues surrounding big data, which is not illogical given that the concepts of big data and privacy are prima facie mutually inconsistent.[1] Indeed, the analysis of extremely large datasets may include personal data, and the more personal information included in the analytics, the more it might interfere with the privacy of the individuals concerned.[2] In this context, the question of ownership over personal data is also raised, as individuals tend to have a sense of ownership over their personal data.

These aspects are also discussed in the recently published Ethics Guidelines to achieve trustworthy Artificial Intelligence ("AI"), issued by the Independent High-Level Group on Artificial Intelligence (AI HLEG) set up by the European Commission. The Guidelines list seven key requirements, including privacy and data governance and transparency, and suggest technical and non-technical methods to implement them. The Guidelines also provide an assessment checklist to ensure AI takes into account the ethical requirements.[3]

Setting the scene on privacy from an ethical perspective

The EU Charter of Fundamental Rights ("EU Charter") codifies the concept of privacy as a fundamental right in Article 7, according to which: "Everyone has the right to respect for his or her private and family life, home and communications."

Article 8 of the EU Charter provides specific fundamental rights and principles in relation to the protection of one's personal data in the following terms:

  1. Everyone has the right to the protection of personal data concerning him or her.
  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.

The first Recital of the General Data Protection Regulation ("GDPR"), which entered into force in May 2018, further elaborates Article 8 of the EU Charter. Nevertheless, Recital 4 of the GDPR clearly favours a balanced approach by stating that "the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality".

Ethical challenges and opportunities for privacy

After years of wilful abuse or unintentional ignorance in respect of people's personal data, the entry into force of the GDPR has increased the protection of individuals' personal data by obliging companies to abide by a strict set of rules. This Regulation addresses several ethical issues, including transparency, consent and control. The GDPR notably provides for the following:

  • a strengthened principle of transparency in relation to personal data processing, ensuring better information to individuals about the processing of their personal data[4]

  • the requirement that any processing should be lawful, i.e. based on a legal ground[5]

  • extended and strengthened rules on consent[6]

  • new and reinforced rights for individuals aiming at giving individuals more control over their personal data, i.e. the rights of access, rectification, erasure, restriction of processing, data portability, objection and the right not to be subject to automated individual decision-making[7]

The GDPR has raised the public's awareness in relation to privacy and data protection, which should improve end-users' trust in the use of personal data by private and public organisations. This may encourage them to communicate their personal data, and therefore improve big data analytics.[8] This development can be seen as an opportunity by companies to guarantee high data protection standards and distinguish themselves from their competitors, particularly in a big data context where considerable amounts of data may be processed.

Although this can be qualified mostly as a positive evolution, it has also had some undesirable side effects, mainly due to incorrect reports on the GDPR's exact content, creating confusion both among data subjects and organisations. This is for example the case for the data subject rights, which are often considered as being absolute whereas in some conditions data subjects will not be able to exercise those rights. Both industry and government should take up responsibility to eliminate the existing misconceptions and educate data subjects about privacy and big data analytics in order to encourage the use of big data.

Furthermore, even though the GDPR is now applicable throughout the EU as one single set of rules, the expectations regarding privacy may vary between individuals or situations.[9] It will therefore be difficult for companies and developers to adopt a one-size-fits-all approach, with the risk of opting for the strongest protection and therefore limiting big data analytics using personal data.

Transparency

The concept of transparency is indirectly included in Article 8 of the EU Charter, which states that "Everyone has the right of access to data which has been collected concerning him or her". This entails that individuals have the right to be informed about any processing activities of their personal data.[10] In a big data context, this also refers to the transparency of the big data analytics, i.e. the entire ecosystem of big data analytics, the algorithms used to make predictions about individuals, and the decision-making process.[11]

Transparency regarding personal data processing activities and big data analytics may increase individuals' trust in the processing activities and the technology used. Moreover, it also ensures safer tools as transparency allows individuals to verify the conclusions drawn and correct mistakes.[12]

