The European Data Protection Supervisor (EDPS) recently published an opinion on the challenges of big data in the context of data protection. Big data refers to “the practice of combining huge volumes of diversely sourced information and analysing them, using sophisticated algorithms, to inform decisions”. Big data is increasingly employed by businesses across all sectors to, amongst other things, reduce costs and offer a better service to consumers.
In the opinion, the EDPS identifies a number of risks in respect of big data. These include a lack of transparency for data subjects, potentially unfair and discriminatory conclusions being drawn from analysis and ultimately the risk that the core principles of data protection will be compromised.
On transparency, the EDPS suggests that businesses undertaking big data analytics should proactively “disclose the logic” which underpins such analytics where this affects individuals. Some everyday examples of such logic include using car sensor data to judge driving habits, credit scoring services or what media content is recommended to individuals. The EDPS notes that regardless of the source of the data, individuals are entitled to know what they are and from where and whom they were obtained. Of note however, the EDPS advises that “protecting business confidentiality or trade secrets cannot generally overrule the fundamental rights to privacy and data protection”.
In terms of informing individuals as to the uses to which their data will be put, the EDPS advocates the use of “clear and plain language, tailored to the relevant audience”. In terms of big data, businesses need to carefully review their privacy policies with the EDPS suggesting that these “should not be the only, or even the main source of information” for individuals. The opinion goes on to say that consent must be more than a tick the box exercise. Such consent, the EDPS says “without understanding of what we agree to, and without meaningful choice whether we do so, is not sufficient to signify our consent for complex big data applications”.
The EDPS also notes that the fundamental data protection rights of access and rectification are becoming increasingly important with advances in big data. These rights, it is noted, are rarely used in practice as individuals rarely have the time or interest to “indulge in transparency and access for their own sake”. The EDPS suggests that “featurization” of data protection, making it a feature of services rather than an administrative burden, for example access to one’s internet banking online, may overcome this issue.
Meanwhile, the Financial Conduct Authority in England has announced that it is conducting a review into how insurers analyse and utilise information about consumers. It is seeking views on how big data is affecting, and is likely to affect, consumer outcomes and competition in the retail general insurance sector and is looking for the input of both consumers and industry players in this regard.
The current focus on big data by regulators is interesting and underlines the prevalence of big data at present. While big data can deliver significant benefits and efficiencies, the EDPS opinion highlights the potential impact of the processing of such huge amounts of data on the rights and freedoms of individuals. Businesses engaged in the use of big data should carefully review their procedures in light of the opinion and bear in mind its four essential elements: increased transparency; increased control for individuals over how their data is used; privacy friendly design of products and services; and more accountability.