The Article 29 Working Party has recently adopted an opinion in which the concept of purpose limitation is analysed in depth. The key to purpose limitation is its goal: "protect the data subjects by setting limits on how controllers are able to use their data", and that is how it is, and should be, connected with Big Data and Open Data in order to deal with the privacy risks they raise.
The recent opinion of Article 29 Working Party on purpose limitation
I am very pleased to see that the Article 29 Working Party is concerned about the new concepts of "our modern, networked society" and is willing to embrace and demystify (rather than neglect) Big Data and Open Data, as well as to seek solutions that will make them compliant with the current and future data protection legal framework.
Under the 29WP’s opinion, the concept of Purpose Limitation has two important components: purpose specification and compatible use.
This means that the purposes should be:
- Specific – purpose must be previously defined by the controller and known by the data subject in order to discern what can and cannot be processed;
- Explicit – although it can be achieved in many different ways, purpose must be intelligible for the data subjects and meet their reasonable expectations;
- Legitimate – purpose must be built on a lawful ground which does not necessarily mean picking one of the legal grounds referred to in the Directive.
As explained in depth by the Article 29 Working Party, compatible use "requires that further processing must not be incompatible with the purposes for which personal data were collected" in the first place.
The Article 29 Working Party made clear that further processing for historical, statistical or scientific purposes is compatible and therefore allowed, but there could be other compatible purposes as well. This means that a compatibility assessment must be made on a case-by-case basis and should be substantive rather than purely formal, taking into account:
"a) the relationship between the purposes for which the personal data have been collected and the purposes of further processing;
b) the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use;
c) the nature of the personal data and the impact of the further processing on the data subjects;
d) the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects."
Within the compatibility assessment, special emphasis is placed on Big Data and Open Data.
Big Data is defined by the 29WP as referring "to the exponential growth in availability and automated use of information: it refers to gigantic digital datasets held by corporations, governments and other large organisations, which are then extensively analysed using computer algorithms. Big data relies on the increasing ability of technology to support the collection and storage of large amounts of data, but also to analyse, understand and take advantage of the full value of data (in particular using analytics applications)."
There is no doubt about the benefits that Big Data can provide in several sectors (including healthcare, mobile communications, marketing, crime detection, etc.) to society, business and data subjects as well.
However, the picture is not all rosy, as Big Data raises several significant privacy risks, in particular:
- "the sheer scale of data collection, tracking and profiling, also taking into account the variety and detail of the data collected and the fact that data are often combined from many different sources;
- the security of data, with levels of protection shown to be lagging behind the expansion in volume;
- transparency: unless they are provided with sufficient information, individuals will be subject to decisions that they do not understand and have no control over;
- inaccuracy, discrimination, exclusion and economic imbalance (particularly as a result of large datasets and the type of analytics application used); and
- increased possibilities of government surveillance."
To address such risks, an assessment of compatibility ("including the relationship between the purposes, the context of collection, the reasonable expectations of the data subjects, the nature of the personal data and the impact on the data subjects") and of safeguards is essential.
The 29WP goes on to distinguish between using Big Data to (i) detect trends and correlations in the information and (ii) analyse or predict personal preferences, behaviour and attitudes of individuals.
In the first case, 29WP is of the opinion that "data controllers need to guarantee the confidentiality and security of the data, and take all necessary technical and organisational measures to ensure functional separation".
However, in the second case "free, specific, informed and unambiguous ‘opt-in’ consent would almost always be required, otherwise further use cannot be considered compatible", particularly for tracking and profiling for the purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research.
The 29WP highlights that disclosing the decisional criteria and the source of the data that led to the creation of the profile, and enabling data subjects to correct or update their profiles, are crucial as far as Big Data is concerned.
Further to the above safeguards and guarantees, the 29WP considers that it is important to empower data subjects and bring balance to the relationship between controllers (organisations) and data subjects (consumers) by, for instance, providing direct access to their data in a portable, user-friendly and machine-readable format, as well as sharing the benefits of Big Data with data subjects so that they can use them to make informed choices and decisions.
As defined by the 29WP, "Open Data projects take accessibility of information processed by public bodies to a whole new level" assuming different formats:
- making entire databases available;
- in standardised electronic format;
- to any applicant without a screening process;
- free of charge, and
- for any commercial or non-commercial purposes under an open license
Without questioning the relevance of open data for innovation, the 29WP again calls attention to the privacy risks that it can give rise to "if applied indiscriminately and without appropriate safeguards".
Because the purpose limitation principle cannot be efficiently applied to the reuse of public sector information (PSI), the only way forward is to find and implement adequate data protection safeguards.
Whenever full anonymisation cannot be ensured, because more often than not it is difficult to exclude the possibility of re-identification, "an effective data protection impact assessment to decide what data may be made available for reuse, and at what level of anonymisation and aggregation" should be put in place.
The 29WP states that in this case not only "the risk assessment should include tests to assess re-identifiability, for example, penetration or ‘pen’ testing", but a periodic review of the organizations’ "policy on the release of data and of the techniques used to anonymise it, based on current and foreseeable future threats" should also be carried out.
Additionally, such public release should be compatible with the purposes defined at the time of the data collection and have a legal ground as well.
Whenever full anonymisation is not possible due to the nature and purposes of the reuse, the selection of the information that is going to be released is something to bear in mind.
In this particular scenario, while on the one hand the 29WP considers that "making data available for reuse under an open license should be avoided unless it can be clearly demonstrated that compliance with data protection law can be effectively ensured", on the other hand it recognizes that "it cannot be excluded that a data protection impact assessment may conclude that the data may be opened up and made publicly available following the principles of ‘open data’" and subsequently adds that "for these cases, a rigorous licensing regime should be put in place, which must also be stringently enforced to ensure that the data will not be used for incompatible purposes".
There is no doubt that this opinion is one of the most relevant and useful opinions of the Article 29WP because it truly gives guidance: it not only points out the threats that come along with the use of "Big Data" and "Open Data" but also provides some guiding principles and recommendations to address such risks and fears.
I would just like to add that "Big Data", in my opinion, does not raise any new particular risk as far as data protection and privacy are concerned, as it is mostly linked with the combination of data for different (compatible or incompatible) purposes. I believe that the biggest challenge Big Data faces is the huge amount of data, which will significantly increase the well-known privacy risks and demand narrower security measures and safeguards.