Today, however, individuals' trust is negatively affected by a lack of transparency, particularly in a big data environment.[13] Individuals are indeed not always aware of the exact nature of the processing activities and of the logic of algorithms and the decision-making process behind big data analytics.[14] This challenge is even more important considering citizens' limited knowledge about big data analytics[15], particularly the possibility to combine individuals' personal data with other accessible data, which allows more accurate and broader decisions or predictions to be made.[16]

From the perspective of organisations, transparency is also a challenge in the sense that some of them are reluctant to be transparent, invoking business confidentiality or trade secrets protection. In this respect, it is worth noting that other means of protection of information exist, such as intellectual property rights (see the ninth article of our series on Intellectual Property Rights).[17]

Consent

The concept of consent has been foreseen in Article 8 of the EU Charter stating that "Such [personal] data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law." This means that any processing of personal data should be based on individuals' consent or on another legitimate ground.

The GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."[18]

Collecting individuals' consent does not mean that the organisations processing the data are free to process the data as they wish. They are still accountable and have to meet the privacy standards (ethical, legal, etc.).[19] It is also worth noting that if individuals have given their consent for a particular personal data processing activity, they also have the right to withdraw their consent.

As explained in the second article of our series on Privacy and Data Protection, the GDPR requires all data processing activities to be lawful, i.e. based on a legal ground[20], which means that, from a legal perspective, consent is not always needed and other legal grounds might be applied.[21] This is another misconception of the GDPR, highlighting the lack of awareness and transparency observed among individuals.[22] By informing individuals, notably through transparent notices, about the grounds for processing and the possible impacts on their privacy, they will indeed be more inclined to participate in big data analytics.[23]

It is worth noting that relying on consent in the context of big data analytics may be risky, given that when an individual decides to withdraw consent, as foreseen in the GDPR[24], the big data analytics process may be completely jeopardised.

Illustration in the transport sector: Self-driving cars will collect a large amount of personal data about the users but also about the environment of the car (neighbourhood, other drivers, etc.), and those data may be shared with many stakeholders. Users might be reluctant to give their consent to such massive processing of their personal data. However, without such processing activities, self-driving cars would not work properly and safely. Indeed, a large number of partners will be involved in such an ecosystem to make it function. It might be that individuals will have no other choice than to accept such processing.[25] From a legal perspective, the GDPR introduces different lawful bases for processing (see the second article of our series on Privacy and Data Protection).

Control

The concept of control is implied in Article 8 of the EU Charter, particularly when referring to the "consent of the person concerned", "the right of access to data which has been collected", and "the right to have it rectified". Several aspects of the GDPR, such as transparency, consent, and data subjects' rights, also allow individuals to retain control over their personal data, including in a big data environment.

Today, there is an asymmetry of control over personal data between data subjects and the organisations processing the data.[26] In a big data context, individuals indeed hardly control their personal data, and are sometimes not aware of the processing activities in which their data are involved, which may lead to decisions that individuals do not understand.[27] In addition, data subjects may fear losing control over their digital identity by engaging in big data analytics as they are not consulted anymore, nor taken into account in the decision-making process, which means that they might be discriminated against without having the possibility to react.[28]

This is why giving more control to individuals, and ensuring transparency, should improve big data analytics, by allowing them to rectify mistakes, detect unfair decisions, and make better choices.[29] In this way, they will benefit from the processing of their personal data in a big data context, and therefore feel more inclined to participate in data processing activities for big data purposes.

Illustration in the transport sector: Civil drones collect data intentionally and unintentionally, especially pictures about individuals, which can give indications about their location, habits, physical characteristics, etc. In their survey about the use of civil drones and their related privacy, data protection and ethical implications, Finn and Wright explain that in some instances the images captured by drones are recorded, stored and shared with other organisations. Individuals are not aware of such processing and have therefore no control over their data. According to Finn and Wright, awareness and legal initiatives are necessary to improve knowledge about legal and ethical standards in order to be able to raise and tackle those issues.[30]

Setting the scene on personal data ownership

For some time already, the issue of ownership of data (whether it is personal or non-personal) has been heavily debated throughout the EU and in other parts of the world. While it could be labelled as a legal issue, given that ownership or property is traditionally a legal concept going back as far as the legal system of ancient Rome (see the twelfth article of our series on Data Ownership), the personal aspect of data ownership has an ethical connotation that is worth being looked into.

