celia fernández aller ([email protected]) ph.d law and technology spain big data…...

Celia Fernández Aller ([email protected])

Ph.D Law and TechnologySpain

BIG DATA… ¿BIGGER PROBLEMS FOR DATA

PROTECTION?

0. What is big data?What is data protection?

Celia Fernández AllerEUI UPM

2011


WHAT IS BIG DATA?

Data protection is challenged by the advent of ‘big data’.

The quantity of global digital data expanded from 130 exabytes in 2005 to 1,227 in 2010, and is predicted to rise to 7,910 exabytes in 2015

The Economist report 2012. “The challenge of ‘big data’ for data protection “. Christopher Kuner*, Fred H. Cate**, Christopher Millard**, and Dan Jerker B. Svantesson*** International Data Privacy Law, 2012, Vol. 2, No. 2

Celia Fernández AllerETSISI UPM


The fundamental right to protection of personal data

The right to respect for private and family life, home and communications is laid down in Article 7 of the European Convention on Human Rights. Article 8 formulates the protection of personal data as a separate right. It goes beyond simply protecting against interference by the state. It is a proactive right which entitles the individual to expect that his or her information will only be processed by anyone and not only the state, if certain essential requirements laid down in Article 8 (2) and (3) are fulfilled.

Art. 8 ECHR (requirements for data protection)

• The processing is fair and lawful and for specified purposes

• It is transparent to the individual who is entitled to access and rectification of his/her information

• The rights must be subject to control by an independent authority.


DATA PROTECTION

CONTROLLER

DATA SUBJECT


Personal data (name, bank

account, consumer profile, etc)

PRINCIPLES-Consent

-Information-Security…

Personal data as defined in Article 2(a) of Directive 95/46/EC means 'any information relating to an identified or identifiable natural person'. This includes any information which refers to the identity, characteristics or behaviour of an individual or which is used to determine or to influence the way in which that person is treated or evaluated.


But how will these tools face in a world of ubiquitous surveillance, and thousands of

data exchanges by and about every individual on the planet every day?


The 1995 EU Data Protection Directive, for example, limits the collection of personal data to the fulfilment of specific

predefined purposes. It also requires the destruction of data once the purpose of which they have been collected is

achieved. This provision prevents the accumulation of data, which is a necessary condition for data to become ‘big’.


1. Some points of view


“There is noone in the world today who have a complete picture of who has been collecting

data on who”

“Personal information should be translated into monetary terms. It should have a price”.

(Jaron Lanier. Investigación y Ciencia (2014), p53)


“The very same algorithms and analytical tools that Facebook uses to understand your interests and desires, and Amazon uses to calculate (and miscalculate) what else you might like to buy, can be used by government and private security companies alike to calculate (and miscalculate) whether you may be a threat, now or in the future. And it is precisely the “dual use” nature of this technology that makes it so hard to regulate”

TNI (2014) The State of Power, p.23Celia Fernández Aller

ETSISI UPM

“The notice and consent is defeated by exactly the positive benefits that big data enables: new, non-obvious, unexpectedly

powerful uses of data” “Big data technologies, together with the

sensors that ride on the “Internet of Things,” pierce many spaces that were

previously private”.

(White House Report, 2014)


Danah Boyd, Kate Crawford (2011) Six provocations for Big Data

“Just because it is accesible doesn´t make it ethical”

It may be unreasonable to ask researchers to obtain consent from every person who posts a tweet, but it is unethical for researchers to justify their actions as ethical simply because data is accessible.


The growing globalization of data flows via big data increases the risk that people can lose control of their own data


2. Big data and privacy concerns


Big data can be used:- to identify more general trends and

correlations- it can also be processed in order to directly

affect individuals. It is not the volume, velocity, variety or

veracity what worries me, but the uses of the information.

- The uses of the data are not determined before collection.


RisksBig Data may also pose significant risks for the

protection of personal data and the right to privacy:a) the sheer scale of data collection, tracking and

profiling;b)the security of data;c) the transparency, which implies sufficient

information given to individuals; d)inaccuracy, discrimination, exclusion and

economic imbalance; e) increased possibilities of government surveillance.(Opinion 3/2013 on purpose limitation. Art. 29

Data protection working party. UE)


THE CHALLENGE OF BIG DATA FOR DATA PROTECTION

It is no exaggeration to say that we are nothing more than a collection of data to most of the institutions—and many of the people—with whom we deal.

Big data poses enormous challenges for data protection— both by processors and regulators. It simultaneously changes the context and raises the stakes for Data protection.


