510 likes | 669 Views
BIG DATA… ¿BIGGER PROBLEMS FOR DATA PROTECTION?. Celia Fernández Aller (mariacelia.fernandez@upm.es) Ph.D Law and Technology Spain. 0. What is big data? What is data protection?. 2011. WHAT IS BIG DATA?. Data protection is challenged by the advent of ‘big data’.
E N D
BIG DATA… ¿BIGGER PROBLEMS FOR DATA PROTECTION? Celia Fernández Aller (mariacelia.fernandez@upm.es) Ph.D Law and Technology Spain
0. What is big data?What is data protection? Celia Fernández Aller EUI UPM
2011 Celia Fernández Aller EUI UPM
WHAT IS BIG DATA? Data protection is challenged by the advent of ‘big data’. The quantity of global digital data expanded from 130 exabytes in 2005 to 1,227 in 2010, and is predicted to rise to 7,910 exabytes in 2015 The Economist report 2012. “The challenge of ‘big data’ for data protection “. Christopher Kuner*, Fred H. Cate**, Christopher Millard**, and Dan Jerker B. Svantesson*** International Data Privacy Law, 2012, Vol. 2, No. 2 Celia Fernández Aller ETSISI UPM
The fundamental right to protection of personal data The right to respect for private and family life, home and communications is laid down in Article 7 of the European Convention on Human Rights. Article 8 formulates the protection of personal data as a separate right. It goes beyond simply protecting against interference by the state. It is a proactive right which entitles the individual to expect that his or her information will only be processed by anyone and not only the state, if certain essential requirements laid down in Article 8 (2) and (3) are fulfilled. Celia Fernández Aller ETSISI UPM
Art. 8 ECHR (requirements for data protection) • The processing is fair and lawful and for specified purposes • It is transparent to the individual who is entitled to access and rectification of his/her information • The rights must be subject to control by an independent authority. Celia Fernández Aller ETSISI UPM
DATA PROTECTION Personal data (name, bankaccount, consumerprofile, etc) DATA SUBJECT • PRINCIPLES • Consent • Information • Security… Controller Celia Fernández Aller ETSISI UPM
Personal data as defined in Article 2(a) of Directive 95/46/EC means 'any information relating to an identified or identifiable natural person'. This includes any information which refers to the identity, characteristics or behaviour of an individual or which is used to determine or to influence the way in which that person is treated or evaluated. Celia Fernández Aller EUI UPM
But how will these tools face in a world of ubiquitous surveillance, and thousands of data exchanges by and about every individual on the planet every day? Celia Fernández Aller EUI UPM
The 1995 EU Data Protection Directive, for example, limits the collection of personal data to the fulfilment of specific predefined purposes. It also requires the destruction of data once the purpose of which they have been collected is achieved. This provision prevents the accumulation of data, which is a necessary condition for data to become ‘big’. Celia Fernández Aller EUI UPM
1. Some points of view Celia Fernández Aller ETSISI UPM
“There is noone in the world today who have a complete picture of who has been collecting data on who” “Personal informationshould be translatedintomonetaryterms. Itshouldhave a price”. (Jaron Lanier. Investigación y Ciencia (2014), p53) Celia Fernández Aller ETSISI UPM
“The very same algorithms and analytical tools that Facebook uses to understand your interests and desires, and Amazon uses to calculate (and miscalculate) what else you might like to buy, can be used by government and private security companies alike to calculate (and miscalculate) whether you may be a threat, now or in the future. And it is precisely the “dual use” nature of this technology that makes it so hard to regulate” TNI (2014) The State of Power, p.23 Celia Fernández Aller ETSISI UPM
“The notice and consent is defeated by exactly the positive benefits that big data enables: new, non-obvious, unexpectedly powerful uses of data” “Big data technologies, together with the sensors that ride on the “Internet of Things,” pierce many spaces that were previously private”. (White HouseReport, 2014) Celia Fernández Aller ETSISI UPM
Danah Boyd, Kate Crawford (2011) Six provocations for Big Data “Just because it is accesible doesn´t make it ethical” It may be unreasonable to ask researchers to obtain consent from every person who posts a tweet, but it is unethical for researchers to justify their actions as ethical simply because data is accessible. Celia Fernández Aller ETSISI UPM
The growing globalization of data flows via big data increases the risk that people can lose control of their own data Celia Fernández Aller ETSISI UPM
2. Big data and privacy concerns Celia Fernández Aller ETSISI UPM
Big data can be used: • to identify more general trends and correlations • it can also be processed in order to directly affect individuals. It is not the volume, velocity, variety or veracity what worries me, but the uses of the information. - The uses of the data are notdeterminedbeforecollection. Celia Fernández Aller ETSISI UPM
Risks Big Data may also pose significant risks for the protection of personal data and the right to privacy: • the sheer scale of data collection, tracking and profiling; • the security of data; • the transparency, which implies sufficient information given to individuals; • inaccuracy, discrimination, exclusion and economic imbalance; • increased possibilities of government surveillance. (Opinion 3/2013 on purpose limitation. Art. 29 Data protection working party. UE) Celia Fernández Aller ETSISI UPM
THE CHALLENGE OF BIG DATA FOR DATA PROTECTION It is no exaggeration to say that we are nothing more than a collection of data to most of the institutions—and many of the people—with whom we deal. Big data poses enormous challenges for data protection— both by processors and regulators. It simultaneously changes the context and raises the stakes for Data protection. Celia Fernández Aller ETSISI UPM
