As the nights draw in, our thoughts turn to the year ahead. Here we attempt to anticipate a few important developments, likely to fall under a data protection spotlight in 2015.
It anticipated that Big Data in the context of profiling and personalisation for advertising is likely to expand rapidly over the coming year. Profiling for personalisation purposes in online advertising has been in use for nearly 20 years, however the availability of a broader range of data collected across smartphones, apps, social networking and connected devices is likely to give rise to more holistic approaches to targeted advertising campaigns. This may enable offers to reach out to people simultaneously across an increasing range of channels including television, online advertising through popular apps or websites and social networks, even through to the use of interactive public space advertising or digital billboards that tailor their promotions to the profiles of the passing footfall.
A resolution of the International Data Protection Commissioners on Big Data at their 36th Annual International Conference in October 2014, recognises that developments around Big Data can be beneficial to society, yet stresses the importance of minimising the risks associated with the use of Big Data. The resolution makes clear that any "watering down of key privacy principles, in combination with more extensive use of Big Data, is likely to have adverse consequences for the protection of privacy and other fundamental rights". The Commissioners urge caution around the use of Big Data in profiling and call upon all those who use Big Data to:
- respect the principle of purpose limitation;
- limit collection and retention of data;
- obtain, where appropriate, a valid consent from users;
- be transparent about what data is collected, how, for what purposes and whether it is shared;
- give individuals rights to access their data, to know the sources of that data and, where appropriate, be able to correct their information and have effective tools to control their information;
- provide access to the decision making algorithms used to develop a profile;
- carry out privacy impact assessments, especially when using data in novel or unexpected ways;
- consider whether anonymisation may improve privacy protection;
- exercise care when sharing or publishing pseudonymised data sets; and
- demonstrate that decisions around Big Data are fair, transparent and accountable.
New technology and the surveillance society
Closer to home, the evolution of CCTV surveillance to include new and potentially more intrusive tools, is likely to lead to a closer public scrutiny of the boundaries of acceptable use for this technology. These include Automatic Number Plate Recognition (ANPR), body worn video (BWV) and unmanned arial systems (UAS) (or drones as they are more commonly known).
The Global Data Hub examined the regulatory landscape surrounding the use of CCTV technologies in March 2014 and the UK Information Commissioner (IC) published his revised CCTV Code of Practice in October 2014. A notable introduction to the IC's Code was the inclusion of a section addressing the use of new surveillance technologies that are increasingly being taken up by both the public and commercial sectors.
A House of Lords Committee is currently examining the civilian use of drones, the legislation that surrounds them and whether specific licensing or registration needs to be introduced or data protection laws need to change. The Committee's final report is due in March 2015. The report is likely to be the focus of intense interest by the public sector and by industry who are investigating the potential commercial applications for drone technology, ranging from pizza delivery through to enhanced arial surveillance and mapping. Civil liberties groups are also likely to engage in a debate around the privacy risks posed by the use of drones across the EU.
Growth in Cybersecurity risk
As society becomes more connected and the Internet of Things moves from concept to reality, the spectrum of opportunity for cybercriminals will continue to expand. 2015 is likely to see an increase in the range, extent and sophistication of cyber-attacks. These concerns are reflected in the 2014 IOCTA (Internet Organised Threat Assessment) published on 29 September 2014 by the Europol Cybercrime Centre. The report highlights how a cyber 'Crime-as-a-Service' industry is developing where cybercriminals offer their services within the dark net.
Alarmingly the report points to an expected rise in people being victims of extortion where their connected devices are disabled, subject to the payment of a ransom, as well as to the potential for injury or even death as a result of online attacks on internet connected equipment with the risk falling particularly on those involved in maintaining safety critical equipment.
The report makes a number of recommendations for law enforcement authorities and others to keep ahead of the criminals in addition to stressing the importance of raising awareness and standards and for more international cross-border cooperation for cybercrime investigations.
Draft EU Data Protection Regulation
Finally, will 2015 be the year that the draft EU Data Protection Regulation ('Regulation') is agreed and adopted? The betting money is on late spring early summer 2015 for the final adoption of the Regulation.
The agreement of the Council ministers on 10 October 2014, for a partial general approach for revisions to Part IV of the Regulation, (which covers the obligations relevant to data controllers and data processors and rules for notifying data breaches) suggests real progress is at last being made. The Council approach is dependent on the principle elaborated by the Italian presidency that nothing is agreed until everything is agreed. This means that agreement on all of the Regulation must be reached by the Council ministers before it will enter into negotiations on finalising the Regulation with the European Parliament and the European Commission.
In a separate development, the in-coming EC president Jean-Claude Juncker, (whose mandate commenced on 1 November 2014) has directed his new Commission appointees responsible for, among other things, data protection, the task of reaching a speedy adoption of the EU data protection reform within six months of his taking office. This remains an ambitious yet potentially achievable target (for more on the progress of the Regulation in 2014, see our article, "When will there be a new EC data protection Regulation?").