Big data also shows the importance of harmonization, or even

standardization, in data protection standards. As personal data are universally collected and shared

across sectorial and national boundaries, inconsistent data

protection laws pose increasing threats to individuals, institutions, and

society


Perhaps the greatest impact of big data is the pressure it brings for new thoughtful, informed, multinational debate about the key principles that should undergird data protection. Most data protection laws continue to rely on the 1980 OECD

Guidelines


3. Are companies worried about privacy?


Forgetting security and privacy issues?

IBM (2012) Analytics: the real-world use of big data


How to regulate BIG DATA?(Lokke Moerel, Tilburg University and in a

Law Firm advising multinationals)• Delete some EU Regulation principles

• Extending the “legitimate interest ground” to the processing of all categories of data and further to all phases of the life-cycle of data

• “informed consent” and “data minimisation” are at odds with the reality of big data.


Personal data may be collected, used (which will include profiling), merged,

transferred and destroyed if there is a ‘legitimate interest of the controller which does not outweigh the privacy

rights of the individuals’.


Transparency requirement for choices made and meaningful access

• For example, by including a profile settings dashboard on a social media website where the relevant profile characteristics are displayed and can be tailored by the individual


Accountability for the whole life cycle of data

The accountability principle should explicitly extend to all phases of the data life-cycle.

Controllers should be accountable for implementation of an internal data protection compliance program ensuring that the choices

made are actually implemented in the practices of the company. Therefore, no prescribed documentation and ex-ante

consultation and authorization requirements should be imposed


Technology Impact Assessments rather than a Data Protection

Impact Assessment Part of the accountability obligation is to

perform a Data Protection Impact Assessment when implementing new data processing operations. I propose to extend this obligation to performing

a more encompassing Technology Impact Assessment.


Why should companies respect data protection laws?

Keeping the information you have about your customers secure will help protect your an their information.

Sending out a mailing from incorrect or out-of-date records could not only annoy your customers but also wastes your time and money.

Good information handling can improve your business’s reputation by increasing customer and employee confidence in you.

Good information handling should also reduce the risk of a complaint being made against you.


4.DATA PROTECTION PRINCIPLES AND BIG

DATA


Directive 95/46/EC (the ‘Data Protection Directive’), although adopted on another legal basis, is currently still the central piece of legislation.

It requires a balancing of the control of one’s personal information and the free movement of data in the internal market.


The European Parliament and the Council are currently discussing the proposals for a new legal framework proposed by the Commission in January 2012.


Anonymisation Techniques, Opinion 5/2014 WP216

• Directive 95/46/EC refers to anonymisation to exclude anonymised data from the scope of data protection legislation

• Anonymised data must be retained in a form in which identification of the data subject is no longer possible


Persons subject to obligations under data protection rules

In the interests of ensuring a level playing field, EU data protection law applies equally to all data controllers established in the EU or using equipment situated in the EU. Under the Commission’s proposed general data protection regulation, the territorial scope of the EU’s rules would be extended to any data controller ‘offering goods or services’ and ‘monitoring [the] behaviour’ of data subjects residing in the EU. This clarification seems appropriate in the light of the global exchanges of information which characterise the digital economy.


All businesses which are data controllers are subject to obligations to protect personal data, irrespective of their size or even dominant position in a market.

The greater the amount and sensitivity of data held and available for disclosure, the more important [is] the content of the safeguards to be applied at the various crucial stages in the subsequent processing of the data. Many data protection provisions can therefore be considered scalable in proportion to the volume, complexity and intrusiveness of a company’s personal data processing activities, and are therefore of particular relevance to powerful, big data-managing companies.



Legitimate and compatible purposes for data processing

Article 6 (1) (b) of the Data Protection Directive provides that personal data must be ‘collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.’ This purpose limitation principle is necessary in order to ensure trust, predictability, legal certainty and transparent use of personal data by data controllers. Further processing for a secondary purpose is not forbidden, but the secondary purpose must not be ‘incompatible’ with the purposes for which the data have been collected.

Distinguishing between compatible and incompatible processing of personal data is often a complex and delicate exercise in data protection law. While the directive does not necessarily prohibit processing for different purposes, the Article 29 Working Party recommended that compatibility should be assessed in the light of the context in which the data were collected, of reasonable expectations of the data subjects, of the nature of the personal data in question, of the impact of further processing, and of safeguards to protect the data subject.


