Within the world of data protection and privacy – the phrase ‘Big Data’ has become the buzz word synonymous with Data Protection Conferences and LinkedIn postings by privacy professionals. It is as commonplace as more traditional themes such as data breaches and cyber security.
The proposed Data Protection Regulation makes no specific reference to Big Data and given the current structure of the regulation – the question is, whether it really will be equipped to deal with the practical reality of Big Data. Legislation necessarily always lags behind current technological developments, but some commentators such as Chris Pounder worry that the Regulation will afford less protection – not more, if and when it comes into force. The risk is that a watered down Regulation will exacerbate the data protection gap and erode existing protection.
How is an individual’s privacy protected? What tools are available now? if an individual wants to know who holds their data, the individual may make a Subject Access Request. But, is it fit for purpose? Arguably, it is clunky, inexact and a shot in the dark. An individual seeking to understand the flows of their personal data would have to undertake painstaking detective forensic exercise – akin to researching one’s family ancestry.
Big Data and Keeping Joe Public in the Loop
It is not difficult to envisage companies one day exploiting data acquired from smart phones sensors and harvesting social media analysis to identify mental illnesses such as depression. So let us imagine a scenario. A Face book member posts photographs of a recently deceased parent and shares about the difficult times they are going through. That person researches information on the internet around depression and treatment. They go on to make an appointment at a clinic and is prescribed medication and undertakes counselling. The location data of each search and every visit to the clinic is recorded. The medical information is sold onto big data analytics firms in the US.
Is the current data protection framework adequate to ensure that this particular individual cannot be identified? If the company crunching their personal data is a Californian start-up for example, how is it possible for that person to find out that their data is being exploited for profit. You don’t know what you don’t know and there appears to be no available practical means to uncover that blind spot. Can an individual trust the assurances of a company claiming anonymisation and data minimisation as a protective shield? Where are the safeguards to ensure that if a company wants to drill down and identify a particular individual, that it can be prevented from doing so? As things stand, the foreseeable future for control of one’s right to privacy, will be one where the immensely powerful interests of Government and Big Business increasingly have the capability to override those of the individual in a globalised world.
The Information Commissioner’s Office in its 2014 Report on Big Data appears to chime with some commentator’s concerns that the current data protection framework is not fit for purpose in the world of Big Data. Strengthening Fair Processing Notices with detailed explanation of data flows and uses as an aid to transparency might just have the opposite effect – the potential complexity could as likely bewilder the average user rather than enlighten. As the ICO states in its Report: “… it remains to be seen how practicable it would be to communicate all of the stipulated information in some of the contexts in which big data is gathered”.
Global Data Privacy Lawyer