Big data also shows the importance of harmonization, or even standardization, in data protection standards. As personal data are universally collected and shared across sectorial and national boundaries, inconsistent data protection laws pose increasing threats to individuals, institutions, and society Celia Fernández Aller ETSISI UPM
Perhaps the greatest impact of big data is the pressure it brings for new thoughtful, informed, multinational debate about the key principles that should undergird data protection. Most data protection laws continue to rely on the 1980 OECD Guidelines Celia Fernández Aller ETSISI UPM
3. Are companies worried about privacy? Celia Fernández Aller ETSISI UPM
Forgetting security and privacy issues?IBM (2012) Analytics: the real-world use of big data Celia Fernández Aller EUI UPM
How to regulate BIG DATA?(Lokke Moerel, Tilburg University and in a Law Firm advising multinationals) • Delete some EU Regulation principles • Extending the “legitimate interest ground” to the processing of all categories of data and further to all phases of the life-cycle of data • “informed consent” and “data minimisation” are at odds with the reality of big data. Celia Fernández Aller ETSISI UPM
Personal data may be collected, used (which will include profiling), merged, transferred and destroyed if there is a ‘legitimate interest of the controller which does not outweigh the privacy rights of the individuals’. Celia Fernández Aller ETSISI UPM
Transparency requirement for choices made and meaningful access • For example, by including a profile settings dashboard on a social media website where the relevant profile characteristics are displayed and can be tailored by the individual Celia Fernández Aller ETSISI UPM
Accountability for the whole life cycle of data The accountability principle should explicitly extend to all phases of the data life-cycle. Controllers should be accountable for implementation of an internal data protection compliance program ensuring that the choices made are actually implemented in the practices of the company. Therefore, no prescribed documentation and ex-ante consultation and authorization requirements should be imposed Celia Fernández Aller ETSISI UPM
Technology Impact Assessments rather than a Data Protection Impact Assessment Part of the accountability obligation is to perform a Data Protection Impact Assessment when implementing new data processing operations. I propose to extend this obligation to performing a more encompassing Technology Impact Assessment. Celia Fernández Aller ETSISI UPM
Why should companies respect data protection laws? Keeping the information you have about your customers secure will help protect your an their information. Sending out a mailing from incorrect or out-of-date records could not only annoy your customers but also wastes your time and money. Good information handling can improve your business’s reputation by increasing customer and employee confidence in you. Good information handling should also reduce the risk of a complaint being made against you. Celia Fernández Aller ETSISI UPM
4.DATA PROTECTION PRINCIPLES AND BIG DATA Celia Fernández Aller ETSISI UPM
Directive 95/46/EC (the ‘Data Protection Directive’), although adopted on another legal basis, is currently still the central piece of legislation. It requires a balancing of the control of one’s personal information and the free movement of data in the internal market. Celia Fernández Aller ETSISI UPM
The European Parliament and the Council are currently discussing the proposals for a new legal framework proposed by the Commission in January 2012. Celia Fernández Aller ETSISI UPM
Anonymisation Techniques, Opinion 5/2014 WP216 • Directive 95/46/EC refers to anonymisation to exclude anonymised data from the scope of data protection legislation • Anonymised data must be retained in a form in which identification of the data subject is no longer possible Celia Fernández Aller ETSISI UPM
Persons subject to obligations under data protection rules In the interests of ensuring a level playing field, EU data protection law applies equally to all data controllers established in the EU or using equipment situated in the EU. Under the Commission’s proposed general data protection regulation, the territorial scope of the EU’s rules would be extended to any data controller ‘offering goods or services’ and ‘monitoring [the] behaviour’ of data subjects residing in the EU. This clarification seems appropriate in the light of the global exchanges of information which characterise the digital economy. Celia Fernández Aller ETSISI UPM
All businesses which are data controllers are subject to obligations to protect personal data, irrespective of their size or even dominant position in a market. The greater the amount and sensitivity of data held and available for disclosure, the more important [is] the content of the safeguards to be applied at the various crucial stages in the subsequent processing of the data. Many data protection provisions can therefore be considered scalable in proportion to the volume, complexity and intrusiveness of a company’s personal data processing activities, and are therefore of particular relevance to powerful, big data-managing companies. Celia Fernández Aller ETSISI UPM
Legitimate and compatible purposes for data processing Article 6 (1) (b) of the Data Protection Directive provides that personal data must be ‘collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.’ This purpose limitation principle is necessary in order to ensure trust, predictability, legal certainty and transparent use of personal data by data controllers. Further processing for a secondary purpose is not forbidden, but the secondary purpose must not be ‘incompatible’ with the purposes for which the data have been collected. Celia Fernández Aller ETSISI UPM
Distinguishing between compatible and incompatible processing of personal data is often a complex and delicate exercise in data protection law. While the directive does not necessarily prohibit processing for different purposes, the Article 29 Working Party recommended that compatibility should be assessed in the light of the context in which the data were collected, of reasonable expectations of the data subjects, of the nature of the personal data in question, of the impact of further processing, and of safeguards to protect the data subject. Celia Fernández Aller ETSISI UPM