The concept of compatibility may be compared with that of substitutability, which is used in the application of competition rules to determine which products may be considered to be competing in the same market. In the context of the digital economy, it is conceivable that a company might collect data for the purpose of providing a certain service in one market, and further process those data in order to compete in the provision of another service in a separate market


Consent and the rights to information, to access to data and to data portability

Personal data processing requires a legal basis. One such basis is the freely-given, unambiguous and informed consent of the data subject to the specific processing operation.

Mere silence or inaction, such as in the case of default settings of online social networks or web browsers, is not valid. Consent should be requested prior to the data processing and only after the data controller has given notice to the data subject of the processing operations in clear and understandable language. It may be withdrawn, in which case any personal data pertaining to the data subject should be erased unless there is another legal basis that justifies continued storage of the data.


“The notice and consent is defeated by exactly the positive benefits that big

data enables: new, non-obvious, unexpectedly powerful uses of data.”


This right to data portability would allow users to transfer between online services in a similar way that users of telephone services may change providers but keep their telephone numbers. In addition, data portability would allow users to give their data to third parties offering different value-added services. By way of illustration, if applied to smart metering it would enable customers to download data on their energy usage from their existing electricity supplier and then to hire a third party able to advise them whether an alternative supplier could offer a better price, based on their patterns of electricity consumption. Such transparency enables individuals to exercise their other data protection rights and may be seen to mirror the objective of rules on the provision of clear and accurate information to the consumer.


Supervision, enforcement, sanctions and access to remedies for infringements

Article 8(3) of the ECHR asserts that the rules laid down ‘shall be subject to control by an independent authority’. Article 28(1) of Data Protection Directive duly requires EU Member States to provide for one or more public authorities to act with complete independence in the monitoring of the application of the directive. Data protection authorities’ tasks include dealing with complaints and conducting investigations. They may order the blocking, erasure or destruction of data and temporary or definitive bans on processing.


Every person has the right to a judicial remedy for any violation of the rights guaranteed under the directive (Article 22) and to receive compensation for any damage suffered as a result of unlawful data processing (Article 23). The sizes of potential sanctions for breaches vary widely between Member States: the lower limit in Croatia is HRK 10 000 (EUR 1 131), while the UK or spanish authority may require penalties of up to GBP 500 000 (EUR 597 000).


5. PROPOSALS


What types of uses of big data raise the most public policy concerns?

1. Correlation of disparate data such as healthcare, financial, demographic and location data.

2. Tracking consumer behavior and sharing them with 3rd party without proper authorization for targeting and other purposes.

3. Big data storage in the cloud across multiple geo boundaries

4. Lack of transparency: who has access to which data, which data is collected and for what reason.


The Cloud Security Alliance (CSA) Big Data Working Group (BDWG) has come up with 100 best practices to enhance the security and privacy of big data:

https://docs.google.com/document/d/1FqeHlA53sliNS3sd3ECy2hwyJu0UJDZT71zUs-02nX4/edit





The top 10 best practices are: 1. Authorize access to files by predefined security policy 2. Protect data by data encryption while at rest 3. Implement Policy Based Encryption System (PBES) 4. Use antivirus and malware protection systems at

endpoints 5. Use big data analytics to detect anomalous connections

to cluster 6. Implement privacy preserving analytics 7. Consider use of partial homomorphic encryption schemes 8. Implement fine grained access controls 9. Provide timely access to audit information 10. Provide infrastructure authentication mechanisms


BIG DATA: SEIZING OPPORTUNITIES,

PRESERVING VALUES, May 2014 1. Preserving Privacy Values: Maintaining our privacy values by protecting per-sonal information in the marketplace, both in the United States and through in-teroperable global privacy frameworks; 2. Educating Robustly and Responsibly: Recognizing schools as an important sphere for using big data to enhance learning opportunities, while protecting personal data usage and building digital literacy and skills; 3. Big Data and Discrimination: Preventing new modes of discrimination that some uses of big data may enable; 4. Law Enforcement and Security: Ensuring big data’s responsible use in law en-forcement, public safety, and national security; and 5. Data as a Public Resource: Harnessing data as a public resource, using it to improve the delivery of public services, and investing in research and technology that will further power the big data revolution.


FUTURE CHALLENGES FOR SOCIAL SCIENCE DATA


THANK YOU!

CELIA FERNÁNDEZ ALLERETSISI UPM

[email protected]


celia fernández aller ([email protected]) ph.d law and technology spain big data…...

Documents

protection of personal

destruction of data

accumulation of data

collection of personal

advent of big data

challenge of big data

eu data protection directive

thousands of data exchanges