The EU Charter recognises the right to property or ownership in its Article 17 in the following terms:

"Everyone has the right to own, use, dispose of and bequeath his or her lawfully acquired possessions. No one may be deprived of his or her possessions, except in the public interest and in the cases and under the conditions provided for by law, subject to fair compensation being paid in good time for their loss."

Individuals seem to have a general sense that they own their personal data given that the data is about them or relates to them.[31] Moreover, where the personal data is particularly sensitive in nature, individuals even more vehemently tend to claim it as their own.

'Personal data' is defined by Article 4(1) of the GDPR as "any information relating to an identified or identifiable natural person (‘data subject’)", whereas an 'identifiable natural person' is defined as "one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

As explained above, the entry into force of the GDPR has increased the control individuals have over the collection, processing, and sharing of their personal data.[32] This evolution seems to create a certain impression of personal data ownership. For instance, some scholars highlight the fact that the GDPR "recognises different levels of control rights to consumers in accordance with a 'proprietarian' approach to personal data."[33] More specifically, some have emphasised that in practice personal data is perceived as an individual's property.[34]

Challenges and opportunities for personal data ownership

Even if the GDPR and some EU Member States' laws grant important rights to data subjects, they do not regulate the question of data ownership and therefore do not explicitly recognise a "property" right of individuals in their data. In our view, the GDPR only regulates the relationship between the data subject and the data controller(s)/processor(s), without creating and regulating the issues of commercially exploitable rights in personal data.[35]

This view is supported by the manner in which the right to property is recognised in the EU Charter; i.e. "the right to own […] his or her lawfully acquired possessions". Personal data is not a possession that can be acquired by the data subject, be it lawfully or not. It is information that attaches to an individual because of his/her persona. Consequently, personal data protection is not conditional upon an act of acquisition on behalf of the data subject. To claim otherwise would go against the data protection principles of the GDPR and the rights to respect for private and family life and to protection of personal data enshrined in the EU Charter.

Whereas personal data is something inherent to and indivisible from the individual, it may be lawfully – i.e. in compliance with the data protection rules – acquired by third parties, either directly from the data subject or through other sources. Such interpretation would fit within the definition of the right to property under the EU Charter. This being said, any such "ownership" right subsisting in personal data to the benefit of third-party natural or legal persons, would be restricted by the application of the GDPR and notably by the rights of data subjects.[36]

In a big data ecosystem, this tension between data subjects wanting to "own" their personal data and third parties claiming ownership over entire datasets could stifle innovation. Indeed, as long as data subjects do not volunteer their personal data, they retain some type of de facto ownership or at least control. Therefore, data subjects may refrain from providing their personal data as soon as they realise this would entail forsaking "ownership" or control over such data. In addition, even if data subjects willingly provide their personal data, it proves highly difficult, if not impossible, to establish ownership of different data components, given that they are part of datasets containing data from various types and originating from various sources. Furthermore, taking into account the various actors involved in the big data ecosystem, many different entities may try to claim ownership in (parts of) the dataset, including in the personal data components.

An additional complicating factor is that the scope of what can be qualified as personal data is constantly evolving.[37] Certain types of information (e.g. IP addresses) that would not necessarily have been qualified as personal data under the previous Data Protection Directive, are now recognised to be personal data under the GDPR. This is not only due to the fact that the legal definition of personal data has been broadened, but also because of continuous technological developments facilitating the identification or linking back to an individual.

In conclusion, a claim of ownership by a data subject in his or her personal data would be hard to sustain. This however does not mean that data subjects have to give up all control over their personal data. The advent of the GDPR, with its novel and/or strengthened data subject rights, has increased the means of data subjects to exercise control over the processing of their personal data.