The concept of compatibility may be compared with that of substitutability, which is used in the application of competition rules to determine which products may be considered to be competing in the same market. In the context of the digital economy, it is conceivable that a company might collect data for the purpose of providing a certain service in one market, and further process those data in order to compete in the provision of another service in a separate market Celia Fernández Aller ETSISI UPM
Consent and the rights to information, to access to data and to data portability Personal data processing requires a legal basis. One such basis is the freely-given, unambiguous and informed consent of the data subject to the specific processing operation. Mere silence or inaction, such as in the case of default settings of online social networks or web browsers, is not valid. Consent should be requested prior to the data processing and only after the data controller has given notice to the data subject of the processing operations in clear and understandable language. It may be withdrawn, in which case any personal data pertaining to the data subject should be erased unless there is another legal basis that justifies continued storage of the data. Celia Fernández Aller ETSISI UPM
“The notice and consent is defeated by exactly the positive benefits that big data enables: new, non-obvious, unexpectedly powerful uses of data.” Celia Fernández Aller ETSISI UPM
This right to data portability would allow users to transfer between online services in a similar way that users of telephone services may change providers but keep their telephone numbers. In addition, data portability would allow users to give their data to third parties offering different value-added services. By way of illustration, if applied to smart metering it would enable customers to download data on their energy usage from their existing electricity supplier and then to hire a third party able to advise them whether an alternative supplier could offer a better price, based on their patterns of electricity consumption. Such transparency enables individuals to exercise their other data protection rights and may be seen to mirror the objective of rules on the provision of clear and accurate information to the consumer. Celia Fernández Aller ETSISI UPM
Supervision, enforcement, sanctions and access to remedies for infringements Article 8(3) of the ECHR asserts that the rules laid down ‘shall be subject to control by an independent authority’. Article 28(1) of Data Protection Directive duly requires EU Member States to provide for one or more public authorities to act with complete independence in the monitoring of the application of the directive. Data protection authorities’ tasks include dealing with complaints and conducting investigations. They may order the blocking, erasure or destruction of data and temporary or definitive bans on processing. Celia Fernández Aller ETSISI UPM
Every person has the right to a judicial remedy for any violation of the rights guaranteed under the directive (Article 22) and to receive compensation for any damage suffered as a result of unlawful data processing (Article 23). The sizes of potential sanctions for breaches vary widely between Member States: the lower limit in Croatia is HRK 10 000 (EUR 1 131), while the UK or spanish authority may require penalties of up to GBP 500 000 (EUR 597 000). Celia Fernández Aller ETSISI UPM
5. PROPOSALS Celia Fernández Aller ETSISI UPM
What types of uses of big data raise the most public policy concerns? 1. Correlation of disparate data such as healthcare, financial, demographic and location data. 2. Tracking consumer behavior and sharing them with 3rd party without proper authorization for targeting and other purposes. 3. Big data storage in the cloud across multiple geo boundaries 4. Lack of transparency: who has access to which data, which data is collected and for what reason. Celia Fernández Aller ETSISI UPM
The Cloud Security Alliance (CSA) Big Data Working Group (BDWG) has come up with 100 best practices to enhance the security and privacy of big data: https://docs.google.com/document/d/1FqeHlA53sliNS3sd3ECy2hwyJu0UJDZT71zUs-02nX4/edit Celia Fernández Aller ETSISI UPM
The top 10 best practices are: 1. Authorize access to files by predefined security policy 2. Protect data by data encryption while at rest 3. Implement Policy Based Encryption System (PBES) 4. Use antivirus and malware protection systems at endpoints 5. Use big data analytics to detect anomalous connections to cluster 6. Implement privacy preserving analytics 7. Consider use of partial homomorphic encryption schemes 8. Implement fine grained access controls 9. Provide timely access to audit information 10. Provide infrastructure authentication mechanisms Celia Fernández Aller ETSISI UPM
BIG DATA: SEIZING OPPORTUNITIES, PRESERVING VALUES, May 2014 1. Preserving Privacy Values: Maintaining our privacy values by protecting per-sonal information in the marketplace, both in the United States and through in-teroperable global privacy frameworks; 2. Educating Robustly and Responsibly: Recognizing schools as an important sphere for using big data to enhance learning opportunities, while protecting personal data usage and building digital literacy and skills; 3. Big Data and Discrimination: Preventing new modes of discrimination that some uses of big data may enable; 4. Law Enforcement and Security: Ensuring big data’s responsible use in law en-forcement, public safety, and national security; and 5. Data as a Public Resource: Harnessing data as a public resource, using it to improve the delivery of public services, and investing in research and technology that will further power the big data revolution. Celia Fernández Aller ETSISI UPM
FUTURE CHALLENGES FOR SOCIAL SCIENCE DATA Celia Fernández Aller ETSISI UPM